Will 2021 finally be the year of the ePrivacy Regulation?

The legislative process to enact an ePrivacy Regulation has been going on for a while: a first draft was introduced by the European Commission on 10 January 2017.  Intended to replace the current ePrivacy Directive, the Regulation was meant to come into force at the same time as the GDPR in May 2018. However, since the original proposal, we have been stuck in a regulatory limbo of rejected drafts and uncertainty about the future of the Regulation.

Where we left off

Both the (currently still applicable) ePrivacy Directive and the proposed ePrivacy Regulation are concerned with the processing of personal data and the protection of privacy in the electronic communications sector.

With its initial draft for an ePrivacy Regulation, the European Commission wanted to achieve:

• Direct applicability of the law in all EU Member States, rather than requiring the adoption of (potentially conflicting) national implementation acts.
• Set requirements both for content and metadata derived from electronic communications.
• More scope for telecommunications providers to use data and provide additional services, subject to obtaining appropriate consent.
• Streamlined rules on cookies.
• Harmonised rules on unsolicited direct marketing electronic communications.
• Enhanced enforcement, including by bringing penalties for non-compliance in line with those under the GDPR.

The initial Commission draft has been through major revisions, which is not surprising given the three years of debates it has already been subjected to in the EU. Some of the more notable amendments proposed along the way include:

• introducing legitimate interests as a lawful basis for the processing of electronic communications metadata and for placing cookies, and
• introducing stricter consent requirements.

The German Presidency draft

One of the more significant of the recent drafts was published by the German presidency of the Council of the European Union on 4 November 2020.  It took a distinctly different approach to the one in the preceding draft by the Croatian presidency.

Cookies

Under the German draft, cookies and similar technologies are prohibited except when:

• the end-user has given their consent
• they are necessary for carrying out transmission of an electronic communication
• they are technically necessary for providing a service specifically requested by the end-user
• they are necessary for audience measurements, subject to certain conditions
• they are necessary to maintain or restore the security of information society services, prevent fraud or detect technical faults for the duration of that purpose
• they are necessary for a software update, subject to conditions, or
• they are necessary to locate terminal equipment when an end user makes an emergency communication.

Crucially, the German draft removed the proposal under the Croatian draft that legitimate interests of a service provider could provide a valid lawful basis for collecting information from an end user’s terminal equipment without their consent.

The use of so-called 'cookie walls', which make access to website content dependent on the consent to the storage of cookies for additional purposes is allowed subject to certain conditions:

• The end-user needs to be able to choose between services on the basis of clear, precise, and user-friendly information about the purposes of cookies and similar techniques.
• The provider needs to ensure there is an equivalent offer by the same provider that does not involve consenting to data use for additional purposes.
• There need to be alternatives to the service and there should not be an imbalance of power between the end-user and the service provider.

Consent to cookies under the German draft can be granted using browser and software settings. Software providers are encouraged to include settings in their software which allow end users to manage consent in their terminal equipment by maintaining whitelists where consent can be granted and withdrawn.

Data retention

The German proposal would require erasing all electronic communications content or anonymising it when it is no longer necessary for the initial purpose of processing. The same applies to metadata when it is no longer needed for the purpose of the transmission of a communication. The only exception is where electronic communications metadata is needed for the purpose of billing, in which case it may be kept until the end of the period during which a bill may lawfully be challenged according to national law.

In a rejection of the Croatian Presidency’s draft proposal, which allowed for the retention of data if required by national law due to national security reasons or for aiding law enforcement, the German presidency’s draft did not include such an exemption.

The German draft followed the guidance of recent CJEU case law (in Privacy International) that sets limits to mass data retention and data collection practices for national security reasons.

Reception of the German draft

The German presidency’s draft received a mixed response in the Council. While the deletion of the legitimate interest provision was generally well received, other changes were called into question. Some Member States argued that the restrictions with respect to the processing of metadata were too harsh and would impede innovation. Others suggested the Council should use the last proposal submitted by the Finnish Presidency as the starting point for a next round of negotiations. As a result, the German presidency’s draft, like the 12 drafts which preceded it, was rejected in Council

The Portuguese draft

The rejection of the German draft triggered another round of proposals and negotiations.  2021 started with a bang as the Portuguese presidency released a new draft of the Regulation on 5 January.

The Portuguese draft retains major elements of the German draft.  While many of the changes in the Portuguese draft are intended to simplify the text and make it more consistent with GDPR provisions, there are also some significant developments including (partly copying suggestions from previous drafts):

• The reinsertion of provisions allowing further processing of electronic communications data (including metadata) where the processing is compatible with the initial purpose for which the data was processed.
• Service providers may access end user devices where necessary for the performance of a contract (rather than for technical performance).
• There are new requirements on service providers to carry out a Data Protection Impact Assessment before sharing anonymised electronic communications data with third parties, and additional transparency and information requirements.
• Allowing service providers to process electronic communications data (including metadata) without consent in order to provide an electronic communications service (rather than the more restrictive previous purpose of achieving transmission of a communication).

Despite concerns expressed by the EDPB about aspects the Regulation, at the time of writing, the draft was due to be presented to Council imminently. If it gets approval this month, that would be a major step in the right direction although not the end of the story.

Where does that leave us?

It seems unlikely that the ePrivacy Regulation will enter into force before 2023, and even this will only happen if the Member States are able to agree on a final version in the next few months.  

In order to keep pace with the ever-changing tech landscape, the EU has already started to implement parts of the ePrivacy Regulation into other laws. Since December 2020, the European Electronic Communications Code has required EU Member States to expand the definition of "Electronic Communications Services" in their telecommunication laws to include so-called "Over-the-Top-Services" where signals are transmitted over the internet, eg messaging services such as WhatsApp or Skype, regulating these providers in a similar way as traditional telco services. The EDPB has also started to suggest some issues may be better dealt with by amending the GDPR.

With the Brexit transition period now over, the UK could, in theory, 'go it alone' and give up waiting for the ePrivacy Regulation.  There is no indication that this is actively being considered and it is more likely that the UK will wait to see what the EU eventually decides, particularly given the need for an EU adequacy arrangement for personal data. Given the glacial pace of development, that could still change.