Paul Voigt, Axel von dem Bussche: the EU ePrivacy Regulation – Preliminary Guidance and Commentary 

Article 27 ePrivacy Regulation – Repeal

Art. 27 ePrivacy Regulation

Article 27 ePrivacy Regulation – Repeal

1. Directive 2002/58/EC is repealed with effect from [1August 2022].

2. References to the repealed Directive shall be construed as references to this Regulation.

Art. 27 ePrivacy Regulation

(43) Directive 2002/58/EC should be repealed.

Art. 27 ePrivacy Regulation initiates Chapter VII on the final provisions. It replaces the preceding ePrivacy Directive and, thus, finalizes the transition from directive to regulation. Doing so, it aims for a comprehensive harmonization of European legislation on privacy and data protection. To what extent a respective harmonization can actually be achieved, however, remains questionable. On the one hand, the ePrivacy Regulation still contains several provisions delegating specifications to the Member States. On the other hand, experience with the enforcement of the GDPR shows that also the ePrivacy Regulation will most probably also lead to significant deviations of enforcement practices between Member States.  This is true, all the more, when considering the opening clause in Art. 24 ePrivacy Regulation, pursuant to which Member States shall lay down their own rules on penalties other than fines and, thus, further particularize the sanctioning system under the ePrivacy Regulation.

Yet, at least the purpose of the regulation becomes clear, which is to harmonize the protection of fundamental rights and freedoms in particular with respect to the protection of privacy and personal data, as well as to ensure the free movement of personal data within the Union.[1]

[1] Cf. Rec. 41 S. 1 ePrivacy Regulation.

Repealing the ePrivacy Directive, the ePrivacy Regulation remains as the only relevant and applicable regulation on privacy within its given regulatory scope (cf. Art. 288 Sec. 2 TFEU). The ePrivacy Directive’s effect vis-á-vis the Member States ceases and, thus, their duty of transposition.[2] Indeed, national rules still stay in place, as their validity is based on the authority of national parliaments.[3] Yet, to the extent that they conflict with stipulations under the ePrivacy Regulation, they are superseded by primacy of application of European law and are, thus, ineffective.[4] Other than that, national legislation must assess whether some of the rules may still pertain their effectivity if they can be interpreted as an implementation of the ePrivacy Regulation’s delegations.

Since Art. 27 Sec. 1 ePrivacy Regulation applies only to the directive itself, administrative acts and decisions taken on the basis of the directive or its national transposition remain in force until they are amended, replaced or repealed.[5] This does not result from the ePrivacy Regulation itself, but from a systematic comparison with Rec. 171 S. 4 GDPR, which concerns the repeal of the Data Protection Directive under Art. 94 GDPR.

To the contrary, stipulations on consent pursuant to Art. 2 lit. f ePrivacy Directive (which itself referred to the preceding Data Protection Directive) do not stay in force. To the extent that Art. 4a ePrivacy Regulation stipulates different or additional normative requirements, these must be complied with accordingly and might render existing provisions of consent between private parties ineffective.[6] As a consequence, contracting parties are advised to review existing declarations of consent and, if necessary, to obtain new ones.

[2] Sydow, in: Sydow, EU-Datenschutzgrundverordnung (2018), Art. 94 Rec. 2.

[3] Hornung/Spiecker gen. Döhmann, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 94 Rec. 8.

[4] Nettesheim, in: Grabitz/Hilf/Nettesheim, Das Recht der Europäischen Union, Art. 1 TFEU, Recs. 71 et seqq.

[5] Sydow, in: Sydow, EU-Datenschutzgrundverordnung (2018), Art. 94 Rec. 6.

[6] Sydow, in: Sydow, EU-Datenschutzgrundverordnung (2018), Art. 94 Rec. 9.

Art. 27 Sec. 2 ePrivacy Regulation stipulates that references to the repealed directive now are to be interpreted as references to the ePrivacy Regulation (cf., for instance, Art. 95 GDPR). This provision intends to facilitate the transition from directive to regulation, as otherwise, respective references would be ineffective.[7] Accordingly, associated legislative efforts are eliminated to the extent that, generally, no additional adjustment is required.[8] With respect to private contracts, this reference, indeed, unfolds no direct effect, yet may a due interpretation with respect to the aim of ensuring privacy compliance result in the finding that references shall, as well, be construed as references to this regulation.[9]

[7] Golland, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022), Art. 94 Rec. 13.

[8] Golland, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022), Art. 94 Rec. 13.

[9] Golland, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022), Art. 94 Rec. 20.