The new team in charge of spearheading negotiations for the overhaul of Europe’s ePrivacy law has set out its priorities in a 22-page document.
Bulgaria took over the rolling presidency of the EU on Jan. 1, and, although an overly ambitious May deadline has been abandoned, moved quickly to get the ball rolling. The Commission’s proposal for the ePrivacy regulation was published a year ago, and despite much political wrangling, the European Parliament also reached its position before the end of 2017. Now everyone is waiting on the Council (made up of 28 national representatives) to come up with its view before so-called trilogue negotiations can begin. Some say it's easy to see now that May date to coincide with GDPR implementation was too optimistic.
The Bulgarian presidency said it was “committed to put considerable efforts towards seeking compromise solutions in order to strike the delicate balance between an adequate level of privacy protection and sufficient incentives for innovation,” and the first meeting of the Working Party on Telecommunications and Information Society to discuss the matter took place on January 17.
The question of how the ePrivacy Regulation will dovetail with the GDPR has come up again and again. Essentially it functions as lex specialis, meaning that whenever the two laws deal with the same area, the ePrivacy Regulation applies. However the presidency position paper asks delegates if any further clarification could be given in the text; whether that be in recitals or the articles.
The revised regulation will also have to be compatible with the proposed European Electronic Communications Code (EECC), and the paper also examines to what extent the two are compatible. In particular, in the current draft EECC Recital 17 attempts to define “ancillary services.”
According to the EECC: “Services are not considered as an interpersonal communications service when the interpersonal and interactive communication facility is an ancillary feature to another service and for objective technical reasons cannot be used without that principal service, and its integration is not a means to circumvent the applicability of the rules governing electronic communications services. An example for such an exception could be, in principle, a communication channel in online games.”
The Council will have to work out to what extent that will clash with current ePrivacy proposals.
The presidency paper tends to believe that machine to machine (M2M) communications should be afforded a special category “bearing in mind that the M2M communications are carried out with limited or without human intervention.” It considers that in most cases (excluding obvious examples of personal data transfer such as hospital to hospital communications), a “specific permitted processing for M2M communications data and metadata is an option to be considered.
“It could be clarified that consent to the processing of electronic communications data, including M2M communications data, may be given at the time of subscription. This could be a one-off consent for processing of electronic communications data for the duration of the subscription,” suggests the paper.
On this issue the national data protection authorities’ Article 29 Working Party has already weighed in suggesting that “a narrow category of pure machine-to-machine communications should be exempted if they have no impact on either privacy or the confidentiality of communications.”
Nonetheless the presidency considers that “the differentiation between the application layer and the transmission layer in terms of protection of confidentiality of communications needs further discussions with delegations.”
Under current drafts of the ePrivacy regulation, processing electronic communications metadata (other than for specified purposes) would require end-user consent. Some national delegations have proposed including the GDPR legal basis of “legitimate interest” to allow for further processing.
“Delegations are invited to express their views on whether including a form of legitimate interest legal ground to process metadata would not lower the level of protection offered by the GDPR, and on whether it would not lower the protection of the current ePrivacy Directive?” reads the paper.
This proposal was also the subject of hot debate in the European Parliament and will likely remain so in trialogue discussions.
The Bulgarian paper meanwhile, also asks whether the list of exceptions for processing metadata should be extended, for example, to include purposes such as web analytics or web measurement.
Currently, consent for cookies is required in all situations except when necessary to carry out transmission of electronic communication, provide a service requested by the end-user, carry out audience measurement, or install a security update. There is also a short list of exemptions for short duration cookies and for “third party social plug-in content sharing cookies, for logged in members of a social network.”
Following proposals from the European Parliament to effectively ban “cookie walls,” some national delegations have questioned exactly what the consequences should be if an end-user refuses to give consent for his or her data to be processed: Will a provider be required to provide the service nevertheless, can they refuse access, or can they propose an alternative such as subscription or payment?
The “any other solution” option comes up a lot in the paper, meaning that literally anything is possible.
The next working party meeting will take place on Jan. 30. Given the complexity of the options available and difficulty ahead in striking an agreement with Parliament, a consensus in unlikely any time soon. However Council presidencies are always keen to wrap up big files before the end of their six-month mission, so expect leaps forward and big “breakthroughs” around June.
If you want to comment on this post, you need to login.