I don't know if you feel the same, but I blinked and it's already the end of January 2021. In 2017, no one could have guessed that the ePrivacy Regulation would still be the subject of so much discussion now.
Back in 2019, my colleague Laura Poolman wrote an update with the hopeful headline "Will 2019 still be the year of the ePrivacy Regulation?", and a follow-up appeared in June 2020. Now, under the Portuguese presidency, things are once again moving forward with the publication of a new draft of the ePrivacy Regulation. This draft contains some interesting changes, so we are happy to give you a new update.
For those whose memory needs refreshing or who are new to this topic: the ePrivacy Regulation is part of the Digital Single Market strategy. Its purpose is to ensure that data protection around electronic communications is also guaranteed in the EU. In addition, the ePrivacy Regulation should harmonize the various member state regulations in this field and bring them more in line with the General Data Protection Regulation (GDPR; AVG in Dutch). As I wrote in the introduction, the debate on the ePrivacy Regulation has increasingly become a headache in recent years. Negotiations often break down on issues that are crucial for member states, such as the possibilities for the use of cookies.
Portugal took over the presidency on Jan. 1, 2021, succeeding Germany, which had assumed the position on July 1, 2020. Four days later, on Jan. 5, 2021, the new proposal was already published. By now, this has happened for the 14th time. On Jan. 7, 2021, the proposal was discussed in WP TELE.
A summary of key changes:
To bring the ePrivacy Regulation more in line with the GDPR, the territorial scope has been broadened. With the amendment, the ePrivacy Regulation will also apply to the processing of personal data by data controllers not established in the EU, but in a place where, under public international law, member state law applies (in line with Article 3(3) GDPR).
Also reinstated are provisions dealing with "compatible further processing" of the metadata of electronic communications and of data obtained from cookies. With these new provisions, which had been deleted in previous versions, a company can further process these data under specific conditions, without having to seek consent. This brings the Regulation more in line with Art. 6(4) GDPR on this point. The conditions that the draft Regulation mentions include, among others, conducting a DPIA and prior consultation with the regulator.
Provisions allowing the sharing of anonymized statistical metadata with third parties have been reinstated, provided a DPIA is conducted and the AP (the Dutch data protection authority) is consulted beforehand.
Not insignificantly, the draft includes a definition of location data.
But most interesting is the change (or rather, the deletion of a phrase) in the context of "cookie walls". In Article 20aaaa, the criterion that a user must also be able to obtain similar access to the website from the same provider without accepting cookies has been removed. The new situation would mean that when other, similar parties have a similar offer on their websites, website owners (apparently) no longer have to offer similar access to their own website if the user does not accept the cookies. This makes the use of cookie walls permissible in those cases.
The reason given for the latter change is that the phrase "by the same provider" creates too restrictive a policy, making it virtually impossible for providers to offer "free" content. Whereas many changes are concerned with bringing the Regulation more in line with the GDPR, this very change seems at odds with it. Indeed, in its guidelines on consent, the EDPB explicitly states that the use of cookie walls is not permitted, even if an alternative is provided by a third party.
Not surprisingly, the EDPB published a statement expressing its concerns about the new draft ePrivacy Regulation after its publication. It stresses that the presidency missed an opportunity to provide a clear explanation of the use of cookie walls. (1)
The question that remains is whether the Portuguese presidency will succeed in getting an agreement from all member states. In view of the long process, it has become risky to make statements about the chances of success. In any case, what is certain is that the period before the entry into force and applicability of the ePrivacy Regulation will be shorter. In Article 29 of the draft, this period has been shortened from 2 years to 12 months. As a result, when the time comes, companies will have less time to set up their practices in accordance with the final ePrivacy Regulation.