Since its proposal by the European Commission, the ePrivacy Regulation has been the topic of discussion among regulators, consumer groups, privacy advocates, and industry associations. At the beginning of the year, IAPP analyzed legislative developments that occurred under the Bulgarian presidency, where legislative discussions and amendments to the text dealt with issues such as the scope of the regulation, obtaining consent for the use of cookies, grounds for data processing other than consent, and ePrivacy’s interaction with the GDPR.
Although the pace of ePrivacy’s advancement has been slower than initially promised by policymakers, a pressing need remains to examine the amendments made by the Austrian presidency and deliberations among member states to better understand the unfolding process and the nature of the changes being proposed to the text.
The Austrian presidency’s first set of amendments (July 10) incorporated revisions to Articles 6, 8, and 10, as well as the related recitals, and indicated the need for further discussion at the WP level. In its second set (Sept. 20), the presidency noted that there were “quite diverging views” among delegations on the changes proposed to articles 6 and 10 and regarding policy/legal issues related to article 8. Member state delegations had raised questions involving the scope of ePrivacy and its position vis-à-vis the GDPR, the fundamental rights of confidentiality with respect to data protection, GPS location data, and developments in artificial intelligence, the Internet of Things, and automated driving. The presidency also indicated that it had “decided to stick, for the time being” to the approach outlined in July, whereby it will continue to ask delegations for further guidance, “including concrete drafting suggestions.”
What are the changes?
Article 2: According to the presidency, at the WP TELE meeting of July 17 and in written comments, delegations requested further changes in relation to information security measures, which they believe should not be prohibited by the regulation. Considering this, the presidency has adopted the view that end-users or third parties who take information security measures on their behalf are “not at all covered by the ePrivacy Regulation.”
Article 2 on Material Scope lists two types of processing activities: Those to which ePrivacy applies and those to which it does not. To the list of processing activities to which it does not apply, the latest round of amendments added “electronic communications metadata processed by the end-users concerned or by a third party entrusted by them to record, store or otherwise process their electronic communications metadata on their behalf” to a new Article 2(2)(f). Recital 8 was also modified to indicate that third parties that end-users request to process their electronic communications data on their behalf are excluded from the regulation.
Article 6: The presidency’s proposed amendments to Article 6 have been intended to make it more “future-proof,” such that it will have the flexibility to “enable the development of innovative services,” including those related to AI and IoT. In line with this objective, the latest amendments include a possibility for further compatible processing of electronic communications metadata in a new Article 6 (2a). Moreover, several “minor linguistic modifications” were made to Article 6 in the latest round of amendments to increase flexibility. Wording changes were also made to Article 6(2)(f) and Article 6(2a) (c) to ensure more coherence and better alignment with the GDPR.
The presidency also invited the delegations to consider two options going forward: The first option would be to move ahead “with the aim of tightening the concept of further processing by including additional safeguards.” The second option would be to move forward “with the aim of including further flexibility in the concept of further processing, e.g. by aligning the text closer to the GDPR.” The presidency also asked the delegation to provide “concrete drafting suggestions” if possible.
Article 8: Article 8 prohibits the use of processing and storage capabilities of terminal equipment and the collection of information from end-users’ terminal equipment, while carving out a few exceptions. One of the exceptions contained in Article 8(1)(e) is when “it is necessary for a security update.” The latest amendments expanded this exception to when “it is necessary for a software update,” if it is “for security reasons.” According to the presidency, this change was made so that software providers would not be obliged to split security updates from other updates.
Regarding conditional access to website content, which is addressed in Recital 20, the presidency stated that it would like to “continue the discussion,” given disagreement among Member States over whether this was compatible with the GDPR and the notion of “freely given consent.”
Article 10: In light of the concerns raised by Article 10, particularly regarding “the burden for browsers and apps, the competition aspect, the link to fines for non-compliance but also the impact on end-users and the ability of this provision to address e.g. the issue of consent fatigue,” the presidency proposed to delete this article and the respective recitals in their entirety in its July 10 Amendments. Regarding what effect deleting Article 10 will have, EDRi has argued that “fewer users will become aware of privacy settings that protect them from leaking information about their online behaviour to third parties.”
What’s next?
The Council’s provisional agendas for meetings scheduled during the second semester of the Austrian presidency indicate that the Dec. 4 meeting will include only legislative deliberations and a progress report on the ePR. In addition, a spokesman for Austria’s innovation ministry tension for the Privacy Advisor, David Meyer also recently explained that “it's quite possible that trilogue negotiations between the EU institutions will be only conducted after the European Parliament elections next May. The law now appears extremely unlikely to come into effect until 2020 at the earliest.”
As the “sister legislation” to the GDPR, hopes were originally that the new ePrivacy Regulation would come into effect simultaneously with the GDPR in May 2018. While several forecasts for its entry into effect have been revised to 2020, we may see the pace of ePrivacy developments accelerate towards the end of this year, especially as the December 4 legislative deliberations approach. What impact the Council’s progress report will have on the future pace of ePrivacy developments is also worth watching.
photo credit: PGBrown1987 via photopin