• news-banner

    Expert Insights

ePrivacy Update

The draft ePrivacy Regulation has been talked about for almost as long as the GDPR itself. Initially, there was even consideration of it entering into force at the same time as the GDPR (back in May 2018). Those timings have obviously slipped. There are various sticking points, but the overall issue is that any new law that looks to impact the European digital economy (a key potential source of economic growth across the block) is always going to be sensitive for Member States (and other stakeholders). As such, it is no surprise that draft remains in stalemate within the European Council (the body that comprises Member State government representatives).

By way of update on where things currently sit, on 5 January 2021, the Council of the European Union, under the 6 month Council presidency of Portugal (which lasts from 1 January 2021 until 1 July 2021, when it will pass to Slovenia) released a new, draft version of the ePrivacy Regulation – the 14th draft to date!

One key theme to address is what the text says about businesses’ ability to rely on a lawful basis other than consent in order to process electronic communications’ metadata and place cookies, or similar technologies, on end-user’s terminals (i.e. devices).

The law as it stands (under the ePrivacy Directive and implementing national legislation) is fairly restrictive, requiring the end user’s GDPR compliant consent subject to a few exemptions (generally where the activity is strictly necessary) in order to place a cookie. By way of reminder, this is why we see so many cookie banners on websites these days!

Various drafts of the ePrivacy Regulation since 2017 have gone backwards and forwards loosening or tightening these restrictions. Critics of the consent approach have long argued that the mechanism does not achieve its aim of protecting the privacy of individuals and instead creates frustration and ‘consent fatigue’ amongst individuals. They maintain that other lawful bases should also be made valid.

An earlier draft of the regulation had inserted legitimate interest as a lawful basis to process data, however, this was largely withdrawn during the recent German presidency (which lasted from 1 July 2020 until 1 December 2020) and remains absent from this draft. The current draft does, however, introduce the prospect of relying on the lawful basis of “performance of a contract”.

There are various other amendments which will be considered in detail by the Council over the next 6 months, although it is too early to tell whether this draft will be any more likely to secure the support of the other Members States. Of course, it remains a further open question as to whether the UK would seek to mirror the ePrivacy Regulation under UK law post-Brexit, or whether this will be one of the first areas where we see real divergence.

We will keep you posted.

Our thinking

  • Delay of the new food and drink ads regulation & impact on live sports broadcasts

    Sarah Johnson

    Insights

  • Understanding the Data (Use and Access) Act 2025: Implications for UK Businesses

    Janine Regan

    Insights

  • Why Getty Images v Stability AI Judgment Will Not Answer Our Key Questions

    Nick White

    Insights

  • Liz Gifford, Janine Regan and Courtney Benard write for New Law Journal on an amendment to the Data (Use and Access) Bill which will allow UK charities to send direct marketing emails to supporters without prior opt-in consent

    Liz Gifford

    In the Press

  • Extra Time: Legal and commercial insights into sponsorship agreements

    Anna Sowerby

    Podcasts

  • Bloomberg quotes Richard Davies on the relationships between football clubs and their investors and shareholders

    Richard Davies

    In the Press

  • Sparkling Opportunities: Unveiling the growth and tips for investment into the English sparkling wine industry

    Iwan Thomas

    Insights

  • Navigating International M&A Disputes: Insights and Strategies for 2025

    Stephen Burns

    Quick Reads

  • Rebecca Steer writes for Drapers on how retailers can prepare for upcoming cyber legislation

    Rebecca Steer

    In the Press

  • Rebecca Steer writes for Infosecurity Magazine on the UK's new Cyber Security Bill

    Rebecca Steer

    In the Press

  • Detailed analysis of new Government guidance for businesses on Modern Slavery Act section 54 statements

    Kerry Stares

    Insights

  • Unlocking Opportunities: Introduction of the Re-domiciliation Regime in Hong Kong

    Shirley Fu

    Insights

  • UK Cybersecurity and Resilience Policy Statement April 2025 - Impacts for Managed Services Providers and Data Centres

    Mark Bailey

    Insights

  • Mastering Claims Against Estates: A Guide to Debt Enforcement in Switzerland

    Remo Wagner

    Quick Reads

  • The Economic Times interviews Kim Lalli on the UK-India Free Trade Agreement

    Kim Lalli

    In the Press

  • The new UK-India Free Trade Agreement – a significant development for both nations

    Kim Lalli

    Quick Reads

  • Token2049 week - what's on the horizon?

    Racheal Muldoon

    Quick Reads

  • Rebecca Steer writes for Artificial Lawyer on GenAI, copyright and the future of innovation

    Rebecca Steer

    In the Press

  • Computing quotes Gareth Mills on a major antitrust case involving Google

    Gareth Mills

    In the Press

  • Charles Russell Speechlys advises long standing client Puma Growth Partners on its investment in LOVE CORN

    Ashwin Pillay

    News

Back to top