Italy: FAQ On The Draft ePrivacy Regulation: An Italian Perspective

Co-authored by Francesco Armaroli

After our first Q&As on the reformed Italian Data Protection Code (DPC), here is a brand new FAQ list answering some of the most common questions received from clients and colleagues on the draft ePrivacy Regulation and its relationship with GDPR, Italian Data Protection Law and the Italian Data Protection Authority's (the Garante) guidance on ePrivacy issues.

1. What is the ePrivacy Regulation?

The ePrivacy Regulation is a new piece of legislation (not yet in force, nor applicable) complementary to the GDPR which will repeal and replace Directive 2002/58/EC (so-called ePrivacy Directive), introducing a more homogeneous and harmonized European discipline concerning the processing of personal data in electronic communications.

2. What sectors will be "hit" the most by the ePrivacy Regulation?

The sectors most affected by the advent of the ePrivacy Regulation will remain substantially the same as those touched by the ePrivacy Directive: from marketing to eCommerce, from call centers to big data analytics, from the Internet-of-Things to online advertising, with the inclusion of Over-The-Top operators. This is even more so because each of the companies operating in these sectors is increasingly moving towards an "online only" and ever-connected business dimension, which is and will be thriving on data mining, sophisticated analytics and tracking technologies and, in the not so far future, artificial intelligence.

3. What will be the impact of upcoming ePrivacy rules on online processing activities?

The draft ePrivacy Regulation introduces, among other things, new provisions on online consent. In particular, those are: (i) the obligation to collect online consent pursuant to GDPR's criteria (i.e., consent must specific, explicit and always demonstrable); and (ii) the introduction of a provision on the basis of which each entity processing data must periodically request individuals to renew their marketing consent (at least every 12 months). If confirmed in the final text, such provisions will affect cookies and direct marketing and will push many to reconsider their approach to online tracking and digital marketing. However, as of today these new provisions are still being discussed by EU legislators.

4. Where are we with the current legislative process?

The final text of the ePrivacy Regulation has not been approved yet, nor is it clear when it will actually come into force or become applicable. What is certain is that the draft proposed by the Commission in 2017 is still subject to the scrutiny of both the European Parliament and the Council of the EU. Indeed, the European legislative process envisages that both institutions shall propose a series of amendments to the original draft and that, at the end of this phase, the Commission will prepare a summary of such proposals which both institutions will then have to vote on. Monitoring the evolution of the ePrivacy Regulation legislative process is important because different approaches have emerged from Parliament and Council of the EU. The former is taking a strong pro-consumer stance, while the latter is trying to adopt a more business-oriented view. The Commission will therefore have to summarize both trends in a functional manner, so to get to the final approval of the ePrivacy Regulation in reasonable time (most likely by mid-2019).

5. When is ePrivacy Regulation's final approval and entry into force scheduled?

As mentioned above, the length of the European legislative process may have outcomes difficult to predict (i.e., see what happened with GDPR between 2012 and 2016). To date, legislators seem still far from the final approval of the Regulation - initially scheduled for the first half of this year, now coming into effect from May 2019. In addition, it is not excluded that the occurrence of next years' European elections may further delay the approval of the new ePrivacy rules. In any case, as of today there is no official indication on the expected or foreseeable timing for final approval of the Regulation.

6. What is the relationship between GDPR and the ePrivacy Regulation?

The ePrivacy Regulation is complementary to the GDPR. In fact, it integrates with and complements rules that are more specific what has been established by the more general provisions of the GDPR. Although there are important differences between the two pieces of legislation, the relationship between them can be summarized by saying that the ePrivacy Regulation is lex specialis to the GDPR. Therefore, while framework rules come from GDPR (e.g., definitions, key principles and obligations), sector-specific requirements will be disciplined by the ePrivacy Regulation (e.g., marketing, cookies, processing of personal data via electronic communications, etc.) and apply as an exception in limited circumstances. On the contrary, with regard to sanctions the GDPR and the current draft ePrivacy Regulations converge. In fact, according to the latest draft of the ePrivacy Regulation the same administrative fines of the GDPR (i.e., ranging from €20 million up to 4 percent of the total annual global turnover) will be imposed on entities violating ePrivacy rules as well.

7. And that between the ePrivacy Regulation and Member States' laws?

Coordination between upcoming ePrivacy rules and member states' national laws will follow the same process that has already occurred for GDPR. In substance, each national legislator will be responsible for adapting its regulatory framework to the new law, which being a European regulation, will be directly applicable within each member state's legal system. Therefore, the basic rules will be identical at European level; although it is not excluded that different "local variations" of the applicable regulatory framework may be put in place by individual member states. However, as of today no official sources or guidelines have been made available in this regard.

8. Will future ePrivacy rules affect the newly reformed Italian Data Protection Code?

Indeed, they will. It is likely that the new DPC will undergo further amendments in order to align its provisions with those of the future ePrivacy Regulation – as it happened with GDPR. As of today, the provisions concerning the processing of personal data in electronic communications remain unchanged in the new DPC.

9. What should we expert from European regulators and what is the Garante doing?

Following the approval of the ePrivacy Regulation, each national Data Protection Authority (DPA) will have to make some efforts to review existing ePrivacy provisions and guidelines. In particular, for the purpose of consistency and coordination with the provisions of the upcoming common rules. This process will certainly follow the guidance of the European Data Protection Board (EDPB). In fact, the EDPB had recently expressed itself on ePrivacy issues and on the state of the art of the current reform process of the ePrivacy Regulation (link). However, no common EDPB guidance has been issued yet.

With regard to Italy, at the moment we have no evidence of initiatives of the Garante concerning ePrivacy matters. However, it is likely that the Garante will intervene so to amend its previous guidance on ePrivacy issues throughout 2019. In particular, guidelines on the use of cookies, profiling and marketing will need to be modified according to the new legal framework– although the timing of this process is still uncertain. To date, we would not exclude that this "review phase" will follow EDPB's inputs and guidance, as well as the most recent developments of the ePrivacy Regulation reform process.

Do you have more questions or you want to share your thoughts on this article? Contact our Dentons Italy TMT Team.

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.