Privacy & Information Security Law Blog

On February 10, 2021, representatives of the EU Member States reached an agreement on the Council of the European Union’s (the “Council’s”) negotiating mandate for the draft ePrivacy Regulation, which will replace the current ePrivacy Directive. The text approved by the EU Member States was prepared under Portugal’s Presidency and will form the basis of the Council’s negotiations with the European Parliament on the final terms of the ePrivacy Regulation.

The Council highlights the following key elements of the draft ePrivacy Regulation in its press release:

• Coverage of both electronic communications content and communications metadata (such as location, time and recipient of a communication). The text maintains the general principle that electronic communications data is confidential, which means that any interference (i.e., listening to, monitoring or other processing of data pertaining to communications) by anyone other than the parties involved in the communication is prohibited, except when permitted by the ePrivacy Regulation. The processing of electronic communications data without the user’s consent will, for example, be allowed where it is necessary to ensure the integrity of communications services, identifying malware or viruses, or in cases where EU or EU Member States’ laws require the processing for the prosecution of criminal offences or prevention of threats to public security. With respect to communications metadata, the text permits, for example, processing for billing purposes, for detecting or stopping fraudulent use, and to protect users’ vital interests, such as in monitoring for the spread of epidemics. Furthermore, in certain situations, providers of electronic communications networks and services will be permitted to process metadata for a purpose other than that for which it was collected, provided that such purpose is compatible with the initial purpose and that strong, specific safeguards apply to such processing;
• Machine-to-machine data transmitted via a public network, as this is deemed necessary to protect privacy rights in the context of Internet of Things applications;
• Users located in the EU, regardless of whether the processing of their data takes place outside the EU or the service provider is located in a non-EU jurisdiction;
• With respect to the use of cookies and other technologies involving the storage of information on or collection of information from a user’s device, the Council’s text provides that the use of these technologies will only be allowed if the user has consented or for specific purposes laid down in the ePrivacy Regulation. Additionally, the text emphasizes that users should have a genuine choice with respect to the use of cookies or similar technologies. Making access to a website conditional on cookie consent as an alternative to a paywall (i.e., the use of so called “cookie walls”) will only be permitted if the user is able to choose between that offer and an equivalent offer by the same provider that does not involve consenting to the use of cookies. The Council’s text further envisions that users will be able to give consent to the use of certain types of cookies by whitelisting one or several providers in their browser settings.

The draft ePrivacy Regulation also sets forth requirements with respect to line identification, public directories and unsolicited and direct electronic marketing.

The Council will now begin discussions with the European Parliament to negotiate the final text. These negotiations may prove challenging as the Council’s text could be characterized as less privacy protective than the original proposal of the European Commission dating back to January 2017.

Once adopted by the Council and the European Parliament, the draft text provides for a transition period of two years, starting twenty days after the final text of the ePrivacy Regulation is published in the EU Official Journal.

Read the final draft ePrivacy Regulation.