EU Council Agrees on Proposed ePrivacy Regulation

The first draft of the ePrivacy Regulation was approved by the European Commission in 2017 and has since been under discussion in the Council. The current agreement in the Council comes shortly after Portugal took over the Council presidency (on January 1, 2021) and released a revised draft of the ePrivacy Regulation (on January 5), which was the 14th draft including the original EU Commission proposal. The present agreement is therefore a breakthrough in the negotiation process and allows the Portuguese Council presidency to start negotiations with the European Parliament on the final text.

The ePrivacy Regulation is meant to replace the existing ePrivacy Directive 2002/58 (ePrivacy Directive), which dates to 2002 and was meant to address the requirements of new digital technologies and facilitate the advance of electronic communication services. It tackles a number of important issues such as the confidentiality of communications, the processing of traffic and location data, unsolicited communications and direct marketing, and cookie requirements.

These issues are still being addressed in the new ePrivacy Regulation — but technology has advanced significantly since 2002, and therefore a revisit of the ePrivacy legal framework was considered appropriate. For instance, the ePrivacy Directive mainly applies to the “electronic communications sector” — essentially targeting traditional telecommunication services. Strictly speaking, it does not cover communications services that use internet to convey signals without involvement of a network operator and are “number-independent,” (i.e., “over-the-top” (OTT) services such as voice-over-IP and web-based email (WhatsApp, Skype, Gmail, etc.)).

In the meantime, however, the EU Electronic Communications Code (EECC), as of December 21, 2020, has extended the scope of the ePrivacy Directive to cover these services to avoid a gap in the current legislative framework (until the new ePrivacy Regulation is adopted). In addition, the new ePrivacy Regulation will regulate technologies such as artificial intelligence and machine-to-machine communications.

Unlike the EU General Data Protection Regulation 2016/679 (GDPR), the ePrivacy legal framework applies only to electronic communications data — which may include both personal and non-personal data and is in that respect broader in scope than the GDPR. The ePrivacy Directive (and the future ePrivacy Regulation) are a lex specialis legal framework to the GDPR, which means that where the two legal frameworks conflict, the ePrivacy legal framework shall prevail. The GDPR also supplements the ePrivacy rules on the protection of personal data.

Key takeaways and differences in the draft agreed on by the Council on February 10, 2021 (Council Draft), as compared to the ePrivacy Directive, include the following.

1. Broad scope of application: The Council Draft emphasizes the intended broad scope of application of the new ePrivacy Regulation, protecting the principle of confidentiality of communications in a broad manner both with respect to natural and legal persons and accounting for new developments in technology: “[t]he principle of confidentiality should apply to current and future means of communication, including calls, internet access, instant messaging applications, e-mail, internet phone calls and personal messaging provided through social media.” The scope of application mirrors the ePrivacy Directive and covers (i) providers of electronic communications services, (ii) providers of publicly available directories, (iii) organizations using electronic communications services to send direct marketing, and (iv) organizations storing or collecting information through cookies or similar technologies.

The Council Draft does require communications to take place between a defined (i.e., not potentially unlimited) number of end users determined by the sender of the communication — for instance, a chat group among 20 friends is covered, but a chat room in an online game that is open to all players in the game is not. Furthermore, only providers of transmission services that are carried out via publicly available electronic services or networks are covered. Transmissions carried out through private or closed networks, such as an organization’s intranet, are not covered.

2. Extraterritorial reach: Like the GDPR, the Council Draft provides for an extraterritorial application of the rules even where the regulated entity is established outside the EU and/or the processing takes place outside the EU insofar as it relates to end users in the EU. The extraterritorial effect of the ePrivacy Directive was limited and extended mostly to organizations outside the EU placing cookies on EU end-user devices or sending them direct marketing. Organizations subject to the ePrivacy Regulation on a purely extraterritorial basis (i.e., they are not established in the EU) must designate an EU representative (similar to the requirement under the GDPR). Note that the Council Draft, unlike the GDPR, does not require that there be an “intent to target” EU users — the extraterritorial application is triggered as soon as users in the EU are implicated regardless of whether there was an intention to direct activities toward the EU market.

3. Metadata: Not only the content of a communication but also the communication metadata (e.g., the specific numbers called, geographical location of the caller and the time, date and duration of the call) may reveal sensitive and private information and is covered by confidentiality in the same way as the contents of communications. Metadata was also covered in the ePrivacy Directive (albeit “metadata” was referred to as “traffic data” in the Directive), but the current Council Draft broadens the options for electronic communications providers to process metadata.

The German Council presidency at the end of 2020, in light of the COVID-19 pandemic, suggested to include a permission to process metadata where necessary for “natural or man-made disasters” and for “monitoring epidemics” because the mapping of metadata is particularly useful to monitor the spread of the virus. This was maintained in the current Council Draft, which provides that metadata can be processed where necessary to protect the vital interests of a natural person (such as monitoring epidemics and their spread) where no other legal basis is available. Other legal bases include, for instance, the end user’s consent and where the processing of metadata is necessary for (i) billing purposes (e.g., telecom services providers invoicing customers on the basis of the amounts of calls made); (ii) stopping or detecting fraudulent use of the electronic communications service; and, more generally, (iii) the performance of an electronic communications contract to which the end user is a party.

