Last week, the LIBE Committee proposed over 800 amendments to the much-anticipated e-Privacy Regulation. The amendments are included in a draft report prepared by MEP Marju Lauristin and posted on the European Parliament website.
Debate over Legitimate Interests
Perhaps the most notable amendment adds an exemption from the requirement to obtain end-users' consent to process metadata for purposes other than those for which it was initially collected, where the processing is necessary for the purpose of legitimate interest (in accordance with Article 6(1)(f) of the GDPR), provided that a data protection impact assessment (DPIA) was carried out, as prescribed in Article 35 of the GDPR.
As reported in the IAPP’s Privacy Advisor, fierce lobbying and debate around this proposed exemption are expected and have already begun.
“Due to the impact on private life and integrity of communication systems, electronic communications data should be treated as sensitive data and therefore only be processed on the basis of consent or specific purposes described by law,” said German MEP Jan Albrecht.
On the other side of the aisle, British MEP Daniel Dalton sees such an exemption as an opportunity to address concerns about “consent fatigue,” and as a way to protect the value of consent. According to Dalton, “[i]f online businesses have to rely on cookie banners to ask for consent for every little thing, what value does consent have anymore?”
Regardless of the fight over the inclusion of legitimate interests, others have remained focused on issues such as cookies, which present interesting challenges around obtaining and managing consent. “My main concern is that while people are distracted by what promises to be an intense legislative process, the clock to put in place a valid cookie consent solution is ticking,” said Eduardo Ustaran, partner at Hogan Lovells, in an interview with the IAPP’s Privacy Advisor.
It is clear that organisations and their legal counsel are concerned about how they will comply with upcoming consent requirements, particularly where current “implied consent” practices will be insufficient come 25 May 2018.
Other proposed amendments include:
- Separate definitions for users and end-users, resulting in a limitation of the personal scope of certain provisions to natural persons only. End-users are defined as “a legal entity or a natural person using or requesting a publicly available electronic communications service,” while users are defined as “any natural person using a publicly available electronic communications service, for private or business purposes, without necessarily having subscribed to this service.” (Draft Amend. 375-376)
- Expanded definition of electronic communications data to include “location data, such as the location of the terminal equipment from or to which a phone call or an internet connection has been made or the wireless access points that a device is connected to. . . . [and] also include data necessary to identify users’ terminal equipment and data emitted by terminal equipment when searching for access points or other equipment.” (Draft Amend. 188)
- Extended protections on information to include not only that which is stored in an end-user’s terminal equipment, but also information processed by and related to an end-user’s terminal equipment. (Draft Amend. 511)
- A household exemption to consent is included for situations where a user of an electronic communications service explicitly requests the provision of a service for purely individual or individual work-related usage, such as search or keyword indexing, virtual assistants, text-to-speech engines and translation services.
- An exception for tracking employees without consent “if it is necessary in the context of employment relationships, [and] is strictly technically necessary for the execution of an employee’s task where: (i) the employer provides and/or is the subscriber of the terminal equipment; (ii) the employee is the user of the terminal equipment; and (iii) it is not further used for monitoring the employee.” (Draft Amend. 562)
It remains to be seen which of these, and other proposed amendments, will make an appearance in the final draft.
The Regulation is expected to replace the current e-Privacy Directive, and align with the GDPR. It is intended to create harmonised rules around the processing of personal data in the context of electronic communications, and is likely to expand the scope of these rules to apply to the Internet of Things (IoT) and Over-The-Top (OTT) services.
How OneTrust Helps
Evolving data privacy regulations create consistent challenges for website owners. EU cookie laws require organisations to inform website visitors about the data that’s being collected from them and to provide them with the choice over sharing their information.
OneTrust provides website owners with a transparent mechanism for obtaining required cookie consent from website visitors and respecting Do Not Track requests, helping organisations comply with EU cookie laws. Our comprehensive cookie compliance solution includes continuous website scanning against a 5.5M cookie database, a flexible interface for managing visitor consent, and a customisable visitor preferences center.