PONT Data&Privacy

The ePrivacy Regulation: a state of play

Back in November 2019, our colleague Laura Poolman wrote an update on the ePrivacy Regulation.(1) One of the reasons for her writing was that the European Council had announced its intention to discuss the ePrivacy Regulation proposal with the European Commission and the European Parliament before the end of 2019. Some time has passed since then, and you have probably noticed that the ePrivacy Regulation did not arrive in 2019 and is still not here. Recently (on May 29, 2020), the President of the European Council published a progress report on developments around the ePrivacy Regulation.(2) The purpose of this article is to give a brief state of affairs (again) based on this report and to see whether white smoke can be expected soon in the ePrivacy file.

June 22, 2020

Article

eprivacy regulation

coauthor: T.S.P. Hannema

Taking a step back: origin and purpose of the ePrivacy Regulation

The ePrivacy Regulation proposal was submitted by the European Commission in 2017. The purpose of this Regulation, in a nutshell, is to ensure that data in electronic communications is also protected in the EU, that the rules are harmonized, and that the ePrivacy rules are in line with the currently applicable General Data Protection Regulation (GDPR).

The proposal was part of a broader European strategy to modernize the digital legislative landscape: the Digital Single Market strategy. While other related proposals have already been adopted (the Network and Information Security Directive) or entered into force (the aforementioned GDPR), the ePrivacy Regulation is still on the drawing board after more than three years. The progress report mentions that the COVID-19 pandemic has also slowed things down considerably in recent weeks.

The main change

A series of discussions between, among others, the European (TTE) Council, the TELE Working Group and the Committee of Permanent Representatives (COREPER) previously revealed that the positions and priorities of member states differed significantly. The Finnish Presidency worked hard to find a compromise at the end of 2019, but to no avail. In that light, the subsequent Croatian Presidency stated that a number of revisions were necessary,(3) including simplifying some of the core provisions and bringing them more in line with the GDPR.

The main proposed change relates to the legitimate interest basis and is incorporated in Articles 6b and 8 of the draft Regulation. The proposed Article 6b allows the processing of metadata of electronic communications on the basis of legitimate interest. Article 8 offers the possibility - with the same basis - of accessing or storing information in a user's peripheral equipment via an electronic communications network (in other words, setting cookies).

Some additional safeguards have been proposed here: for example, collected metadata or information may only be shared with third parties in anonymized form, end users must be informed about the data processing, they may object to it, and a DPIA must always be carried out. Moreover, legitimate interest may not serve as a basis if the interest in the processing does not outweigh the fundamental rights and freedoms of end users. This is the case, for example, if special categories of personal data are processed. An interesting fact is that Article 6b(e) of the draft pays explicit attention to the (vulnerable) position of children.

Comments "from the field"

The proposed amendments, including that of the "legitimate interest criterion" in Articles 6b and 8 of the draft Regulation, have elicited mixed reactions. First, a number of member states oppose the legitimate interest criterion in this context. This group prefers an exhaustive enumeration of processing grounds. Second, there is a group that indicates support for (further) aligning the Regulation with the GDPR but at the same time is concerned about the balance between the interests and rights of end users and providers. Finally, there are a number of countries that are seeking an ePrivacy Regulation whose provisions are (even) more in line with the GDPR. A salient detail is that Germany, which will take over the presidency of the European Council from July 1, 2020,(4) belongs to the latter group. It is not inconceivable that it will use the presidency to move in that direction.

Footnotes

(1) https://www.privacy-web.nl/artikelen/wordt-2019-alsnog-het-jaar-van-de-eprivacyverordening
(2) https://www.dataguidance.com/sites/default/files/st08204.en20.pdf
(3) https://data.consilium.europa.eu/doc/document/ST-6543-2020-INIT/en/pdf
(4) www.consilium.europa.eu/en/council-eu/presidency-council-eu/

More articles by Kennedy Van der Laan
