On Wednesday, December 14, 2016, the first draft of new ePrivacy law leaked from the EU Commission. The leaked version should not be considered the final version of the new ePrivacy regulation which is anticipated to be published only sometime in January 2017, but it does provide some useful insights in the outcome of the law reform. The aim of the new ePrivacy Regulation is, among others, to consolidate data processing law in the field of electronic communications with the General Data Protection Regulation (“GDPR”) that was adopted earlier this year.
The new law will be in a form of a regulation. This should help to reduce the current fragmentation of national rules based on ePrivacy Directive (2002/58/EC), which will be repealed by this new ePrivacy Regulation. It means that the ePrivacy Regulation will be directly binding and applicable to every person in the EU without the need of any transposition of the rules in the national laws of the Member States. In addition, the scope of the territorial applicability is expected to be broader, mirroring the GDPR, and the Regulation shall apply to all electronic communications data processing concerning EU citizens.
The scope of the applicability of the ePrivacy law is also extended with respect to services covered. The leaked draft suggests that the Regulation will cover (despite heavy lobbying in the EU to the contrary), not only the current telecommunication services but also so-called over-the-top services (“OTTs”) which are currently not subject to the EU electronic communications regulatory framework. Services such as WhatsApp, Facebook, Skype and others will thus become regulated. Additionally, machine-to-machine communication will also enjoy protection under this Regulation, which is especially important for new cutting edge services and service providers in the field of the Internet of Things.