European Regulation on Privacy and Electronic Communications
(Last updated: 11 March 2019 / draft ePrivacy Regulation of 22 February 2019)
We will gladly keep you updated on developments around the ePrivacy Regulation. Please subscribe to our newsletter.
Key content of the ePrivacy Regulation
The ePrivacy Regulation regulates the use of electronic communications services within the European Union and is intended to replace the Directive on Privacy and Electronic Communications (Directive 2002/58/EC). The ePrivacy Regulation is primarily aimed at companies operating in the digital economy and specifies additional requirements they need to meet in relation to the processing of personal data.
On this website, CMS presents key information on the ePrivacy Regulation and the status of the legislative process. We explain in particular the scope of application of the ePrivacy Regulation and deal in detail with the hotly debated topic of tracking.
ePrivacy Regulation – current status and timescale
Originally, the ePrivacy Regulation was intended to apply from 25 May 2018 together with the General Data Protection Regulation (GDPR). Unlike with the GDPR, however, the EU states have not yet been able to agree on the draft legislation, and negotiations on the ePrivacy Regulation are still ongoing in 2019.
On 10 January 2017, the EU Commission presented the first draft of the ePrivacy Regulation; on 26 October 2017, the EU Parliament adopted an amended draft and voted in favour of negotiations with the Commission and the Council of the European Union (trilogue negotiations). On 5 December 2017, the then EU Council presidency published its own draft. The most recent draft by the current EU Council presidency is the version of 22 February 2019, which is still under discussion. Accordingly, there is as yet no authoritative draft text available.
The trilogue negotiations were scheduled to start in the second half of 2018, but are now not expected to commence until 2019. This makes it less likely that a final text of the ePrivacy Regulation will be available before the European elections in May 2019. Consequently, the ePrivacy Regulation is not expected to enter into force until 2020 at the earliest and – after a transition period the details of which are still uncertain – not to apply before 2021 or 2022.
ePrivacy Regulation - chronological overview
Current framework of administrative fines under the ePrivacy Regulation
As is already the case with infringements of the GDPR, companies face substantial fines if they breach the ePrivacy Regulation.
The draft ePrivacy Regulation essentially cites the provisions of the GDPR with regard to rules on legal remedies, liability and penalties. The stipulation on administrative fines (Article 23 of the draft), for example, refers to Article 83 of the GDPR.
Depending on the nature of the infringement, fines may amount to EUR 20,000,000 or 4% of the company’s worldwide annual turnover, whichever is higher (Article 23(3) of the draft).
Data processing justified after balancing interests?
The GDPR provides legal grounds for processing personal data based on the legitimate interests of the controller (Article 6(1), sentence 1, letter f). Although many experts have called for a similar provision in the ePrivacy Regulation, to date there is no such rule. This raises the crucial question as to how the scopes of application of the GDPR and the ePrivacy Regulation are to be distinguished in this respect, since legitimation under Article 6(1), sentence 1, letter f of the GDPR is only possible if the GDPR is applicable.