The draft e-Privacy Regulation had a fairly adventurous journey in the last 4 years, following the publication of its first version by the Commission in January 2017. Dozens of versions of the regulation have been prepared during the successive EU presidencies, but no consensus has been reached between Member States. However, the Portuguese Presidency, which took office this year, has succeeded in speeding up the process. Already in early January, their first draft text was published, followed by a new version at the end of January and finally, an agreement on the draft e-Privacy Regulation was reached between Member States on 10 February.
What's next?
The compromise regarding the text of the e-Privacy Regulation reached in the Council is a significant step forward (preceded by 4 years of conciliation), but it is not the end of the process, as the final text must now be agreed with the European Parliament. The proposal has already been discussed before the Parliament, since the Parliament's Committee on Civil Liberties and Justice (LIBE) gave an opinion and made textual proposals the the draft.
The Portuguese Presidency has therefore been authorized by the Committee of Permanent Representatives of the Member States to the Council (COREPER) to open negotiations with Parliament on the final text. The task will not be easy in many respects, since, as the negotiations between Member States show, there are a number of interests and perspectives on the creation of the "little brother of GDPR". The difficulties are also illustrated by the fact that the draft that has just been adopted is already being criticized (e.g. by the BfDi, the German federal data protection authority).
What could be the points of discussion during the finalization of the text?
In fact, the adoption of the e-Privacy Regulation has been hampered by some issues that may also cause severe discussions in the next phase as well. Topics for such further discussion may include in particular:
- Provisions for the processing of electronic communications metadata, especially the cases when compatible further processing is allowed.
- Rules for the protection of data stored on and related to end-user terminals (including the regulation of cookies and other technologies for monitoring end-users' online activity).
When should the new rules apply?
According to current plans, if the final version of the regulation is adopted, it would enter into force on the 20th day after its publication and become applicable two years later (similar to the solution applied in case of the GDPR, which also provided 2 years of preparation for the new legislation). It can be seen, that - although the e-Privacy Regulation may have come closer to its approval and application than ever before - it may be a long time before the new rules can actually be applied (at the earliest in 2023, according to the current status). On the basis of the negotiations that are beginning between the Council and Parliament, we will perhaps see how sharp a confrontation can develop on certain subjects, and this can also help to predict more precisely the timetable for the application of the new rules.