The draft ePrivacy Regulation: will it still be future proof?

by Herwin Roerdink

The intentions were admirable: a new ePrivacy Regulation that would apply on the same day as the newly introduced General Data Protection Regulation (GDPR). When the European Commission published its first proposal in January 2017, this still seemed to be the idea. But things turned out completely differently. There was great division in the European Parliament, and the negotiations in the Council were stuck. The Council did publish a compromise version in late September for discussion, but there is no final text yet. The bottlenecks are mainly in the area of cookies (Article 8 of the proposal) and direct marketing (Article 16 of the proposal). A final proposal is still a long way off. With a possible transition period of 1 to 2 years, the new ePrivacy Regulation will probably come into force in 2023 or 2024 at the earliest. This is unfortunate on several points, to put it mildly, all the more so because developments in the online marketing industry and enforcement by data protection regulators do not wait for the completion of the legislative process. I will discuss a number of these developments below, all of which have an impact on the practice of ePrivacy and direct marketing for European advertisers and the companies involved in the AdTech industry.


“The bottlenecks are mainly in the area of cookies and direct marketing.”


The lengthy legislative process is not a favourable development for legal certainty, especially in the field of online marketing. For the processing of personal data, we have been relying on the ‘new’ harmonised GDPR regime for 2.5 years now, but for the sending of direct marketing communications and the use of cookies and similar techniques, we still have to rely on the ePrivacy Directive from 2002, which has been implemented in national laws throughout the member states of the EU (in the Netherlands, the Telecommunications Act). So, in the context of an email campaign, the use of social media or the collection of behaviour of website visitors, both regimes apply, with all the uncertainty that goes with that.


Despite this, it seems that the regulators are not waiting for the new ePrivacy Regulation and have started to address various direct marketing issues under the GDPR. For example, the European Data Protection Board (EDPB) very recently published an extensive consultation version of its Guidelines on targeting of social media users, in which the roles of the various parties (users, social media providers and targeters) are scrutinized and an analysis of the various targeting mechanisms is provided (with numerous examples). Also, when it comes to enforcement of online marketing laws, the ‘regular’ privacy supervisor (in the Netherlands, the Dutch Data Protection Authority, DDPA) seems to have completely taken over the supervision from the Dutch telecom supervisor ACM. The most recently published fine imposed by ACM with regard to cookies dates back to 2015. The latest version of ACM’s frequently asked questions about the Dutch Cookie Act dates from June 2014. Since then, however, the DDPA has enforced the rules on the use of cookies, has investigated how permission to place tracking cookies is requested among 175 websites, has issued guidelines on the use of cookie walls and has published information on the ‘rules of the game’ surrounding direct marketing (including a quite bold statement that commercial direct marketing can never be justified under the principle of legitimate interest, which is still under debate). It seems that the DDPA puts the ACM (and the direct marketing rules from the Telecommunications Act to be enforced by the ACM) out of play.


In the past two years the courts have frequently dealt with lawsuits about the GDPR, more than 300 times in the Netherlands alone. In practice, the often casuistic rulings give little guidance for the interpretation of the GDPR. We are waiting for more principled judgments of the Supreme Court and the European Court of Justice (ECJ). Last year the ECJ finally ruled for the first time – 17 years after the introduction of the ePrivacy Directive – in a case about direct marketing and obtaining permission for cookies. The (disappointing) conclusion of the ECJ was that consent cannot be obtained on the basis of pre-ticked boxes, which wasn’t new. Unfortunately, more practically relevant questions were not answered. Questions such as: is it allowed to require consent to receive direct marketing in the case of a lead generation website? Can you obtain permission for cookies by means of the statement ‘if you continue to use this website you give permission’? Hopefully the ECJ will soon rule on the interpretation of the ePrivacy Directive or address questions relevant to online marketing under the GDPR. With the exception of one case in which preliminary questions are being asked about the concept of email from the ePrivacy Directive (more specifically, whether advertising that appears in specific advertising windows in the inbox of users of a free email service can be regarded as email), there don’t seem to be any relevant cases pending about the ePrivacy Directive.


“It is to be expected that other ‘safe’ countries will suffer the same fate as the United States.”


