Last week, the LIBE Committee proposed over 800 amendments to the much-anticipated e-Privacy Regulation. The amendments are included in a draft report prepared by MEP Marju Lauristin and posted on the European Parliament website.

Debate over Legitimate Interests

Perhaps the most notable amendment centers on the addition of an exemption from having to obtain the consent of end-users to process metadata for purposes other than those for which they were initially collected and where the processing is necessary for the purpose of legitimate interest (in accordance with Article 6(1)(f) of the GDPR), provided that a data protection impact assessment (DPIA) was carried out, as prescribed in Article 35 of the GDPR.

As reported in the IAPP’s Privacy Advisor, fierce lobbying and debate around this proposed exemption is expected and has already begun to take place.

“Due to the impact on private life and integrity of communication systems, electronic communications data should be treated as sensitive data and therefore only be processed on the basis of consent or specific purposes described by law,” said German MEP Jan Albrecht.

On the other side of the aisle, British MEP Daniel Dalton sees such an exemption as an opportunity to address concerns about “consent fatigue,” and as a way to protect the value of consent. According to Dalton, “[i]f online businesses have to rely on cookie banners to ask for consent for every little thing, what value does consent have anymore?”

Cookie Concerns

Regardless of the fight over the inclusion of legitimate interests, others have remained focused on issues such as cookies, which present interesting challenges around obtaining and managing consent. “My main concern is that while people are distracted by what promises to be an intense legislative process, the clock to put in place a valid cookie consent solution is ticking,” said Eduardo Usteran, partner at Hogan Lovells, in an interview with the IAPP’s Privacy Advisor.

It is clear that organisations and their legal counsel are concerned about how they will comply with upcoming consent requirements, particularly where current “implied consent” practices will be insufficient come 25 May 2018.


Other proposed amendments include:

It remains to be seen which of these, and other proposed amendments, will make an appearance in the final draft.

The Regulation is expected to replace the current e-Privacy Directive, and align with the GDPR. It is intended to create harmonised rules around the processing of personal data in the context of electronic communications, and is likely to expand the scope of these rules to apply to the Internet of Things (IoT) and Over-The-Top (OTT) services.

How OneTrust Helps

Evolving data privacy regulations create consistent challenges for website owners. EU cookie laws require organisations to inform website visitors about the data that’s being collected from them and to provide them with the choice over sharing their information.

OneTrust provides website owners with a transparent mechanism for obtaining required cookie consent from website visitors and respecting Do Not Track requests, helping organisations comply with EU cookie laws. Our comprehensive cookie compliance solution includes continuous website scanning against a 5.5M cookie database, flexible interface for managing visitor consent, and customisable visitor preferences center.