The European Union continues to be at the forefront of regulating privacy and data protection. While some of the world’s largest economies work to apply decades-old laws on the books to ever-changing technologies, the EU continues moving forward with its next-generation privacy laws. Just as the EU General Data Protection Regulation replaced Directive 95/46/EC, the ePrivacy Regulation will soon replace the ePrivacy Directive, which is nearing 20 years old, having entered into force in 2002.

To take a quick journey back in time, 2002 was also the year that euro coins and banknotes went into circulation. Sirius satellite radio and the BlackBerry smartphones were launched that year. It was the year before the appearance of MySpace, two years before the birth of Facebook and three years before the first video was uploaded to YouTube. Given just how much has occurred in the interim, it’s fair to say the ePrivacy Directive “has not fully kept pace with the evolution of technological and market reality” (ePR, Recital 6).

Indeed, communication today is omnipresent. Today’s digital services and applications rely on the content of our communications, from calendars that sync our meetings and appointments to spellcheckers that (usually) fix our text messages, to anti-spam filters that read our incoming email. Ensuring that the confidentiality of communications remains under these new technologies is a key aim of ePR.

The content of our electronic communications can reveal personal and sensitive data “from personal experiences and emotions to medical conditions, sexual preferences and political views, the disclosure of which could result in personal and social harm, economic loss or embarrassment.” Additionally, the metadata pertaining to these communications — “numbers called, the websites visited, geographical location, the time, date and duration when an individual made a call (etcetera)” — can allow “precise conclusions” to be drawn about the people involved in the communication, such as their “social relationships, their habits and activities of everyday life, their interests, tastes (etcetera)” (ePR, Recital 2).

As with a host of other recently developed privacy and data protection laws around the world, the GDPR and ePR are aimed at keeping up with the ever-expanding suite of data-collecting tools and technologies. Indeed, since the earliest discussion, the ePR has had its sights set on voice-over IP, web-based email and messaging services, and behavioral-tracking techniques. One of the main impacts of the replacement of the ePrivacy Directive with the ePR will be the extension of rules that currently apply only to internet access and telecommunications providers to webmail and messaging services. These “personal assistant” digital services that proliferate today mark a drastic shift from the mere “pipeline” services of the past that the ePrivacy Directive aimed to regulate, such as traditional telecommunications providers that merely transmit messages from point A to B.

Evolution

The legal foundation of ePR is Article 7 of the Charter of Fundamental Rights of the European Union, which is the right to respect for private and family life. In particular, the dimension of confidentiality within this right is what the ePR seeks above all to protect. Respect for the principle of confidentiality in the realm of electronic communications requires that “information exchanged between parties and the external elements of such communication, including when the information has been sent, from where, to whom, is not to be revealed to anyone other than to the parties involved in a communication.” The ePR takes this confidentiality principle at the conceptual level and seeks to apply it to “calls, internet access, instant messaging applications, e-mail, internet phone calls and personal messaging provided through social media.”

The first text of the ePR was released in January 2017, when the European Commission adopted its proposal. The Civil Liberties, Justice and Home Affairs Committee in the European Parliament adopted its report on amendments in October 2017.

Since then, the European Council’s examination and revision of the text, which has been conducted by the Working Party on Telecommunications and Information Society, has lasted more than three years. This has transversed nine different council presidencies — the Maltese, Estonian, Bulgarian, Austrian, Romanian, Finnish, Croatian, German and now Portuguese — each of which has made a variety of contributions to the text.

However, on Feb. 10, 2021, the Permanent Representative Committee adopted the Proposal for a Regulation, which was the 14th draft of the text to date. The Portuguese Presidency will now begin talks with the European Parliament on the final text of the ePR.

So, where does the current text stand regarding key issues such as scope, consent and cookies?

Scope

Broadly speaking, the rules of ePR apply to “providers of electronic communications services … and providers of publicly available directories,” as well as those “who use electronic communications services to send direct marketing commercial communications” or “make use of processing and storage capabilities of terminal equipment or collect information processed by or emitted by or stored in end-user’s terminal equipment.”

It is interesting to see that, given the slow pace of ePR but ever-developing technology landscape, “the EU has already started to implement parts of the ePrivacy Regulation into other laws.” For example, since December 2020, the European Electronic Communications Code has essentially expanded the definition of “electronic communications services” to include “over-the-top” services, which include WhatsApp and Skype, presumably along with some services that have recently surged in popularity, including Zoom and Teams. The inclusion of OTT services within its ambit was one of the central contested issues illuminating earlier discussions of ePR.

While OTT services were already within its scope, the current proposal has also notably been extended to include “machine-to-machine data transmitted via a public network.”

