The Council of the European Union Issues Amendments to the Commission’s E-Privacy Regulation Proposal

The European Union has been undergoing deep change in its data protection framework over the past few years, which started with the passing of the General Data Protection Regulation (GDPR) in May 2016 (to take effect on 25 May 2018) to modernise the existing rules of the Directive 95/46/EC. The European Commission issued a draft E-Privacy Regulation on 10 January 2017, which aimed to replace the current E-Privacy Directive and align the text with the new requirements of the GDPR.

The proposed text of the E-Privacy Regulation has generated mixed reactions so far –– the advertising industry is on the frontline to have the Commission version modified as the current requirements are fairly strict (processing of electronic communications can only be based on necessity or consent of the end-user and direct marketing would mainly require opt-in.)

On the other hand, in an opinion released last April, the Article 29 Working Party has expressed four points of grave concern with regard to the tracking of the location of terminal equipment; the conditions under which the analysis of content and metadata is allowed; and the default settings of terminal equipment and software and with regard to tracking walls. The WP29 feels that the proposed Regulation would lower the level of protection enjoyed under the GDPR in those areas.

As part of the legislative process, the Council of the European Union issued on 8 September 2017 its proposed amended version of the E-Privacy Regulation proposal. The amended text focuses on the articles only, while recitals will be examined at a later stage.

The Council’s revised draft proposal specifies that “the revisions are based on the discussions held in the WP TELE (Working Party for Telecommunications and Information Society) meetings and on the written comments provided by delegations to date,” adding that many delegations are still in the process of analyzing the proposal.

Consequently, additional redrafts are to be expected. This first one “aims mainly at clarifying certain elements and outlining specific issues to be examined for the purposes of advancing the discussions on the file.”

The Council’s main changes concern the following:

  • Material scope: Clarifies the application of the Regulation to the processing of electronic communications content “in transmission,” and of electronic communications metadata (as opposed to all electronic communications data – as currently in the Commission’s E-Privacy Regulation Proposal, which includes both electronic communications content and electronic communications metadata.)
  • Territorial scope: clarifies and adds to the current proposal for the Regulation to also apply to:
    • The processing of electronic communications content in transmission and of electronic communications metadata of end-users located in the Union
    • The offering of publicly available directories of end-users of electronic communications services located in the Union
    • The placing on the Union market of software permitting electronic communications services located in the Union
    • The sending or presenting of direct marketing communications to end-users located in the Union
  • Obligation to appoint a representative: Some delegations suggested to extend the obligation to appoint a representative to other actors covered by the proposal. Who those actors would be is yet unclear and will be the subject of discussions of the upcoming WP TELE meetings. (The obligation currently only concerns providers of electronic communication services not established in the Union.)
  • Consent: The wording has been simplified and aligned with article 10 and the GDPR. It also extends the interval for the reminder to provide to end-users of the possibility to withdraw consent from six to twelve months
  • Confidentiality of electronic communications data in machine-to-machine communications: The Council inserted language to clarify that machine-to-machine communications are covered and to start the discussion on how to approach this issue.
  • Different legal grounds to be included for permitted processing of electronic communications: As delegations have proposed different legal grounds to be included, this issue will be submitted for discussion during the upcoming WP TELE meetings, including the different types of data – content and metadata. Several stakeholders have suggested including legitimate interest as an additional ground for processing, which would alleviate the strictness of the current requirements and provide more leeway for companies to track end-users of electronic communications.
  • Storage and erasure of electronic communications data: While this provision is currently relatively strict, as it requires erasure or anonymisation of data when it is no longer needed for the purpose of the transmission of the communication, the Council considers that more discussion is needed on further processing of data and will seek delegations’ views on how to approach that question.
  • Protection of information stored in and related to end-users’ terminal equipment: The Council will seek delegations’ views on whether any other grounds for processing could be considered.
  • Information and options for privacy settings to be provided: An article has been inserted to allow end-users to easily change the settings selected and will seek delegations’ views on the matter
  • Supervisory Authorities: Many delegations asked for more flexibility with regard to the supervisory authority. While the Council still proposes to keep the DPAs as authorities for monitoring the application of the Regulation, it acknowledged that some of the provisions might require expertise beyond DPAs competences.
  • End-users remedies: To ensure the consistency with the GDPR, it inserted an article to allow end-users who are natural persons to get collective redress (the right to mandate a non-for-profit body, organisation, or association to lodge a complaint on their behalf.)

The text of the proposal will be discussed article-by-article during upcoming WP TELE meetings on 19, 20, and 25 September. Delegates will be invited to express their views on the proposed changes, and will have a chance to raise further issues within each article and indicate their preferred solutions.

How OneTrust Helps

Evolving data privacy regulations create consistent challenges for website owners. EU cookie laws require organisations to inform website visitors about the data that’s being collected from them and to provide them with the choice over sharing their information.

OneTrust provides website owners with a transparent mechanism for obtaining required cookie consent from website visitors and respecting Do Not Track requests, helping organisations comply with EU cookie laws. Our comprehensive cookie compliance solution includes continuous website scanning against a 5.5M cookie database, flexible interface for managing visitor consent, and customisable visitor preferences center.