The GDPR entered into force late last month, but that doesn’t mean the European Union's mission to protect online privacy has stopped.
The relatively unknown e-Privacy Regulation (ePR) is the next step in Europe’s larger effort to harmonize data protection across all Member States. Set to replace the ePrivacy Directive, the so-called “Cookie Directive,” the proposed ePR protects the confidentiality of communications content across all technological platforms. It covers any direct interactive exchange across an electronic communications network, including machine to machine communications and communications metadata. The ePR has global territorial reach, implicating businesses around the world that provide service to Europeans by restricting the processing, storing, and sharing of user data – including ancillary and “over-the-top” providers.
This post explains how the lesser known ePR fits into Europe’s new privacy regime and how the ePR updates existing cookie tracking rules.
- ePR and GDPR
Much of the surrounding discourse relates to uncertainty as to how ePR coincides with the GDPR. Though both laws have strict consent requirements for user data, the GDPR regulates personal data while ePR regulates communications content, whether the data is personal or not. Understandably, there is some confusion as to how content of electronic communications will be governed when it simultaneously fits within the GDPR’s definition of personal data.
There are three ways that the latest draft of ePR addresses this overlap:
- First, ePR functions as “lex specialis,” to the GDPR, a term which means that when two laws could apply simultaneously to one situation, the more special or specific of the two will govern. Here, ePR is the law that governs whenever both it and the GDPR could theoretically apply to an electronic communications content because the GDPR is a general privacy regulation and the ePR is specific to communications privacy.
- Second, ePR “particularize[s] and compliment[s]” the GDPR by governing all personal data contained in an electronic communication, while the GDPR covers all other forms of personal data not specifically addressed by ePR. For example, if you include your address in an email, it constitutes personal data governed by ePR because it is part of an electronic communication. Meanwhile, the same address would be governed by the GDPR in the context of being on file with your doctor’s office because there it constitutes personal data that is not part of an electronic communication.
- Finally, ePR content protections only extend to communications in transit, so that once a communication reaches the recipient, any personal data contained therein is protected by the GDPR. In other words, once an email reaches the recipient’s inbox, the personal information contained therein goes from ePR protections to GDPR protections.
- The Cookie Provision
The former e-Privacy Directive, or “Cookie Directive,” that required consent for websites to store or access information from a visitor’s device, infamously littered European websites with annoying consent pop-ups. The ePR touts the same privacy protections without the infernal notifications.
Except for “non-privacy” related cookies, ePR prohibits the tracking, storage, and processing of information from users’ devices without their consent. Building off of the Cookie Directive, ePR maintains these consent rules but streamlines the provision so that consent for cookies can be tracked through software and user browser settings instead of individual websites. Plus, consent for one website’s cookies will extend to subsequent revisits to the site.
Interestingly, though, ePR does not prevent website providers from requesting user consent for cookies irrespective of privacy settings. While obtaining or giving consent may be made easier by new tracking methods, it’s unclear just how much these options will reduce the frequency pop-ups.
The bolstered cookie provision acts like a not-so-subtle jab at companies whose revenue streams rely heavily on third-party data sharing practices. For example, ePR requires browser privacy settings to include relevant information about the risks associated with third party cookies, long-term browsing history records, and their use in targeted advertising.
Despite ePR’s intent, a major exception to the cookie provision could mean business as usual:
A website may condition user access to content on consent for cookies so long as the condition is not “disproportionate” to the user’s real choice.
So, for websites that provide necessary public services and that condition access on consent, the condition would be disproportionate to choice because it would force people to choose between, say, paying your electric bill and having your data tracked. But in the case of most businesses today, users have plenty to choose from. If you don’t want to give an electronic commerce platform the power to track your online history, then take your business elsewhere (like literally any department store’s website). This means that, potentially, popular online platforms may nonetheless be able to store cookies on user devices absent consent.
What’s Next:
To bring ePR into force, the European Parliament and the Council of the European Union must each deliberate to a final position on the proposed law. Although the Parliament reached its opinion and adopted a legislative draft in October 2017, the Council’s 28 Member States have yet to reach their common position. In lieu of outside pressure and meetings scheduled throughout the month, there’s a chance that negotiations for a final version of the law will begin this summer, putting ePR on track to be finalized by the end of 2018 or by early 2019.
Like the GDPR, the ePR will likely affect company's practices beyond Europe. Public Knowledge will keep tracking the ePR closely to critically understand how it impacts American consumers and what elements of it, if any, should be incorporated to a much necessary American comprehensive privacy regime.
Image credit: Alpha Stock Images