Suggestive of the increased emphasis on protecting it, the latest draft also includes a definition of location data, which is “data processed by means of an electronic communications network or service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service.”

Consent and cookies

Consent of end-users remains the centerpiece for processing and storage capabilities and the collection of information from their terminal equipment.

So-called “cookie walls,” whereby access to a website is denied to users who refuse to consent to the trackers present on that site, are permitted by the ePR in certain circumstances when the user has a real choice between services. In cases when an end-user is able to choose “between an offer that includes consenting to the use of cookies for additional purposes on the one hand, and an equivalent offer by the same provider that does not involve consenting to data use for additional purposes, on the other hand,” then access may be made contingent on the consent of the end-user to the storage and reading of cookies (Recital 20aaaa).

What will qualify as “equivalent,” however, is not spelled out in the text of the ePR, so this may be an area where the European Data Protection Board and national authorities need to provide guidance on acceptable practices.

In other cases, however, making access to a website dependent on the consent to the use of cookies, in cases where there is “a clear imbalance between the end-user and the service provider,” may deprive the end-users of a genuine choice. Websites used by public authorities, for example, would normally fall into this camp, given their “dominant position” with respect to the end-user, who would have few or no alternatives to using their services.

One of the features of the latest text is that it allows users to consent to certain types of cookies by “whitelisting” one or more providers through their browser settings. The purpose of this is to prevent users from being “overloaded with requests to provide consent,” which can lead to a situation when “consent request information is no longer read and the protection offered by consent is undermined” (Recital 20a).

What’s new in the latest text is that further processing of metadata for “compatible” purposes without a user’s consent has been reintroduced in Article 6(c). Providers must first ascertain, however, whether the additional processing of metadata is “compatible” with the purposes of initial collection by considering:

  • “Any link” between the purposes of the initial and intended further processing.
  • “The context” in which the collection of metadata occurred.
  • “The nature” of the metadata and the “modalities” of intended further processing.
  • “Possible consequences” of the intended further processing.”
  • The existence of “appropriate safeguards,” such as encryption or pseudonymization.

If the further intended processing is deemed compatible by these considerations, it may take place if these additional conditions are met:

  • The metadata must be pseudonymized.
  • The metadata must be erased or made anonymous as soon as it is no longer needed for the purpose.
  • The metadata must not be used “to build a profile of an end-user.”
  • The metadata must not be shared with third parties unless it is anonymized.

Interplay with GDPR

Perhaps the most apt description of the ePR I have read is that it is “a complex piece of legislation broadening the scope of another complex piece of legislation.” Specifically, the provisions of the ePR “particularise and complement the general rules” of the GDPR. As lex specialis to the GDPR (lex generalis), the provisions of the ePR will take precedence over those of the GDPR. When no specific rule exists within the ePR for the processing of personal data, then the GDPR will apply to that processing.

More precisely, the provisions of the ePR complement the GDPR insofar as they set forth rules regarding the protection of the rights of both natural persons and legal persons, while the GDPR applies only to natural persons (Recital 14).

The areas of greatest similarity between the GDPR and ePR are in the definitions they adopt for core concepts, such as consent, the restrictions member states are permitted to implement (GDPR Article 23, ePR Article 11), their broadly defined material and territorial scopes, and their upper limit for sanctions: 4% of global revenue (although the cap is 2% for violations of the ePR’s rules on cookies and direct marketing). Like the GDPR, the ePR will apply directly in all EU member states, with the EDPB also responsible for issuing guidance in support of its consistent implementation across the EU.

What’s next?

Talks between the Portuguese Presidency and Parliament on the final version of ePR are beginning. As IAPP Editorial Director Jedidiah Bracy, CIPP, pointed out, “difficult negotiations remain as the trilogue process commences.” Legal experts do not expect a compromise agreement to be “easy or swift,” and more changes are all but certain. Yet, if they have not already, now is a good time for organizations to scrutinize the ePR in its current form and consider the impact it will have on their privacy program and data protection operations worldwide.

Nevertheless, we have not yet reached the end of the lawmaking process, and it may be months before the adoption of the ePR final text, which “could still deviate significantly from the council’s draft.” One of the most important questions to pay attention to will be whether the next and perhaps final, version of the text will include or continue to leave out the industry-favored “legitimate interest” as a grounds for processing electronic communications data — which had been added in an earlier draft but was later removed by the German Presidency.

While few ePR observers had expected it to be finalized before 2021, this may be the year for the ePR. But, if last year taught us anything, it’s that what will happen next is too hard to predict. It would not be unprecedented for this new draft to fail to garner support and stall as previous versions did.

Let’s see.

Photo by ål nik on Unsplash