ePrivacy, PECR, and Brexit

Last updated 8 March 2019

This is an upgrade of the catch-all piece of privacy legislation which deals with communications metadata, e-marketing lists, device fingerprinting, and cookies. You know it best as the cookie law.

Relevant policy:
Draft Proposal for a Regulation concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications)

Progress and developments:
In February 2017 the European Scrutiny Committee of the House of Commons examined the draft Regulation. They noted these questions for Government:

The Government has said that the UK will comply with the new data protection Regulation by 25 May 2018, before Brexit. This is the date when the Commission also intends this proposal to apply, once adopted. In the light of this we would be grateful if the Minister could confirm whether the Government:

  • also intends to comply with this proposal on ePrivacy before Brexit;
  • plans to keep UK law aligned with EU data protection law after Brexit, including this proposal once adopted; and
  • considers that any provisions in the proposal as currently drafted are problematic in any way to the UK as a third country after Brexit.

The Minister recalls in his account of the Commission’s review of the existing ePrivacy Directive:

“In addition, the evaluation also found potential overlaps with the GDPR, such as the provisions for data security and data breach notifications. The reform thus aims to remove contradictions and duplications between the instruments, reduce discretion for member states, as well as clarify the application of certain provisions.”

However, the respective scopes of the new GDPR and the proposed Regulation are not entirely clear to us and, by extension, may not be clear to duty-holders and data subjects. We are concerned about legal uncertainty which may become even more important after Brexit when the UK will have to consider what, if any, EU data protection law it wishes to retain in the longer term as UK law. So when the Minister next writes, please could he clarify, using practical examples where possible, when data relating to “electronic communications”, including metadata would fall to be considered:

  • exclusively under the proposed Regulation;
  • exclusively under the GDPR; and
  • under both.

We would also be very interested to learn in due course whether there are any adverse consequences that might flow from scenarios (a)-(c), in terms of the level of legal protections provided to UK citizens or burdens imposed on UK business.

The Committee then went further than that:

We note that, just like the GDPR, the proposal will apply to providers outside the EU if they offer electronic communications services to EU end users. We observe that this extraterritoriality has the potential to affect the UK after Brexit, regardless of the specifics of the future UK-EU relationship.

We draw the Minister’s attention to paragraphs 6.22–6.26 of this Report where we analyse the CJEU’s preliminary ruling in the case of Watson v Secretary of State for the Home Department. This is clearly relevant to Article 15 of the current ePrivacy Directive and the drafting of Article 11 of the proposed Regulation (together with corresponding Recital 26). Could the Minister confirm that the proposed Article 11 strikes the right balance between the need to protect the fundamental rights of EU citizens to the standard of the EU Charter and the needs of Member States to retain data for national security and law enforcement purposes? We ask this particularly because, as the Minister himself highlights, there is no specific derogation in the proposal relating to data retention. This is striking considering the legal gap created when the Data Retention Directive was invalidated by the CJEU in the Digital Rights Ireland judgment.

In August 2017 the white paper on data flows after Brexit did not discuss the ePrivacy directive, despite it being a key component of a robust data protection framework. The July 2017 Lords report on the EU Data Protection Package touched briefly upon it.

In March 2018 the European Scrutiny Committee examined the Directive’s progress as reported to it by the Minister for Digital and the Creative Industries. Noting the delay to its finalisation, the commitee asked “we are concerned about the implications for the UK should the Regulation not be agreed when the UK still has a vote, but during the implementation period. We ask her to comment on that eventuality. If an adopted proposal were not to apply to the UK before the end of an implementation period, could the Minister tell us whether the UK would want to align with it anyway for the purposes of its future trading relationship with the EU?”

Meanwhile, in December 2018 Parliament introduced the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 to provide for continunity with the existing regulation throughout the Brexit process.

In February 2019 the The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) (No. 2) Regulations 2019 statutory instrument was introduced. The sifting committee determined that the SI will not be debated in Parliament.