E-Privacy check-in: where we are, and where we're headed
Are we any closer to EU institutions reaching an agreement on the final regulation text?
On 10 February 2021, the EU Council's latest ePrivacy Regulation proposal promised to introduce strict rules on electronic communications services, including on certain 'hot topics' such as regulating the use of cookies. One year later, as no concrete developments have taken place to enable these promises to be fulfilled, other European initiatives which are underway - such as the highly debated Digital Services Act - are already attempting to address some of these topics. Whilst the rules stemming from the ePrivacy Regulation proposal are not expected in the near future, its one-year anniversary offers an opportunity to recall the key changes that stakeholders could - and should - already anticipate.
The last 5 years have seen loads of debate concerning the need to legislate and adopt rules on protecting privacy and confidentiality in the use of electronic communications services. Just over a year ago, the ePrivacy Regulation proposal was agreed on by the EU Council and the long-awaited rules finally got a mandate to move into the last stage of the European legislative negotiations process: the so-called 'trilogue discussions'.
The Regulation is intended to replace Directive 2002/58/EC (the ePrivacy Directive), which has persevered longer than expected in coping with the rapid evolution of electronic communications services. Significant developments in tracking identifiers, metadata and the Internet of Things are some of the reasons that necessitate the Regulation.
Though the initial proposal of the Regulation was first presented by the EU Commission in January 2017, the draft was subject to a lengthy process of negotiations and outlasted eight different EU presidencies. Consensus was finally reached in February last year, allowing the Portuguese presidency to start talks with the EU Parliament on the final text of the Regulation. Another year has passed since then and there is still no clear sign indicating that EU institutions are about to reach an agreement on the final text.
Why is it taking so long?
It is quite a complicated task to reach a legal compromise between, on the one hand, the adoption of rules that ensure effective protection of privacy and confidentiality in the use of electronic communications services and, on the other hand, sufficiently restrictive rules that could foster, rather than prevent, the development of legitimate uses of data and innovation.
Scope of the Regulation
The draft Regulation contains new rules applicable to current and future means of electronic communications services. These rules relate to calls, internet access, instant messaging applications, e-mail, internet calls and personal messaging provided through social media (via services and networks available to the public).
The Regulation complements the provisions of the GDPR, specifically for the following uses of electronic communications services (by natural and legal persons):
- The use / processing of electronic communications data.
- The use of an end-user’s terminal equipment information (e.g. cookies).
- Sending of direct marketing communications to end-users.
If the Regulation is adopted, it will apply to the provision of the above services offered to end-users located in the EU, regardless of whether the processing takes place within or outside the EU and whether the service provider is established or located in the EU or not.
What are the Key Points of the Regulation?
New privacy and confidentiality framework for processing electronic communications data
The term 'electronic communications data' covers the content of communications (text, photos, documents, etc). It also covers the associated communication transmission metadata (time, location, recipient of transmitted data, etc).
In order to protect the confidentiality of the electronic communications data, the Regulation provides that there should not be any interference with such data, such as listening, tapping, storing, monitoring, scanning or other kinds of interception/surveillance of relevant data. Any interference by anyone other than the end-user is prohibited, unless expressly allowed by the latter.
The processing of electronic communications data by service providers will only be permitted if it is necessary for:
- the provision of electronic communications services;
- the security of the services and the end-user's terminal devices (e.g. identifying malware/viruses); or
- compliance with legal obligations by the service provider pursuant to EU or Member State law in relation to the prosecution of criminal offenses or to protection of public security.
The processing may also be carried out for other specific purposes, but that would depend on whether such processing relates to content data or to metadata.
New rules on cookie management and other similar identifiers
The Regulation maintains the current requirement to obtain consent before installation or use of cookies, unless the cookies are necessary for the provision of the electronic communication services.
Although the Regulation does not provide a clear explanation on cookie walls (i.e. where a user is prevented from accessing a website unless they have consented to the use of cookies for the underlying services), the wording of the new draft suggests that such cookie walls are unlikely to be allowed under the Regulation for dominant service providers or public authorities.
