After more than four years of negotiations, the Regulation on Privacy and Electronic Communications (ePrivacy Regulation), which will replace the ePrivacy Directive (2002/58/EC), appears to be at a turning point. On Feb. 10, 2021, the Council of the European Union announced it has adopted a consolidated version (the “Council’s Position”) which will be the basis for trilogue negotiations with the European Parliament and the European Commission. The Council’s Position was also essentially ‘welcomed’ by the European Data Protection Board in the Board’s Statement of March 9, 2021.

In addition to the General Data Protection Regulation (GDPR), the ePrivacy Regulation represents a core element of EU-level data protection. It will create a comprehensive set of rules for electronic communications and protect the privacy of end users, the confidentiality of their communications, and the integrity of their devices. Unlike the GDPR, it covers not only personal data but also metadata and confidentiality requirements, and will apply to instant messaging apps, Voice over Internet Protocol (VoIP) platforms, and machine-to-machine communication. Like the GDPR, the draft text of the ePrivacy Regulation proposes a transition period of two years, starting twenty days after the ePrivacy Regulation is published in the EU Official Journal, providing organizations time to come into compliance with the new law.

While the compromise draft now adopted by the Council follows the structure of the preceding draft (see also our posts: The ePrivacy Regulation: The Next European Initiative in Data Protection of April 17, 2019, and EU Cookie Compliance: Getting Ready for 2020 of Nov. 25, 2019), it includes a number of changes and reinserts certain provisions that the German and the Portuguese Council Presidency had deleted in their proposed draft – which caused Germany and Austria to abstain their votes on the Council’s Position. The European Data Protection Board also communicated its concerns in its Statement of March 9, 2021.

The most important changes to the previous version are the following:

  1. SCOPE: One of the key changes in this version of the ePrivacy regulation is the broadened scope of the regulation, which now applies to users located in the EU, regardless of whether the processing of their data takes place outside the EU or the service provider is located in a non-EU jurisdiction. Thus, your organization, regardless of whether it is located in the EU, will be subject to the ePrivacy regulation if in relation to EU residents it sends them direct marketing communications or processes their electronic communications, metadata, or terminal equipment information.
  2. COMMUNICATION DATA: As a general rule, electronic communication data under the ePrivacy regulation is confidential. Any interference, including listening to, monitoring, and processing of data by anyone other than the parties involved in the communication, is prohibited. However, the latest draft of the ePrivacy regulation inserts new exceptions that permit processing without user consent. For example, user consent would be unnecessary when an organization processes electronic communication data to ensure the integrity of communications services, check for malware or viruses, or carries out acts which the service provider is obliged to perform pursuant to EU or member state law relating to the prosecution of criminal offences or the prevention of threats to public security.
  3. METADATA: Under the current draft, electronic communications network and service providers must obtain prior consent from the user before processing their electronic communications metadata. The council’s position recognizes certain exceptions to consent and permits processing without consent when processing for billing purposes, for detecting or stopping fraudulent use, and to protect users’ vital interests, such as monitoring for the spread of epidemics. Furthermore, in certain situations, providers of electronic communication networks and services are permitted to process metadata for purposes other than those for which it was collected, provided such purpose is compatible with the initial purpose, and strong, specific safeguards apply to such processing.
  4. COOKIE CONSENT: With respect to the use of cookies and other technologies involving the storage of information on, or collection of information from, a user’s device, the council’s position provides that the use of these technologies is only allowed if the user has provided GDPR-compliant specific consent, or for specific purposes set forth in the ePrivacy regulation. Another core principle is that users should have a genuine choice with respect to the use of cookies or similar technologies. The current draft proposes that organizations remind end-users of their right to withdraw their consent at periodic intervals (at least once annually).The Council’s Position condones the use of a so-called “cookie wall”, i.e. making access to a website conditional on cookie consent as an alternative to a paywall, but only if the user is able to choose between that offer and an equivalent offer by the same provider that does not involve consenting to the use of cookies. The Council’s Position further provides that users will be able to give consent to the use of certain types of cookies by whitelisting one or several providers in their browser settings. In its most recent statement, the EDPB criticized these two aspects of the proposed draft and reiterated its position that, to fight consent-fatigue, cookie walls should generally be prohibited and that user-friendly browser setting options should be mandatory rather than merely recommended.
  1. RETENTION OF TRAFFIC AND LOCATION DATA: The Council’s position also provides for possibilities to retain traffic and location data, as preventive measures. This point, in particular, had previously been deleted by the Portuguese Council Presidency, and is also a concern of the EDPB, which wants the regulation to adopt the limits established by the latest CJEU case law.

