(Last updated: 30 March 2020 / draft ePrivacy Regulation of 21 February 2020)
Key content of the ePrivacy Regulation
The ePrivacy Regulation regulates the use of electronic communications services within the European Union and is intended to replace the Directive on Privacy and Electronic Communications (Directive 2002/58/EC). The ePrivacy Regulation is primarily aimed at companies operating in the digital economy and specifies additional requirements they need to meet in relation to the processing of personal data.
On this website, CMS presents key information on the ePrivacy Regulation and the status of the legislative process. We explain in particular the scope of application of the ePrivacy Regulation and deal in detail with the hotly debated topic of tracking.
ePrivacy Regulation – current status and timescale
Originally, the ePrivacy Regulation was intended to apply from 25 May 2018 together with the General Data Protection Regulation (GDPR). Unlike with the GDPR, however, the EU states have not yet been able to agree on the draft legislation.
On 10 January 2017, the EU Commission presented the first draft of the ePrivacy Regulation; on 26 October 2017, the EU Parliament adopted an amended draft and voted in favour of negotiations with the Commission and the Council of the European Union (trilogue negotiations). On 5 December 2017, the Estonian EU Council presidency published its own draft. This was followed by drafts from the Bulgarian, Austrian, Romanian, Finnish and Croatian Council presidencies.
To date, however, none of these countries has been able to bring about agreement among the EU Member States in the Council. The compromise proposed by Finland on 4 October 2019 likewise failed to gain sufficient support among the Committee of Permanent Representatives on 22 November 2019, with 14 votes being cast against it. Accordingly, there is as yet no authoritative draft Council text available. As a result, the trilogue negotiations that were scheduled to start in the second half of 2018 have not commenced yet. With the change in the EU Council presidency on 1 January 2020, it is now up to the Croatian presidency to convince the Member States of its proposal of 21 February 2020.
Following the failure of the latest draft, commentators don’t expect the ePrivacy Regulation to enter into force before 2023. A transitional period of 24 months means that any new regulations would then not come into effect before 2025.
Due to the stalled negotiations in the Committee of Permanent Representatives, however, there is also the prospect that the European Commission will withdraw the draft legislation completely. At present, the only certainty is that there will be no legal answer to a large number of data protection issues around electronic communications any time soon.
ePrivacy Regulation - chronological overview
Current framework of administrative fines under the ePrivacy Regulation
As is already the case with infringements of the GDPR, companies face substantial fines if they breach the ePrivacy Regulation.
The draft ePrivacy Regulation essentially cites the provisions of the GDPR with regard to rules on legal remedies, liability and penalties. The stipulation on administrative fines (Article 23 of the draft), for example, refers to Article 83 of the GDPR.
Depending on the nature of the infringement, fines may amount to EUR 20,000,000 or 4% of the company’s worldwide annual turnover, whichever is higher (Article 23(3) of the draft).
Data processing justified after balancing interests?
The GDPR provides legal grounds for processing personal data based on the legitimate interests of the controller (Article 6(1), sentence 1, letter f). The Committee of Permanent Representatives is currently grappling with the question of the extent to which a similar provision should be included in the ePrivacy Regulation. If the Council decides against this, it raises the crucial question as to how the scopes of application of the GDPR and the ePrivacy Regulation are to be distinguished in this respect, since legitimation under Article 6(1), sentence 1, letter f of the GDPR is only possible if the GDPR is applicable.