EPrivacy Regulation

Last updated May 24, 2024

The ePrivacy Regulation (ePR) is a proposal for the regulation of various privacy-related topics, mostly in relation to electronic communications within the European Union. Its full name is "Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications)." It would repeal the Privacy and Electronic Communications Directive 2002 (ePrivacy Directive) and would be lex specialis to the General Data Protection Regulation. It would particularise and complement the latter in respect of privacy-related topics. Key fields of the proposed regulation are the confidentiality of communications, privacy controls through electronic consent and browsers, and cookies.

The history of the regulation goes back to January 2017 when the European Commission proposed the ePrivacy Regulation.^[1] The intention was that it would sit alongside the EU GDPR (General Data Protection Regulation) when it was introduced on 25 May 2018.^[1] The scope is still under discussion.^[2] According to some proposals, it would apply to any business that processes data in relation to any form of online communication service, uses online tracking technologies, or engages in electronic direct marketing.^[3]

The proposed penalties for noncompliance would be up to €20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover, whichever is higher.^[4] The ePrivacy Regulation originally was intended to come in effect on 25 May 2018, together with the GDPR, but has still not been adopted.

Difference between Regulation and Directive

The (new) ePrivacy Regulation will repeal the (current) ePrivacy Directive.

Contrary to an EU Directive, an EU Regulation is a legal act of the European Union that becomes immediately effective as law in all member states simultaneously.

The current ePrivacy Directive is a legal act of the European Union that requires member states to achieve a particular result without dictating the means of achieving that result. It has therefore been implemented into national laws and regulations. If the proposed ePrivacy Regulation became effective, these laws would be superseded and will (for reasons of clarity) likely be repealed. The ePrivacy Regulation would be self-executing and not require many implementing measures.

Key points of Commission's proposal

According to the EU Commission, the proposal includes the following key changes:^[3]

New players: Privacy rules will also apply to new players providing electronic communications services such as WhatsApp, Facebook Messenger, and Skype. That will ensure that the popular services guarantee the same level of confidentiality of communications as traditional telecoms operators.
Stronger rules: All people and businesses in the EU will enjoy the same level of protection of their electronic communications through this directly applicable regulation. Businesses will also benefit from one single set of rules across the EU.
Communications content and metadata: Privacy is guaranteed for communications like the time and the location of a call. Metadata have a high privacy component and must be anonymised or deleted if users did not give their consent unless the data is needed for billing.
New business opportunities: Once consent is given for communications data (content and/or metadata) to be processed, traditional telecoms operators will have more opportunities to provide additional services and to develop their businesses. For example, they could produce heat maps indicating the presence of individuals, which could help public authorities and transport companies when developing new infrastructure projects.
Simpler rules on cookies: The cookie provision, which has resulted in an overload of consent requests for internet users, will be streamlined. The new rule will be more user-friendly, as browser settings will provide for an easy way to accept or refuse tracking cookies and other identifiers. The proposal also clarifies that no consent is needed for non-privacy-intrusive cookies improving internet experience (like to remember shopping cart history) or cookies used by a website to count the number of visitors.
Protection against spam: The proposal bans unsolicited electronic communications by emails, SMS, and automated calling machines. Depending on national law, people will either be protected by default or be able to use a do-not-call list to avoid receiving marketing phone calls. Marketing callers will need to display their phone number or use a special pre-fix that indicates a marketing call.
More effective enforcement: The enforcement of the confidentiality rules in the regulation will be the responsibility of data protection authorities, already in charge of the rules under the General Data Protection Regulation.

Reception

In February 2021, the German Federal Commissioner for Data Protection and Freedom of Information saw multiple red lines being crossed. Data retention had again become part of the proposal, despite the fact that it had been ruled unlawful by many courts. The regulations concerning the Internet constituted a step back in that cookie walls would be again allowed. Important consumer rights such as the "right to object" and "data protection impact assessment" would be voided. Personal data could be processed for purposes different from the original ones without the person's consent. The "pay-or-allow-to-be-tracked" question to access a website would henceforth be permitted. The directive of 2001 required in its art 15(1) that data might be retained for an important public interest. The proposal now in 17a does not have such a reference to the public interest anymore.^[5]^[6]^[7]^[8]

In March 2021, France was reported to be leading an effort to modify the ePrivacy initiative to exempt national security agencies from some provisions.^[9]

On July 6, 2021, the European Parliament approved a derogation to the ePrivacy regulation that enables providers of electronic communication services to scan and report private online messages containing material depicting child sex abuse, and allow companies to apply approved technologies to detect grooming techniques.^[10]

Related Research Articles

The Office of the Data Protection Commissioner (DPC), also known as Data Protection Commission, is the independent national authority responsible for upholding the EU fundamental right of individuals to data privacy through the enforcement and monitoring of compliance with data protection legislation in Ireland. It was established in 1989.