It remains to be seen how the European Parliament will react to these changes in the trilogue negotiations that will commence soon, and we may see further changes to this 14th version of the text before it is finalized.

Tags: EDPB, eprivacy directive, European Data Protection Board, European Union, GDPR
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Dr. Viola Bensinger Dr. Viola Bensinger

Viola Bensinger is Global Co-Chair of the Greenberg Traurig’s IP & Technology Practice Group and the Global Data Privacy & Cybersecurity Practice, and also chairs the Technology Practice in Germany. She advises clients from the technology, media, health care, automotive and other industries.

Read more about Dr. Viola Bensinger
Photo of Carsten A. Kociok Carsten A. Kociok

Carsten Kociok is a partner in the Technology, Financial Services and Data Privacy Practice in Berlin and Co-Head of Greenberg Traurig’s global Fintech Group. He advises national and international clients across all industries, including financial services, information technology, artificial intelligence, ecommerce, media, health

Carsten Kociok is a partner in the Technology, Financial Services and Data Privacy Practice in Berlin and Co-Head of Greenberg Traurig’s global Fintech Group. He advises national and international clients across all industries, including financial services, information technology, artificial intelligence, ecommerce, media, health care, telecoms, retail and real estate, on a wide variety of complex commercial and regulatory matters.

Carsten is a leading technology lawyer, ranked consistently in Band 1 for Fintech Legal in Germany since 2020. He has in-depth and wide-ranging experience in the areas of privacy and cybersecurity, payments law, financial services, e-money products, blockchain technology, and financial and banking regulation, as well as in artificial intelligence regulation – including compliance with the EU AI Act – and the integration of AI technologies into existing software systems.

Carsten regularly assists clients in licensing projects and audit proceedings with financial regulators and advises on the contractual and regulatory aspects of developing, implementing and operating financial technology products and transactions.

On the data privacy side, Carsten counsels clients on complex data-driven business models and regulatory matters, including on international data transfers, data privacy compliance, monetization of data, artificial intelligence, litigation, cybersecurity and data breach response.

Carsten regularly lectures and publishes on various FinTech and data privacy topics. Prior to joining the firm, Carsten worked at Olswang Germany for eight years and in the Capital Transaction Practice Group of an international law firm in New York.

Read more about Carsten A. KociokCarsten's Linkedin Profile
Show more Show less
Photo of Viola Zollitsch Viola Zollitsch

Viola Zollitsch is a member of the German Litigation and IP & Technology groups. She assists national and international clients from all sectors and industries in the resolution of commercial disputes focusing on complex contractual and copyright disputes, as well as post-M&A conflicts.

Viola Zollitsch is a member of the German Litigation and IP & Technology groups. She assists national and international clients from all sectors and industries in the resolution of commercial disputes focusing on complex contractual and copyright disputes, as well as post-M&A conflicts. Her practice covers strategic litigation advice, extrajudicial dispute resolution, arbitration and the representation of clients in court.

Viola further advises national and international clients in the media, technology, and digital health care sectors, with a particular focus on the entertainment industry, digital platforms, as well as general contract law.

Read more about Viola ZollitschViola's Linkedin Profile
Show more Show less
Related Posts
GDPR europe map lock data privacy
European Commission Adopts EU-U.S. Adequacy Decision
July 10, 2023
European Union Privacy Regulation
What GDPR requirements does a company that uses personal information to train an artificial intelligence (AI) need to meet?
June 22, 2023
cybersecurity
The Complete Handbook for Cross Border Transfers of Personal Information Utilizing the New European Standard Contractual Clauses
December 8, 2022