The trilogue discussions on the draft EU ePrivacy Regulation are scheduled to start summer 2021. It is the last leg in the EU legislative process whereby the European Parliament and the Council of Ministers (read: Member States) attempt to reconcile the differences between the drafts they signed off on earlier in the process. The trilogue leads to a final text approved by both the EP and the Council and is published in the Official Journal.
As privacy professionals look toward the start of the trilogue and prepare for a final ePrivacy Regulation, we offer the following overview of key provisions of the text approved by the Council earlier this year. This text forms the basis of the trilogue discussions. We focus on three main areas: cookies, the scope of application of the Regulation, and unsolicited direct marketing communications and spam.
The latest rules on the use of cookies
Q: Are so-called “cookie walls” prohibited?
A: No, but users must be given an “equivalent” non-cookie option as well.
Although the ePR’s rules on the use of cookies may continue to evolve, in the latest draft, cookie walls, which ban access to certain services unless a user allows cookies, are not prohibited as long as the user is given an “equivalent offer” for the service that does not require the use of cookies.
Q: Do all uses of cookies require consent?
A: No, as there are a limited number of other legal bases that may justify the deployment and reading of cookies.
As a general rule, deploying and reading nonessential cookies requires consent. A nonessential cookie is a cookie that serves a purpose other than the mere provision of an electronic communication service. There are a limited number of other legal bases that can justify the use of nonessential, nontracking cookies, including the provision of a service specifically required by the end-user, audience measurement or cookies deployed for security purposes. For example, single-session cookies, which keep track of a user’s input when filling in online forms across several pages; authentication session cookies, which verify a user’s identity; and “shopping basket” cookies, which keep track of items a user has selected and placed into a cart do not necessarily require the consent of the end-user.
Q: Can consent to cookie storage be provided through software settings rather than through the individual end-user?
A: Yes. An end-user may provide consent to one or more providers through software settings, such as browser settings, for one or more specific purposes across one or more specific services of that provider. However, consent expressed directly by an end-user must prevail over software settings. Thus, if the browser is set to accept certain cookies but the user says no, the user’s choice prevails.
Q: Is the consent for cookies limited in time?
A: The Council text foresees that end-users who have provided consent must be periodically, i.e., every 12 months, reminded of their right to withdraw consent.
Q: Can service/network providers use third parties to obtain cookie consent on their own behalf?
A: Yes. Although the responsibility for obtaining a user’s consent to cookies lies with the information society service provider or advertising network provider, these entities may use other third parties to obtain consent on their own behalf.
The expanded scope of the general horizontal rules
Q: Which entities are subject to the general provisions of ePR?
A: Conventional telecommunications services, such as those that provide internet access, mobile telephony, or SMS services; interpersonal communication services, including over-the-top services such as Messenger, VoIP services like WhatsApp and Skype, and email services such as Gmail; and machine-to-machine transmission services all fall within the scope of ePR.
Q: Do all types of M2M communication fall within the scope of ePR?
A: No. The latest draft distinguishes between M2M services that involve the conveyance of signals via an electronic communications network and constitute an electronic communications service within ePR’s scope and M2M services carried out via a private or closed network outside ePR’s scope.
Q: Do messengers integrated into another service as an ancillary feature fall within the scope of ePR?
A: Yes. According to Article 4(2) of the Council draft, the definition of interpersonal communication service includes “services which enable interpersonal and interactive communication merely as a minor ancillary feature that is intrinsically linked to another service.”
Q: Does the ePR apply extraterritorially?
A: Yes. The ePR applies to the provision of electronic communication services, processing of electronic communications content and metadata, and protection of the terminal equipment of end-users who are in the European Union (Article 3(1)).
Q: What should an organization do if it is not established in the EU but falls within the scope of ePR?
A: Within one month from the start of its activities, it should designate in writing a representative in the EU and communicate that representative to the competent supervisory authority in one of the Member States where the end-users of its electronic communications services are located (Article 3(2-3)).
Q: Are there any exceptions to the requirement to designate a representative in the EU?
A: Yes. If an entity’s activities are “occasional and are unlikely to result in a risk to the fundamental rights of end-users taking into account the nature, context, scope and purpose of those activities,” it need not designate a representative in the EU (Article 3(2a)).
The rules on unsolicited direct marketing communication
Q. Have the rules on sending unsolicited direct communications by email, i.e., spam, changed?
A: No. The currently applicable rules remain largely unchanged: Unsolicited direct marketing communications by email or other comparable techniques such as IMS, SMS and Bluetooth are subject to prior consent except if the sender has obtained a valid consent as part of a prior purchase of goods or services, and the new communication is from the same sender and relates to similar goods or services.
If these conditions are met, there is no need to obtain a new consent but the recipient must be given the possibility to opt-out of receiving further communication. The opt-out option must be provided in the initial communication and at every subsequent communication. This is often referred to as the similar products and services exemption. Note that Member States may subject this exemption to a time limit and specify the period of time that contact details from an existing relationship may be used for further marketing communications.
Next steps and timeline
It is generally expected that the trilogue for the ePR will be a complex and lengthy process. The original Commission proposal dates back to January 2017 and the EP signed off on its draft later that year. The Council took several years to come to an agreement on a text that would be acceptable to the Member States. It is this text, agreed upon in early 2021, that forms the basis of the trilogue discussion. This text differs fundamentally from the text approved by the EP in 2017. The composition of the EP has also changed because of intervening elections. The stakes are high and we should expect heated discussions. We have a way to go before all relevant bodies agree and the final text is published in the Official Journal.
Once published, the Regulation will enter into force 20 days later. It does not start to apply, however, until 24 months later. This grace period should allow all affected parties, including the Member States, to prepare. Since the new law takes the form of a regulation it does not need to be implemented into national law, but it is possible (and likely) existing national laws in the Member States will need to be adjusted to align with the new regulation. Assuming the trilogue is completed by 2022 — which may be overly optimistic — the ePR would not start to apply until sometime in 2024. This is a long detour from the original road map, which was to have the ePR enter into force the same time as the EU General Data Protection Regulation, in May 2018.
Photo by ål nik on Unsplash