The ePrivacy Regulation is supposed to modernize the existing ePrivacy Directive and to bring it in line with the General Data Protection Regulation (GDPR). #EDPD17 chairman Prof. Dr Ulrich Wuermeling (Latham & Watkins) points out that the consequences may be drastic and explains how the new ePrivacy Regulation may affect your business in this article.
The ePrivacy Regulation will be one of the focus topics of the European Data Protection Days in Berlin in May.
Register now for #EDPD17 and discuss the proposal and the potential consequences for businesses!
The European Commission has issued a Proposal for a new ePrivacy Regulation. The purpose of the reform is to modernize the existing ePrivacy Directive and to bring it in line with the General Data Protection Regulation (GDPR). Some hoped the Commission would cut back the ePrivacy Directive to its original scope of regulating public communications service providers, because the GDPR is specifically designed to regulate online activities. However, the Proposal goes the opposite way and affects every business that uses public electronic communications services. The consequences may be drastic depending on what the ePrivacy Regulation will look like after European Parliament and the Council agree on its final form.
As one of the main changes, the European Commission highlights the application of the proposed ePrivacy Regulation to Over-the-Top (OTT) communications services. This is important for OTT providers, but not for other businesses. The main feature of the proposal is the continued expansion of the scope of ePrivacy law. For example, the ePrivacy Directive from 2002 was revised in 2006 and 2009 to cover the use of location data and the setting of cookies by any business. The Proposal continues this path and, therefore, becomes more relevant for day-to-day data processing by every business. In fact, it also applies to private use, because the Proposal does not include a private household exemption.
The Proposal not only protects personal data but also data about companies and anonymous data. It is not limited to the protection of data during communication, either. It covers all data stored in and related to terminal equipment of end-users. Consequently, the ePrivacy Regulation becomes relevant for every business that, for example, operates a website or otherwise uses communications services.
One of the key features of the Proposal is the focus on consent requirements. It recognizes that users are increasingly annoyed about cookie consent banners, but provides very limited exemptions. If the Proposal becomes law, users will be overwhelmed with consent requests and will all have to comply with the strict consent requirements of the GDPR. In some areas, the Proposal even prohibits the processing of data with consent.
Mr. Wuermeling is a Visiting Professor at Queen Mary University of London and an attorney at the law firm Latham & Watkins LLP. At Queen Mary University of London he teaches and researches in European data protection law. In his work as an attorney, he consults on data protection law and represents clients in data protection disputes. He has been hosting the Euroforum data protection congress since its year. Mr. Wuermeling obtained his doctorate on the subject “trade barrier privacy” from the University of Würzburg and has published numerous articles on privacy law.