As the Estonian Presidency of the Council of the European Union wraps up this month, it put forward a new draft of the pending ePrivacy Regulation, which was considered at the Council's WP TELE meeting held Dec. 11. While it is a new consolidated draft, with many deviations from the initial Commission draft throughout, the new pieces for consideration in this draft are limited to articles 6 through 8, which concern the legitimate bases for processing electronic communications and metadata, plus rules around the retention, storage, and deletion of user data.
The stated purpose of this most recent meeting was to consider these modifications to articles 6 through 8 and then begin discussion of Article 10, which regards the provision of privacy settings in apps and communications software. Likely, the next Council draft will incorporate any changes discussed there.
As might be gleaned from public statements by Parliament Rapporteur MEP Birgit Sippel, the Council's and Parliament's drafts on the ePrivacy Regulation remain far apart in many areas, including in these new Council drafts of articles 6 through 8 and their attendant recitals. While the Parliament wants to limit processing of communications data and metadata as much as possible, the Council is looking to leverage consent and the GDPR's allowances for legitimate processing in a few areas.
For example, the newest Council draft creates carve-outs for processing metadata for the performance of a contract, or for meeting a legal obligation or where it's in the vital interests of someone who can't provide consent for themselves. These all mirror similar GDPR language for legitimate processing. Parliament did not address these potential carve-outs at all.
In fact, while the Council is attempting to expand potential legitimate grounds for processing, the Parliament draft attempts to walk certain pieces of the Commission draft back.
In fact, while the Council is attempting to expand potential legitimate grounds for processing, the Parliament draft attempts to walk certain pieces of the Commission draft back. For example, while the Commission would allow for processing of metadata made anonymous, Parliament strikes that provision from Article 6(2)(c).
Further, the Council has proposed an entirely new ground for processing for the purposes of statistical research in Article 6, with a new Recital 17b that reads in part: "This type of processing should be subject to further safeguards to ensure privacy of the end-users by employing appropriate security measures such as encryption and pseudonymisation. In addition, end-users who are natural persons should be given the right to object." Parliament currently does not address research at all in their ePrivacy amendments.
Going even further, the Council is proposing that the processing of one end user's data by request be allowed, even without consent of other end users involved in the communication, as long as the rights and freedoms of those end users are not "adversely affected" and a data protection impact assessment is carried out. This will likely prove contentious with the Parliament, which would require that there be no possible impact of any kind on any other end user, "adverse" or not, should a requested service be the basis for processing.
In terms of Article 7, the open question in front of the Council is whether it's necessary to provide for the deletion of communications data if that is already covered in the GDPR. The Parliament offered only very minor amendments to Article 7. However, both drafts run contrary to any sort of data retention laws that member states might try to impose. They are very clear that communications data and metadata should be deleted as soon as the messages have been sent and "when it is no longer needed for the purpose of the transmission of a communication."
In terms of Article 7, the open question in front of the Council is whether it's necessary to provide for the deletion of communications data if that is already covered in the GDPR.
Finally, there is Article 8, which outlines the ways that communications services and platforms can access the data on an end user's device, be it a mobile phone or other piece of hardware—so-called "terminals." The Council's suggested amendments are generally surrounding provisions for security operations, plus a new carve-out for consent: If the end user permits it, the communications platform would be able to collect information regarding the connection between two users.
The Parliament draft is more specific about the control end users would have in postponing security updates and does not include any consent language regarding that connection information.
We will have to wait until the next draft to see how these potential changes were received by members of the Council and what they might have in store for Article 10. In the meantime, Parliament will be tapping its collective watch, looking forward to the trilogue process.
Photo courtesy of the Estonian Presidency.
If you want to comment on this post, you need to login.