To be clear from the outset: 2021 won’t be boring, given that several important topics are currently on Brussels’ desks.

One long-running topic is the ePrivacy Regulation. The draft law is currently being voted on by the European Council, whose presidency was held by Germany for six months until December 2020 and which has now been handed over to Portugal.

In November last year, Germany presented proposed amendments to the draft law to the Member States. This draft is yet another attempt to bring the discussion about the regulation – which has been ongoing since 2017 – to a close. The regulation was actually supposed to enter into force together with the GDPR in 2018. In the meantime, it has become clear that the German proposal has also failed to gain approval and that negotiations will continue this year.

What is the ePrivacy Regulation actually about?

The aim of the regulation is to further concretise the GDPR and to replace the outdated ePrivacy Directive and the Cookie Directive.

In terms of content, the regulation deals in particular with the protection of personal data in electronic communication. The regulation is to apply to every company that offers any form of online communication service, uses online tracking technologies, or conducts electronic direct marketing.

Users must individually and demonstrably consent to cookies, and promotional emails may only be sent after prior consent. What’s more, exemptions from this are being heatedly and contentiously debated.

But take note: Following a landmark ruling by the ECJ in October 2019, senders of promotional emails have already had to adapt their websites or also their newsletter registration forms to the effect that they may not (any longer) use default settings for cookies.
The ePrivacy Regulation also aims to restrict offline tracking, which to date has not been explicitly regulated. This includes the use of data sent from devices such as smartphones for network connectivity purposes. Such data is required by radio standards such as WiFi or Bluetooth in order for devices to establish and maintain connections with each other. The collection of such data can also be used to enable the sending of personalised messages to end-user devices. Currently, the draft envisages that data may be used exclusively for statistical analysis, as long as it is provided with an opt-out solution for the user.

And where do we go from here?

The Member States will continue to discuss the draft regulation in 2021. In the event that the negotiations lead to the adoption of the regulation, it would also only come into effect with a two-year transition period, in order to give the industry the opportunity to adapt their processes to the new requirements.