After years of legislative limbo, the draft ePrivacy Regulation is alive and kicking after ambassadors from the Council of the European Union agreed on a negotiating mandate. The move, led by the Portuguese Presidency in the Council, allows negotiations with the European Parliament to move forward, as part of the "trilogue" process.
"The path to the Council position has not been easy," Portuguese Minister for Infrastructure and Housing and President of the Council Pedro Nuno Santos said, "but we now have a mandate that strikes a good balance between solid protection of private life of individuals and fostering the development of new technologies and innovation."
The proposed ePrivacy Regulation would update the nearly 20-year-old ePrivacy Directive of 2002, expanding rules to cover technology services, such as voice over IP, web-based email and other messaging services, including services such as Skype, WhatsApp and Facebook Messenger. The draft regulation would also "particularise and complement" the EU General Data Protection Regulation, according to a council news release. The council also released the full text of the draft proposal.
"This is an important milestone in the legislative procedure of the draft ePrivacy Regulation, after years of back and forth," Covington & Burling's Jetty Tielemans said.
The Future of Privacy Forum's Gabriela Zanfir-Fortuna expressed similar optimism, saying, "It's almost a miracle the council managed to pull through negotiations ... after four years of failed attempts."
The mandate would "cover electronic communications content transmitted using publicly available services and networks, and metadata related to the communication." It would also cover machine-to-machine communications transmitted over public networks and apply when users are in the EU.
At this point, the council position creates a framework that prohibits interference with private communications "except when permitted." Permitted processing would include billing, mitigating fraud and user consent. Metadata may also be processed "to protect users' vital interests," including for the monitoring and spread of epidemics and other humanitarian emergencies. Users must also provide consent prior to processing information on their "terminal equipment," notably their smartphones, which often contain "highly personal information," such as photos and contact lists.
In addition to broadening the scope of the current directive, the proposed regulation would affect an advertising technology market that's already undergoing significant changes, brought on by the likes of Apple's iOS 14 and Google's moves beyond third-party cookies. At the same time, the European Commission is also working on a slate of potential laws that would affect the Digital Single Market, with the proposed Digital Service Act, Digital Governance Act and Digital Market Act.
Under the ePrivacy proposal released Feb. 10, 2021, end-users "should have genuine choice on whether to accept cookies or similar identifiers." The proposal also addresses what it calls "cookie consent fatigue" by allowing users to provide consent to the use of types of cookies by whitelisting one or multiple providers in their browser settings.
"What this confirms is that we are going to live with cookie consent obligations for the years to come," said Hogan Lovells Partner Eduardo Ustaran, CIPP/E. "Whether that is the most effective regulatory approach to ePrivacy is debatable, but at least we can prepare for it and find ways to make it work in the real world."
Though the news means the proposed regulation has life again, difficult negotiations remain as the trilogue process commences. The council will now begin negotiations with the European Parliament, and based on earlier drafts, gaps remain.
Zanfir-Fortuna said, "Based on previous drafts, there are some significant differences which will need to be reconciled, especially with regard to the permissions for accessing content and metadata of electronic communications, where the Parliament is pushing primarily for consent, and the Council seems to have added some more permissions and exceptions to the consent rule."
She also noted there may be points of contention regarding data retention provisions, which "will be a complicated negotiation."
But those may not be the only difficult hurdles in negotiations. Tielemans said, "The enforcement provisions in the current draft reflect a different approach than the one-stop shop in the GDPR. No doubt, they will be examined in detail by those who expressed disappointment in GDPR enforcement so far."
Indeed, German Federal Commissioner for Data Protection and Freedom of Information Ulrich Kelber has already criticized the proposal, saying there are "clear errors" in the latest version and warning that several "red lines would be crossed simultaneously in the area of data protection."
In a news release that has been translated to English from the original German, Kelber said the current approved version would be a "severe blow" to data protection, noting he was "stunned by the seriousness of the interference with the fundamental rights of European citizens." He added, "I urge the European Parliament and the EU Commission to advocate raising the level of data protection during the trilogue process."
Among topics of contention, Kelber highlights the reintroduction of data retention in the proposal, "which already failed in so many courts." He also argued the proposal would allow "cookie walls," remove individuals' right to object and data protection impact assessments, and exclude recourse to GDPR guarantees.
The GSMA, together with the European Telecommunications Network Operators' Association, said ePrivacy must strongly align with the GDPR. "The telecommunications sector recognises the significant efforts undertaken by the Portuguese Presidency, which led to an agreement at this week’s COREPER," the GSMA and ETNO stated. "The introduction of the principle of compatible further processing of metadata, and of the risk-based approach, are important steps in the right direction when it comes to aligning the ePrivacy with the GDPR."
They added, "As emphasized throughout the process, we believe that a flexible, risk-based approach to processing communications metadata will be critical to ensuring that telcos can innovate and participate in the data economy on an equal footing with other digital players."
Access Now, a data and consumer protection advocacy organization, said the agreement was "underwhelming." Though it "applauds the Portuguese Presidency and negotiators in the Council of the EU ... the content hugely misses the mark."
Estelle Massé, a senior policy analyst at Access Now, said, "States poked so many holes into the proposal that it now looks like French Gruyère. The text adopted today is below par when compared to the Parliament’s text and previous versions of government positions. We lost forward-looking provisions for the protection of privacy while several surveillance measures have been added."
Though it's clear difficult negotiations remain ahead in the trilogue process, European Parliament Member Sophie in 't Veld, an outspoken advocate for strong data protection rights, stuck to the cheese metaphor, tweeting, "Council's position has more holes than Swiss cheese, but at least we can start negotiations on updating law from 2002!"
Finally! After swift agreement in @Europarl_EN in Oct 2017(!), national gov’s amongst themselves are done horse-trading endlessly on new ePrivacy Regulation. Council’s position has more holes than Swiss cheese, but at least we can start negotiations on updating law from 2002! https://t.co/Kkge4o21Vu
— Sophie in 't Veld (@SophieintVeld) February 10, 2021