Image of transparent glass of RPC building.

Progress report on the ePrivacy Regulation – processing of metadata and use of cookies for “legitimate interests”

Published on 02 November 2020

Can you rely on the “legitimate interest” basis to process electronic communications’ metadata and place cookies or similar technologies on end-users’ terminals?

The key takeaway
On 29 May 2020, the Presidency of the Council of the European Union published its “progress report” on the controversial ePrivacy Regulation confirming what we already know; that there is still a long way to go before the European Commission’s proposal for a Regulation which delivers a clearer, more workable ePrivacy regime aligned with the GDPR is finally adopted by the EU legislature. With Member States failing to reach an agreed approach on the proposed compromise text last year, further modifications to the draft have been made “to simplify the text of some of the core provisions and to further align them with the GDPR”. Most notably, the focus has turned to the processing of metadata and use of cookies for “legitimate interests”. 

The background
In January 2017, the European Commission proposed a new Regulation on Privacy and Electronic Communications (ePR) to replace the current e-Privacy Directive (2002/58/EC). The Commission’s aim was to update the e-Privacy regime by increasing its scope to all electronic communications providers whilst ensuring those rules were paralleled with the GDPR. While the intention was for the new Regulation to come into effect alongside the GDPR, there has been much controversy with Member States failing to reach agreement on several important areas, including cookie consents and the processing of electronic communications metadata. 

Legitimate interests
The most important modification introduced by the Croatian Presidency is the possibility to process electronic communications metadata (Article 6(B)) and to use processing and storage capabilities of, and the collection information from end-users’ devices (Article 8) when it is necessary for the purpose of legitimate interests, provided that specific safeguards are In place. For example, a prohibition on sharing the metadata or the collected information with third parties. Furthermore, the legitimate interests justification cannot be used when the legitimate interests pursued by providers are overridden by interests or fundamental rights and freedoms of the end-users. This would be the case, for example, where the data is used to determine the nature or characteristics of the end-user or to build an individual profile of the end user. 

Why is this important?
The uncertainty over the ePR continues to cast a shadow over the advertising industry, with companies hesitant to commit to new technologies and business models under the current e-Privacy regime. Additionally, the ePR will be a post-Brexit measure and the UK might have its own thoughts on how best to regulate electronic communications data, although EU rules will still apply to UK service providers targeting EU customers.
Any practical tips?
The progress report highlights the mixed reactions of the Member States to the introduction of, among other modifications, the legitimate interests ground. Subsequent deliberations on the draft e-Privacy Regulation were cancelled due to COVID-19. 

Some say the Croatians were forcing a last throw of the dice to try and move through the ePR. The Germans take the presidency next, but how far they are willing to pick up where the Croatians left off – in particular the legitimate interest argument – remains to be seen. 

Autumn 2020