ePrivacy Regulation only a matter of when, IAPP Advisory Board member says 

"It is more cost-effective for EU companies to work with EU companies, or non-EU companies that take privacy and the GDPR seriously."
Interview: The new ePrivacy Regulation has been long in the making but insights from this interview with Jose Belo, IAPP Advisory Board Member, suggest that a common European ePrivacy law could be closer than we think. 

Here’s why your EU company should consider working with EU companies or non-EU companies that take privacy and the GDPR seriously.

When will the ePrivacy Regulation become law?

That’s a good question. I think that, with the GDPR coming into force and the compliance needs that the GDPR required going much further than what companies originally expected, a clearer awareness of the business impact of privacy-related regulations makes passing the ePR (ePrivacy Regulation) more difficult for Member States. 

We have to understand that, with privacy programme budgets remaining basically the same, in general, and with multiple companies actually cutting budgets, there is a lot of economic pressure on them already. 

And that’s not all. I also think that the EU wants to get it right on the first try. The GDPR has become a benchmark on how to protect personal data across the world. But it also brought to light how woefully underprepared we all were to comply with the GDPR. In my opinion, the lack of enforcement was a conscious decision by supervisory authorities to allow companies to have more time for privacy programmes to be more compliant.

Now, in 2022, there has been more than enough time, and enforcement seems to start picking up the pace.

Also, with the CJEU decisions and the steady publishing of new guidelines, with novel approaches to the GDPR (for example, the creation of EDPB Task Forces to enforce the GDPR), the GDPR, in itself, is evolving. Through this practical knowledge of how the GDPR is being handled by companies and by supervisory authorities, the EU is also adapting the ePR to accommodate the lessons learned.

About Jose Belo

  • Member of the IAPP European Advisory Board
  • Research Fellow at the ISLC of the University of Milan
  • Head of Data Privacy at Valuer.ai, Copenhagen
  • Born in Coimbra, the second-largest urban area in Portugal outside Lisbon and Porto Metropolitan Areas 
  • 6.300+ followers: Follow Jose Belo on LinkedIn

How does ePR apply to the EU Digital Strategy?

The EU must not lose focus of the bigger picture: Its Digital Strategy. And the ePR is an essential part of it, as is the Digital Services Act, the Digital Markets Act, the Data Act and the AI Act.

Like all of them, and with the GDPR and Regulation (EU) 2018/1807 on the free flow of non-personal data, the ePR is part of that strategy to help the EU bridge the existing gap with other countries that compete with the EU in the digital space.

Is EU companies using non-EU vendors a compliance risk?

What is clear is that the EU does not have its own massively used smartphone, it does not have its own massively used cloud provider, it does not have its own massively used social media, it does not have its own massively used messaging app. The EU, in general, relies on products and services provided by non-EU companies to do all this. 

The fact is that EU companies still mainly use non-EU companies to fill the gap, many of them not being compliant with the GDPR. Still, companies take the risk. However, this risk to companies is growing with every enforcement action by the supervisory authorities. This means proper data protection compliance due diligence on vendors, due to international data transfers, has become one of the highest priorities for Privacy and Data Protection Departments across the EU.

And thus, EU companies that use non-EU vendors that do not have in place supplementary technical and organisational measures, as required by the CJEU and the EDPB, are, themselves, not compliant with the GDPR.

What are "the numbers" of EU and compliance?

It’s not that there aren’t EU-based solutions that handle the areas that are in scope of the ePR. They exist. The issue is that EU companies and employees have become used to non-EU solutions.  

So, there is also a cultural change in third party management that the evolution of the legal privacy framework is demanding by making international data transfers more difficult: 

It is more cost-effective for EU companies to work with EU companies or non-EU companies that take privacy and the GDPR seriously. 

With the ePR’s core scope being associated with protecting the fundamental rights of data subjects in electronic communications in the EU (in particular, with the processing of communications data and the use of cookies and similar technologies, tracking of devices – online and offline –, calling line identification, electronic phone directories and direct marketing communications), with the EU’s shortcomings on many of these areas, the ePR is requiring that EU companies work with EU or non-EU companies that comply with the extraterritorial compliance requirements of the GDPR. 

Or face the growing risks of having to adjust non-compliant EU or non-EU vendors at the last minute, as supervisory authorities are becoming more and more active in enforcement.

This is far from ideal. Data Protection Departments should be able to understand the enforcement trends, adjust their risk levels and take a proactive approach, rather than a reactive one.

With all that said, I firmly believe that the ePrivacy regulation is going to happen. The question is, thus, when, not if.

Thank you, Jose Belo!

Disclaimer: The views and opinions expressed in this article are those of the speaker and do not necessarily reflect the views or positions of Cookie Information.
