Council of the EU adopts its position on the ePrivacy Regulation and EDPB issues statement: one cautious step forward

17 Mar 2021

Background

On 10 February 2021, after four years of negotiations, the Council of the EU finally published its negotiation position on the draft ePrivacy Regulation (the Council’s position), the 14th version of the text. Germany and Austria did not vote, and the German data protection authority has already expressed its disagreement with the text, while France is seeking an exemption for national security agencies from some provisions. The latest draft will now be subject to trilogue negotiations.

Key aspects of the Council’s position

The ePrivacy Regulation, set to replace the ePrivacy Directive 58/2002, will apply to (i) the processing of electronic communications content and metadata (e.g. information on the location and recipient of the communication) carried out in connection with electronic communications services like Skype and WhatsApp[1], including M2M, VoIP and IoT services, (ii) end-users’ terminal equipment information, covering e.g. PCs, smartphones, smart cars, smart meters, etc., (iii) the offering of a publicly available directory of end-users of electronic communications services and (iv) direct marketing communications to individuals (including spam). The ePrivacy Regulation, as lex specialis, specifies and complements the GDPR.

Territorial scope of application

Non-EU established companies will be subject to the ePrivacy Regulation when they: (i) provide electronic communications services, (ii) process electronic communications content and metadata, (iii) protect terminal equipment information, (iv) offer publicly available directories of end-users of electronic communications services or (v) send direct marketing communications to end-users located in the EU. These companies will have to appoint a representative in the EU within one month from the start of their activities and communicate it to the competent supervisory authority. As of January 2021, this includes UK operators as well.

Confidentiality of electronic communications data remains the rule

Any interference with electronic communications content and metadata is prohibited, including listening to, reading, storing, etc. However, the Council excludes from this prohibition situations in which processing of electronic communications data is necessary (i) to provide an electronic communications service, (ii) to detect or prevent security risks or attacks on end-users’ terminal equipment or (iii) to comply with a legal obligation.

Consent standard

The Council’s position maintains the (high) consent standard of the GDPR. Accordingly, consent must be freely given, specific, informed, and an unambiguous indication of the end-user’s wishes through a clear affirmative action. The Council’s position extends the consent mechanism to legal persons, acting through a representative.

Other than consent, the legal bases for processing include: (i) necessity for the purposes of network management or network optimisation, or to meet technical quality of service requirements; (ii) necessity for the performance of an electronic communications service contract to which the end-user is party; (iii) necessity for the protection of the vital interests of a natural person. It is worth noting that, unlike the previous drafts, the current text does not recognise a service provider’s legitimate interest as a ground for processing electronic communications data.

Processing of metadata

Processing of metadata (e.g. the specific numbers called, the geographical location of the caller and the time, date and duration of the call; formerly called traffic data in the ePrivacy Directive) is subject to user consent. A few exceptions apply to this rule, such as processing of metadata for billing purposes, fraud prevention or protection of vital interests (e.g. monitoring epidemics and their spread), and research or statistical purposes, subject to certain conditions. Processing end-users’ metadata for the protection of their vital interests should only take place where the processing cannot be manifestly based on another legal basis and where the protection of such vital interests cannot be ensured without that processing. In certain cases, metadata can be processed for other compatible purposes without the user’s consent, provided that strong safeguards are applied (e.g. reusing metadata only after its encryption or anonymisation).

Cookie walls are authorised

The Council’s position allows the use of so-called cookie walls (i.e. making a user’s access to a website dependent on granting consent to cookies) if the user has a genuine choice between that offer and a paid cookie-free offer from the same service provider, or between that offer and an equivalent offer from another provider that does not involve cookies.

Users can give or withdraw consent to the use of certain types of cookies in browser settings

In order to remedy so-called “cookie fatigue”, the current text would allow users to whitelist one or several service providers in their browser settings, while consent provided directly through a cookie banner would always prevail over the recorded preferences.

