On 10 February 2021, the EU Member States agreed on the EU Council’s negotiating mandate for the draft ePrivacy Regulation. The new Regulation will repeal and replace the existing ePrivacy Directive 2002/58/EC. The text approved by the EU Member States allows the EU Council to start negotiations with the European Parliament on the final text of the ePrivacy Regulation.

Key Highlights

The EU Council’s Press Release sets out the key highlights of the draft ePrivacy Regulation, which include:

  • The rules will apply when end-users are in the EU. This also covers cases where the processing takes place outside the EU or the service provider is established or located outside the EU.
  • The Regulation will cover electronic communications content and metadata (such as information on location, time and recipient of a communication).
  • Metadata may be processed, for example, for billing purposes, for detecting or stopping fraudulent use, and to protect users’ vital interests (including for monitoring the spread of epidemics, or in natural or man-made disasters). In certain instances, providers of electronic communications networks and services will be permitted to process metadata for a purpose other than that for which it was collected (even without the user’s consent or a legislative basis), provided that such purpose is compatible with the initial purpose and that strong specific safeguards apply to such processing.
  • The draft text maintains the rule that electronic communications data is confidential. Any interference, including listening to, monitoring or other processing of data by anyone other than the parties involved in the communication is prohibited, except when permitted by the ePrivacy Regulation. Permitted processing without the consent of the user includes, for example, where it is necessary to ensure the integrity of communications services, checking for malware or viruses, or cases where the service provider is bound by EU or EU Member States’ laws for the prosecution of criminal offences or prevention of threats to public security.
  • As the user’s terminal equipment, including both hardware and software, may store highly personal information, such as photos and contact lists, the use of processing and storage capabilities and the collection of information from the device will only be allowed with the user’s consent or for other specific transparent purposes laid down in the regulation.
  • The end-user should have a genuine choice on whether to accept cookies or similar identifiers. Making access to a website dependent on consent to the use of cookies for additional purposes as an alternative to a paywall will be allowed if the user is able to choose between that offer and an equivalent offer by the same provider that does not involve consenting to cookies.
  • To avoid cookie consent fatigue, an end-user will be able to give consent to the use of certain types of cookies by whitelisting one or several providers in their browser settings. Software providers will be encouraged to make it easy for users to set up and amend whitelists on their browsers and withdraw consent at any moment.

The draft text proposes a transition period of two years, starting twenty days after the ePrivacy Regulation is published in the EU Official Journal. The text of the draft ePrivacy Regulation is available here.