ePrivacy Regulation (December 2016)

On Wednesday, December 14, 2016, the first draft of new ePrivacy law leaked from the EU Commission. The leaked version should not be considered the final version of the new ePrivacy regulation which is anticipated to be published only sometime in January 2017, but it does provide some useful insights in the outcome of the law reform. The aim of the new ePrivacy Regulation is, among others, to consolidate data processing law in the field of electronic communications with the General Data Protection Regulation (“GDPR”) that was adopted earlier this year.

The new law will be in a form of a regulation. This should help to reduce the current fragmentation of national rules based on ePrivacy Directive (2002/58/EC), which will be repealed by this new ePrivacy Regulation. It means that the ePrivacy Regulation will be directly binding and applicable to every person in the EU without the need of any transposition of the rules in the national laws of the Member States. In addition, the scope of the territorial applicability is expected to be broader, mirroring the GDPR, and the Regulation shall apply to all electronic communications data processing concerning EU citizens.

The scope of the applicability of the ePrivacy law is also extended with respect to services covered. The leaked draft suggests that the Regulation will cover (despite heavy lobbying in the EU to the contrary), not only the current telecommunication services but also so-called over-the-top services (“OTTs”) which are currently not subject to the EU electronic communications regulatory framework. Services such as WhatsApp, Facebook, Skype and others will thus become regulated. Additionally, machine-to-machine communication will also enjoy protection under this Regulation, which is especially important for new cutting edge services and service providers in the field of the Internet of Things.

On the other hand, the Regulation seems to somewhat decrease the current level of protection provided to internet users when it comes to of the use of cookies. The Regulation will allow one-time default settings of internet browsers, whereby the users will, at the outset, set their preferences and decide whether their devices should use the cookies or not (though they may later change the general settings). Unlike the ePrivacy Directive, the draft Regulation also allows for use of metadata (including cookies) for the purpose of provision of value added services,. The Regulation does not govern the much discussed data retention obligations. The long-awaited CJEU decision in Watson and Tele2, which should be rendered still in December 2016, is therefore hoped to shed light on whether judicial or independent authorization for access to communications data should be regarded mandatory.