On 10 February 2021, the Council of the European Union agreed on a mandate for negotiating the final text of the proposed ePrivacy Regulation (the draft ePrivacy Regulation) with the European Parliament and the European Commission. This is an important milestone in the legislative process. However, it will likely take months before the final version of the Regulation is agreed and adopted, and the final provisions could still deviate significantly from the Council’s draft.
Once adopted by both the Council of the EU and the European Parliament, the ePrivacy Regulation will set out privacy and confidentiality requirements for electronic communications in the EU. It will replace the existing ePrivacy Directive and cover:
- electronic communications content transmitted using publicly available services and networks, including by over-the-top (OTT) messaging services;
- electronic communications metadata, including geolocation data;
- machine-to-machine communication;
- protection of information on end-user devices;
- electronic direct marketing to individuals; and
- public directories of end-users.
Points of note in the Council’s draft include the following:
Confidentiality of electronic communications
- The possibility for further processing of communications metadata for compatible purposes without a user’s consent is reintroduced.
Cookies
- The placing of cookies on the basis of an organisation’s legitimate interests is not permitted.
- Cookie walls are allowed in certain circumstances, where access to a website depends on consent to cookies as an alternative to a paywall, as long as the user can choose between the service offered if they give consent and an equivalent offer.
- End-users may give or withdraw consent to certain cookies (whitelists) in their browser settings, once the software to do this is available.
- The same rules apply to any use of processing or storage capabilities on, or collection of information from, an end user’s device (e.g. tracking pixels, web-beacons, etc.).
Electronic direct marketing
- Member States may set a time limit for direct marketing under the soft opt-in exemption.
Enforcement
- Fines of up to €10 million or 2% of worldwide annual turnover will apply to infringements of the rules on cookies and direct marketing.
- Fines of up to €20 million or 4% of worldwide annual turnover apply for infringing the principle of confidentiality of electronic communications.
- Individuals will have a right to claim compensation for damages suffered as a result of any infringement.
Transition period
- This is proposed to be set at two years.
Implementation and next steps
The final ePrivacy Regulation will apply directly in all EU Member States, with limited scope for national provisions. The European Data Protection Board (EDPB) will be responsible for issuing guidance to support consistent implementation across the EU.
The Council of the EU, the European Parliament and the European Commission will now proceed with trilogue negotiations about the final text of the ePrivacy Regulation.
It remains to be seen how the UK will respond, in due course.
The Council’s version of the draft ePrivacy Regulation is available here and the press release of the Council of the EU here.