European Regulation on Privacy and Electronic Communications
(Last updated: 29 October 2019 / draft ePrivacy Regulation of 4 October 2019)
We will gladly keep you updated on developments around the ePrivacy Regulation. Please subscribe to our newsletter.
Key content of the ePrivacy Regulation
The ePrivacy Regulation regulates the use of electronic communications services within the European Union and is intended to replace the Directive on Privacy and Electronic Communications (Directive 2002/58/EC). The ePrivacy Regulation is primarily aimed at companies operating in the digital economy and specifies additional requirements they need to meet in relation to the processing of personal data.
On this website, CMS presents key information on the ePrivacy Regulation and the status of the legislative process. We explain in particular the scope of application of the ePrivacy Regulation and deal in detail with the hotly debated topic of tracking.
ePrivacy Regulation – current status and timescale
Originally, the ePrivacy Regulation was intended to apply from 25 May 2018 together with the General Data Protection Regulation (GDPR). Unlike with the GDPR, however, the EU states have not yet been able to agree on the draft legislation, and negotiations on the ePrivacy Regulation are still ongoing in 2019.
On 10 January 2017, the EU Commission presented the first draft of the ePrivacy Regulation; on 26 October 2017, the EU Parliament adopted an amended draft and voted in favour of negotiations with the Commission and the Council of the European Union (trilogue negotiations). On 5 December 2017, the then EU Council presidency published its own draft, which was followed by further drafts. The Romanian presidency presented its draft on 22 February 2019; the latest drafts of July this year and most recently of 4 October 2019 were produced by the current Finnish presidency of the Council. These drafts are still being negotiated in the Council. Accordingly, there is as yet no authoritative draft text available.
The trilogue negotiations that were scheduled to start in the second half of 2018 have not yet begun. Consequently, the ePrivacy Regulation is not expected to enter into force before 2020. Based on the current status, it is not likely to become applicable before 2022, or even 2023, following a transitional period of 24 months from the date of entry into force.
ePrivacy Regulation - chronological overview
- 4th Draft by the Finnish Presidency, 4 October 2019
- 3rd Draft by the Finnish Presidency, 18 September 2019
- 2nd Draft by the Finnish Presidency, 26 July 2019
- Draft by the Finnish Presidency, 12 July 2019
- Progress Report by the Romanian Presidency, 20 May 2019
- Draft by the EU Parliament (Report A8-0324 / 2017), 26 October 2017
- Draft by the European Commission, 10 January 2017 (German version)
Current framework of administrative fines under the ePrivacy Regulation
As is already the case with infringements of the GDPR, companies face substantial fines if they breach the ePrivacy Regulation.
The draft ePrivacy Regulation essentially cites the provisions of the GDPR with regard to rules on legal remedies, liability and penalties. The stipulation on administrative fines (Article 23 of the draft), for example, refers to Article 83 of the GDPR.
Depending on the nature of the infringement, fines may amount to EUR 20,000,000 or 4% of the company’s worldwide annual turnover, whichever is higher (Article 23(3) of the draft).
Data processing justified after balancing interests?
The GDPR provides legal grounds for processing personal data based on the legitimate interests of the controller (Article 6(1), sentence 1, letter f). Although many experts have called for a similar provision in the ePrivacy Regulation, to date there is no such rule. This raises the crucial question as to how the scopes of application of the GDPR and the ePrivacy Regulation are to be distinguished in this respect, since legitimation under Article 6(1), sentence 1, letter f of the GDPR is only possible if the GDPR is applicable.