Introduction

Since the European Commission unveiled a proposal for an e-Privacy Regulation in January 2017, this new piece of legislation, aiming to adapt rules on electronic communications and cookies, has undergone many iterations. The European Parliament has left its version untouched since October 2017, and in the meantime the Council of the EU has regularly published changes of its own (reflecting points of divergence between the various EU Member States). On 26 July 2019, at the level of the Council, the Finnish government has issued a revised (Council) proposal for the e-Privacy Regulation with some amendments concerning electronic communication content, data & metadata, and further processing of metadata. This proposal will be discussed during a next Council meeting on 9 September 2019. In this post, we shall provide a brief summary of the amendments and of the broader text as it currently stands.

Amendments in the Proposal of 26 July

The Proposal has introduced a limited number of amendments.

The most conspicuous amendment introduced by the Proposal is the division of Article 6 into four distinct provisions, in order to clarify their respective scope. This provision regulates processing of electronic communications data by telecommunications operators, specifically the conditions under which different aspects of electronic communication may be processed. The provision has now been split, each Article regulating processing of a specific type of data:

  • Art. 6 – all electronic communications data (content and metadata);
  • Art. 6a – electronic communications content ;
  • Art. 6b – electronic communications metadata;
  • Art. 6c – further processing of electronic communications metadata.

Another notable change in the new Art. 6 (all data) is the addition of a general rule according to which this data can only be processed (i) for the duration necessary for the permitted purposes and (ii) if those purposes cannot be fulfilled by processing information that is made anonymous.

Otherwise, some notable amendments have been made in Recital 32 and Article 16, concerning the scope of rules on unsolicited communications. While the previous version made it clear that advertising displayed online “to the general public” was excluded from the scope of these rules (suggesting targeted advertising was covered), new changes suggest that even targeted advertising might not constitute direct marketing communications under the Proposal (e.g. “presenting” advertising was previously covered, in addition to “sending“, but “presenting” has now been deleted; in addition, to fall within the scope of the rules, the marketing must be sent “for reception by that end-user“).

Key topics: current status in the Council’s draft e-Privacy Regulation

The current version of the Council’s draft of the e-Privacy Regulation can be summarized as providing for the following substantive rules for organisations:

a) Anti-spam: rules for digital marketing

As under the current framework (the e-Privacy Directive), unsolicited commercial communications by electronic means (“spam”) are prohibited, except if consent was given by the recipient. By way of an exception, no consent is needed for the sending of commercial emails to existing customers to advertise own, similar products (though every communication must include an opt-out possibility). The scope of these rules still appears to be subject to discussion, in particular their applicability to online advertising (see above).

b) Cookies and similar files/tags

The current Council draft of the e-Privacy Regulation also provides comprehensive rules for use of web cookies and similar files or tags, considerably extending the current regulations. The scope of these rules has been considerably extended compared to the old e-Privacy Directive, referring now to any use of the storing or processing capabilities of the device (and not merely the storage or retrieval of information). In other words, cookies and stored information remain covered, but so are now certain scripts and tags (which today largely falls outside of the scope of the current ‘cookie’ rules).

The use of cookies (and similar files/tags) requires consent in general. However, the e-Privacy Regulation provides for numerous exemptions, including both already familiar exemptions (cookies necessary for communication or technical reasons) as well as new exemptions such as (certain forms of) analytics, security (incl. fraud prevention), software updates and execution of employees’ tasks.

The quality of consent should in general correspond to the General Data Protection Regulation (GDPR). However, the e-Privacy Regulation should to some extent allow consent through browser settings, and currently contains a number of references to the possibility to give consent by software-related technical means. A previous Council draft had removed the Commission’s proposal to impose on Internet browser publishers an obligation to foresee granular settings at browser-level (replacing the obligation with merely an encouragement), and the latest draft has not changed this new, less stringent approach.

As far as ‘cookie walls’ are concerned (the practice of blocking access to content until a user gives consent to e.g. advertising cookies), the Council continues down the path it set a few iterations ago, not prohibiting cookie walls in principle provided the user is offered an ‘equivalent offer‘ that does not involve the need for such consent.

c) Secrecy of electronic communications

As indicated above, the new Council draft attempts to clarify the difference between the rules on electronic communications content, electronic communications metadata and electronic communications data (common rules for content and metadata).

The common principle remains that of secrecy of electronic communications data, save specific exceptions (e.g. metadata can now be processed for network management or network optimization, or for statistical purposes). There is also now a specific possibility to process metadata for ‘compatible‘ purposes subject to compliance with a specific process.

These rules apply not only to communications between humans, but also so-called “machine-to-machine” communications relevant in relation to Internet-of-Things devices.

Next steps

As several authorities have been updating their guidance on cookies (already published in the case of France, Germany, Ireland and the UK, and soon others such as Denmark), it is likely that the cookie provisions will give rise to further discussions. Other rules appear to be closer to finalization at the level of the Council; for instance, reports suggest Article 16 (the anti-spam article) is viewed as only requiring fine-tuning at this stage. In this context, the latest draft’s apparent removal of even online targeted advertising from the scope of the anti-spam rules may prove to be final for the Council. Even then, once the Council agrees on the entire document, it will still be necessary to reconcile the Council’s version with the European Parliament’s version.

Put differently, the Sisythean effort to finalise the e-Privacy Regulation is not yet over.

What does this mean for organisations?

While the text is not final, it is useful for organisations to already take it into consideration when contemplating any long-term product or project. For instance, organisations embarking on significant Internet-of-Things projects may wish to take into account secrecy of electronic communications, so as to avoid having to stop or redesign the project in a year or two. Any organisation contemplating a new flagship website or application may also wish to reconsider widespread use of tags rather than cookies if the intent was to avoid applicability of the cookie rules, as the rules will at some point be the same.

More generally, it can be useful for organisations to identify key fields of activity that will be impacted by the e-Privacy Regulation, so that when the final text arrives, they can more rapidly engage in a readiness exercise.