Greetings from Brussels!

If the GDPR didn’t seem divisive enough among member states, its younger sibling, the ePrivacy Regulation, is proving just as formative in adding to the consternation. Some countries would clearly like to see looser rules than those proposed by the European Commission on when businesses can use consumers' personal data. 

According to a Council of the European Union report from this week on the progress of national governments’ negotiations on the European Commission’s proposal to overhaul the ePrivacy legislation, several national delegations are calling for a softening of the draft rules detailing when telecoms and digital communication services like WhatsApp can process consumer data. The main point held here is that the provision on permitted processing (Article 6) is too restrictive and the ask here is for more flexibility, also considering that the GDPR provides for several legal grounds for processing of personal data. Not to mention, some of the member states are also asking that possible overlaps and contradictions with the proposal on the European Electronic Communications Code should also be taken into consideration.

Under the current draft proposal, telecoms can process users’ data if it is necessary to make sure that communications are secure. They can process metadata if they need to guarantee service quality for billing reasons or if consumers give their consent. However, a grouping of the member state delegations suggested the ePrivacy bill should be closer in substance to the GDPR, which also includes privacy safeguards and allows organizations to process data if they have a “legitimate interest,” as well as when consumers give their consent.

Questions were also raised as to whether the proposed solution for cookies — consent via browser settings — would ultimately satisfy the intended objectives; I have heard on more than one occasion from the industry that, in practice, this is not compatible with many working models for companies for a whole host of reasons. In particular, the online advertising companies or those companies whose business models use third-party cookie systems. Here, as elsewhere, certain delegations were asking for more analysis and impact assessments on trade, most notably in the SME sectors.

In general and in conclusion, the member state delegations welcomed the proposal and supported the objective of a high level of data protection and privacy in electronic communications. Importantly, however, and perhaps rightly so, it was felt that as the ePrivacy proposal is for an EU regulation — far more binding than an EU directive — more clarity and precision through closer examination is required. Consequently, member states dealt a blow to the European Commission’s proposal by casting doubt on its timeline. The 25 May 2018 deadline — to coincide with the GDPR —  for the rules to go into effect was deemed unrealistic, as stated in the report. Clearly, the Commission would like to see both regulations introduced simultaneously or thereabouts. The argument is that companies that fall under both privacy laws would be facilitated in their preparation and adoption of both laws, not to mention in their dealings with third-party providers.

Let’s not forget that the GDPR was more than four years in the making following much debate and only passed last year. It may prove a tad ambitious to have an ePrivacy regulation up and running in the next calendar year.