New EU ‘cookie law’ yet to emerge

September 2019  |  FEATURE  |  DATA PRIVACY

Financier Worldwide Magazine

September 2019 Issue

Intended to enter into force in concurrence with the General Data Protection Regulation (GDPR), the European Union’s (EU) bedfellow legislation, the ePrivacy Regulation (ePR), has been delayed – awaiting its shot at further disrupting the data protection landscape.

Possessing the same territorial scope as the GDPR, the ePR – referred to by some as the ‘cookie law’ – repeals the extant 2002 Privacy and Electronic Communications Directive (ePrivacy Directive). It particularises and complements the GDPR on the electronic communications data that qualify as personal data, such as requirements for consent to the use of cookies and opt-outs.

The EU’s aim is that with the e-communications sector developing rapidly – including the proliferation of internet-based messaging and communications services such as Voice over Internet Protocol (VOIP) and instant messaging – the ePR will provide clearer rules covering online communications and, alongside the GDPR, reinforce trust and security in digital services in the EU.

“The digital economy has been a major driver of growth in the past two decades and is expected to grow seven times faster than the overall EU GDP in coming years,” stated the European Commission (EC) in a 2017 impact assessment. “Information and communications technology (ICT) has therefore become the foundation of all modern innovative economic systems.”

The EC’s impact assessment highlighted three main issues with existing data protection provision. First, citizens’ private life when communicating online is not sufficiently and effectively protected. Second, citizens are not effectively protected against unsolicited marketing. And third, businesses face obstacles created by fragmented legislation and differing legal interpretations across Member States, as well as unclear and outdated provisions.


Given the extent of the attention paid to the GDPR over the past few years, companies and citizens across Europe can be forgiven for a certain degree of ignorance as to the arrival of its legislative twin: the ePR.

“In the UK, for example, there is still relatively poor awareness of the ePR,” says Rafael Bloom, information governance adviser at Salvatore Ltd. “Some organisations have taken a piecemeal approach to adjusting operations in light of new pieces of data-centric legislation, meaning that there is no overarching programme of change. Instead, we observe that the GDPR, in dominating this conversation for the last 30 months, has exhausted many people’s tolerance for the subject of personal data privacy.

“Therefore, there is a lack of appetite for what many would interpret as a repetition of the GDPR exercise,” he continues. “On the other hand, it must also be stated that the organisations that have taken a wider, governance-based approach, are simply waiting until the detail of the ePR becomes clear.”

Distinguishing features

While noting the EU’s declaration that the ePR and the GDPR are complementary pieces of legislation, many observers remain unclear as to how to distinguish them.

“Machine-to-machine (M2M) communications are a key aspect of the new ePR, along with a more up-to-date understanding of how the connected age really functions,” suggests Mr Bloom. “With the GDPR, the overlap is potentially confusing. I rely on the broader principle of lex generalis v lex specialis to help pick them apart, with the GDPR setting out general principles and obligations for data protection – mostly in reference to ‘data at rest’ – and the ePR being focused on communications channels, including the new platforms for communication that simply did not exist at the time the existing ePrivacy law was drafted; in other words, ‘data in transit’.”


Although a firm date for its arrival is yet to be announced, there is room to speculate as to the yardstick by which the effectiveness, or otherwise, of the ePR should be measured.

“The purpose of such legislation is manifold, but it is clear that the EU’s intentions centre around citizens’ rights and freedoms, preventing harm and possible discrimination based on data held and protecting institutions from malicious attack,” believes Mr Bloom. “There are serious systemic risks to Member States – with infrastructure, institutions and individual citizens at risk – and both the ePR and the GDPR are designed to lift the general level of digital maturity, so as to protect us from harm.

“The yardstick will therefore be whether or not these laws actually do result in a collective elevation of standards, awareness and proactivity around the security and privacy of personal data,” he continues. “The idea of a company losing business because it cannot be trusted to hold people’s data properly is now very much a reality.”

For now, companies and citizens of Europe, or, more accurately, those that are aware of the ePR’s existence, await its emergence with a mixture of interest and indifference.

© Financier Worldwide


Fraser Tennant
