What is happening with the EU ePrivacy Regulation?

11 Oct 2018

Image: © Grecaud Paul/Stock.adobe.com

GDPR enforcement last May meant privacy officers had a lot on their plates, but the mysterious ePrivacy Regulation is set to make more changes.

While it may seem like the introduction of GDPR happened yesterday, the spectre of the as yet unenforced ePrivacy regulation is still casting a shadow for many enterprises, particularly marketers.

Siliconrepublic.com spoke to Alex van der Wolk, privacy and data security partner at Morrison & Foerster, about the progress (or lack thereof) of ePrivacy.

Many people may not have heard much about ePrivacy, considering the omnipresence of GDPR in recent months, but the concept of it dates back a long time. “It is not new at all. We have had general data privacy laws dating back to 1995, which have been superseded by GDPR. ePrivacy was originally enacted [as a directive] in 2002 and the whole concept of what it is about dates back to then.”

In a broad sense, the ePrivacy Regulation draft is a response to the technological developments of the last decade and a half.

Why now?

So, if it is not new and we already have GDPR, why the push to create an ePrivacy regulation? Since 2002, technology and business communications have changed immensely and the draft regulation includes provisions tackling electronic communications and internet tracking in broader terms, including direct digital marketing and tracking cookies.

Van der Wolk said that until the regulation is finalised, the true scope of the ePrivacy rules are difficult to discern. He said: “It looks very likely they [EU lawmakers] will broaden the scope of the opt-in consent for marketing messages. Originally it was email and fax and over the years some countries said, ‘OK, let’s broaden it out to include SMS.’”

It may make direct communication with customers a little more tricky. “The state of technology is developing so fast; we have messenger, we have WhatsApp, it’s very likely they will come out with wording that will say, ‘If you use that kind of direct-to-user communication system for marketing purposes, it is likely consent will be needed.’”

He added that many firms are unhappy with the proposed directive. “When it comes to marketing, companies are viewing these requirements as conversion killers.” New rules around spam and consent would mean email marketing would have to undergo major changes, and enforcement would be much stricter under a regulation than the existing directive.

No clear consensus as of yet

As far as a consensus on the provisions in the draft regulation goes, there is no clear sign that has been reached. Industry lobbying from marketers and staunch privacy advocates alike means delays are plaguing its journey. The EU Parliament elections next year throw a further spanner in the works.

Van der Wolk noted that despite the relative quiet on the issue from the EU, many firms are using post-GDPR momentum to try and prepare for ePrivacy – a difficult task when the regulation is still not set in stone. “Companies are rightfully saying, ‘How can I put effort into something that’s not finalised yet?’”

When it comes down to the ‘million-dollar question’ of a potential timeline for its enforcement, Van der Wolk said: “The true and honest answer is, we have no clue at all.”

Three bodies need to agree – the European Parliament, the European Commission and the European Council. This is something of a tall order, considering the vigorous lobbying coming from both sides. Giovanni Buttarelli said ePrivacy is “the essential missing piece of the jigsaw” for the privacy strategy of the bloc. It remains to be seen when it will be put in place.

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects