Tag: ePrivacy Regulation

EU Member States agree on EU Council’s Draft for the ePrivacy Regulation

22. February 2021

On February 10, 2021, representatives of the EU Member States have reached an agreement on a negotiating mandate for the draft ePrivacy Regulation.

The Council of the European Union’s (the Council) text approved by the EU Member States was prepared under Portugal’s Presidency. It will form the basis of the Council’s negotiations with the European Parliament as part of the trilogue process on the final terms of the ePrivacy Regulation, which will replace the current ePrivacy Directive.

The main key elements of the new draft are highlighted by the Council, and encompass the following points:

  • Coverage of both electronic communications content and communications metadata – the text sticks with the general principle that electronic communications data is confidential, which means that any interference by anyone other than the parties involved in the communication is prohibited, except when given permission by the ePrivacy Regulation
  • Machine-to-machine data transmitted via a public network, as this is deemed necessary to protect privacy rights in the context of Internet of Things applications
  • The scope of application includes users located in the EU, regardless of whether the processing of their data takes place outside the EU or the service provider is located in a non-EU jurisdiction
  • Regarding the use of cookies and other technologies involving the storage of information on or collection of information from a user’s device, the Council’s text provides that the use of these technologies will only be legitimate if the user has consented or for specific purposes laid down in the ePrivacy Regulation; however, users should be able to have genuine choice

In addition to broadening the scope of the current directive, the proposed regulation would most likely affect an advertising technology market that is already in the process of undergoing significant changes. As such, the European Commission is also working on the proposed Digital Service Act, Digital Governance Act and Digital Market Act.

However, the draft is presumed to initiate some arguments going forth into the next stage. Based on previous drafts, there are some differences which will need to be reconciled. Especially with regard to the permissions for accessing content and metadata of electronic communications, the two sides are somewhat divided. Where the European Parliament is pushing primarily for consent, the Council seems to have added some more permissions and exceptions to the consent rule. The content regarding data retention will be another point where intense arguments are predicted.

Criticism also comes from some countries, for example from the German Federal Commissioner for Data Protection, Ulrich Kelber. In a press release he attacked the new draft as “a severe blow to data protection”, mentioning that he is concerned by the “interference with the fundamental rights of European citizens”.

Although the new draft brings the erPrivacy Regulation back to life, it is still a long road before unison on its text is fully reached. It is certain that intense discussion in the upcoming trilogue process will continue, and the outcome will be closely watched by many.

Update on ePrivacy Regulation

12. June 2018

The council of the European Union’s Bulgarian presidency has released a progress report on the draft ePrivacy Regulation ahead of a council meeting June 8th, 2018.

The ePrivacy Regulation (Regulation on Privacy and Electronic Communications) should replace the current ePrivacy Directive and was originally intended to enter into force together with the General Data Protection Regulation (GDPR) on May, 25th 2018.

The report offers several updates including its scope and link to the GDPR, processing of electronic communications content and metadata, among others. Latter mentioned has been one of the main concerns of the Member States. The balance between privacy and innovation regarding processing of metadata seems to be a key aspect of the ePrivacy Regulation.

Furthermore, significant changes of privacy settings according to the future Art. 10 are important for the Commission. The providers of software are only obliged to inform the end-users about the settings and the way the end-users may use them, at the time of installation or first usage and when updates change the privacy settings.

The report ends with three questions for the policy debate at the TTE Council on June 8th. Among others, the versions relating to the permitted processing of metadata and the protection of terminal equipment and privacy settings are open for discussion if it is an acceptable basis to move forward.

European Commission proposes new ePrivacy Regulation

10. February 2017

On January 10, the European Commission published a proposal for an ePrivacy Regulation. After the adoption of the General Data Protection Regulation (‘GDPR’), a new ePrivacy Regulation would be the next step in pursuing the European Commission’s Digital Single Market Strategy (‘DSM’).

If adopted, the ePrivacy Regulation will replace both the ePrivacy Directive (2002/58/EC) and the Cookie Directive (2009/136/EC). In contrast to a Directive that has to be implemented into national law by each EU Member State, a Regulation is directly applicable in all Member States. Thus a Regulation would support the harmonisation of the data protection framework.

What’s new?

Since 2009, when the ePrivacy Directive was revised last, important technological and economic developments took place. In order to adapt the legal framework to the reality of electronic communication, the scope of the proposed Regulation is widened to apply to the so called ‘over-the-top’ (‘OTT’) service providers. These OTT providers, such as WhatsApp, Skype or Facebook, run their services over the internet.

By ensuring the privacy of machine-to-machine communication, the Regulation also deals with the Internet of Things and thus seems not only to consider the current situation of electronic communication, but also to prepare for upcoming developments within the information technology sector.

Electronical communications data (metadata as well as content data) cannot be processed without complying with the requirements of the Regulation. Metadata can be processed, if necessary for mandatory quality of service requirements or for billing, calculating interconnection payments, detecting or stopping fraudulent, or abusive use of, or subscription to, electronic communication services.

Content data can be used for the sole purpose of the provision of a specific service to an end-user, if the end-user or end-users concerned have given their consent to the processing of his or her electronic communications content and the provision of that service cannot be fulfilled without the processing of such content or if all end-users concerned have given their consent to the processing of their electronic communications content for one or more specified purposes that cannot be fulfilled by processing information that is made anonymous, and the provider has consulted the supervisory authority.

Regarding the use of cookies, the end-users’ consent is still the basic requirement, except for first party non-privacy intrusive cookies. These cookies can now be used without the consent of the end-user. The proposed Regulation furthermore allows to use browser settings as consent.

In contrast to the draft of the Regulation leaked in December 2016, the official proposal does not contain the commitment to ‘Privacy by default’, which means that software has to be configured so that third parties cannot store information on or use information about a user’s device.

The Commission’s proposal of the Regulation just demands that software must offer the option to prevent third parties from storing information on or using information about a user’s device.

ePrivacy Regulation and GDPR

Both the ePrivacy Regulation and the GDPR are part of the above mentioned ‘DSM’. Several commonalities prove this fact. For instance, the fines in both Regulations will be the same. Furthermore, the EU Data Protection Authorities responsible for the enforcement of the GDPR will also be responsible for the ePrivacy Regulation.  This will contribute to the harmonisation of the data protection framework and increase trust in and the security of digital services.

What’s next?

After being considered and agreed by the European Parliament and the Council, the Regulation could be adopted by May 25th, 2018, when the GDPR will come into force. It is to see whether this schedule is practicable, considering how long the debate about the GDPR took.