16 March 2020
Radar - March 2020 – 3 of 3 Insights
Legitimate interests suggested as grounds for using cookies.
The European Commission published a proposal for an ePrivacy Regulation (Regulation) to overhaul the Directive and harmonise application across the EU as part of its Digital Single Market initiative. The initial intention was for the Regulation to come into effect at the same time as the General Data Protection Regulation (GDPR) on 25 May 2018. Obviously that didn't happen. The draft Regulation has proved so contentious that it has not yet progressed as far as trilogues, with the European Council still to agree its position.
The new Croatian presidency has published a revised text of the ePrivacy Regulation. It introduces changes to Article 6 (permitted processing of communications metadata) and Article 8 (protection of end-users' terminal equipment information including cookies rules) and related recitals. The aim is to simplify the text and further align with the GDPR, principally by introducing the possibility of processing based on legitimate interests in both cases, subject to conditions and safeguards.
Under the proposals, legitimate interests could be used as an exemption from the prohibition on:
provided that the legitimate interests are not overridden by the interests or fundamental rights and freedoms of the end-user.
The new draft sets out some examples of when the individual's rights and interests will override the legitimate interests of the service provider in dropping cookies or other similar technologies:
The information collected on the basis of legitimate interests cannot be shared with any third party (aside from data processors) unless it has been anonymised. There are also requirements to:
Similar but not identical considerations would apply to the collection of metadata based on legitimate interests.
If these revisions are adopted, they would represent a major change to the current regime and mean that cookies would not necessarily require user consent. This could be a big win for adtech (although the exceptions could water down any advantage) but privacy campaigners are already complaining that the safeguards around the legitimate interests proposals do not go far enough. The proposals have also been criticised as contradicting other provisions in the legislation.
Even were the Council to agree these proposals (which in itself seems most unlikely), they would go against the EU Parliament's position, which could make trilogues difficult if not impossible to resolve. So what are these changes trying to achieve if they have little hope of coming to fruition? Some commentators suggest that this radical move is a last-ditch attempt either to progress the legislation or to get it sent back to the legislative drawing board, at which point it would start from scratch.
Even if agreement is reached on the current proposals, they are unlikely to come in before the end of the UK's transition period, and it remains to be seen whether the UK will go down the legitimate interests route for cookies and electronic communications metadata, with or without the EU.
by multiple authors