E-Privacy: The EU Council agrees on a draft regulation

On February 10, 2021,  member states agreed on a negotiating mandate for revised rules on the protection of privacy and confidentiality in the use of electronic communications services (e-privacy regulation).

These updated ‘ePrivacy’ regulation will specify when service providers are allowed to process electronic communications data or have access to data stored on end-users’ devices (including cookies information). This agreement allows the Portuguese presidency to start talks with the European Parliament on the final text.

This regulation covers the processing of electronic communication and meta data, electronic direct marketing (emailing, phone call), use of cookies.

In particular, the draft regulation would allow the use of cookie wall provided that the user is able to choose between that offer and an equivalent offer provided by the same provider that does not involve consenting to cookies.

Why do we need a new e-privacy regulation?

Initially, it was planned that the e-privacy regulation be adopted at the same time as the GDPR in 2016 as the former complements the latter (e.g. it specify rules applicable to cookies, electronic communication including marketing etc.). However, the negotiations of this regulation drug out, a first draft regulation was released in 2017 but was rejected last year.

As a consequence, the e-privacy directive of 2002 amended in 2009 is still applicable and has become outdated.  An update has therefore become urgent in order to take into consideration new technological and market developments (e.g, use of Voice and web-based email and messaging services etc.) 

In this regard, Pedro Nuno Santos, Portuguese Minister for Infrastructure and Housing and President of the Council declared: “Robust privacy rules are vital for creating and maintaining trust in a digital world. The path to the Council position has not been easy, but we now have a mandate that strikes a good balance between solid protection of the private life of individuals and fostering the development of new technologies and innovation. The Portuguese presidency is very pleased to launch talks now with the European Parliament on this key proposal.”

Scope of the draft regulation

The regulation will cover electronic communications content transmitted using publicly available services and networks, and metadata related to the communication (e.g. information on the location and the time and recipient of the communication.) It is considered potentially as sensitive as the content.

Unlike the GDPR, which it complements, many e-Privacy provisions will apply to both natural and legal persons.

Internet of Things, the rules will also cover machine-to-machine data transmitted via a public network.

The rules will apply when end-users are in the EU, including where the processing takes place outside the EU or the service provider is established or located outside the EU. This provision is similar to the GDPR.

Permitted processing of communication and metadata

As a principle, electronic communications data will be confidential (i.e. any interference such as listening, monitoring and processing by third parties will be prohibited unless otherwise permitted by the regulation)

Permitted processing of electronic communications data, without the consent of the user, includes the following:

  • ensuring the integrity of communications services,
  • checking for the presence of malware or viruses, or
  • cases where the service provider is bound by EU or member states’ law for the prosecution of criminal offences or prevention of threats to public security.

Metadata may be processed for billing, or for detecting or stopping fraudulent use.

With the user’s consent, service providers could also process the metadata as follows: 

  • use metadata to display traffic movements to help public authorities and transport operators to develop new infrastructure where it is most needed;
  • to protect users’ vital interests, including for monitoring epidemics and their spread or in humanitarian emergencies, in particular, natural and man-made disasters;
  • providers of electronic communications networks and services may process metadata for purposes other than those for which data was collected if this purpose is compatible with the initial purpose and strong specific safeguard apply to it.

The use of processing and storage capabilities and the collection of information from the device will only be allowed with the user’s consent or for specific purposes laid down in the regulation.

Cookies consent and cookie wall

The end-user should have a genuine choice on whether to accept cookies or similar identifiers.

Cookie wall (i.e. making access to a website conditional on consent to the use of cookies for additional purposes as an alternative to a paywall)  will be allowed if the user is able to choose between that offer and an equivalent offer provided by the same provider that does not involve consenting to cookies.

The text also includes rules on online identification, public directories, and unsolicited and direct marketing.

The regulation would enter into force 20 days after its publication in the EU Official Journal, and would start to apply two years later.

E-Privacy: The EU Council agrees on a draft regulation
Tagged on: