Privacy & Information Security Law Blog

On January 10, 2017, the European Commission announced the final elements of its long-awaited “digital single market” strategy for Europe. The announcement includes two new proposed EU regulations as well as a European Commission Communication, as described below.

• The first proposed EU regulation released is the new ePrivacy Regulation, which is intended to replace the existing ePrivacy Directive and align requirements with those found in the EU General Data Protection Regulation (“GDPR”). As a regulation rather than a directive, the new ePrivacy Regulation will apply uniformly across EU Member States and will not be subject to implementing legislation at the EU Member State level. As a substantive matter, the proposed ePrivacy Regulation:
  • applies to so-called “over-the-top” communications services that provide their services via Internet-based applications and were not previously included within the scope of the ePrivacy Directive;
  • restricts the use of metadata derived from electronic communications (e.g., the time and location of a call) by providers of such services, but permits use of that data with appropriate customer consent; and
  • streamlines the consent requirement found in the ePrivacy Directive regarding the use of cookies, and clarifies that consent is no longer necessary to use cookies for the purpose of improving the user’s experience (e.g., to remember the user’s shopping cart history).

• The second proposed EU regulation is focused on the handling of personal data by EU institutions and bodies (and not the private sector), and will bring the data protection requirements into line with the obligations set forth in the GDPR.
• The European Commission Communication is directed at countries outside of the EU and includes guidelines to follow when preparing data transfer frameworks (such as the EU-U.S. Privacy Shield) to ensure they comply with the requirements of EU law, in particular the requirements of the GDPR. Along with the communication, the European Commission also announced that it would prioritize discussions regarding possible adequacy decisions with key trading partners in East and Southeast Asia, including Japan and South Korea.

The next step for the proposed EU regulations is for the European Council and the European Parliament to review and amend the drafts. The drafts that emerge from this process will enter the trilogue phase where the EU institutions and Member States, acting through the European Council, will seek to negotiate and agree on the final text of the two regulations. The European Commission has announced its intention to finalize and adopt the two regulations before the GDPR becomes applicable on May 25, 2018.