GSB 7.1 Standardlösung

Navigation and service

E-Privacy Regulation

E-privacy is the common term in connection with the handling of personal data on the Internet and the associated protection of privacy. The e-Privacy Directive governs data protection in electronic communication. A new e-Privacy Regulation is currently being negotiated at EU level.

blue glowing lock and next to it are digital lines
Source: Getty Images International

The European legislator has decided to replace the Data Protection Directive for Electronic Communications (so-called E-Privacy Directive) with an e-Privacy Regulation. After the German legislator had to implement the European requirements of the E-Privacy Directive into the Telecommunications Act (TKG) and the Telemedia Act (TMG), a regulation applies directly in the Member States.

The Regulation aims at approximating the rules on electronic communications to the General Data Protection Regulation (GDPR), without exceeding the provisions of the GDPR. Particularly noteworthy is the extension of the scope of the e-Privacy Regulation to so-called over-the-top (OTT) communication services. These include, for example, Voice over IP (VoIP) services such as WhatsApp and Skype, which in their function correspond to the “classic” voice telephony and SMS services. The BfDI welcomes the inclusion of these services in the new Regulation because this guarantees confidentiality of communication also for OTT services. The Regulation is also intended to formulate more precise rules for the setting and use of cookies on websites and the tracking of users.

At the beginning of the legislative process, it was envisaged that the e-Privacy Regulation would enter into force with the GDPR on 25 May 2018.The European Commission presented a draft e-Privacy Regulation on 10 January 2017 and the European Parliament’s lead LIBE Committee adopted its position on the proposed Regulation on 26 October 2017. However, negotiations in the Council of the EU have not progressed decisively since mid-January 2017. Even under the German Presidency, no agreement was reached in the Council in the second half of 2020. However, on 10 February 2021, the representatives of the Member States in the Council were able to agree on a common position after more than four years of negotiation. The EU legislator has thus taken a major step forward in the planned adoption. With a common position by the Council, the so-called trialogue negotiations between the European Parliament, the Council of the EU and the European Commission can now finally begin. However, the positions of the Council and Parliament differ widely, so that a final agreement and adoption is likely to be expected at the earliest in 2022. After the entry into force of the Regulation, a 24-month transition period is currently foreseen before the Regulation can be applied.

The BfDI has initially successfully campaigned against the Federal Ministry for Economic Affairs and Energy to ensure that regulations on data retention and on the further processing of communication metadata other than for the intended purpose and without the end-users’ consent were deleted in the Draft Regulation. Unfortunately, both points were reintroduced in the text of the Regulation under the Portuguese Presidency and adopted by the Council on 10 February 2021. Furthermore, the BfDI’s concerns about the general reduction of the level of data protection remained unheeded. The same was true for his request to entrust in an obligatory manner the data protection authorities with the data protection supervision on compliance with the e-Privacy Regulation, which is in accordance with the Commission’s draft. Thus, in some Member States, there is a risk of fragmentation of the supervisory landscape and of additional, unnecessarily complex coordination mechanisms between the various supervisory authorities in the European Data Protection Board (EDPB). This will make it more difficult to enforce data subjects’ rights.

The BfDI now hopes that in the trialogue negotiations, the European Parliament will be able to push for deleting again the regulations introduced by the Council, which are hostile to data protection, or at least for making them more data protection friendly. He will continue to advocate this objective in the context of his participation in the respective votes on the German position within the Council of the EU.