It has been some months since we wrote about the ePrivacy Regulation and some years since the first draft was proposed.  Since then, we have seen numerous delays in achieving an agreed form of legislation, caused in part by strong views on how privacy and confidentiality shape the development of electronic communications services and passionate industry lobbying by both the AdTech industry and privacy organisations.

On 10 February 2021, the Council of the EU’s Permanent Representatives Committee (COREPER) finally adopted an agreed position on the ePrivacy Regulation, allowing the legislation to progress to the next stage of negotiation, namely the trilogue between the Council, the European Parliament and the European Commission.  Judging by the initial reactions to the Council’s draft, this negotiation stage will not be without its challenges and seems likely to be a protracted process.  The agreed text can be read here.

Key positions taken in the draft

Cookie walls

The draft does not prevent the use of cookie walls (a cookie wall is where an end user is prevented from using a service unless they have accepted a form of cookie).  The draft provides that access to a free service can be made conditional on accepting cookies, provided that the service provider offers an equivalent option that does not require the acceptance of cookies.

Direct marketing

There is little substantive change here, although Member States are entitled to provide a specific period of time after which direct marketing consents will expire, or to assign call identification prefixes to identify direct marketing calls.

Metadata

The draft allows for processing of metadata without consent for certain defined purposes.  These relate to information security, fraud prevention, service provision (for example, billing and managing abuse of the service) or for the protection of “vital interests” which follows the same concept used in the GDPR.

Retention and surveillance

The draft provides for an exception from the requirement to obtain consent and to delete or anonymise device data and/or metadata once it is no longer needed to provide the service, where this is required under EU or member state law for the prevention, investigation, detection or prosecution of criminal offences or prevention of threats to public security. Whilst provision for use of data for these purposes was included in previous drafts, the new draft clarifies that the data can specifically be retained for these purposes.

Re-purposing of data

In line with the purpose limitation principle set out in the GDPR, the Council’s draft provides that pseudonymised metadata and device information can be processed for purposes other than those for which it was collected, provided such processes are “compatible” with the original purpose (based on fairly loosely defined criteria).   This introduces some uncertainty over how such data will be used over time, particularly taking into account developments in technology.  This provision will be good news for telco companies and companies operating in the adtech space. However, there are still some limitations.  Data originally processed on the basis of consent or public interest cannot be repurposed in this way, the data cannot be shared with third parties (other than processors acting on the service provider’s behalf) unless in an anonymised form, and use of re-purposed metadata to determine the nature or characteristics of an individual or to build a profile of them is not permitted to the extent this would significantly affect them.

Next steps

The proposal is essentially a long-awaited mandate for further negotiation.  The Presidency of the Council will now commence negotiations between the European Parliament, the European Commission and the EU Council representatives on the final text of the ePrivacy Regulation.  Once agreed, there will be an implementation period (currently proposed at two years) from the twentieth day following its publication in OJEU.

The Presidency takes the view that the draft strikes a good balance between solid protection of the private life of individuals and fostering the development of new technologies and innovation – but it remains to be seen whether the European Parliament and European Commission will agree.

Status in the UK

Whilst the ePrivacy Regulation will not apply directly in the UK, the current draft provides that UK service providers would still need to comply with it to the extent that end users are located in the EU.  Additionally, the UK government has committed to implementing laws to protect privacy and is currently seeking an adequacy decision from the European Commission following Brexit.  As a result, it seems likely that the UK will seek to align with the ePrivacy Regulation, at least to some extent.

Reactions so far

The draft has widely been interpreted as being more business friendly than privacy friendly.

Notably, representatives for Germany and Austria abstained from voting on the agreed text.  Whilst no formal reasons were given at the time, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) of Germany issued a press release setting out concerns relating to the use of cookie walls, consent requirements and the reintroduction of data retention provisions, among other things, and referring to the draft as a “severe blow to data protection.”

Privacy rights organisations have criticised the draft for eroding protections that were proposed in previous drafts.  Particular issues of concern include the surveillance provisions allowing for the retention of metadata, cookie walls and the right to re-purpose data.

The draft was also criticised for failing to future proof. Specific terminology is used that, whilst serving to aid understanding, does not make provision for future developments in technology.

Our take

This is by no means the end of the journey for the ePrivacy Regulation.  The trilogue process itself can be lengthy (the parties took nearly a year to agree the final form of the GDPR) and we can expect a fairly wide gap to close here, given that the European Parliament has previously demonstrated a fairly pro-privacy stance.  Thereafter, we will also need to wait and see how the UK chooses to react to the legislation and to what extent UK legislation will align with it.