Effective regulation through design - Aligning the ePrivacy Regulation with the EU General Data Protection Regulation (GDPR): Tracking technologies in personalised internet content and the data protection by design approach

After numerous revisions of the initial draft of the ePrivacy Regulation, the Portuguese presidency finally submitted a draft that all EU Member States agreed on. We would like to take the opportunity of the beginning of the trilogue to point out a serious technical flaw in the current draft. This flaw lies in the ambiguous relationship between the ePrivacy Regulation and the GDPR. As such, this ambiguity calls into question the applicability of several decisive provisions of the GDPR; first and foremost, the data protection by design approach and co-regulation instruments such as codes of conduct and certificates.

The electronic communications sector is characterised by two key aspects in particular: its rapid pace of technological development and the dependency of users on the trustworthiness of electronic communication providers. Since third parties mediate the data subjects’ communication, data subjects on their own can only exercise limited control over their privacy, freedom, equality, etc. Based on our interdisciplinary research focusing on personalised content and tracking technologies, we observe that the current draft of the ePrivacy Regulation itself does not provide a level of protection that could be considered effective in meeting the needs of electronic communications users. Effective protection could however be provided by applying the aforementioned GDPR-provisions. It would therefore be contradictory for the ePrivacy Regulation to jeopardize through its ambiguous interplay with the GDPR the application of the very GDPR provisions that are best suited to keep up with the needs of the data subjects.

In our opinion, to avoid this ambiguity, the legislator has two options: Either the legislator may specifically clarify the application of the data protection by design approach and other related provisions (in particular the processing principles, data subjects' rights and certification mechanisms) in the ePrivacy Regulation. Or, more fundamentally, the legislator may clarify, firstly, in Art. 1 sect. 3 that "insofar as the Regulation does not provide for more specific rules, the provisions of the GDPR shall apply". Secondly, the legislator has to clarify in the specifying provisions of the ePrivacy Regulation which GDPR provisions they exactly specify and to what extent (e.g. restriction of the legal basis or the requirement of strict identity of purpose); in this way, the legislator can avoid unclear specifications leading to the exclusion of GDPR standards that the legislator did not intend to exclude.

With this study, we would also like to recommend to the legislator an expansion of its legislative methods to include those of other disciplines, such as user experience research and visual design. While legislation should still draw from the legal considerations involved in the legislative information process, we suggest that this process would benefit considerably if supplemented with empirical studies and design methods such as those presented in this paper. Accordingly, the legislator could test which regulations produce which effects in practice, thereby increasing the effectiveness and the rationality of laws. In conclusion, we argue for more evidence-based lawmaking through design.