For the past three years, the EU has been debating the revision of the e-Privacy rules. Recently, there seems to have been a breakthrough and new legislation is looking increasingly more likely. This legislation will impact all EU27 countries. The rules will cover data rules that will look at the tracking of online activity via cookies as well as the inclusion of provisions to detect child pornography.

To recall, the overall objective of the regulation is to ensure that online communications guarantee the same privacy protection standards as those afforded to traditional telecom communications, and it details the conditions under which service providers can process electronic communications data. In addition, it also seeks alignment between the rules for electronic communications services and the new standards of the EU's General Data Protection Regulation (GDPR).

State of play & divergences between EU decision-makers

Discussions on e-Privacy rules have remained stalled due to disagreements in key issues such as privacy settings or the legal grounds for data processing, among others. Finally, in February 2021, EU Member States managed to adopt a position that seems to strike a good balance between solid protection of the private life of individuals and, foster the development of new technologies and innovation. However, several Member States expressed their disagreement, with Germany, aiming for a more privacy-oriented approach, and France, pushing for granting more discretion to public authorities to retain and use data.

The EU27 will now start negotiations with representatives from the European Parliament, which supported more privacy-oriented provisions. Consequently, members of the European Parliament have already been vocal indicating that negotiations will not be easy, reflecting scepticism as regards the new more industry-oriented text, given that previous ones did not do enough to protect fundamental rights, allowing exceptions for companies for advertising or reducing the level of data protection, among other ways through data retention. Nevertheless, there seems to be a willingness to reach a compromise agreement between both institutions.

The upcoming negotiations will be closely followed by the industry, as they will among other reasons, look to ensure that the pro-business provisions included in the text will survive throughout the negotiations. It is particularly important for the technology sector that the provisions on processing metadata and terminal equipment (i.e., telephones, computer terminals, workstations) remain aligned with what is already in the GDPR.

Similar to what has happened with the GDPR, the new EU privacy rules could have a global dimension as by providing a higher level of protection, they could be taken as a reference point in other jurisdictions when designing or updating their privacy rules.

Comparison with data privacy rules in the US & China

 

 

 

 

The GDPR is one of the main pillars of the data protection legal framework in the EU and together with the e-Privacy Directive, they ensure the highest level of data protection for EU citizens.

The current e-Privacy directive builds on the EU telecoms and data protection frameworks to ensure that all communications over public networks maintain a high level of data protection and of privacy. Its current revision might bring even higher protection standards.

Background pattern

Description automatically generated

 

 

 

The United States (US) legislates data privacy differently from the EU and does not have comprehensive data protection law like GDPR in place.

It presents a fragmented data protection framework, where there is not one single regulation at national level but rather a variety of federal and state laws that aim to protect a citizen’s privacy and online data.

Overall, the US system seems to allow cross-border data flows unlike the EU’s approach which tends to be more restrictive when it comes to data flows. Another divergence from the EU’s system consists of the constitutional protection given to personal data and privacy in the EU, where they are considered fundamental rights. There is no equivalent protection in the US.

 

 

 

 

China recently released its draft of the Personal Information Protection Law for public consultation. Importantly, the draft contains many provisions that seem to be inspired by the EU GDPR.

Although there have been some advancements in this field, there is no law of general application that specifically addressed data protection.

It remains to be seen what the outcome of the consultation would be but, while China may adopt some provisions from the EU’s model it may also seek to protect the interests of its tech giants. This may result in a mixed approach between the EU and the US models.


The outcome of the negotiations will be important given that, as it has happened with the GDPR, other jurisdictions may take the EU rules as an inspiration or even mirror them when legislating on privacy-related aspects.
While the final outcome of the negotiations is far from certain, if and once an agreement is reached, Member States will have to implement the regulation as it stands. The impact of the regulation will be significant as it will apply to direct marketing sent over electronic-communication networks, which is an activity most companies engage in, and potentially could drive up compliance and marketing costs for businesses that rely on big data.

The e-Privacy regulation provides opportunities to engage with the EU decision-makers leading the debate as well as the ones influencing the debates it will trigger in other jurisdictions.

If you feel we can be of support, then contact us today by emailing us directly at gurpreet.brar@edelman.com and laura.armenteros@edelman.com