Hogan Lovells calls for an alternative approach to regulating privacy in the digital economy

Press releases | 25 November 2019

LONDON, 25 November 2019 – Hogan Lovells has published a study evaluating the ongoing legislative proposal for a new ePrivacy Regulation, a law aimed at updating the current ePrivacy framework in the EU.

After nearly three years of debates and negotiations, the European Union is nowhere near agreeing a position on how to achieve the right balance between the need for technological innovation, public security and the protection of privacy in the context of the digital economy. According to Hogan Lovells, this is due to the structure and legislative approach of the proposed ePrivacy Regulation, which, rather than complementing the GDPR as originally intended, is in some fundamental respects in conflict with it.

In the context of the confidentiality of electronic communications, the proposed ePrivacy Regulation follows an approach that relies on a blanket prohibition qualified by limited exceptions, which is likely to lead to unwanted effects for the development of machine-to-machine communications, the Internet of Things and artificial intelligence. With regard to the provisions dealing with information collected from and emitted by terminal equipment, the proposed ePrivacy Regulation seeks to limit the processing of a broad spectrum of information, including both personal and non-personal data, irrespective of the actual impact of such processing on people's privacy. In summary, the essence of flexibility in the application of the GDPR created by focussing on risk is fundamentally missing from the proposed ePrivacy Regulation.

In light of these shortcomings, the report released today by the firm provides a number of policy recommendations to improve the current text, including the following:

  • The ePrivacy Regulation should move away from setting out narrow legal bases for the processing of specific types of data 
  • The valuable risk-based approach of the GDPR should be applied to the ePrivacy framework 
  • Data processing that poses no risks to individuals, particularly where data is or is made anonymous, should be explicitly excluded from the scope of the ePrivacy Regulation

Eduardo Ustaran, Global Co-Head of the Privacy and Cybersecurity practice at Hogan Lovells, said: “There is clearly a need for the protection of privacy in the digital economy, but to be effective, any ePrivacy legal framework must be compatible with technological development and human progress. The European Union has the opportunity to get this balance right by applying a more flexible risk-based approach which will work now and in the future.”