Meanwhile, the regulators are quite active when it comes to enforcement. Since the introduction of the GDPR, various fines have been imposed by the national supervisors, some of them relating to direct marketing. According to reports, at least 362 fines have been issued, for a total amount of almost 500 million euros. In addition, both the EDPB and the national supervisors have issued several opinions setting out the supervisors’ generally strict views on online marketing. In general, the regulators are unanimous in their opinions, for example on the ban on cookie walls, on the strict application of the customer exception for sending unsolicited electronic communications and on the ban on the aforementioned use of ‘continued use’ as a basis for obtaining consent for the use of cookies. Although the Spanish regulator indicated in an opinion at the end of last year that the latter method could provide a basis for obtaining consent, it has very recently adjusted this view in line with the views of the other regulators. In the absence of any (high) court ruling against them, these opinions are leading for anyone who wants to avoid enforcement.


Because European parties very often rely on the services of software suppliers and data brokers from the United States for their marketing and advertising needs, the ruling of the European Court of Justice in the second Schrems case is also very relevant. Not only did the ECJ declare the Privacy Shield mechanism (a form of self-certification that allowed the transfer of personal data to the United States) invalid, it also considerably sharpened the most obvious second option (that of Standard Contractual Clauses). In order to enable the transfer of personal data on that basis, a European data exporter will have to implement additional safeguards (often very difficult if not impossible) in order to offer some protection against U.S. government surveillance. It is to be expected that other ‘safe’ countries will suffer the same fate as the United States. The same applies to the other mechanism for the transfer of personal data, the binding corporate rules. After all, none of these mechanisms will, without additional measures, prevent U.S. authorities from gaining access to personal data of European data subjects. The data protection authority of Baden-Württemberg very recently issued the first guidance on international data transfers. However, the guidance does not really address the challenges that global companies would face in practice, and additional guidance from either the European institutions or other data protection authorities would be very welcome.


Following the Schrems II judgment, NOYB – the European Center for Digital Rights led by Max Schrems – submitted 101 complaints to the privacy supervisors of 30 member states of the European Union and the EEA. NOYB (“none of your business”) complains about the fact that many companies are still using Google Analytics or Facebook Connect despite the Schrems II judgment, while both Google and Facebook are still subject to U.S. supervisory legislation and are therefore acting contrary to the judgment. In principle, each supervisor will be obliged to deal with the complaints filed and will have to take enforcement action if needed. Only three complaints have been withdrawn in the meantime, because the parties concerned (all based in Liechtenstein) were able to demonstrate that they had removed the code elements of Google and Facebook. The EDPB has in the meantime created a taskforce to look into the complaints filed by NOYB.


Of particular interest to the AdTech industry is the class action instituted by the Dutch foundation The Privacy Collective against Oracle and Salesforce. In this case, the phenomenon of real-time bidding ad auctions (RTB) is denounced: a system in which, based on profiles of millions of internet users, personalized online advertisements are auctioned and displayed within milliseconds and personal data is made available to countless commercial parties, which, according to The Privacy Collective, violates the GDPR. Allegedly, based on the brand new possibility to file mass claims in the Netherlands, this would lead to a possible compensation of no less than €10 billion. A similar case is expected in the United Kingdom. The entire AdTech industry will look at this case with interest, all the more so because RTB is being used on an enormous scale.


Last but not least, the industry is also in a state of flux. The ever stricter privacy rules mean that alternatives in this area are being fully explored. In a recent article published on Wired entitled ‘Can Killing Cookies Save Journalism’, a possible solution is described in the form of contextual advertising: a method in which advertising is not shown based on website behaviour and online tracking, but in which advertisers target customers reading a certain type of article or watching a certain type of show. After all, a visitor to the travel page of a newspaper is likely to be interested in advertisements for travel destinations or travel operators. Without knowing the exact personal preferences of the website visitor, relevant advertisements can still be shown in this way. A spokesman for the Dutch public broadcaster NPO, one of the parties that use contextual advertising, explained: “When do people want to buy a Snickers? It’s not because someone is in a specific age or in a specific region or has a high income; it’s because they are hungry and they are looking at food at that moment”. This new technique has made the NPO decide to completely give up the use of cookies in 2020, without – as research showed – experiencing a decline in its digital ad revenue.


Considering the above, while there is little or no movement in the legislative process of the ePrivacy Regulation, the legal reality is one of enormous movement in that area. Although it seems that a final text of the ePrivacy Regulation is still some way off, in practice the developments within the online marketing industry and the enforcement activities of regulators are moving quickly. It is to be hoped that the legislative process can keep pace with these new developments and that the final ePrivacy Regulation will meet the widely supported desire of the legislator to make it future-proof.


About the author
Herwin Roerdink is a partner at Vondst Advocaten and head of the Data Protection team. He advises a large range of (data driven) clients on a strategic level and assists clients in enforcement procedures initiated by the DDPA and ACM. He also lectures on e-privacy law at the renowned Grotius Academy.
