The legislative process to enact an ePrivacy Regulation has been going on for a while: a first draft was introduced by the European Commission on 10 January 2017. Intended to replace the current ePrivacy Directive, the Regulation was meant to come into force at the same time as the GDPR in May 2018. However, since the original proposal, we have been stuck in a regulatory limbo of rejected drafts and uncertainty about the future of the Regulation.
Both the (currently still applicable) ePrivacy Directive and the proposed ePrivacy Regulation are concerned with the processing of personal data and the protection of privacy in the electronic communications sector.
With its initial draft for an ePrivacy Regulation, the European Commission wanted to achieve:
The initial Commission draft has been through major revisions, which is not surprising given the three years of debates it has already been subjected to in the EU. Some of the more notable amendments proposed along the way include:
One of the more significant of the recent drafts was published by the German presidency of the Council of the European Union on 4 November 2020. It took a distinctly different approach to the one in the preceding draft by the Croatian presidency.
Under the German draft, cookies and similar technologies are prohibited except when:
Crucially, the German draft removed the proposal under the Croatian draft that legitimate interests of a service provider could provide a valid lawful basis for collecting information from an end user’s terminal equipment without their consent.
The use of so-called 'cookie walls', which make access to website content dependent on consent to the storage of cookies for additional purposes, is allowed subject to certain conditions:
Consent to cookies under the German draft can be granted using browser and software settings. Software providers are encouraged to include settings in their software which allow end users to manage consent in their terminal equipment by maintaining whitelists where consent can be granted and withdrawn.
The German proposal would require erasing all electronic communications content or anonymising it when it is no longer necessary for the initial purpose of processing. The same applies to metadata when it is no longer needed for the purpose of the transmission of a communication. The only exception is where electronic communications metadata is needed for the purpose of billing, in which case it may be kept until the end of the period during which a bill may lawfully be challenged according to national law.
In a rejection of the Croatian Presidency’s draft proposal, which allowed for the retention of data if required by national law due to national security reasons or for aiding law enforcement, the German presidency’s draft did not include such an exemption.
The German draft followed the guidance of recent CJEU case law (in Privacy International) that sets limits to mass data retention and data collection practices for national security reasons.
The German presidency’s draft received a mixed response in the Council. While the deletion of the legitimate interest provision was generally well received, other changes were called into question. Some Member States argued that the restrictions with respect to the processing of metadata were too harsh and would impede innovation. Others suggested the Council should use the last proposal submitted by the Finnish Presidency as the starting point for a next round of negotiations. As a result, the German presidency’s draft, like the 12 drafts which preceded it, was rejected in Council.
The rejection of the German draft triggered another round of proposals and negotiations. 2021 started with a bang as the Portuguese presidency released a new draft of the Regulation on 5 January.
The Portuguese draft retains major elements of the German draft. While many of the changes in the Portuguese draft are intended to simplify the text and make it more consistent with GDPR provisions, there are also some significant developments including (partly copying suggestions from previous drafts):
Despite concerns expressed by the EDPB about aspects of the Regulation, at the time of writing, the draft was due to be presented to Council imminently. If it gets approval this month, that would be a major step in the right direction, although not the end of the story.
It seems unlikely that the ePrivacy Regulation will enter into force before 2023, and even this will only happen if the Member States are able to agree on a final version in the next few months.
In order to keep pace with the ever-changing tech landscape, the EU has already started to implement parts of the ePrivacy Regulation into other laws. Since December 2020, the European Electronic Communications Code has required EU Member States to expand the definition of "Electronic Communications Services" in their telecommunication laws to include so-called "Over-the-Top-Services" where signals are transmitted over the internet, eg messaging services such as WhatsApp or Skype, regulating these providers in a similar way to traditional telco services. The EDPB has also started to suggest some issues may be better dealt with by amending the GDPR.
With the Brexit transition period now over, the UK could, in theory, 'go it alone' and give up waiting for the ePrivacy Regulation. There is no indication that this is actively being considered and it is more likely that the UK will wait to see what the EU eventually decides, particularly given the need for an EU adequacy arrangement for personal data. Given the glacial pace of development, that could still change.