The Croatian Presidency of the EU has issued an amended proposal for an e-Privacy Regulation, to be discussed during the meeting of the Working Party on Telecommunications and Information Society on March 5 and 12. Negotiations have been ongoing for a number of years and the previous Finnish Presidency had tried unsuccessfully to reach a political agreement last November.

Currently, the Croatian Presidency is proposing to simplify the text of some of the core provisions and to further align them with the General Data Protection Regulation, which may prove to be a controversial move. Highlighted below are some of the most important amendments for industry in the latest draft.

What’s new?

The key change in the latest draft is the addition of the legitimate interests of an electronic communications network or service provider as a potential lawful basis for the processing of electronic communications metadata such as location data. This basis can only be relied upon where those interests are not overridden by the interests or the fundamental rights and freedoms of the end-user. The legitimate interests of a provider of electronic communications networks or services to process electronic communications metadata could exist where such processing is necessary for:

  • Detecting or stopping fraudulent or abusive use of, or subscription to, electronic communications services;
  • Calculating and billing interconnection payments; or
  • Network management or network optimisation.

Crucially, however, the proposal makes it clear that legitimate interests cannot be relied upon to determine the nature or characteristics of an end-user or to build an individual profile of them.

Furthermore, one of the main changes in the latest draft is the ability to rely on the legitimate interests of the service provider as the lawful basis for the collection of information from end-users' terminal equipment (including through the use of cookies and other tracking applications). The draft seems to focus on mobile phones and similar terminal equipment but leaves aside security issues that may arise from modems and routers. These obligations are particularly relevant in view of the forthcoming BEREC Guidelines on common approaches to the identification of the network termination point in different network topologies.

Under this proposal, providers would also be permitted to process an end-user’s electronic communications metadata where it is necessary for the provision of an electronic communications service based on a contract with that end-user (and for billing related to that contract).

What remains unchanged?

As with the previous proposal, the new rules should not prohibit the processing of electronic communications data (content and metadata) without the consent of the end-user for the purposes of ensuring the security of electronic communications services, including availability, authenticity, integrity or confidentiality. This should cover processing for the purposes of checking security threats such as the presence of malware or viruses, or the identification of phishing.

When processing content, the provider of the electronic communications service may be required to consult the supervisory authority, but this will depend on whether consent is obtained from one user for the provision of a service to that user or from all parties to the communication. Only the latter will require consultation with the supervisory authority.

In addition to the new provisions discussed above, providers of electronic communications networks and services should continue to be permitted to process electronic communications metadata after having obtained the end-users' consent or in order to protect the vital interests of a natural person.

The ability to facilitate end-user consent through software settings remains in place, as does the option to rely on consent. Now that legitimate interests have been introduced, consent would only be useful in the context of profiling and determining the characteristics of a user.

Another section that remains in the latest draft is the obligation for electronic communications network or service providers to implement, where necessary, appropriate security measures such as encryption and pseudonymisation to ensure the privacy of the end-user.

Next steps

It is notable that the Presidency text is moving further away from the European Parliament's position, which will make negotiations between the two legislative bodies more difficult if a Council agreement on this text is reached in the near future.