It won’t be long before the ePrivacy Regulation will come into force throughout the EU. ‘Isn’t the GDPR enough trouble as it is?’ and ‘What about the ePrivacy Directive that has been in force for years?‘ are just some of the obvious questions we have come across lately. It will be just as obvious that the answers go beyond a simple ‘yes’ or ‘no’. Let us try to shed some light on this issue.
Harmonization and modernization
First of all, unlike directives, a regulation has direct effect in all EU countries without the need for national laws. By issuing the ePrivacy Regulation, the EU automatically harmonizes the situation across Europe. Although the GDPR had the same aim to some degree, the exchange of electronic data needed serious fine-tuning. Roughly speaking, the ePR primarily applies to companies that are active in online communication and direct marketing using tracking technology. The ePR also specifically applies to relatively new players such as WhatsApp, Facebook Messenger, Skype, Gmail, iMessage and Viber. In other words: as of now, the so-called ‘over the top players’ are subject to the same requirements as network facilitators.
If it is up to the EU, ‘do not track’ will become the standard for browsers too. Funny enough, tests have shown that people who don’t mind being tracked in some cases receive better offerings from companies than those who prefer to stay completely untracked and anonymous. Obviously, online communication companies are faced with the challenge to reward people who also accept tracking cookies. It is important to note that, although the GDPR and the ePR are both regulations, the ePR will prevail and therefore overrule the GDPR in specific matters with regard to electronic data exchange. Remarkably enough, the interpretation of a ‘data subject’ in the ePR is broader than it is in the GDPR and includes legal entities. It may even include ‘things’ with a nod to IoT which in itself takes the discussions on AI to a whole new level.
We expect the ePR to take effect no earlier than at the beginning of 2020. There is a fair chance that some additional adjustments will have been incorporated by then, due to the lobbying by organizations like Facebook and Google. Recent research in The Netherlands showed, yet again, that over a thousand websites place tracking cookies whenever visitors ignore the cookie-wall. New legislation, and more importantly stronger enforcement, seems inevitable.