In fact, conditioning access to a website on the user's consent would only be possible if the service provider offers an equivalent option which does not require consenting to the use of cookies. Requiring the end-user's consent would therefore not be considered as a means of depriving such user of a genuine choice under the Regulation. This would not be satisfied, however, if there were a clear imbalance between such end-user and the service provider, for example, if the services are provided by public authorities or dominant service providers.
Another interesting point to note is that the Regulation significantly extends the list of exceptions to the requirement to seek end-users' consent to the use of cookies – this will for instance be the case for audience measuring cookies, cookies which are necessary for security purposes or even cookies which are necessary for software updates.
The Regulation also gives the users the chance to give consent to the use of certain types of cookies by whitelisting one or several providers in their browser settings; they can easily amend these whitelists and withdraw their consent, should they wish.
Direct marketing communications
Rules regarding electronic direct marketing remain largely unchanged compared to the ones that were provided by the ePrivacy Directive. The principles stay the same for direct marketing communications: advertising that is sent directly to one or more specific end-users, via email or SMS, can only be addressed to individuals after obtaining their specific prior consent to such communications (opt-in).
The Regulation has introduced some amendments to the similar products and services exemption (the "soft opt-in rule"). This exemption, which allows the use of contact details for electronic messages within the context of an existing customer relationship for the offering of similar products or services, without the need for a specific prior consent, continues to apply. However, Member States are allowed to impose a limitation on the duration of this exemption.
With respect to direct marketing by way of voice-to-voice calls to individuals, if the calls do not involve the use of automated calling, they may be permitted by Member States - that is, of course, only if the end-users have not expressed their objection to them (opt-out). This practice is currently adopted in France.
Coordination between GDPR and the Regulation
The obvious effort undertaken to harmonise and coordinate the ePrivacy rules with the ones resulting from the GDPR is undoubtedly to be welcomed, in particular for entities which are likely to be covered by both instruments and which must constantly keep track of these new developments.
The Regulation not only expressly refers to definitions included in the GDPR (for instance, the definition of consent) but also develops rules which are similar to, or at the least strongly inspired by, the GDPR, such as the following:
- Member States must designate a supervisory authority responsible for monitoring the application of the Regulation. The authority must satisfy the same conditions as those applicable to GDPR authorities.
- Service providers that are not located in the EU but fall under the extraterritorial scope of the Regulation are required to appoint a representative in the EU within one month from the start of their activities, unless their processing is occasional and unlikely to create risks for individuals. This appointment must be notified to the competent supervisory authority.
- Administrative sanctions provided for violations of the obligations created by the Regulation follow the same logic as that set out in the GDPR (i.e. two levels of fines, with higher fines for more severe infringements). For example, the violation of the principle of confidentiality of communications may give rise to fines of up to €20 million or 4% of annual worldwide turnover.
One-year Anniversary of the Regulation: what has changed so far and what comes next?
The approval of the new draft of the Regulation in February 2021 marked the beginning of the ordinary law-making discussion between the European Parliament, Council and Commission – the so-called 'trilogue process'. Due to the Regulation's technical nature and its civil society implications, the adoption process has proved to be a (very) lengthy process. Even a year later and despite the French presidency's declaration that it will continue to work on the Regulation, it seems that we might still need to wait a little longer before we can expect to see the final version.
In the meantime, the European Data Protection Board (EDPB) has already invited the European co-legislators to address several key privacy issues during the upcoming negotiations of the draft Regulation, including the necessity to include an explicit provision to enshrine the prohibition of the so-called cookie walls in the final version of the text.
This 'cookie wall prohibition', which was also called for by the European Consumer Organisation (BEUC) in its recommendations for the trilogue negotiations, is, perhaps unsurprisingly, making its way to becoming legally binding through another European instrument: the highly debated Digital Services Act (the "DSA"). As a matter of fact, the latest version of the draft DSA approved by the EU Parliament on 20 January 2022 intends to prohibit the disabling of access to platforms following users' refusal to consent to the processing of their personal data for targeted advertising purposes. Such provisions, if maintained in the final version of the DSA, could introduce a platform-specific prohibition of cookie walls, whose interplay with the Regulation's future general rules on cookies will have to be assessed.
As the Regulation provides for a transitional period of two years following its entry into force, actual changes may not be expected, at the very least, before 2024.