PONT Data&Privacy

Confidentiality of electronic communications: Council defines position on e-privacy rules

Member states have agreed on a negotiating mandate for new rules to protect privacy and confidentiality when using electronic communications services. The new e-privacy rules will determine when service providers may process electronic communications data or access data on end-users' devices. Now that an agreement is in place, the Portuguese presidency can begin negotiating the final text with the European Parliament.

Council of the European Union February 12, 2021

"Robust privacy rules are crucial to create and maintain trust in a digital world. Our position came with difficulty but we did find a good balance within the Council between protecting private life and betting on new technologies and innovation. The Portuguese Presidency is very pleased to be able to negotiate with the European Parliament on this important proposal."

- Pedro Nuno Santos, Minister of Infrastructure and Housing of Portugal and President of the Council

The existing 2002 ePrivacy Directive is in need of revision. Provisions need to be added to address new technological and market developments, such as the widespread use of Voice over IP, webmail and messaging services, and the emergence of new techniques to track users' online behavior.

The directive will be replaced by a regulation. This regulation will be a so-called lex specialis to the General Data Protection Regulation (GDPR): it will complement the GDPR and make it more concrete. For example, many e-privacy provisions will apply to both natural and legal persons, which is not the case in the GDPR.

Council mandate

The Council proposal now on the table deals with the content of electronic communications transmitted over publicly available services and networks, and the metadata accompanying those communications. Metadata is information such as location, time and recipient. These are considered potentially as sensitive as the content.

To fully protect privacy rights and promote a reliable and secure Internet of Things, the rules will also apply to data sent from machine to machine over a public network.

The rules will apply when the end user is in the EU. This also holds when the processing takes place outside the EU, or the service provider is located or established outside the EU.

A basic principle is that electronic communications data is confidential. Any form of interference, such as listening, monitoring or processing of data by anyone other than the end user, is prohibited unless specifically allowed by the e-privacy regulation.

For example, communications data may be processed without the user's consent to ensure the integrity of communications services, or to check for malware or viruses. It is also allowed where criminal offenses have been committed or public security is threatened and the service provider is therefore required to process the data under EU or national law.

Metadata may be processed for billing purposes or to detect or terminate fraudulent use. Metadata may also be used, with user consent, to visualize traffic movements to help governments and transportation operators develop new infrastructure where it is most needed. It may further be processed to protect the vital interests of users, including to track epidemics and their spread, or in humanitarian emergencies, such as natural and man-made disasters.

In certain cases, providers of electronic communications networks and services may process these data for a purpose other than that for which they were collected, including when this is not based on the end user's consent or on Union or Member State law. However, this processing for a different purpose must be compatible with the purpose for which the data were originally collected, and strong and specific safeguards apply.

The user's terminal devices - this includes both hardware and software - may contain highly personal information, such as photos and contact lists. As a result, the use of processing and storage capabilities and the collection of information from the device are allowed only with the user's consent or for other specific, transparent purposes set forth in the regulation.

The end user should be given a genuine choice of whether or not to accept cookies or other identifiers. Accepting cookies is often made a condition for accessing a service on a website, for example as an alternative to a paywall. This is permissible in itself, but the user must then also be offered an equivalent option for access without cookies from the same provider.

To avoid end users getting tired of constantly giving consent, their browsers will allow them to whitelist certain types of cookies from one or more providers. Software providers will be encouraged to make it easy for users to create, modify or delete these types of lists.

The text also includes rules on line identification, public directories and unsolicited and direct marketing.

The regulation would enter into force 20 days after its publication in the Official Journal, and would become applicable 2 years thereafter.

Procedure

This mandate was approved in the Committee of Permanent Representatives of the Council (Coreper).

The Commission submitted its proposal in January 2017.

The Council and the European Parliament will negotiate the exact content of the final text.
