It looks unlikely that the draft e-Privacy Regulation will come into effect before 2021. European Council negotiations on the text of the draft Regulation are currently ongoing, and trilogue discussions by the Council, Parliament and Commission will then take place. However, the upcoming May 2019 European elections may lead to a delay in the Council adopting a common position and the trilogue discussions commencing. In addition, the latest draft text of the Regulation, published by the European Council, provides that it will apply 24 months from the date it is adopted, with the result that even if it is adopted imminently, it may not come into effect until 2021.

Late last year, various industry associations raised concerns about the draft Regulation in a joint letter. The letter urged the EU institutions not to rush negotiations, stating that many substantive issues which have been raised since the draft Regulation was first put forward have not yet been addressed. It stressed that the expanded scope of the draft Regulation would create a large overlap with the GDPR, effectively replacing large portions of the GDPR for a vast majority of data processing activities. In particular, it called for closer consideration of the legal bases for both electronic communications data and terminal equipment data and alignment with those available under the GDPR.

The Council of the EU has released a progress report on the draft Regulation, highlighting the main topics where further work is necessary. In particular, the Report notes that Article 10 (the provision on privacy settings) has raised a lot of concerns, including with regard to the burden for browsers and apps, the competition aspect, the impact on end-users, and the ability of this provision to address the issue of consent fatigue. The original aim of Article 10 was to address the issue of users being overloaded with pop-up windows requesting consent to the use of cookies. Article 10 adopts a privacy-by-design approach, requiring providers of browsers and similar software to provide users with cookie and tracking controls. The hope was that centralising consent in software would do away with cookie banners and notices. The Report notes that some delegations support the deletion of this provision, whilst others would prefer a simpler provision of the information about privacy settings to be provided to the end-user. The added value of Article 10 looks doubtful in light of the higher bar for consent and increased information requirements introduced by the GDPR, which companies should already have addressed by updating their cookie banners and policies.

We will be closely monitoring the progress of the draft Regulation and will keep you updated.