4. Cookies: As did the ePrivacy Directive, the Council Draft regulates the storage and collection of information (cookies and information gathered through cookies) in an end user’s terminal equipment (PC, laptop, smartphone, smart car, smartwatch, etc.). This point was highly debated during negotiations of the Council Draft — but ultimately agreement was reached that affirmative consent is necessary except in a number of circumstances (which are broader than in the ePrivacy Directive): where necessary (i) for the sole purpose of providing an electronic communication service; (ii) for providing a service specifically requested by the end user; (iii) for the sole purpose of audience measuring (e.g., web analytics, in aggregate form); (iv) for IT security purposes; (v) for a software update; and (vi) to locate the end user’s device in the event of an emergency communication.

5. Child Exploitation and OTT Services: As discussed above, the EECC expanded the scope of the ePrivacy Directive on December 21, 2020, to also cover OTT services such as web-based email, messaging apps, and voice-over-IP, meaning providers of these services are subject to the requirements of the ePrivacy Directive. As such, their processing of OTT communications involving EU users becomes more restricted and, for instance, inhibits the use of software that scans for child sexual abuse imagery and for “grooming” by online predators. In September 2020, an EU legislative proposal was issued to introduce a derogation to these requirements for OTT service providers when using technologies to process data for the combatting of child sexual abuse online.

If this proposal would be accepted, OTT service providers can continue to monitor content for the combat of online sexual child abuse as they have done prior to the EECC’s entering into force (which brought them into scope of the ePrivacy Directive). However, the proposal has not yet passed — despite numerous ongoing discussions between the EU institutions and fundamental rights organizations. This again demonstrates the difficult tradeoffs that sometimes must be made when balancing data privacy rights and public safety — a discussion that the ePrivacy Regulation does not resolve. The current Council Draft has not maintained the provisions related to child exploitation and abuse, and it remains to be seen how this will be handled.

6. Consent Standard: The Council Draft maintains the (high) consent standard of the GDPR — meaning it must be freely given, specific, informed, and an unambiguous indication of the end user’s wishes through a clear affirmative action. The Council Draft extends the consent mechanism to legal persons: Because legal persons are also protected under the Council Draft, they can consent to certain processing in the same way as natural persons (through a legal representative).

Specifically with respect to cookie consent, the Council Draft has reached agreement on the fact that consent may be given by the end user through selecting certain technical settings in software where technically possible and feasible. The EU encourages software developers to develop tools that facilitate this. End users who have provided their consent must in principle be reminded every 12 months of their right to withdraw consent.

7. Alignment With the GDPR and Sanctions: The ePrivacy Regulation’s intention from the beginning was to align with the GDPR where possible. The Council Draft has borrowed a number of GDPR requirements such as the requirement to designate an EU representative; it also refers to and adopts all the definitions in the GDPR and, as indicated, adopts the same consent standard. Last, the Council Draft applies the (significant) fining system of the GDPR mutatis mutandis to infringements of the ePrivacy Regulation — the fining system under the ePrivacy Directive is up to the EU member states and is generally far lower than fines issued under the GDPR. The Council Draft also would provide a private right of action.

8. Regulation vs. Directive: Like the GDPR, the EU has opted for an EU regulation instead of a directive. That means that the new ePrivacy Regulation will have direct effect in all EU member states, and its purpose is to harmonize eprivacy laws across the EU. However, like the GDPR, the Council Draft allows EU member states to deviate from and supplement it with regard to certain topics.

9. National Security Activities: In general, the EU exercises authority granted by its member states, but only to the extent that the member states have transferred that authority to the EU. Building off the general national security exception found in Article 4(2) of the Treaty of European Union, the ePrivacy Directive had expressly stated that “this Directive shall not apply to ... activities concerning public security, defence, State security ... and the activities of the State in areas of criminal law.” In subsequent years, however, the Court of Justice of the European Union (CJEU) expanded its reach into law enforcement and national security matters, prohibiting in one set of cases the “general and indiscriminate” retention of communications data by member states for criminal investigatory purposes and holding more recently in a separate line of cases that member state intelligence services may not, in the name of national security, order communications providers to “indiscriminately” collect, retain, and transfer EU persons’ communications data unless such collection is time limited, necessary, and justified by a legitimate security threat.

Member states typically have resisted the CJEU’s jurisprudential incursions into national security matters, which many of them see as a core sovereign power. It is noteworthy that the Council Draft of the ePrivacy Regulation contains language stating that it “does not apply to: activities, which fall outside the scope of Union law, and in any event measures, processing activities and operations concerning national security and defence, regardless of who is carrying out those activities whether it is a public authority or a private operator acting at the request of a public authority.” If ultimately adopted, this language would essentially overrule the CJEU’s recent decisions on the collection and retention of communications data for national security purposes; would effectively push the CJEU out of the business of opining on data collection and retention issues in the member state national security context; and could introduce interesting disparities between the obligations and limitations under EU law imposed on commercial data transfers to non-EU nations (like the United States), which would remain subject to the CJEU’s rulings in Schrems II, and transfers between and among EU member states themselves.

Originally, the intention was for the ePrivacy Regulation to enter into application around the same time as the GDPR (mid-2018). However, the Council Draft has just been finalized and will now undergo review in the EU Parliament, where the EU Parliament and the Council will negotiate the terms of the final text. Once approved, a two-year transitional period will apply during which organizations will have the time to adjust to the new requirements. During this two-year period, the ePrivacy Directive requirements will still apply. As such, the earliest the ePrivacy Regulation could enter into application is in 2023 (the same time at which a key new US law — the California Privacy Rights Act — will also go into effect).