The ePrivacy Directive, along with the General Data Protection Regulation (AVG), currently form the legal framework to ensure digital privacy for European Union citizens.
Where the AVG focuses on the protection and processing of personal data, ePrivacy focuses specifically on the processing of personal data for electronic communications. Consider the regulations regarding the use and management of cookies, or the regulations regarding telemarketing.
In the Netherlands, the ePrivacy Directive is implemented in the Telecommunications Act (Tw). However, a revision - the ePrivacy Regulation - is being worked on at the European level.
Disagreements within legislative bodies of the European Union have delayed the introduction of the ePrivacy Regulation, in fact, it was originally supposed to be introduced in parallel with the introduction AVG, in May 2018. Under pressure from an active lobby, draft versions of the regulation have been published at regular intervals in recent years. On February 10, 2021, an important step toward the adoption of the regulation was taken: the Council of the European Union agreed on a draft text and submitted it to the European Parliament.(1)
Work is now continuing in parliament on ePrivacy Regulation, the text is certainly not yet fixed. This is already evident from a statement by the European Data Protection Board (EDPB), the collaborative body of European data protection authorities, which calls for a number of changes.(2) Negotiating the final text is also likely to be a time-consuming process. Thus, adoption of the ePrivacy Regulation may also not take place in 2021.
Revision of the ePrivacy Directive
The ePrivacy Directive was established to complement and specify the AVG's predecessor, the Privacy Directive.(3) Because the Privacy Directive was replaced by the AVG in 2016, a revision of the ePrivacy Directive was also necessary. The AVG highlights this in recital 173.
On Jan. 10, 2017, the European Commission made an initial proposal for the ePrivacy Regulation.(4) Fundamental discussions on the interpretation of the ePrivacy Regulation are ongoing within the Council, so what the final content of the ePrivacy Regulation will be is uncertain for now.
Content of the ePrivacy Regulation
The ePrivacy Regulation, like the ePrivacy Directive, will both supplement and specify the AVG. What is important here is that the specifying rule should not involve a lower level of protection for natural persons than the general rule of the AVG.
The proposal extends the scope of the ePrivacy Regulation to over-the-top services. Think of online services involving electronic communications, such as Whatsapp. The ePrivacy Regulation will also mark another step in the development of cookie rules. With the entry into force of the AVG, the rules regarding consent have become stricter.
How a battle will now be struck with the cookie rules in the ePrivacy Regulation is one of the discussion points. For example, will an explicit ban on cookie walls be included? May cookies be placed only on the basis of consent or will other bases be made available? And should it be possible to refuse third-party cookies in default settings? These points have not yet been crystallized.
Also, the ePrivacy Regulation harmonizes the supervision of privacy law. According to the proposal, the supervisor of the AVG will also be the supervisor of the ePrivacy Regulation. This attempts to ensure better consistency with the AVG. In the Netherlands, supervision of the ePrivacy Directive and the AVG is currently still separate. The Consumer and Market Authority (ACM) supervises the ePrivacy Directive, the Personal Data Authority (AP) supervises the AVG. For Dutch privacy law, this would mean that the AP would become the sole supervisory authority.
Footnotes
(1) https://www.consilium.europa.eu/en/press/press-releases/2021/02/10/confidentiality-of-electronic-communications-council-agrees-its-position-on-eprivacy-rules/?utm_
(2) https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_statement_032021_eprivacy_regulation_en.pdf
(3) https://eur-lex.europa.eu/legal-content/NL/TXT/HTML/?uri=CELEX:32002L0058&from=EN, recital 12
(4) https://eur-lex.europa.eu/legal-content/NL/TXT/?uri=CELEX%3A52017PC0010
