European Council makes progress on the ePrivacy Regulation

Published on 09 June 2021

Where have the negotiations on the ePrivacy Regulation got to and what comes next?

The key takeaway

The European Council has taken a significant step forward in the progression of the draft ePrivacy Regulation (the ePR) by agreeing a mandate to carry forward into trilogue negotiations.

The background

The existing ePrivacy Directive (Privacy and Electronic Communications Directive, also known as the ePD) is an important legal instrument that works to protect privacy in the digital age, with a specific focus on maintaining the confidentiality of communications and providing rules on the tracking and monitoring of individuals. However, in the face of a rapidly changing environment, legislative updates are required in order to tackle new market developments (eg the increasing use of Voice Over IP, web-based email and messaging services etc).

The new ePR is intended to repeal the ePD and is designed to complement and expand on the provisions of the General Data Protection Regulation (GDPR). First proposed in January 2017 as part of the EU’s Digital Single Market Strategy, the draft ePR has been working its way through various stages of negotiation. Given its significance, the consequent importance of getting it right, and the many stakeholders involved, the progression of the draft ePR has been slow to say the least. Progress was further hampered by the 2019 EU elections. With no trilogue negotiations the lengthy inter-institutional negotiations that seek to forge compromises between the Council of Ministers, the European Commission and Parliament – getting underway since the proposal was first adopted in October 2017, concerns were raised over how progress could be expedited.

The development

On 10 February 2021, the European Council’s Committee of Permanent Representatives, successfully moved the draft ePR on a stage by agreeing their negotiating mandate. With this mandate now in place, the Council can commence discussions with the European Parliament in order to agree the final text in trilogue negotiations. Once an informal trilogue agreement is in place, the draft ePR will undergo its first reading at plenary session before the European Parliament, followed by the Council.

Why is this important?

Progress regarding the draft ePR has been glacial. As the draft ePR can only become applicable 24 months from entry into force, the timeline for this legislative change remains distant. While the draft ePR text itself remains unpublished at the time of writing, a press release published provides some insight into the decisions made so far. Key updates include:

  • communications data: “as a main rule, electronic communications data will be confidential. Any interference, including listening to, monitoring and processing of data by anyone other than the end- user will be prohibited, except when permitted by the ePrivacy Regulation
  • cookie consent: the end-user should have a genuine choice on whether to accept cookies or similar identifiers. Making access to a website dependent on consent to the use of cookies for additional purposes as an alternative to a paywall will be allowed if the user is able to choose between that offer and an equivalent offer by the same provider that does not involve consenting to cookies
  • direct marketing: the press release has been fairly tight-lipped around this aspect. It is worth noting that in the previous Portuguese draft (published January 2021) online display advertising did not come within the proposed ePR direct marketing provisions, and the soft opt-in rules for email marketing were to be preserved

  • metadata: may be processed for instance for billing, or for detecting or stopping fraudulent use. With the user’s consent, service providers could, for example, use metadata to display traffic movements to help public authorities and transport operators to develop new infrastructure where it is most needed. Metadata may also be processed to protect users’ vital interests, including for monitoring epidemics and their spread or in humanitarian emergencies, in particular natural and man-made disasters”.

Any practical tips?

Although trilogue negotiations remain ahead, the announcement of an agreed mandate over four years after the initial proposal in January 2017 is a huge step forward, particularly in the face of ongoing disagreements between Member States. When adopted, the ePR will be the most significant development in EU data protection law since the UK’s exit from the block. While the ePR will not apply directly to the UK, eyes will undoubtedly be sharply focused on what steps the UK takes next and whether the government will introduce aligned domestic legislation or whether it will diverge from the EU approach. Irrespective of this, non-EU businesses that operate within EU member states will find themselves within the scope of the ePR eg where they provide electronic communication services or direct marketing to EU subject end-users.

The impact of the ePR is far-reaching and failure to prepare in advance of its implementation will inevitably prove costly.

Stay connected and subscribe to our latest insights and views 

Subscribe Here