On 10 July 2018, the Council of the European Union published a draft of revisions to the proposed ePrivacy Regulation (ePR). The ePR is likely to come into force in 2019.
The ePR will repeal and replace the Privacy and Electronic Communications Directive 2002/58/EC. The ePR will align Europe’s ePrivacy regime more closely with the privacy regime set out in the General Data Protection Regulation (GDPR). The GDPR took effect on 25 May 2018.
The ePR focuses on the confidentiality of users’ electronic communications. It will also regulate activities such as:
- direct marketing,
- website audience measurement,
- the transmission of communications across devices and browsers, and
- cookies set on users’ machines.
According to Recital 2, the ePR is intended to “particularise and complement” the provisions for personal data laid down by the GDPR by “translating its principles into specific rules”.
The draft focuses on ePR Articles 6, 8 and 10.
(i) Article 6: Permitted processing
The draft introduces the possibility for “further compatible processing of electronic communications metadata”. It suggests broadening the scope to allow the processing of certain types of metadata for research, allaying fears about stifling scientific research and innovation. The draft calls for the ePR to be “more future-proof” (borrowing from GDPR Article 6(4)), providing flexibility for developments in a rapidly changing digital environment, such as artificial intelligence and the Internet of Things.
In order to do so, language has been added in a new section, Article 6(2a), as well as additional safeguards to ensure the lawful and responsible treatment of data. New language in Article 6(2)(b) also clarifies that the processing of metadata for calculating and billing interconnection payments (everyday business for operators) is permitted.
(ii) Article 8: Protection of end users’ terminal equipment information
Article 8 addresses the storage and processing of data on end users’ equipment. It focuses on the protection of devices used to transmit electronic communications. The ePR seeks to clarify Article 8 through an update to Recital 20, loosening the restrictions on using identifiers, such as cookies.
A revision to Recital 20 states that:
The responsibility for obtaining consent for the storage of a cookie or similar identifier lies on the entity that…collects of [sic] information from end-users’ terminal equipment, such as an information society service provider or ad network provider. Such entities may request another party to obtain consent on their behalf.
The term ‘information society service’ is defined by Directive 2015/1535. It means any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services. The term ‘terminal equipment’ refers to a user’s device, for example, a smartphone, tablet or computer.
Recital 20 further states:
The end-user’s consent to storage of a cookie or similar identifier may also entail consent for the subsequent readings of the cookie in the context of a revisit to the same website domain initially visited by the end-user.
(iii) Article 10: Privacy settings
The draft suggests the deletion of ePR Article 10 “and the respective recitals”, which oblige software providers to inform the end user every time privacy settings are updated. Several member states had questioned the value of this article citing:
- the potential impact on end users and on innovative businesses,
- competition concerns,
- the burden it could place on browsers and apps,
- potential end-user consent fatigue,
- doubts about the obligation’s added value, and
- unease at the link to fines for noncompliance.
The ePR was originally scheduled to come into effect simultaneously with the GDPR. After several postponements, it will be interesting to see how these new proposals are received in the EU trilogue process. EU businesses face considerable uncertainty in this area and eagerly await more clarity on the final form of ePR and its implementation date. This is made all the more pressing due to a recent statement from the European Data Protection Board, calling for a swift implementation of the ePR.