Collection of information for audience measuring without consent

Under the current version, companies can collect information from end-users’ terminal equipment (both hardware and software that may store highly personal information, such as photos and contact lists) without users’ consent for the sole purpose of audience measuring (e.g. web analytics, in aggregate form) and under defined rules. They can also collect information from terminal equipment where necessary (i) for the sole purpose of providing an electronic communications service; (ii) for providing a service specifically requested by the end-user;[2] (iii) for IT security purposes; (iv) for a software update and (v) to locate the end-user’s device in the event of an emergency communication.

In contrast with the GDPR, the Council’s position does not include a one-stop-shop mechanism, meaning that companies may face enforcement actions from the authorities of multiple EU member states. To secure consistent implementation of the Regulation across the EU, the European Data Protection Board (EDPB) will be competent to issue EU-wide guidance on ePrivacy.

The Council’s position on the ePrivacy Regulation is aligned with the GDPR in terms of fines and the right to compensation (respectively, Articles 83 and 82 of the GDPR). For infringements of the ePrivacy Regulation, fines of up to 10 million euros or 2% of worldwide annual turnover will apply, while for infringements of the confidentiality of electronic communications and of the permitted-processing rules, fines of up to 20 million euros or 4% of worldwide annual turnover can be imposed. Any person will have a right to claim compensation for material or non-material damage suffered as a result of an infringement.

Following its entry into force, the Regulation provides for a two-year period before becoming enforceable to allow companies to comply with the new rules.

The EDPB’s comments on the Council’s position

On 9 March 2021, the EDPB adopted its Statement on the Council’s position, welcoming the progress but also expressing several concerns. In particular, the new Regulation must not undermine the level of protection of the current framework, nor depart from the rules of the GDPR.

For instance, the EDPB states that some exceptions are too broad, such as the re-purposing provision, which may undermine the protection of electronic communications metadata by allowing processing for any purpose the service provider judges to meet the compatibility clause. Concerning the processing and retention of electronic communications data for the purposes of law enforcement and national security, the latest case law of the Court of Justice of the EU (for instance, the La Quadrature du Net and Privacy International cases) must be respected, along with the EU Charter of Fundamental Rights and the European Convention on Human Rights. The EDPB is also concerned about the “take it or leave it” solution for cookies and emphasises that an explicit prohibition of unfair practices should be included. It stresses the importance of service providers offering fair alternatives to users, regardless of their sector of activity or of their current financing model. Also, the derogation for audience measurement should be limited to low-level analytics necessary for analysing the performance of the service requested by the user. Finally, the EDPB considers that both browser and operating system providers should be obliged to put in place a user-friendly and effective mechanism allowing controllers to obtain consent for websites and mobile applications.

Closing remarks

As for the next step, the Council and the European Parliament will negotiate the terms of the final text. Negotiations are expected to be challenging, particularly in view of the EDPB’s statement and the Parliament’s approach. In particular, consistency with the CJEU’s line of case law on data retention and national security exceptions must be ensured, along with upholding the protection of the fundamental right to privacy and ensuring consistency with the GDPR.

On the other hand, alignment with the GDPR concerning fines and compensation rights, as well as the Regulation’s territorial scope of application, is expected to have significant consequences worldwide.

We advise monitoring developments in the negotiations closely and preparing to roll out compliance measures.

Do not hesitate to contact us should you require further information and assistance on the issues discussed in this note, or any other data protection related matter.

_______________________________________________________________________________

[1] A service normally provided for remuneration via electronic communications networks, which encompasses, with the exception of services providing, or exercising editorial control over, content transmitted using electronic communications networks and services, the following types of services: (a) ‘internet access service’ as defined in point (2) of the second paragraph of Article 2 of Regulation (EU) 2015/2120, (b) interpersonal communications service and (c) services consisting wholly or mainly in the conveyance of signals, such as transmission services used for the provision of machine-to-machine services and for broadcasting (Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code).

[2] For instance, storing information in or accessing information from a smart meter should not require consent to the extent that such storage or access is necessary for the provision of the energy supply service requested by the end-user, for the stability and security of the energy network, or for the billing of the end-user’s energy consumption.