Since the IAPP analyzed the five most hotly contested issues of the ePrivacy Regulation in January 2018, a lot has happened with the proposed regulation. No fewer than five Council TELE Working Party meetings have occurred since January, with two more scheduled for this month (May 16 and 17). In total, the Bulgarian presidency has also published several discussion papers and revised texts (one in March, one in April, and one in May) incorporating hundreds if not thousands of changes to the Commission’s January 2017 proposal.
The ePrivacy Regulation also gained greater urgency in the wake of the Facebook-Cambridge Analytica scandal. In seeking to rally support for ePrivacy, some MEPs even voiced the concern that the EU General Data Protection Regulation (GDPR) would not have been enough to prevent this misuse of personal data. Thus, notwithstanding its slow progress to date, discussion of ePrivacy has been energized in recent months.
What are the Bulgarian/Council amendments all about?
Coinciding with the discussion papers and revised texts released by the presidency, the Working Party on Telecommunications and Information Society (WP TELE) has held meetings — twice in January, twice in March, and once in April, and with another one scheduled for May 16 — to discuss proposed amendments. Issues discussed at these meetings have included the ePrivacy Regulation’s scope, its relationship with the GDPR and alignment with the European Electronic Communications Code (EECC), machine-to-machine communications, storage and erasure of electronic communications data, protection of information stored in terminal equipment of end-users, and privacy settings. Other issues that have been debated include the presentation and restriction of calling and connected line identification, exceptions to provide access to emergency services, incoming call blocking, publicly available directories, direct marketing, and the permitted processing of metadata. Recent legislative discussions about and amendments to the text of the ePR regarding several of these issues are described below.
Scope
In March, the presidency noted that most delegations remained supportive of the notion that “services, which enable interpersonal and interactive communication merely as an ancillary feature that is intrinsically linked to another service, should remain within the scope of the ePR.” For the presidency, the key question to determine whether a service would fall under the scope of ePrivacy was whether it was an “interpersonal communication” service or not. At that time, modifications were also introduced to Recital 11a to clarify that an ancillary feature would only be included if it qualified as an interpersonal communication service. Because they “enable direct interpersonal and interactive exchange of information via electronic communications networks between a finite number of persons, whereby the persons initiating or participating in the communication determine its recipient(s),” messaging applications would fall into the category of interpersonal communication service. As Recital 11a explains, two examples that would not fit into this category would be: (1) “a company that operates a communications channel for customer care that allows customers solely to communicate with the company in question,” and (2) “communications in an electronic communications channel in online games which is open to all persons playing the game.”
Obtaining consent for cookies
Obtaining consent for the use of cookies continues to be a subject of contention in ePrivacy, which is expected to bring changes that will make rules around cookies clearer and simpler, and make consent “more user-friendly and streamlined.” For example, Recital 20 was amended in April to read: “The end-user's consent to storage of a cookie or similar identifier may also entail consent for the subsequent readings of the cookie in the context of a revisit to the same website domain initially visited by the end-user.”
In the presidency’s latest amendments from May, clarification was also added to Recital 22a regarding consent for cookies, placing both the responsibility for obtaining consent for the storage of a cookie and the penalties for breaches of duty on “the information society service provider.” The presidency also elaborated on explanations related to cookie walls and moved those from Recital 21 to Recital 20, including the conditions for when access to a website can be conditional on consent to storage of a cookie.
Grounds for processing, other than consent
The concept of “public interests” as grounds for processing is another issue still generating significant debate. The presidency’s latest proposed text adds the protection of the data subject or rights and freedoms of others and the enforcement of civil law claims to the list of general public interests in Article 11(1). The presidency also asked WP TELE and DAPIX (the working party focused on data protection and data retention) to reflect on these proposed changes at the May 17 meeting.
Regarding processing to protect vital interests in Article 6(2)(d), the delegations had raised concerns and expressed a desire to revert the text back to the form of “natural person physically and legally incapable of giving consent” in line with the GDPR. As this change would “make the provision almost unusable in practice,” however, the presidency has invited the delegations “to reflect on the best wording of this provision.”
Anticipating and seeking to obviate abuse of the provision, the presidency has also amended Article 6(2)(b) so that processing in performance of contracts is “more narrowly linked to the purposes of billing, calculating interconnection payments etc.”
How will ePR and GDPR interact?
Potential inconsistencies in the rules of ePrivacy and GDPR are at least one source of the delay in the progression of the new ePrivacy Regulation. While this topic has been taken up at various legislative meetings, ambiguities remain about how these two laws will interact once both have fully come into force. Moreover, it is no secret that some provisions of ePrivacy, such as Article 6, on permitting processing necessary for performance of a contract, have been directly “inspired” by similar provisions in the GDPR, leading to substantive overlap in some areas.
Many have pointed out, however, the potential inconsistencies in the application of the two laws. In March, the Italian Institute for Privacy and the Valorisation of Data published a study that concluded current ePrivacy drafts do “not effectively identify and resolve the complexities deriving from the nature of OTT services, which end up being subject to rules that are not consistent with the provisions and objectives of the GDPR …”
Thus, questions about the interaction of the new ePrivacy Regulation and the GDPR remain unanswered, and speculation lingers about whether they will be exclusive or cumulative. This remains an area of uncertainty and something that may evolve significantly from current understandings. Observers have tended to see ePrivacy as something that gives internet users “extra privacy protection on top of” or “expands on” the GDPR. Alluding to a minor, but supplemental, role for ePrivacy, MEP Jan Philipp Albrecht called it “the missing brick in this wall.”
As to whether the new ePrivacy Regulation will be exclusive or cumulative with the GDPR, it seems that the answer is actually “both.” In a discussion paper, the Bulgarian presidency sought to resolve some of this ambiguity by explaining that Articles 5, 8, and 10 complement the GDPR, while Articles 6 and 7 particularize it. For example, Article 5 protects “electronic communications data” that does not qualify as personal data and thus does not trigger protection from the GDPR. To take another example, Article 7 would particularize the GDPR as it “specifies the storage limitation principle of the GDPR by pointing out the moment in time when electronic communications data needs to be erased or anonymised.” The paper also noted that, “whenever the ePR and GDPR norms deal with the same subject matter, the ePR applies.” Proposed amendments to Recital 2(a) have also attempted to further clarify this matter: “The provisions particularise Regulation (EU) 2016/679 by translating its principles into specific rules. They complement Regulation (EU) 2016/679 by setting forth rules regarding subject matters that are not within the scope of Regulation (EU) 2016/679.”
What comes next?
The joint meeting of WP DAPIX and WP TELE on May 17 will focus only on changes to Article 2(2) and Article 11, while the WP TELE meeting to be held on May 16 will focus on the entire proposal save for these two articles.
The Parliament itself has acknowledged that a completion date of 25 May 2018 would be “difficult to achieve.” Other sources have also confirmed that ePrivacy will not apply by this date. In fact, the newest presidency draft for the first time has changed the May 25, 2018 go-live date to say that the ePrivacy Regulation will come into force one year following its publication in the Official Journal of the European Union.
When will that be? First, there must be general consensus on a draft from the Council. The Bulgarian presidency has until the end of June to accomplish that. If they don't, the process will be handed over to the Austrian presidency, which may have different ideas about the future of the draft. Should we have general consensus by July 1, trilogues would be scheduled to reconcile the Council draft with the Parliament's draft. GDPR trilogues took roughly four months. If the trilogues begin in September, we might see a final draft in December, a vote in Parliament in early 2019, and then a published draft in the spring.
That would give us an ePrivacy Regulation coming into force in the spring of 2020, roughly two years following the GDPR's looming go-live date.