One year after our first Q&As on the draft ePrivacy Regulation and the reformed Italian Data Protection Code (DPC), here is a 2.0 version of the same FAQ list, the aim of which is to answer some of the most common questions on the relationship of the draft with GDPR, the DPC and the Italian Data Protection Authority's (the Garante) guidance on ePrivacy issues.
1. What is the ePrivacy Regulation?
2. What sectors will be "hit" the most by the ePrivacy Regulation?
The sectors most affected by the advent of the ePrivacy Regulation will remain substantially the same as those touched by the ePrivacy Directive: from marketing to eCommerce, from call centers to big data analytics, from the Internet-of-Things to online advertising. In general, the Draft ePrivacy Regulation will complement and implement the GDPR with specific regard to the online environment, therefore all companies using new technologies in their data processing activities should of course consider how to comply with this piece of legislation.
3. What will be the impact of upcoming ePrivacy rules on online processing activities?
The draft ePrivacy Regulation may introduce, among other things, new provisions on online consent. In particular, those are: (i) the obligation to periodically request individuals to renew their marketing consent (at least every 12 months); and (ii) the possibility to send marketing communications based on the soft opt-in exception using means different than emails (e.g., sms, mms, push notifications, etc.). However, as of today these new provisions are still being discussed by EU legislators.
4. Where are we with the current legislative process?
The final text of the ePrivacy Regulation has not been approved yet, nor is it clear when it will actually come into force or become applicable. What is certain is that the draft proposed by the Commission in 2017 is still subject to the scrutiny of both the European Parliament and the Council of the EU. Indeed, the European legislative process envisages that both institutions shall propose a series of amendments to the original draft and that, at the end of this phase, the Commission will prepare a summary of such proposals which both institutions will then have to vote on. Monitoring the evolution of the ePrivacy Regulation legislative process is important because different approaches have emerged from the European Parliament and Council of the EU. The former is taking a strong pro-consumer stance, while the latter is trying to adopt a more business-oriented view.
5. When is the ePrivacy Regulation's final approval and entry into force scheduled?
As mentioned above, the length of the European legislative process is difficult to predict (i.e., see what happened with GDPR between 2012 and 2016). To date, legislators seem still far from the final approval of the Regulation ̶ initially scheduled for the first half of this year. As of today there is no official indication on the expected or foreseeable timing for final approval of the Regulation.
6. What is the relationship between GDPR and the ePrivacy Regulation?
The ePrivacy Regulation is complementary to the GDPR. In fact, it integrates with and complements rules that are more specific than what has been established by the more general provisions of the GDPR. Although there are important differences between the two pieces of legislation, the relationship between them can be summarized by saying that the ePrivacy Regulation is lex specialis to the GDPR. Therefore, while framework rules come from the GDPR (e.g., definitions, key principles and obligations), sector-specific requirements will be covered by the ePrivacy Regulation (e.g., marketing, cookies, processing of personal data via electronic communications, etc.) and apply as an exception in limited circumstances. On the contrary, with regard to sanctions the GDPR and the current draft ePrivacy Regulations converge. In fact, according to the latest draft of the ePrivacy Regulation the same administrative fines of the GDPR (i.e., ranging from €20 million up to 4 percent of the total annual global turnover) will be imposed on entities violating ePrivacy rules as well.
7. And that between the ePrivacy Regulation and member states' laws?
Coordination between the upcoming ePrivacy rules and member states' national laws will follow the same process that has already occurred for GDPR. In substance, each national legislator will be responsible for adapting its regulatory framework to the new law, which being a European regulation, will be directly applicable within each member state's legal system. Therefore, the basic rules will be identical at European level; although it is not excluded that different "local variations" of the applicable regulatory framework may be put in place by individual member states. However, as of today no official sources or guidelines have been made available in this regard.
8. Will future ePrivacy rules affect the newly reformed Italian Data Protection Code?
Indeed, they will. It is likely that the new DPC will undergo further amendments in order to align its provisions with those of the future ePrivacy Regulation – as happened with GDPR. As of today, the provisions concerning the processing of personal data in electronic communications remain unchanged in the new DPC.
9. What should we expert from European regulators and what is the Garante doing?
Following the approval of the ePrivacy Regulation, each national Data Protection Authority (DPA) will have to make some effort to review existing ePrivacy provisions and guidelines, in particular for the purpose of consistency and coordination with the provisions of the upcoming common rules. The European Data Protection Board (EDPB) is particularly active in this regard. However, no actual and specific EDPB guidance on the ePrivacy Regulatoin has been issued yet.
With regard to Italy, at the moment we have no evidence of initiatives of the Garante concerning ePrivacy matters. In fact, it is likely that the Garante will intervene so to amend its previous guidance on ePrivacy issues only after the ePrivacy Regulation has been approved or further guidance from the EDPB are issued.
10. What is the private sector doing?
There is great attention on ePrivacy issues from private sector players nowadays. This because online processing activities constitute a relevant part of each business model in almost every industry and sector. In fact, the waiting for the future ePrivacy Regulation is fostering the creation of new technological tools of ePrivacy compliance. This is the case for the so-called Consent Management Platforms (CMPs). CMPs are tools of industry self-regulation that especially support website publishers and advertisers in the collection of GDPR-like consent for the provision of online-targeted advertising. Although CMPs did not receive any formal blessing from European regulators yet, they may well become a market good practice as the ePrivacy Regulation approaches.
Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.