– To complement the General Data Protection Regulation finalised earlier this year, today (10 January 2017) the European Commission published a proposed regulation to replace the 2009 ePrivacy Directive. As the draft proposal that was recently leaked indicated, the directive is indeed being replaced by a regulation. According to the Commission, having one set of rules through a regulation instead of 28 national implementations of the directive will significantly increase legal certainty for businesses while ensuring that all people and businesses in the EU will enjoy the same level of protection for their electronic communications.
In addition to adapting the ePrivacy rules to complement the General Data Protection Regulation, the scope has been expanded to cover new internet-based providers of electronic communications services in contrast to the current ePrivacy Directive which only applies to traditional telecoms operators.
The rules on cookies in the proposed regulation is a game-changer that will dramatically alter how websites and browsers operate. While the current ePrivacy Directive provides little details on whether websites need to seek consent on the usage of cookies, case law and guidance by member state data protection authorities have generally established that browser privacy settings are not sufficient for expressly granting consent to the usage of cookies. The proposed regulation changes this drastically by creating new rules for browsers and the usage of tracking technologies.
The Commission stated however when revealing the proposal that no consent is needed for non-privacy intrusive cookies including “cookies set by a visited website counting the number of visitors to that website” as well as cookies that are essential for the proper functioning of a website (e.g. to remember shopping cart history). The possibility to ensure the functioning of a website without the need for explicit consent supports browser-implemented “Do Not Track” functionality provided for by some browsers (but which is currently almost universally ignored by websites) by ensuring that it is not necessarily a binary choice between accepting cookies or be unable to use a website but rather a choice whether to accept being tracked.
The Commission is urging the European Parliament and Council to work swiftly on the proposal in order for it to be adopted by 25 May 2018 when the General Data Protection Regulation comes into force.