ePrivacy Regulation

The ePrivacy Directive (Directive 2002/58/EC), also nicknamed the “Cookie Directive” because of its rules on storing and accessing data on a users’ device, such as so-called Internet cookies, is a directive primarily regulating the processing of personal data in the electronic communications sector, i.e. by telecommunications providers. 

The ePrivacy Directive (ePD) is essential to the digital advertising industry because of its rules on cookies. Cookies play an important role in websites delivering a personalised experience, including relevant advertising. The ePrivacy Directive stipulates that member states must create rules that require website operators to inform the user concerned about the use of cookies and obtain their consent to use (most) cookies. 

The Commission wanted to repeal and replace the Directive with an ePrivacy Regulation, therefore, the ePrivacy Regulation was published by the European Commission on 10 January 2017. IAB Europe released its first position paper on the proposal for an ePrivacy Regulation on 13 July 2017 and its latest in April 2021.

As a matter of EU law, Regulations can be relied upon directly by citizens, meaning that the EU Member States no longer have a role in interpreting its application to fit within their national legal order.

At the European Parliament, the Committee in charge of the file is the LIBE Committee and its shadow rapporteur is MEP Birgit Sippel from S&D. Following the ordinary legislative procedure for this file, the European Parliament (EP) adopted its report in October 2017. 

On 10 February 2021, the Council of the EU signed off on its version of the ePrivacy Regulation, marking the beginning of negotiations with the European Parliament on the final text of the Regulation. The agreement constitutes a significant milestone toward getting an updated regulation in place. 

Whereas, the current form proposed Regulation does no longer include the text that would mandate browsers and other software providers to provide the option to prevent data collection through cookies et al. actively and to force users to choose as to their privacy preferences during installation. The absence of this provision (Article 10) may still be obfuscated by similar language in the Council text, which in practice reinstates the removed Article 10 provision. 

The proposal has also been an opportunity for the European Parliament to try to include consent as a condition for accessing a service. The European Council adopted a very opposite position by recognising the rights for ‘services provided in accordance with the freedom of expression and information including for journalistic purposes’. There is a great diversity of ad-funded content and outlets made available to users and submit that all online media are primarily financed through advertising. This underscores the importance of so-called conditionality for the continued sustainability of online media businesses. 

For more information on the political and legal aspects of the proposal, check out IAB Europe’s ‘Cookie Regulation FAQ’, along with IAB Europe’s (updated: April 2021) position paper on the proposed ePrivacy regulation below.

Q: What is the ePrivacy Regulation?

A: The ePrivacy Regulation is a proposed law of the European Union to replace the existing ePrivacy Directive. The directive is usually referred to as the Cookie Directive, as it requires websites to ask users for their consent to the use of cookies and similar identifiers. As a Regulation, the new cookie law will be directly applicable in its entirety without the need for the Member States to enact national laws transposing the rules. This means that there will only be one cookie law in the EU without any national margin for discretion when implementing the rules. Directives, on the other hand, have to be implemented at the national level by the governments of each EU Member State. 

Q: What else is new under the ePrivacy Regulation?

A: 

  • The ePrivacy Regulation include new players, providers of electronic communications, ensuring that these services have the same level of confidentiality of communications as traditional telecoms operators.
  • The fact that it is a Regulation and not a Directive will ensure the same rules and level of protection among the entire EU.
  • Both communications content and metadata are protected.
  • Whereas, the current form proposed Regulation does no longer include the text that would mandate browsers and other software providers to provide the option to prevent data collection through cookies and to force users to choose as to their privacy preferences during installation. The absence of this provision (Article 10) may still be obfuscated by similar language in the Council text, which in practice reinstates the removed Article 10 provision. 

Q: When will this become law? How does the lawmaking process work?

A: An agreement must now be found between Members of the European Parliament and Member States’ governments in the Council of the European Union, both of whom can make changes to the proposed text. This procedure is known as the Ordinary Legislative Procedure. A compromise between the two co-legislators will be reached informally in so-called trilogue negotiations between representatives of the Council and the Parliament with input from the Commission.  

The file was assigned in the EP to the Civil Liberties Committee (LIBE), presenting the report in June 2017 and adopting by the EP in October 2017. Since then, Birgit Sippel (S&D) took over as responsible, she was again re-appointed in 2019.

The discussions in the Council have been going on for four years and since September 2017 has been publishing several redrafts of the proposal. The newest draft version was released by the Portuguese Presidency in January 2021 and in February 2021 the Member States agreed on a mandate for negotiations with the European Parliament. The agreement constitutes a significant milestone toward getting an updated regulation in place. 

Q: What’s a trilogue negotiation?

A: Trilogue negotiations occur after both the Parliament and the Council have prepared their initial positions. Due to time limits which apply only later during the ordinary legislative procedure, the co-legislators usually seek to come to an informal agreement before the Parliament and the Council formally vote on a proposal for the first time. After the Parliament and the Council vote on a draft law for the first time, strict time limits will apply for the second and third rounds of votes.

For this reason, the representatives of the co-legislators meet with representatives from the Commission informally to agree before this part of the process.

Q: Who gets to have a say during the legislative process?

A: In the Parliament, the Committee on Civil Liberties, Justice and Home Affairs (LIBE) took the lead on the draft ePrivacy Regulation. The center-left group of Socialists and Democrats in the European Parliament secured rapporteurship on the file. The group appointed the MEP Birgit Sippel, as shadow rapporteur. Following the ordinary legislative procedure of this file, the European Parliament (EP) adopted its report in October 2017.

In the Council, the proposal is being dealt with by the In the Council, the proposal is being dealt with by The Transport, Telecommunications and Energy Council configuration (TTE) and ultimately voted on by national ministers in the Transport, Telecommunications and Energy Council configuration. The Council, on 10 February 2021, signed off on its version of the ePrivacy Regulation. This signing off meant the beginning of the negotiations with the European Parliament on the final text of the regulation. The agreement constitutes a significant milestone toward getting an updated regulation in place.

Q: When can we expect the co-legislators to reach a compromise? Are there any deadlines that have to be met?

A: The debate on this draft law has been contentious with many different interests having to be balanced, which have slowed down the process. On 5 January 2021, the Portuguese Presidency released a new draft version of the proposed ePrivacy Regulation. On 10 February 2021, the Member States agreed on a mandate for negotiations with the European Parliament. This signing off meant the beginning of the negotiations with the European Parliament on the final text of the regulation. 

There are no official deadlines, once an informal agreement has been reached, it still takes time for the law to be drawn up in each of the languages, and for the co-legislators to formally vote on the law. 

 

Lines (1)