News and events

Cookie Law lurking in the shadows of the GDPR


At this point, most companies and organisations are aware of the General Data Protection Regulation (GDPR) that will become applicable on 25 May 2018. The upcoming EU Regulation concerning respect for private life and protection of personal data in electronic communications (ePrivacy Regulation), on the other hand, has not received as much media attention, although it will affect a broad spectrum of stakeholders. The proposed Regulation aims to update and modernise the legislative framework concerning privacy in electronic communications, and covers a wide range of Internet activities, including cookies and direct marketing. This article provides a brief overview of the proposed Regulation.

ePrivacy Regulation versus GDPR

Much like the GDPR, the ePrivacy Regulation is part of the EU Commission’s Digital Single Market Strategy, and the Commission published its first draft in January 2017. While the GDPR replaces the Data Protection Directive from 1995, the ePrivacy Regulation will replace the ePrivacy Directive from 2002 (updated in 2009). As the legislation will now take the form of a Regulation instead of a Directive, it will be self-executing and automatically become legally binding across the EU (as opposed to Directives that require local implementation).

The GDPR concerns the privacy of personal data, while the ePrivacy Regulation covers the privacy of electronic communications data (i.e. personal and other data related to electronic communications services). The ePrivacy Regulation is lex specialis to the GDPR, meaning it complements but also overrides the GDPR in matters regarding electronic communications data that qualify as personal data.

Wide scope – both material and territorial

Like the GDPR, the ePrivacy Regulation has a wide territorial scope; it applies to the provision of electronic communications services in the EU, regardless of the location of the service provider. In other words, it covers all companies and other parties doing business in the EU.

The material scope of the Regulation is wider than that of the current ePrivacy Directive; the Regulation covers not only traditional telecommunications players but also so called “over-the-top” service providers, i.e. it covers Internet-based services such as messaging services and web-based e-mail services (Gmail, WhatsApp, Facebook Messenger, etc.), and the “Internet of Things”, i.e. machine-to-machine communications.

Cookie law

The ePrivacy Directive has often been referred to as the “cookie law”, and although the proposed Regulation does cover other matters as well, there is still some basis for the nickname. The Regulation aims to simplify the cookie landscape and make it more user-friendly.

The main rule is that consent for cookies is required, and when defining “consent”, the Regulation refers to the GDPR, which in turn states that consent must be a “freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. However, the Regulation also provides an exception to the main rule, which enables users to express cookie consent through browser settings. In addition, the Regulation states that consent is not needed for non-privacy intrusive cookies improving the user’s Internet experience, such as cookies for remembering shopping cart histories.

In practice, the new cookie rules will mean that a vast majority of cookie consent banners and pop-up windows will disappear, which most probably agree is a good thing. However, the new rules have been criticised as well, since many companies that rely on, for example, behavioural advertising, will encounter difficulties if a large number of users decide to reject all such cookies. Cookies for online advertising are not likely to fall within the scope of non-privacy intrusive cookies. Users that have rejected all cookies in their browser settings may in turn encounter problems when visiting webpages that require cookies to function.

Confidentiality of electronic communications

According to the Regulation, electronic communications data shall, as a main rule, be confidential. In other words, any listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing of electronic communications data by other persons than the end-users is prohibited.

However, the Regulation does include some flexibility. For example, it enables providers of electronic communications networks and services to process certain confidential data where necessary, e.g.,  to achieve the transmission of a communication, for network or service security or technical purposes, or with the consent of the end-user (provided the purposes for which the end-user provided consent cannot be achieved by processing anonymous data). It should be noted that such consent may be withdrawn at any time, and end-users must be reminded every six months of such possibility.

Direct marketing requires consent

As under the ePrivacy Directive, electronic communications services may be used to send direct marketing communications (such as marketing e-mails) only to natural persons that have agreed to receive such messages. However, as its predecessor, the Regulation also includes an exception to said rule, stating that when e-mail addresses are collected from existing customers in the context of a sale of a product or service, such contact information may be used for direct marketing regarding similar products or services, as long as customers are clearly provided with the opportunity to object to the direct marketing free of charge. 

Enforcement measures drawn from GDPR

According to the Regulation, the independent supervisory authority that monitors the application of the GDPR, will also monitor compliance with the ePrivacy Regulation. Moreover, end-users have access to the same remedies as under the GDPR, and the Regulation also includes similar administrative fines as provided for in the GDPR; depending on the type of infringement, the maximum fine that can be assessed is either 10 MEUR or 2 % of the total worldwide annual turnover, whichever is greater, or 20 MEUR or 4 % of the total worldwide annual turnover, whichever is greater.

Next steps

The EU lawmaker’s plan is that the ePrivacy Regulation will come into force on 25 May 2018 – at the same time as the GDPR. Given that the draft Regulation was published in January this year, the schedule has been considered rather optimistic to say the least, but the political target of May next year still stands.

The European Parliament recently voted for an amended version of the Regulation in plenary, thus triggering the beginning of trilogue proceedings and negotiations with Member States in the Council.

Since its publication, the Regulation has been criticised for both being too broad and not being broad enough, for being unclear and complicated, etc. Heavy lobbying from various stakeholders has already taken place and is likely to continue until the final Regulation is approved. Many have already started preparing for the GDPR, but since the ePrivacy Regulation has not yet been finalized, preparing for it is more difficult. Affected stakeholders should follow any developments closely.

For further information, please contact:
Anna Liinamaa

More news

Back to News and Events »