On 10 February 2021, four years after the European Commission’s initial legislative proposal and to the surprise of many, the Council reached a compromise agreement on their position on the ePrivacy Regulation.
The main aspects of the current Council position are as follows:
- Member States have agreed to enable processing for another purpose that is compatible with the purpose for initial collection but have not gone as far to include ‘legitimate interest’. Under the current proposal, grounds for processing electronic communications data include, amongst others, ensuring the integrity of communication services, the detection of fraud/stopping fraudulent use and necessity for providing the electronic communication service;
- In view of promoting “a trusted and secure Internet of things”, the Council has proposed extending the scope to “cover machine-to-machine data transmitted via a public network”;
- The processing of data stored on end-users’ terminal equipment (e.g. using cookies to track user behaviour) can be permitted, without consent, e.g. for audience measuring or if necessary for a software update, subject to further restrictions. Where the data collected from end-users’ terminal equipment is used for another compatible purpose, such further processing is only permitted if certain requirements are fulfilled. In particular, the collected information is eventually made anonymous, if the processing is limited to information that is pseudonymised, and if the information or data will not be used for extensive profiling;
- In an attempt to “avoid cookie fatigue”, the Member States have agreed that end-users “will be able to give consent to the use of certain types of cookies by whitelisting one or several providers in their browser settings”, with software providers being “encouraged to make it easy for users to set up and amend whitelists on their browsers and withdraw consent at any moment”; and
- The proposed period before application has been extended to 24 months.
The agreement now allows the Portuguese Presidency to start talks with the European Parliament on the final text. However, we do not anticipate that a compromise agreement will be easy or swift. This is in part due to the relatively restrictive approach of the European Parliament which argues that, as communications data can be highly sensitive, that data should be processed only if the user has given their consent, or if it’s strictly necessary for certain purposes. This approach is starkly different to that of industry and a number of Member States.
What we are seeing right now
We are currently helping various clients understand the impact of the upcoming ePrivacy regulation in light of the countless amendments suggested by the European institutions. The numerous changes to the regulation, such as General Data Protection Regulation (GDPR). All these aspects need to be considered when assessing the practical impact on product design and ePrivacy compliance management going forward.
In addition to the above, with the recent entry into application of the European Electronic Communication Code (EECC) and proposed ePrivacy interim Regulation to combat child sexual abuse online, the regulatory landscape for electronic communications service providers is becoming increasingly complex (already now). In particular we expect that pressure on players who offer communication services will soon increase in the Member States, in particular because the European Commission has just opened infringement proceedings against 24 Member States for not implementing EECC rules. Notably, the ePrivacy rules for communication providers covered by the EECC will be subject to an enforcement regime that is separate to the GDPR and regulators across Europe might be able to use this to circumvent the established one-stop-shop principle that is prevalent under the current EU data protection regime.