Greetings from Brussels!

In case you did not get the memo, there was a shift in posture on the ePrivacy Regulation Wednesday here in Brussels. The Council of the European Union agreed on its negotiating position on the EU draft ePrivacy Regulation. In other words, an agreement was reached by the Coreper, the committee of EU member state representatives. You really do have to "tip your hat" to the Portuguese for the accomplishment. Let us recall the timeline here, the text was unveiled by the EU Commission back in January 2017 and intended to come into force alongside its sister legislation the GDPR. Four years on, and multiple drafts and rotating EU presidencies later, it has taken a ninth consecutive EU Council Presidency to get consensus and a text over the line: To our Portuguese friends, I say, "meus parabéns," and "muito obrigado."  

It has been a journey, so this news is welcome. You’ll read a lot of reaction in the coming days on how we arrived at this new juncture, and I recommend IAPP Editorial Director Jedidiah Bracy’s concise and compact summary, which looks at some of the key stakeholder reaction to the announcement.

While the proposed ePrivacy Regulation involves data protection in the electronic communications sector, it has been a challenge for member states with key areas of contention as to how best to create a level playing field between the new generation of internet players and the telecom providers. Major revisions over the years have ranged from the inclusion of legitimate interest as a lawful basis of the processing of metadata, placing of cookies, through to the introduction of stricter consent requirements, as well as the detection and the deletion of child pornography. All of which have fueled three years of continuous debate in different directions. 

The updated ePrivacy rules per the Council are geared towards defining cases and "exceptions" where service providers are allowed to process electronic communications data or have access to data stored on end-user devices. There has been mixed reaction to the Council position, some of which has been quite stern. Straight out of the gate, Ulrich Kelber, the German Federal Commissioner of the BfDI expressed a series of concerns, including the reintroduction of data retention provisions, which he states have already failed before the courts. 

Importantly, this week's agreement put in motion the trilogue talks with the European Parliament (and European Commission) on the final text. It is worth noting that the European Parliament laid out its negotiating position nine months after the proposed regulation was published by the Commission back in 2017. The European Parliament’s lead negotiator, MEP Birgit Sippel, reportedly said earlier in the week that she believed the Council's text did not go far enough to protect privacy rights and that the European Parliament position remains clearly one of protecting privacy and confidentiality of communications. The forthcoming trilogue negotiations may prove challenging as the Council’s text could be characterized as less privacy-protective than the original proposal of the European Commission or the position of the Parliament. We could well be into a new year before a potential agreement is reached.

Of interest, the council is also proposing a two-year grace period before the regulation enters into effect. In other words, it would enter into force 20 days after its publication in the EU official journal and start to apply two years thereafter. If that condition is confirmed by the trilogue negotiations, it may be 2024 before we see an ePrivacy Regulation come into play. There is still plenty of debate ahead between European institutions, so we will keep you all updated as it unfolds.