Information privacy is the relationship between the collection and dissemination of data, technology, the public expectation of privacy, contextual information norms, and the legal and political issues surrounding them. It is also known as data privacy or data protection.

The Data Protection Directive, officially Directive 95/46/EC, enacted in October 1995, was a European Union directive which regulated the processing of personal data within the European Union (EU) and the free movement of such data. The Data Protection Directive was an important component of EU privacy and human rights law.

The Data Protection Act 1998 (DPA) was an Act of Parliament of the United Kingdom designed to protect personal data stored on computers or in an organised paper filing system. It enacted provisions from the European Union (EU) Data Protection Directive 1995 on the protection, processing, and movement of data.

The Information Commissioner's Office (ICO) is a non-departmental public body which reports directly to the Parliament of the United Kingdom and is sponsored by the Department for Science, Innovation and Technology. It is the independent regulatory office dealing with the Data Protection Act 2018 and the General Data Protection Regulation, the Privacy and Electronic Communications Regulations 2003 across the UK; and the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 in England, Wales and Northern Ireland and, to a limited extent, in Scotland. When they audit an organisation they use Symbiant's audit software.

A privacy policy is a statement or legal document that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client's data. Personal information can be anything that can be used to identify an individual, not limited to the person's name, address, date of birth, marital status, contact information, ID issue, and expiry date, financial records, credit information, medical history, where one travels, and intentions to acquire goods and services. In the case of a business, it is often a statement that declares a party's policy on how it collects, stores, and releases personal information it collects. It informs the client what specific information is collected, and whether it is kept confidential, shared with partners, or sold to other firms or enterprises. Privacy policies typically represent a broader, more generalized treatment, as opposed to data use statements, which tend to be more detailed and specific.

Personal data, also known as personal information or personally identifiable information (PII), is any information related to an identifiable person.

Information privacy, data privacy or data protection laws provide a legal framework on how to obtain, use and store data of natural persons. The various laws around the world describe the rights of natural persons to control who is using its data. This includes usually the right to get details on which data is stored, for what purpose and to request the deletion in case the purpose is not given anymore.

Data retention defines the policies of persistent data and records management for meeting legal and business data archival requirements. Although sometimes interchangeable, it is not to be confused with the Data Protection Act 1998.

A cybersecurity regulation comprises directives that safeguard information technology and computer systems with the purpose of forcing companies and organizations to protect their systems and information from cyberattacks like viruses, worms, Trojan horses, phishing, denial of service (DOS) attacks, unauthorized access and control system attacks.^{While cybersecurity regulations aim to minimize cyber risks and enhance protection, the uncertainty arising from frequent changes or new regulations can significantly impact organizational response strategies.}

HTTP cookies are small blocks of data created by a web server while a user is browsing a website and placed on the user's computer or other device by the user's web browser. Cookies are placed on the device used to access a website, and more than one cookie may be placed on a user's device during a session.

Privacy law is a set of regulations that govern the collection, storage, and utilization of personal information from healthcare, governments, companies, public or private entities, or individuals.

Privacy and Electronic Communications Directive2002/58/EC on Privacy and Electronic Communications, otherwise known as ePrivacy Directive (ePD), is an EU directive on data protection and privacy in the digital age. It presents a continuation of earlier efforts, most directly the Data Protection Directive. It deals with the regulation of a number of important issues such as confidentiality of information, treatment of traffic data, spam and cookies. This Directive has been amended by Directive 2009/136, which introduces several changes, especially in what concerns cookies, that are now subject to prior consent.

Security breach notification laws or data breach notification laws are laws that require individuals or entities affected by a data breach, unauthorized access to data, to notify their customers and other parties about the breach, as well as take specific steps to remedy the situation based on state legislature. Data breach notification laws have two main goals. The first goal is to allow individuals a chance to mitigate risks against data breaches. The second goal is to promote company incentive to strengthen data security.Together, these goals work to minimize consumer harm from data breaches, including impersonation, fraud, and identity theft.

The General Data Protection Regulation is a European Union regulation on information privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the European Union. It also governs the transfer of personal data outside the EU and EEA. The GDPR's goals are to enhance individuals' control and rights over their personal information and to simplify the regulations for international business. It supersedes the Data Protection Directive 95/46/EC and, among other things, simplifies the terminology.

A dark pattern is "a user interface that has been carefully crafted to trick users into doing things, such as buying overpriced insurance with their purchase or signing up for recurring bills". User experience designer Harry Brignull coined the neologism on 28 July 2010 with the registration of darkpatterns.org, a "pattern library with the specific goal of naming and shaming deceptive user interfaces". In 2023 he released the book Deceptive Patterns.

NOYB – European Center for Digital Rights is a non-profit organization based in Vienna, Austria established in 2017 with a pan-European focus. Co-founded by Austrian lawyer and privacy activist Max Schrems, NOYB aims to launch strategic court cases and media initiatives in support of the General Data Protection Regulation (GDPR), the proposed ePrivacy Regulation, and information privacy in general. The organisation was established after a funding period during which it has raised annual donations of €250,000 by supporting members. Currently, NOYB is financed by more than 4,400 supporting members.

