Another revised draft ePrivacy Regulation (“ePR”) was recently published which introduces the ability for organisations to rely on the “legitimate interests” legal basis to drop cookies on end users’ devices.
This change has been criticised by some commentators for ambiguities and watering down data protection rights despite accompanying safeguards. It remains to be seen if it will be retained in future draft iterations or indeed, the agreed version of the ePR, in relation to which there is no clear timetable for implementation at present.
First published in January 2017, the ePR covers specific data regulation reforms such as cookies, electronic direct marketing, over-the-top services and machine-to-machine communications. The overall approach, including a more stringent sanctions regime, would bring ePrivacy regulation into much closer alignment with the GDPR and was originally intended to coincide with the GDPR’s implementation in 2018.
Despite revised proposals from numerous Presidencies of the Council of the European Union, Member States have been unable to agree a final version of the ePR. At the moment, this means that it is unlikely to take effect before 2023 as a grace period of up to 2 years will need to elapse following adoption of the final draft.
With regards to Brexit, since the ePR is unlikely to be effective by the end of the transition period, it will not be incorporated into UK law under the withdrawal legislation (in contrast to the intended implementation of a UK GDPR). Therefore, the existing Privacy and Electronics Communications Regulations 2003 (“PECR”) will continue to apply following the end of the transition period. Once the ePR takes effect, the UK may choose to mirror the drafting or bring in its own drafting which diverges from the ePR. In any event, the ePR (in its current form) will likely still have implications for UK organisations dealing with individuals in the EU due to its intended extra-territorial scope.
The Proposed Amendments to the Draft ePrivacy Regulation
The latest draft, which simplifies the text of the core provisions and further aligns them with the GDPR, was proposed by the Croatian Presidency when it became clear that the majority of the Member States would not support the existing text.
Commentators have criticised the drafting which seems to contain some inconsistencies. Firstly, it directly contradicts the EDPB’s statement in May 2018 that ePrivacy Regulation should not allow processing “on open-ended grounds, such as “legitimate interests” that go beyond what is necessary for the provision of an electronic communications service.” The introductory text to the draft, conversely, states that proposed safeguards mean that the new legal ground remains “in line with the GDPR”. Furthermore, tech advertisers wishing to rely on the “legitimate interests” ground may do so on condition that the end user is provided with clear information and has “accepted such use”. How an end user would confirm acceptance in practice is however unclear and this seems to cut across the prohibition on using the ground for profiling purposes.
The new proposal clearly intends to address some of the more contentious drafting points and cater to business needs (e.g. advertising). Nonetheless, given the lack of agreement to date and the ambiguities in the drafting, it remains far from certain that this draft will become the enacted version of the ePR.