As the clock ticks on the ePrivacy Regulation — and the ambitious aim of having it ready for May 2018 — members of the European Parliament’s civil liberties committee have submitted more than 800 amendments.

The big — though not surprising — news is the proposal to introduce “legitimate interest” as a justification for further processing of data. Polish MEP Michal Boni’s amendments in Recital 17 on metadata and Recital 21 on access to information stored on terminal equipment both propose “an exemption from obtaining end-users’ consent in cases … where the processing is necessary for the purpose of legitimate interest, provided that the data protection impact assessment was carried out.”

Despite being a member of the Parliament’s largest political group, the European People’s Party, he will have a fight on his hands. The ePrivacy Rapporteur Marju Lauristin told The Privacy Advisor (in last week’s video interview) that she cannot see any justification for legitimate interest. 

Jan Albrecht is also against it: “Processing of personal data should generally take place only with the explicit consent of the individual. Exceptions to this can only be possible if either a law foresees the processing or the individual can reasonably expect the processing based on its relationship with the data controller. The latter is therefore not possible when sensitive data is processed or the individual has no direct relationship with the controller. Due to the impact on private life and integrity of communication systems, electronic communications data should be treated as sensitive data and therefore only be processed on the basis of consent or specific purposes described by law.”

The ePrivacy Regulation is transposing two specific rights from the EU Charter of Fundamental Rights: Article 8 on Data Protection and Article 7 on privacy and confidentiality of communications. This is where it differs from the GDPR. Because confidential communications are deemed to be sensitive data, previous iterations of the law have never allowed for any further processing of the electronic communications data beyond what is technically needed for the transmission and where the user has given consent.

"The question of the role of legitimate interest in the ePrivacy [Regulation] is still very much up for grabs." — British MEP Daniel Dalton

The only MEP interviewed by The Privacy Advisor who supported legitimate interest was British conservative Daniel Dalton: “The question of the role of legitimate interest in the ePrivacy [Regulation] is still very much up for grabs. There is no justifiable reason that legitimate interest, balanced by careful safeguards, should not have a place in legislation governing the processing of data online, especially when 'consent fatigue' is a real risk. If online businesses have to rely on cookie banners to ask for consent for every little thing, what value does consent have anymore? Other, strictly controlled grounds for processing also alleviate this risk, and put value back on the action of consent.” 

Eduardo Ustaran, partner at Hogan Lovells, also raised the issue of cookies: “My main concern is that while people are distracted by what promises to be an intense legislative process, the clock to put in place a valid cookie consent solution is ticking. Come 25 May 2018, the widespread 'implied consent' practice risks becoming a glaring breach of the existing law.”

He’s certainly correct that there is a huge amount still to discuss in the ePrivacy Regulation — Wi-Fi and Bluetooth tracking, do not track enforcement, and last, but not least, defining what it covers. In particular so-called “ancillary services” need to be pinned down.

According to Dalton, “the EU Commission has wrongly expanded the scope of the legislation too far to cover any service with an ancillary communications element and in doing so risks the viability of many of the services consumers have come to expect and, in cases, rely on.”

Ancillary services are those that provide a communications tool without it being central to the service provided — for example, direct messaging between gamers during an online game or as part of a dating app.

Another shadow rapporteur, Cornelia Ernst, is concerned about metadata: “Traffic data of electronic communications of one person can reveal that person’s relations, the social environment, and how deep the involvement with various contacts are. The same data of a large number of persons can reveal all their relations, everybody's social environment, and finally the social nets and networks that exist between people. In that, it is more sensitive than, for example, the history of transactions of a bank account.”

"We want opt-ins rather than opt-outs." — Dutch MEP Sophie In’t Veld

Dutch MEP Sophie In’t Veld also had her priorities straight: “What we have emphasized in our amendments, and the rapporteur has done the same, is really that the user or data subject retains control and with regard to direct marketing. That also means we want opt-ins rather than opt-outs.”

And Albrecht opened a whole new can of worms with a new Recital (14a) on protocol layers: “Modern electronic communications services, including the internet and the OTT (over the top) services that run on top of it, function on the basis of the separation of layers of protocols and services. That means that what is metadata on one protocol layer is content data for the layers below. Where this regulation lays down different rules for the processing of content and metadata, this should be understood for the respective electronic communications service and the protocol layer it is operating on.”

Expect heavy lobbying on all these issues.

The European Telecommunications Network Operators' Association and the GSMA already released their position: “Rather than specifying each use case in law, which does not provide for a future proof regulation, the ePrivacy Regulation should allow more flexible grounds for processing built upon principles. Such principles should include processing for compatible purposes or legitimate interests which would allow a case-by-case assessment on whether a certain processing activity is allowed or not while being subject to sufficient safeguards.”

The next meeting of all the shadow rapporteurs will take place September 6.