The gathering of personally identifiable information (PII) is the practice of collecting public and private personal data that can be used to identify an individual for both legal and illegal applications. PII owners often view PII gathering as a threat and violation of their privacy. Meanwhile, entities such as information technology companies, governments, and organizations use PII for data analysis of consumer shopping behaviors, political preference, and personal interests.

The Data Protection Act 2018 is a United Kingdom Act of Parliament which updates data protection laws in the UK. It is a national law which complements the European Union's General Data Protection Regulation (GDPR) and replaces the Data Protection Act 1998.

Bundesverband der Verbraucherzentralen und Verbraucherverbände — Verbraucherzentrale Bundesverband eV v Planet49 GmbH (2019) Case C‑673/17 is a decision of the Court of Justice of the European Union on the consent requirement for the placement of cookies under Article 2(f) and Article 5(3) of Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (‘ePrivacy-Directive’), as amended by Directive 2009/136/EC.

References

1 2 "The EU ePR (ePrivacy Regulation)". itgovernance.co.uk. Retrieved 21 July 2022.
↑ Kayali, Laura; Manancourt, Vincent (10 February 2021). "How Europe's new privacy rules survived years of negotiations, lobbying and drama". Politico.
1 2 "Proposal for an ePrivacy Regulation". Shaping Europe’s digital future - European Commission. 10 January 2017.
↑ "Fines / Penalties". General Data Protection Regulation (GDPR). Retrieved 10 December 2020.
↑ BfDI kritisiert Position des Rats zur ePrivacy-Verordnung, Federal Commissioner for Data Protection and Freedom of Information, 2021-02-10.
↑ E-Privacy-Verordnung erlaubt Vorratsdaten und Nachschlüssel, orf.at, 2021-02-14
↑ right to object. www.privacy-regulation.eu.
↑ data protection impact assessment, art 23 - art 43, GDPR.
↑ Christakis and Propp, Theodore and Kenneth (8 March 2021). "How Europe's Intelligence Services Aim to Avoid the EU's Highest Court—and What It Means for the United States". Lawfare.
↑ Bertuzzi, Luca (6 July 2021). "New EU law allows screening of online messages to detect child abuse". Euractiv.

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[ITGov-1] 1 2 "The EU ePR (ePrivacy Regulation)". itgovernance.co.uk. Retrieved 21 July 2022.

[2] Kayali, Laura; Manancourt, Vincent (10 February 2021). "How Europe's new privacy rules survived years of negotiations, lobbying and drama". Politico.

[proposal-3] 1 2 "Proposal for an ePrivacy Regulation". Shaping Europe’s digital future - European Commission. 10 January 2017.

[4] "Fines / Penalties". General Data Protection Regulation (GDPR). Retrieved 10 December 2020.

[5] BfDI kritisiert Position des Rats zur ePrivacy-Verordnung, Federal Commissioner for Data Protection and Freedom of Information, 2021-02-10.

[6] E-Privacy-Verordnung erlaubt Vorratsdaten und Nachschlüssel, orf.at, 2021-02-14

[7] right to object. www.privacy-regulation.eu.

[8] ta protection impact assessment, art 23 - art 43, GDPR.

[9] Christakis and Propp, Theodore and Kenneth (8 March 2021). "How Europe's Intelligence Services Aim to Avoid the EU's Highest Court—and What It Means for the United States". Lawfare.

[10] Bertuzzi, Luca (6 July 2021). "New EU law allows screening of online messages to detect child abuse". Euractiv.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

v t e Privacy
Principles	Right of access to personal data Expectation of privacy Right to privacy Right to be forgotten Post-mortem privacy
Privacy laws	Australia Brazil Canada China Denmark England European Union Germany Ghana New Zealand Russia Singapore Switzerland United Kingdom United States California, amended in 2020
Data protection authorities	Australia Denmark European Union France Germany India Indonesia Ireland Isle of Man Netherlands Norway Philippines Poland South Korea Spain Sweden Switzerland Thailand Turkey United Kingdom
Areas	Consumer Digital Education Medical Workplace
Information privacy	Law Financial Internet Facebook Google Twitter Email Personal data Personal identifier Social networking services Privacy-enhancing technologies Privacy engineering Privacy-invasive software Privacy policy Secret ballot Virtual assistant privacy
Advocacy organizations	American Civil Liberties Union Center for Democracy and Technology Computer Professionals for Social Responsibility Data Privacy Lab Electronic Frontier Foundation Electronic Privacy Information Center European Digital Rights Future of Privacy Forum Global Network Initiative International Association of Privacy Professionals NOYB Privacy International
See also	Anonymity Cellphone surveillance Data security Eavesdropping Global surveillance Identity theft Mass surveillance Panopticon PRISM Search warrant Wiretapping Human rights Personality rights
Category