On 10 January 2017, the European Commission issued a proposal for a new ePrivacy Regulation (ePR) triggering a legislative process that is still ongoing. The proposed ePR was intended to replace the existing ePrivacy Directive 2002/58. As well as updating the current ePrivacy framework in the EU, the Commission has qualified the proposal as lex specialis to the General Data Protection Regulation 2016/679 (GDPR), which it is designed to “complement and ”. With this in mind, the original aim had been for the proposed ePR to become enforceable on 25 May 2018 (at the same time as the GDPR).
Following the publication of the proposed ePR, the European Parliament adopted its report with the mandate for entering into inter-institutional negotiations in October 2017. However, the Council of the European Union has not yet been able to agree its The Council has been seeking better alignment of the proposed ePR with the GDPR and to find solutions on many open questions. After two and a half years of negotiations, it remains uncertain whether a Common Approach can be reached.
During the nearly three years since the proposed ePR was issued, many amendments have been suggested and debated in the Council with a view to solving the concerns raised by Member States. These amendments have sought to achieve the right balance between the need for technological innovation, public security and the protection of privacy in the context of the digital economy. The structure of the proposed ePR and the way in which it was originally construed, however, have made a suitable way forward difficult to
This study aims to provide a critical evaluation of the proposed ePR. It is by no means an exhaustive analysis but looks at some of the aspects that have proven to be in conflict with the approach of the GDPR and the various objectives behind the proposed ePR. This study also aims to formulate some essential public policy suggestions for a new text which supports the objectives of the proposed ePR in a more pragmatic and feasible way, avoiding the legal uncertainty created by some foundational elements of the current proposal.
When updating the EU ePrivacy framework, a balance needs to be struck between the protection of privacy and public security in the context of the digital economy and the need for technological development. This balance needs to be effective in practice and aligned with the existing framework for the protection of personal data, which is closely related to the protection of confidentiality.
Our critical evaluation of the proposed ePR has shown that:
Rather than complementing the GDPR, the current proposal is in some respects in conflict with the basic tenets of the EU data protection framework.
The essence of flexibility in the application of the GDPR created by focussing on risk is fundamentally missing from the proposed ePR, which instead imposes a general prohibition on processing with narrow exceptions. This creates a dual and conflicting system in which standards for the protection of personal data are not consistently applied.
The rules covering the confidentiality of communications have grown in complexity as the legislators sought ways to avoid situations where specific desirable use cases were not permitted by The result is unlikely to be optimal, given the breadth of processing activities covered, unless elements of the GDPR’s risk-based approach are introduced.
The close relationship between Articles 7 and 8 of the Charter of Fundamental Rights of the European Union emphasises and demonstrates the fact that the protection of the right to respect for private life, which the proposed ePR is specifically seeking to protect with regard to communications, needs to be compatible with the mechanisms of protection set out in the GDPR.
In light of our critical analysis and findings, a number of essential steps are recommended to improve the text. In particular:
The ePR should move away from an approach that protects confidentiality predominantly, if not exclusively, by setting out specific legal bases for the processing of specific types of data.
By contrast, a risk-based approach should be applied with the introduction of a similar “balancing test” as under the GDPR’s Article 6(1)(f), applying to activities that cause little or no privacy impact. This will allow proportionality and accountability based on the risks of the associated data
Data processing that poses no risks to individuals, such as data that is or is made anonymous, should be explicitly excluded from the ePR’s scope, which in line with the GDPR should only apply to personal data. This will be particularly important in an IoT context, where data relating to machines will lack any personal
Overall, our analysis shows that improvements to the text are possible only if a reconsideration of the proposal’s core approach to regulating the legal bases for processing is undertaken.
Study of proposal for an ePrivacy Regulation
Table of contents
Introduction and background
Critical analysis of the current proposal for an ePrivacy regulation
An alternative approach to regulating ePrivacy in the EU