Legitimate interests suggested as grounds for using cookies.
What's the issue?
The ePrivacy Directive 2002, as amended, (implemented in the UK by the Privacy and Electronic Communications Regulations or PECR, also amended multiple times) covers universal service and user rights in relation to electronic communications networks and services. For the majority of businesses, the most important elements deal with the use of cookies and similar technologies, and rules on electronic marketing. Communications network and service providers must also comply with security and privacy obligations.
The European Commission published a proposal for an ePrivacy Regulation (Regulation) to overhaul the Directive and harmonise application across the EU as part of its Digital Single Market initiative. The initial intention was for the Regulation to come into effect at the same time as the General Data Protection Regulation (GDPR) on 25 May 2018. Obviously that didn't happen. The draft Regulation has proved so contentious that it has not yet progressed as far as trilogues, with the European Council still to agree its position.
What's the development?
The new Croatian presidency has published a revised text of the ePrivacy Regulation. It introduces changes to Article 6 (permitted processing of communications metadata) and Article 8 (protection of end-users' terminal equipment information including cookies rules) and related recitals. The aim is to simplify the text and further align with the GDPR, principally by introducing the possibility of processing based on legitimate interests in both cases, subject to conditions and safeguards.
Under the proposals, legitimate interests could be used as an exemption from the prohibition on:
- Providers of electronic communications networks and services processing electronic communications metadata; and
- The use of processing and storage capabilities of terminal equipment and the collection of information from end-users' terminal equipment, including about its software and hardware,
provided that the legitimate interests are not overridden by the interests or fundamental rights and freedoms of the end-user.
The new draft sets out some examples of when the individual's rights and interests will override the legitimate interests of the service provider in dropping cookies or other similar technologies:
- Where the end-user is a child.
- Where the service provider processes the information to determine the nature and characteristics of the end-user or to build an individual profile of them.
- Where the data processed includes sensitive or special personal data.
The information collected on the basis of legitimate interests cannot be shared with any third party (aside from data processors) unless it has been anonymised. There are also requirements to:
- Carry out an impact assessment.
- Inform the end-user of any processing based on legitimate interests and give them the right to object.
- Implement appropriate technical and organisational measures like pseudonymisation and encryption.
Similar but not identical considerations would apply to the collection of metadata based on legitimate interests.
What does this mean for you?
If these revisions are adopted, they would represent a major change to the current regime and mean that cookies would not necessarily require user consent. This could be a big win for adtech (although the exceptions could water down any advantage) but privacy campaigners are already complaining that the safeguards around the legitimate interests proposals do not go far enough. The proposals have also been criticised as contradicting other provisions in the legislation.
Even were the Council to agree these proposals (which in itself seems most unlikely), they would go against the EU Parliament's position, which could make trilogues difficult if not impossible to resolve. So what are these changes trying to achieve if they have little hope of coming to fruition? Some commentators suggest that this radical move is a last-ditch attempt to either progress the legislation or get it sent back to the legislative drawing board, at which point it would start from scratch.
Even if agreement is reached on the current proposals, they are unlikely to come in before the end of the UK's transition period and it remains to be seen whether the UK will go down the legitimate interests route for cookies and electronic communications metadata, with or without the EU.