GDPR Day (i.e., May 25, 2018) has passed, bringing with it higher standards for data privacy, but there is more to be done: the European Union ("EU") is working hard to finalize its reform of the ePrivacy Directive, an effort initiated in January 2017 when the EU Commission adopted a proposal for a Regulation on Privacy and Electronic Communication (the "ePrivacy Regulation" or the "Regulation").
In a nutshell, the ePrivacy Regulation is lex specialis to the General Data Protection Regulation ("GDPR"). While the GDPR applies to all categories of personal data—hard copy and electronic—the ePrivacy Regulation would typically only apply to electronic communications data, a subset. The Regulation, if adopted, would cover not only traditional telecommunications operators and providers of electronic communication services but also "over-the-top" communications services. (For an outline on what the ePrivacy Regulation contemplates, see our The European Files article (p. 24).)
While the policymakers had hoped that the ePrivacy Regulation would enter into force on GDPR Day, this obviously didn't happen. However, certain actions have been taken to push the ePrivacy Regulation forward: on GDPR Day, the presidency of the Council issued a progress report (the "Progress Report") and the European Data Protection Board ("EDPB"), the successor of the Working Party No. 29, issued a statement. The ePrivacy Regulation was debated on June 8, 2018, by the Transport, Telecommunications and Energy Council ("TTE") and subsequently re-discussed at a technical level on June 14, 2018.
Below we provide a summary of these recent developments and a prospective timeline for the adoption of the ePrivacy framework.
The Progress Report reflects the intense work that has taken place since the beginning of 2018. It relays concerns expressed at a political level and outlines suggested changes to the initial ePrivacy Regulation resulting from discussions between representatives of various EU member states. It's particularly noteworthy that the need to inform end-users of privacy settings offered by software permitting electronic communications is softer under the compromise text attached to the Progress Report. Indeed, software providers are only obliged to inform end-users about privacy settings at the time of installation or first usage or when updates change the privacy settings. Furthermore, the Progress Report suggests that activities concerning national security and defense be excluded from the ePrivacy Regulation. Those proposals go hand in hand with others in the Progress Report promoting increased access to end-users' terminal equipment.
The direction suggested in the Progress Report somewhat departs from the approach promoted by the European Parliament back in October 2017.
Statement of the EDPB
The EDPB states that the ePrivacy Regulation should be based on "broad prohibitions, narrow exceptions, and the use of consent." The EDPB points out, as the European Parliament has, that the confidentiality of electronic communications requires a more extensive protection than the one offered by the GDPR and that consent from end-users should be obtained systematically. The EDPB criticizes the possibility to process electronic communications content and metadata based on open-ended grounds, such as the organization's "legitimate interests" or the general purpose of performing a contract. In the same context, the EDPB says that processing electronic communications metadata without consent should only be done after the data has been anonymized.
The EDPB states that the ePrivacy Regulation should apply as soon as data relating to the behavior of a user are collected, whether or not the user has created an account for a service. According to the EDPB, this approach will ensure the protection of the user's privacy while permitting fair competition between data controllers.
The EDPB advises that the ePrivacy Regulation enforce a consent requirement for cookies and similar technologies. In line with the European Parliament's view, the EDPB supports the application of privacy by default standards. It states that privacy settings should allow users to give and withdraw consent in an easy, binding and enforceable manner against all parties. The EDPB believes that such an approach should explicitly apply to the operating systems of smartphones, tablets and any other "user agent"—i.e., that communications applications should take into account users' choices, no matter what technical means are involved.
What's Next (and When)?
The TTE Council did not tackle all of the issues raised in the Progress Report and the EDPB's statement. According to information made publicly available, the TTE Council merely stressed the need to have a balanced text, "user friendly and future proof." Given the variety of positions expressed by the TTE Council, the European Parliament and the EDPB, further discussions will be necessary to reach an agreement, delaying the adoption process.
To illustrate that, following the political debate on June 8, 2018, the presidency of the Council didn't even introduce changes to the ePrivacy Regulation in preparation for the technical discussions held on June 14, 2018 at the level of the working party. Rather, it proposed various options and directions for the member states to first consider and agree on. Time is pressing, however, as the upcoming European elections in 2019 are very close and might put the whole adoption process on hold.
Under EU law making processes, it can take as many as three to tango, which makes for a challenging set of steps.