The introduction of the new ePrivacy Regulation, will it ever happen?
By Thomas Nygren
In January 2017, the European Commission presented its proposal for a new regulation on privacy and confidentiality in the use of electronic communications services (the “ePrivacy Regulation”). The proposal was introduced to create a modern and uniform regulation within the EU with the intention to replace the current directive of 2002 at the same time as the introduction of the GDPR, in May 2018.
The proposal quickly faced criticism from both Member States and industry, and the planned entry into force never materialised. Over the years, a number of unsuccessful attempts have been made to produce a revised proposal that the Member States could accept. The central problem concerns the balance between the need for strong privacy protection and the ability of companies to develop and provide efficient electronic communications services.
Now, in February 2021, an unexpected opening has appeared: the Council of the European Union has been able to agree by majority decision on a compromise proposal for a new regulation. Under the auspices of the Portuguese Presidency, the Council can now enter into negotiations with the European Parliament on a final text. Although a decision has been reached within the Council, the negotiations are unlikely to be easy, as some Member States, including Germany, have opposed the proposed text.
The current 2002 Directive on privacy and electronic communications undoubtedly needs to be updated to take account of new technological and market developments. In particular, the directive's provisions on the integrity and confidentiality of electronic communications need to be updated, while the rules on direct marketing do not need to change significantly. When the directive was introduced, its provisions were primarily aimed at electronic communications as they existed at the turn of the millennium, i.e. when communication took place primarily over public fixed and mobile telecommunications networks and, to some extent, via the internet. With today's rapid technological development, communication now takes place across a far greater diversity of channels, such as social media, chat rooms in online games, IP telephony and various messaging services, as well as machine-to-machine communication in the Internet of Things, and technology now allows users' online behaviour to be tracked. In that light, the provisions of the directive are simply outdated. The ePrivacy Regulation therefore aims to be more technology neutral and to regulate all forms of electronic communications made through publicly available communications services.
The provisions of the directive have been implemented in Sweden through the Electronic Communications Act and the rules of the Marketing Act. By choosing a regulation as the legislative instrument instead of a directive, the new rules will be directly applicable in all Member States without national implementing legislation, achieving much greater coherence within the EU.
The ePrivacy Regulation lays down specific rules in the area covered by the GDPR and will therefore specify and supplement the GDPR as lex specialis. Unlike the GDPR, however, many of its provisions will apply to both natural and legal persons.
The rules of the ePrivacy Regulation will apply when end-users are in the EU. Hence, it will also cover cases where the processing takes place outside the EU or where a service provider is established or located outside the EU.
In order to ensure full protection of ePrivacy and to promote a reliable and secure Internet of Things, the rules will also cover data transmitted over public machine-to-machine networks.
As a general rule, electronic communications data will be confidential. Any interference with that data, including listening in on, monitoring or processing it by anyone other than the end-user, is prohibited except where the regulation permits it.
To summarize the present draft of the ePrivacy Regulation:
- The territorial reach of the ePrivacy Regulation will follow a similar approach to the GDPR: it applies based on whether the end-user, or the recipient of direct marketing, is located in the EU.
- Sanctions for infringements of the ePrivacy Regulation will be introduced in the form of administrative fines corresponding to the levels of the GDPR.
- As a main rule, all electronic communication data will be confidential.
- Processing of electronic communications data without the end-user's consent is permitted in certain cases, for example to ensure the integrity of the communications service, to check for the presence of malware or viruses, or where the service provider is bound by EU or Member State law to process the data for the prosecution of criminal offences or the prevention of threats to public security.
- Metadata (e.g. location, time, date, duration) may be processed for purposes such as billing, or for detecting or stopping fraudulent use. With the end-user's consent, service providers could, for example, use metadata to display traffic movements, helping public authorities and transport operators develop new infrastructure where it is most needed.
- Metadata may be processed to protect users’ vital interests, including for monitoring epidemics and their spread or in humanitarian emergencies, in particular natural and man-made disasters.
- Service providers will be given a right to process metadata for purposes other than the one for which it was collected, even without consent, provided the new purpose is compatible with the initial purpose.
- Service providers shall erase or anonymise electronic communications data once it is no longer necessary for the purpose of the processing. However, the ePrivacy Regulation reintroduces scope for national legislation on data retention.
- Consent will remain the main rule for placing cookies and similar identifiers on an end-user's terminal equipment. Offering consent to cookies as an alternative to a paywall is acceptable only if the end-user has a genuine choice, i.e. can choose between that offer and an equivalent offer that does not involve cookies.
- In order to avoid cookie consent fatigue (where end-users stop reacting to cookie consent messages at all), whitelisting of certain service providers in the end-user's browser settings will be allowed. This will also be necessary to allow Internet of Things products to carry out machine-to-machine communication.
- No consent will be required for cookies used for security, fraud prevention or audience measurement purposes.
- The rules on direct marketing emails and calls are mainly unchanged with the existing soft opt-in retained.
We will follow the Council's negotiations with the European Parliament on a final version of the ePrivacy Regulation. However, we do not expect the regulation to apply before 2023 at the earliest, since it will only apply once two years (and 20 days) have passed from its publication in the Official Journal.