After more than four years of negotiations, the Regulation on Privacy and Electronic Communications (ePrivacy Regulation), which will replace the ePrivacy Directive (2002/58/EC), appears to be at a turning point. On Feb. 10, 2021, the Council of the European Union announced it has adopted a consolidated version (the “Council’s Position”) which will be the basis for trilogue negotiations with the European Parliament and the European Commission. The Council’s Position was also essentially ‘welcomed’ by the European Data Protection Board in the Board’s Statement of March 9, 2021.
In addition to the General Data Protection Regulation (GDPR), the ePrivacy Regulation represents a core element of EU-level data protection. It will create a comprehensive set of rules for electronic communications and protect the privacy of end users, the confidentiality of their communications, and the integrity of their devices. Unlike the GDPR, it covers not only personal data but also metadata and confidentiality requirements, and will apply to instant messaging apps, Voice over Internet Protocol (VoIP) platforms, and machine-to-machine communication. Like the GDPR, the draft text of the ePrivacy Regulation proposes a transition period of two years, starting twenty days after the ePrivacy Regulation is published in the EU Official Journal, providing organizations time to come into compliance with the new law.
While the compromise draft now adopted by the Council follows the structure of the preceding draft (see also our posts: The ePrivacy Regulation: The Next European Initiative in Data Protection of April 17, 2019, and EU Cookie Compliance: Getting Ready for 2020 of Nov. 25, 2019), it includes a number of changes and reinserts certain provisions that the German and the Portuguese Council Presidency had deleted in their proposed draft – which caused Germany and Austria to abstain from voting on the Council’s Position. The European Data Protection Board also communicated its concerns in its Statement of March 9, 2021.
The most important changes to the previous version are the following:
- SCOPE: One of the key changes in this version of the ePrivacy Regulation is its broadened scope: it now applies to users located in the EU, regardless of whether the processing of their data takes place outside the EU or the service provider is located in a non-EU jurisdiction. Thus, your organization, regardless of whether it is located in the EU, will be subject to the ePrivacy Regulation if it sends EU residents direct marketing communications or processes their electronic communications, metadata, or terminal equipment information.
- COMMUNICATION DATA: As a general rule, electronic communication data under the ePrivacy Regulation is confidential. Any interference, including listening to, monitoring, and processing of data by anyone other than the parties involved in the communication, is prohibited. However, the latest draft of the ePrivacy Regulation inserts new exceptions that permit processing without user consent. For example, user consent would be unnecessary when an organization processes electronic communication data to ensure the integrity of communications services, to check for malware or viruses, or to carry out acts that the service provider is obliged to perform pursuant to EU or member state law relating to the prosecution of criminal offences or the prevention of threats to public security.
- METADATA: Under the current draft, electronic communications network and service providers must obtain prior consent from the user before processing their electronic communications metadata. The Council’s Position recognizes certain exceptions to consent and permits processing without consent for billing purposes, for detecting or stopping fraudulent use, and to protect users’ vital interests, such as monitoring for the spread of epidemics. Furthermore, in certain situations, providers of electronic communication networks and services are permitted to process metadata for purposes other than those for which it was collected, provided such purpose is compatible with the initial purpose and strong, specific safeguards apply to such processing.
- RETENTION OF TRAFFIC AND LOCATION DATA: The Council’s Position also provides for possibilities to retain traffic and location data as preventive measures. This point, in particular, had previously been deleted by the Portuguese Council Presidency, and is also a concern of the EDPB, which wants the regulation to adopt the limits established by the latest CJEU case law.
It remains to be seen how the European Parliament will react to these changes in the trilogue negotiations that will commence soon, and we may see further changes to this 14th version of the text before it is finalized.