EU ePrivacy Regulation 2021
The final implementation date of the EU ePrivacy Regulation is still uncertain. Drafts of the regulation are being discussed by the member states with no final agreement in place. The regulation is intended to replace the Privacy and Electronic Communications Directive 2002. While it is reasonable to allow time to debate and perfect legislation, the continuing and unpredictable changes in data use mean that the development of this regulation is racing to keep up with changes in the environment it is trying to protect. The ePrivacy Regulation is in danger of falling behind.
With a proposed transition period of 24 months, any new regulation will not come into force until at least 2024, and that only in the unlikely event of it being approved in 2022. The regulation is well developed, with a draft full version published in February 2021.
The problem lies with agreement on the details. A statement released in March 2021 gave some indication of the state of play at the time. The EU is constrained by the very reasonable policy of not allowing the ePrivacy legislation to weaken the regulations already in place under the GDPR. Some of the areas of debate at the time (March 2021) are discussed below.
General prohibitions with narrow exceptions for personal data processing. These exceptions are being looked at to avoid loopholes that will break the spirit of the legislation. An example is the need of content providers to monitor activity as a security precaution compared to the need for data privacy of those users.
The availability of strong and trusted encryption is a necessity in the modern digital world. Any measures to weaken encryption, even for national security issues (a notion proposed by the French government), are seen as an unwelcome opportunity for fraudulent use of the systems concerned.
The need for a privacy-preserving approach regarding “take it or leave it” solutions. A common privacy solution is to offer individuals the sole choice to accept or refuse. Presenting a granular range of alternatives is preferred.
Audience measurement shall be limited to non-intrusive practices that are not likely to create a privacy risk for users. Feedback and audience participation engines should focus on low-level analytical data. It should not be possible to profile users through an analysis of responses and other related website activity.
Effective way to obtain consent for websites and mobile applications. Privacy settings should be effective and user friendly. There are worries about ‘consent fatigue’, where multiple actions are required to give or refuse consent, such as in a check-box focussed web form.
These and other issues covered by the ePrivacy Regulation need to be agreed by all the EU member countries before it can become law. In outline, very little is covered that is not already in the GDPR. The ePrivacy Regulation will serve to update and clarify some of the aspects covered by GDPR, but only if an agreement on its contents can be made in a timely fashion.