DIGITALEUROPE’s comments on the ePrivacy Regulation proposal

DIGITALEUROPE is committed to working with the Council and the European Parliament to deliver a new ePrivacy Regulation (ePR) that can truly protect Europeans’ right to privacy while not hampering innovation and beneficial data uses. European consumers and companies shouldn’t have to choose one or the other, and the right balance can be found if the new law provides for a risk-based approach and ensures full consistency with the letter and the spirit of the General Data Protection Regulation (GDPR) as well as the upcoming European Electronic Communications Code (EECC).

We urge the co-legislators to:

• Define a reasonable scope that complements existing rules, minimises overlaps and stays true to the objectives of data protection and telecoms law. For instance, anonymous data, which does not pose privacy risks and is therefore not covered by the GDPR, should not be regulated. Rules pertaining to ancillary communications, which are not functionally equivalent to telecoms services, or rules pertaining to M2M platforms, which for instance include industrial automation processes, should be explicitly excluded, thus not be covered by the ePR and should be left under the purview of the GDPR.

• Ensure full consistency with the GDPR and the EECC, which would avoid parallel and conflicting definitions describing the same phenomena. Similarly, consent standards, as well as the relevance of additional legal bases, should be the same across the GDPR and the ePR. The ePR rules should also be consistent among each other and avoid internal overlaps and duplications for the rules applicable to content, metadata and terminal equipment.

• More broadly, ensure that the ePR preserves the GDPR’s risk-based approach rather than establishing blanket prohibitions for all processing underpinning a broad range of communications services and terminal equipment. Given the central role of electronic communications in people’s lives and the many uses which communications can serve, the ePR should be technology neutral and ensure legal flexibility to allow for data processing that has little or no impact on the right to privacy and confidentiality such as improving quality of service, providing automatic updates, ensuring that devices are free from security vulnerabilities and many others.

• Allow sufficient time for implementation as companies would need to apply software changes to comply under the ePR and this, requires minimum 18 and preferable 24 months to implement.