Updates on EU’s e-Privacy Regulation: What you need to know

On 5 January 2021, the Council of the European Union under the Portuguese Presidency released the 14th version of the e-Privacy Regulation. Read our summary of the 14th draft of the e-Privacy Regulation here.

On 10 February 2021, the Council of the European Union agreed on a Negotiating Mandate on the 14th draft. This has happened after 4 continuous years of negotiations. It means that the trialogue negotiations among the Council, the European Parliament and the Commission can begin. Some key aspects of the Negotiating Mandate are as follows:

• The e-Privacy Regulation will cover electronic communications content and associated metadata transmitted using publicly available services and networks as well as cover machine-to-machine and Internet of Things services.
• The processing of electronic communications data is allowed only under limited circumstances:
  • Where it is necessary to provide an electronic communications service,
  • Where it is necessary to maintain or restore the security of electronic communications networks and services, or detect technical faults, security risks, and/or attacks on electronic communications networks and services,
  • Where it is necessary to detect or prevent security risks or attacks on the terminal equipment of end-users,
  • Where it is necessary for compliance with a legal obligation to which the electronic communications service provider is subject.
• The processing of electronic communications metadata may take place for the protection of the end-users’ vital interests, for example, for monitoring epidemics and their spread or in humanitarian emergencies, in particular natural or man-made disasters.
• For further processing of electronic communications data for a purpose other than the one it was originally collected, such another purpose must be compatible with the initial purpose and strong specific safeguards must apply to it.
• The end-user should have a genuine choice on whether to accept cookies or similar tracking technologies. Making access to a website conditional on the user’s consent to the use of cookies is allowed only if the end-user is provided an equivalent alternative offer by the same provider that does not involve consenting to cookies.
• To avoid cookie consent fatigue, the end-user should be able to give consent to the use of certain cookie types by whitelisting certain providers in their browser settings.
• End-users who have consented to the processing of electronic communications data shall be reminded of the possibility to withdraw their consent at periodic intervals of no longer than 12 months, as long as the processing continues, unless the end-user requests not to receive such reminders.
• Direct marketing without the consent of individuals is prohibited. Safeguards should be provided to protect end-users against unsolicited marketing communications and allow them to withdraw consent, free-of-charge, at any time.

On 9 March 2021, the European Data Protection Board adopted a statement on the e-Privacy Regulation, welcoming the Negotiating Mandate but also raising some concerns. Some of the concerns raised by the EDPB are as follows:

• The exceptions that allow the access of electronic communications data to ensure network and end-user device security are broad. Such exceptions need to be proportionate and narrowed down to not undermine the end-user’s right to confidentiality and privacy expectations.
• Strong, standardized, and efficient state-of-the-art encryption is a necessity in the modern digital world and there should not be any possible attempts to weaken encryption even for national security purposes.
• There is a need to include an explicit provision on the prohibition of unfair consent practices such as the “take it or leave it” solution (cookie walls).
• One of the bases on which the use of tracking technologies is allowed is when it is necessary for the sole purpose of audience measurement. The EDPB emphasizes that such derogation for audience measurement should be limited to low-level analytics necessary for the analysis of the performance of the service requested by the user and should be solely limited to providing statistics to the service operator.
• The EDPB emphasizes the need to address “consent fatigue” and that browsers and operating systems should put in place user-friendly and effective mechanisms to allow controllers to obtain consent from users.

What’s next?

Our experts at Securiti will continue to closely monitor the negotiation developments to help you prepare for compliance.