On 10 February 2021, over two and a half years after the anticipated adoption of the e-Privacy Regulation, European Member States have agreed to a revised text. Portending a potential break in the three-year impasse, the Member States directed the Council of the European Union (Council) to start talks with the European Parliament on a final text of new proposed Regulation. To become law, the Regulation must be adopted in the same terms by the Council and the Parliament.
This development comes on the heels of the December 2020 joint declaration of the Council, the Parliament and the European Commission which identified strengthening privacy in electronic communications as one of the EU’s top legislative priorities for 2021.
The joint declaration appears to signal the potential start of the “trialogues” between the Commission, Parliament and Council, and eventual adoption of the Regulation.
The e-Privacy Regulation will replace the 2002 e-Privacy Directive which is widely seen as being out of date: The Directive applies to traditional telecom operators but not many new technologies. The Directive has also failed to sufficiently harmonize Member States' laws on the confidentiality of electronic communications and tracking tools. The Commission's original intent when it issued the proposed Regulation in 2017 was to update it to encompass new technologies, align it with the GDPR, and harmonize national legislation on privacy and electronic communications.
It remains to be seen how the e-Privacy Regulation will interact with other pending legislative proposals, such as the Digital Services Act, and matters currently being examined by several national competition authorities (e.g. online advertising, cookies and the use of data). Several industries, including the advertising sector, privacy advocates and some Member States remain critical of the proposed Regulation. Nevertheless, greater harmonization across the European Economic Area, will make it easier to implement uniform processes for consent and opt-outs for sending marketing messages.
The Member States’ compromise
The Council reached an agreement on the basis of a new text, building on the text the Portuguese Presidency submitted to the Member States on 5 January 2021. The compromise Regulation (i) requires the confidentiality of all electronic communication data, including metadata; (ii) will apply to machine-to-machine transmission; (iii) will allow some types of processing without user-consent, e.g. cybersecurity; (iv) will protect access to the user’s terminal equipment; and (v) enhance regulation on cookies.
The agreed upon Council text:
• Expands the situations in which electronic communication data and metadata can be processed without the user’s consent, always subject to certain safeguards. Similar exceptions were added for the use of and access to the processing and storage capabilities of terminal equipment without the user’s consent.
• Provides safeguards for whitelisting: in case users provide broad consent to specific service providers via software settings, the compromise specifies that consent directly expressed by the end user should always prevail over software settings.
• Reintroduces the ability of Member States or the EU to provide for the possibility to retain metadata in relation to criminal offences or to prevent threats to national security.
• Reinforces obligations of non-EU providers: they will have to appoint an EU representative within one month of the start of their activities and failure to do so exposes them to a fine up to two percent of worldwide turnover.
• Expands the territorial scope of the e-Privacy Regulation to providers located outside of the EU but in territories where Member State law applies by virtue of public international law.
We will continue to monitor and keep you apprised of developments.