Happy birthday GDPR – but where’s the e-Privacy Regulation?

So, we approach the GDPR’s first birthday. You know what’s nice for birthdays? Fines. Really big ones. According to an article in today’s Times (paywall), significant GDPR monetary penalties from the ICO are imminent, around the 1-year mark for our new data protection regime. The Irish DPC is apparently limbering up likewise. And it also announced its investigation into Google’s Ad Exchange this week, which could develop into a very significant foray into online ad tech.

But when it comes to ad tech – and a host of other online privacy issues – the GDPR is of course only part of the picture (albeit the major part). We have for some time been awaiting the new e-Privacy Regulation, which will replace Directive 2002/58/EC and (in the UK – subject to Brexit) PECR 2003. This will apply not only to direct marketing emails, but also to other crucial aspects of the digital ecosystem, such as security of electronic communications and related metadata, and the use of cookies and similar technologies. It will of course be important for businesses to comply with both the GDPR and the e-Privacy regime (as to how they fit together, see my blog post here).

So where on earth is this new Regulation? Good question. The European Council has announced in the past few days that an agreed text is still some way off.

If you delve into the EU Parliament’s website (a nice thing today, on election day), you will find a helpful summary of the outstanding issues, as well as a bit of history of aspirational timetables. This is all accompanied by a curiously retro little graphic of (I think) a train. It hasn’t gone very far out of its shed (maybe because it doesn’t have a driver?) but there is some imagery of a track. It all has something of the flavour of Brexit transport infrastructure planning on Chris Grayling’s desktop, but I think the overall point is that things are behind schedule, as there are a number of lingering points of disagreement at the European Council level. So there is no agreed draft text for the Council to discuss with the Commission and the EU Parliament.

Sticking points appear to concern, inter alia, impacts on artificial intelligence, data retention, browser privacy settings and mechanisms for securing cookie consent, e.g. via a generic consent covering parties on ‘whitelists’. Overall: it doesn’t look like we will get the missing piece of our privacy jigsaw anytime soon, so the ‘old’ e-Privacy laws remain in place alongside the GDPR.

Robin Hopkins