With ePrivacy delayed in negotiations, the respite this brings supports other data showing that GDPR has hit companies harder than expected, says Teavaro lead consultant Ben McDermott…

The ePrivacy Regulation was supposed to arrive with GDPR last year; then a few months later. Then it was delayed to this year. Now, with the draft still going through the negotiation process, it seems that ePrivacy will not arrive in any meaningful form until 2021. A reason to rejoice for put-upon data controllers? Perhaps. But then again, if we look at the surrounding landscape, perhaps not.

Firstly, the ePrivacy Regulation seems to have hit a few snags when it comes to future-proofing. This usually means there needs to be either more flexibility or more stringency to deal with the unforeseen outcomes driven by technological and even regulatory developments. Much of the topics requiring further work are those already covered in part by the GDPR: electronic communications data, privacy settings, hardware protection and supervision of the regulation. Strange then that the Council of the EU’s progress report suggests the draft Regulation requires more alignment with the GDPR, and more protection for the business models of those they are seeking to regulate (i.e. online services financed by advertising), as well as considerations for those they are regulating on behalf of (i.e. consent fatigue for end users).

No doubt that industry advocates and representatives have been lobbying hard, with the impact of GDPR being felt far and wide. Issues that dogged current monetisation methods appear to have found a sympathetic ear, but perhaps other matters have led the regulators to drag their heels?

GDPR was the biggest shake up of data laws in 25 years, and as such, it is doubtful that those who proposed them could have foreseen the landscape following last May’s deadline. The sheer number of data breaches alone – reported to be in excess of 59,000 by the end of January 2019 (figures from DLA Piper GDPR Data Breach Survey) – hints at the load under which regulators must find themselves. Not to mention the lack of GDPR preparedness of data controllers and data processors alike.

What has not been reported on in a collective fashion is the case load this generates. When, on the first day of GDPR, an $8.8bn lawsuit against Google and Facebook began the proceedings, the signs were ominous. More lawsuits have followed, with even those positioned as industry guides through the GDPR maze – such as the IAB – being named as defendants. We get some idea of the scale, however, when we consider that 60 GDPR fines were meted out in 2018. And we get some idea of the acceleration of this when we consider that this figure has now risen to over 90 after the first month of 2019.

With this context, the delay to ePrivacy could signal an acknowledgement by regulators that the storm of GDPR has not been weathered well by everyone. Companies need time to patch up the leaks – all 59,000 of them – before the next wave of regulation. And even with this respite, many could find riding that next wave even more difficult.

But it’s not all doom and gloom: these delays provide new opportunities for data controllers to build a long-term future, in which the word ‘controller’ means more than just compliance responsibility. It is apparent this requires technological changes in how data is handled, how consent is managed, and how the ecosystem adapts and develops. Thankfully, the regulators recognise this too, so this eye of the storm, under their control, may provide the calm needed to reflect, react and respond to new learnings about the new regulations before the next wave hits.