Companies have incurred considerable costs as a result of the implementation of the EU’s General Data Protection Regulation (GDPR), which has been in force since May 2018. Under the EU’s legislative procedures, the Regulation is due to be followed by a second – large – regulatory text on privacy: the ePrivacy Regulation (ePR) that will supersede Directive 2002/58/EC (ePD). According to Art. 29 Section 2 of the Commission’s original proposal, the ePR was actually intended to become applicable at the same time as the GDPR, but this did not happen. The legal uncertainty over which regulations apply to them is causing companies considerable difficulties.
The ePR is currently the subject of intense discussion in the Council. This has re-ignited the prolonged debate in Brussels that preceded the GDPR’s own implementation. Depending on their interpretation, many people see the ePR as an existential threat to the online advertising business, which has an annual global turnover of hundreds of billions of euros: the rules on consent and the use of tracking technologies, particularly third-party cookies, are crucial for user- and behaviour-based advertising. The ePR is also expected to contain additional guidelines on direct advertising and on the information that should be provided, as well as the configuration options that must be available to the end user. Deliberations in the Council are dragging on; the latest surprise was the Council Draft of July 10th 2018, which stated that the requirement on privacy settings (Art. 10 of the Commission Draft) had been deleted and not replaced.
The ePR will be directly effective as soon as it comes into application without the need for national implementation laws. It repeals the ePD as well as any conflicting national regulations (those based on the ePD in particular). The ePD and ePR are lex specialis to the GDPR, meaning that they provide special privacy provisions on electronic communications data, which override the general rules of the GDPR.
The period up to the entry into force of the ePR will also be complex. Art. 95 GDPR states that it will not impose additional obligations on specific service providers above those in the ePR. The legislation thus intends all national regulations based on the current ePD and pursuing the same objectives to remain applicable. However, the ePD only takes precedence over GDPR legislation in areas where both regulations pursue the same objective. The GDPR does not stipulate any additional obligations where this is the case. The general provisions of the GDPR apply in areas not covered by more specific provisions in the ePD.
Violations of the GDPR by companies may be punished by fines of up to four percent of the annual turnover.
Violations of rules based on ePD already face potentially higher fines since the ePD cites Directive 95/46/EC, which was superseded by the GDPR, in relation to sanctions. On the other hand, although the forthcoming ePR may specify its own schedule of fines, the tariffs themselves are expected to be in line with the GDPR.
German legislators are currently in the planning stages of the draft Second EU Data Protection Amendment and Implementation Act (Datenschutz-Anpassungs- und -Umsetzungsgesetz EU, or DSAnpUG-EU), which is intended to bring clarity to the complex nexus of national legislation on data protection and the GDPR. The draft of the 2nd DSAnpUG-EU will apparently harmonise existing legislation on data protection with the GDPR and, where possible and desirable in the legislators’ view, use the opening clauses in the GDPR to implement specifically German regulatory approaches. However, the current draft of the 2nd DSAnpUG-EU does not provide for any reform of the data protection provisions of the Telecommunications Act (Telekommunikationsgesetz, or TKG) or the Telemedia Act (Telemediengesetz, or TMG). So the uncertainties around the implementation of the ePD appear likely to remain until the ePR comes into force.
No agreement is likely in the Council under the Austrian presidency. And when it is finally reached, the Trilogue would have to convene. If we assume that approval would take as long after the Trilogue convenes as it did for the GDPR, the regulation is unlikely to come into force before 2020. And since a one-year transition period is contained both in the EU Parliament’s Opinion and the Council’s Draft Opinion, the most likely date for the ePR to come into force is 2021.
Dr. Alexander Golland
Senior Consultant, PwC Germany
Dr. Jan-Peter Ohrtmann
Partner, PwC Germany
Tel: +49 211 981-2572