What is the Regulation and why is it deemed necessary?
The Regulation is a draft EU legislative instrument which is intended to replace the Privacy and Electronic Communications (EC) Directive 2002/58/EC (the Directive) which is implemented in the UK through the Privacy and Electronic Communications (EC Directive) Regulations 2003, SI 2003/2426.
The European Commission’s intention in bringing forward the Regulation is to ‘reinforce trust and security in the digital single market’ by updating the legal framework on ePrivacy. This step is part of the European Commission’s project to modernise the EU’s data protection framework. It will also make the ePrivacy legislation consistent with the provisions of the General Data Protection Regulation (EU) 2016/679 (GDPR). The GDPR sets out a broad framework for the
processing of personal data. The Regulation, by contrast, sets out specific rules for the processing of personal data in the context of electronic communications.
Examples of the changes which the Regulation makes include removing breach notification requirements as these are now covered in the GDPR, consistency of the fines regime with the GDPR (up to 4% of annual worldwide turnover), harmonising cookie consent rules throughout the EU and creating slightly wider exemptions (for example in the context of analytics), harmonising and broadening the communications data processing rules and harmonising direct marketing consent requirements.
What is the current status of the draft legislation?
The European Parliament set out its position on the Regulation in October 2017. However, the Council of the EU, which is made up of ministers of the Member States, has not yet come to a position on the legislation. The Regulation cannot be adopted until the Council of the EU has come to a position and the Council of the EU and the European Parliament have agreed on a text.
The European Parliament is due to hold elections on 23–26 May 2019 and will thereafter appoint a new European Commission, which will begin its term of office from 1 November 2019. It is therefore likely that any adoption of the Regulation will not take place before 2020. It is also possible that the new European Parliament will decide not to continue negotiations on the Regulation and the instrument will fall. The more likely outcome, however, is that the new European Parliament picks up where the previous European Parliament left off, and the Regulation will eventually proceed to adoption.
When is it likely that Regulation will be adopted and come into force?
If the Regulation is adopted, it will come into force after a few days. However, the coming into force date is different from the date from which the legislation applies. It is only from the date of application that the Regulation would become enforceable law. The latest draft text from the Council of the EU says that the Regulation will apply two years from its coming into force date. However, the European Parliament will need to agree the timeframe. Their draft of 2017 envisaged a much shorter time before the legislation would apply.
Has the UK government indicated its position on ePrivacy?
The government has welcomed the opportunity to update the Directive, to address technological developments and the evolving digital landscape. The government’s central policy aim is to ensure that the proposals protect the confidentiality of electronic communications while still encouraging digital innovation. In terms of the relevant timeframes, the government considers that due to the importance of the Regulation, the quality of the text should be prioritised over speed.
Which ePrivacy rules will apply in the UK after Brexit?
If the UK leaves the EU without the withdrawal agreement in place, SI 2003/2426 will be retained in domestic law by virtue of section 2 of the European Union (Withdrawal) Act 2018 (EU(W)A 2018). SI 2003/2426 will continue to be interpreted in the same way as it was before the UK's exit from the EU subject to any subsequent amendments (see below).
Domestic and EU case law that applies to the legislation will also continue to be relevant (EU(W)A 2018, s 6(3)). Amendments will be made to SI 2003/2426 under the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations to ensure that they continue to operate effectively after the UK's withdrawal from the EU.
If the Withdrawal Agreement is approved and enters into force on the UK’s exit from the EU, then EU law will continue to apply to the UK during the transition period (currently due to last until 31 December 2020, although it is likely that it could be extended to either December 2021 or December 2022). If the Regulation applies (as opposed to merely coming into force) during the transition period, it will become UK national law automatically, by virtue of section 2(1) of the European Communities Act 1972. This provision enables EU regulations to flow directly into UK law without further implementation and will be retained in domestic law through the European Union (Withdrawal Agreement) Bill which will be introduced if Parliament approves the Withdrawal Agreement, in order to implement it.
At the end of the transition period, if the Regulation is indeed applicable in the UK, the provisions of EU(W)A 2018 will come into force at that point in order to save the Regulation and turn it into domestic law.
Is it too early for businesses to be preparing for change?
Yes. The text of the Regulation is far from agreed at EU level. In all likelihood, given the upcoming European Parliamentary elections and change of the European Commission, the final text of the Regulation will not be agreed until 2020. At that point businesses should start preparing, but there may be a long lead in time as there was with the GDPR before the Regulation actually applies.
It is also possible that the Regulation will never become law in the UK if its date of application falls after the end of the transition period. If the UK exits the EU without a deal, then the Regulation will not apply to the UK either, although the adoption of substantially similar rules may be necessary in order for the UK to gain an EU adequacy decision.
Eleonor Duhs advises on GDPR and ePrivacy law. Prior to joining Fieldfisher, Duhs worked as a senior government lawyer. She was the UK government’s lead lawyer in negotiations on the GDPR. While working in the Department for Exiting the European Union, she was the legal lead on the provisions of EU(W)A 2018. She also led on aspects of the Withdrawal Agreement and the framework for the UK-EU future relationship.
This article was first published on Lexis®PSL TMT on 21 March 2019