Data protection laws are undergoing a significant transformation. In the UK, the key pieces of law governing data protection are the Data Protection Act (1998) and the EU ePrivacy Directive 2002 (amended 2009, 2011), which gave us the UK’s Privacy and Electronic Communications Regulations (PECR). But this is all set to change.
On 25 May 2018, the EU General Data Protection Regulation came into force. It was proposed that a new ePrivacy Regulation would be implemented on the same date, but this has now been delayed (until such time as it is enforced, PECR will still apply in the UK.)
When it does arrive, the ePrivacy Regulation will govern electronic communications, and as a regulation not a directive, it will apply directly across all member states. The overhaul of the rules is designed to ensure alignment with the stricter new privacy rules under the GDPR and to draw on key definitions and concepts used in that Regulation.
The Regulation will not only cover more traditional communications via telephone, phone and SMS; its scope will be broadened to cover instant and social media messaging services, for example WhatsApp and ‘voice over internet protocol providers’ (VoIPs) such as Skype. The European Commission also says the Regulation aims to ‘simplify’ the rules surrounding Cookies.
this is the timescale so far:
January 2017 a draft text of the ePrivacy Regulation was published.
September 2017 the European Council published proposed amendments
October 2017, a report is agreed by the EU’s Civil Liberties Committee (LIBE), in a narrow vote.
As it stands the ePrivacy Regulation proposes strict rules, which could have fair reaching consequences and some are concerned about the business impact this could have, see ePrivacy Regulation fears.
There is still some room for change as the Regulation is debated by the EU Parliament and the Council of Ministers in the ‘trilogue’ negotiation stage.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance to the Data Protection Act 1998 or other statutory measures referred to in the document.