The Finnish presidency of the Council of the EU (Finnish Presidency) released an updated draft of the Regulation on Privacy and Electronic Communications (ePrivacy Regulation) on October 30, 2019 (available here). The Working Party on Telecommunications and Information Society (WP TELE) will discuss the new draft at its meeting on November 7, 2019.

Amendments put forward by the Finnish Presidency

The amendments that the Finnish Presidency plans to discuss at the November 7, 2019 meeting include:Continue Reading Updated draft of ePrivacy Regulation – Finnish presidency of the Council of the EU aims for final text by the end of the year

In its response dated 3 July 2019 (Response; file no. 19/11351, available in German here) to an inquiry by members of the German parliament (Inquiry), the German government took stand on the current draft Regulation on Privacy and Electronic Communications (ePrivacy Regulation), and particularly on “tracking”. The German government summarises its assessment of the ePrivacy Regulation:

“Germany has declared its view at a session of the Council of the EU on 7 June 2019 in Luxembourg. The ePrivacy Regulation must guarantee a high level of protection that goes beyond the protection that the GDPR provides. The current draft does not achieve this objective. Germany cannot support the current draft.”

German government’s assessment of the ePrivacy Regulation

The Inquiry sought, among other things, the German government’s responses on (i) whether “tracking” should be regulated more extensively at an EU level and (ii) what specific amendments have to be made to the ePrivacy Regulation.
Continue Reading Update on ePrivacy Regulation: “Current draft does not guarantee high level of protection and cannot be supported”, German government states

The General Data Protection Regulation (“GDPR”) will enter into force 25 May 2018, and will provide new general data protection standards. In its draft ePrivacy Regulation of 10 January 2017 (“ePrivacy Regulation”), which includes specific provisions for electronic communications, the European Commission sought to ensure that both sets of rules will enter into force at the same time.

Current legislative status of the ePrivacy Regulation

The European Council published its first revisions to the ePrivacy Regulation (read more on our blog here) on 8 September 2017, and European Data Protection Supervisor Giovanni Buttarelli issued recommendations on specific aspects of the ePrivacy Regulation on 5 October 2017 (read more on our blog here). The European Parliament adopted a report, including its draft resolution on the ePrivacy Regulation (“Report”), on 23 October 2017. Adhering to the requirements for processing personal data under the ePrivacy Regulation, the Report does not allow further data processing for compatible purposes or on the basis of legitimate interest. On 5 December 2017, the European Council released a consolidated version of the ePrivacy Regulation (“Consolidated Version”) which summarizes the work done so far in the European Council as a basis for its future work. The Consolidated Version also outlines that further internal discussions will be necessary, i.e., on Art. 6, 7, 9 ePrivacy Regulation as well as on further grounds for processing.Continue Reading Pre-Christmas Update on the ePrivacy Regulation

We are only eight months away from the new EU data protection regime entering into force. In addition to the General Data Protection Regulation (“GDPR”), which includes the general data protection provisions, the ePrivacy Regulation shall provide specific rules for electronic communications. However, the legislative process of the ePrivacy Regulation is still in its early stages. The European Commission published the draft ePrivacy Regulation on 10 January 2017 (“ePrivacy Regulation”), and the European Council has weighed in with its first revisions on 8 September 2017 (read more on our blog here). Now, European Data Protection Supervisor Giovanni Buttarelli (“EDPS”) has provided some further guidance, issuing a list of recommendations (“Recommendations”) on 5 October 2017. Some of the key messages of the Recommendations relate to consent, legal grounds for processing, and exceptions to the processing of data relating to terminal equipment.


The EDPS notes that the definition of consent in the ePrivacy Regulation must be identical with the provisions relating to consent in the GDPR. Thus, Article 9 of the ePrivacy Regulation should refer to all relevant provisions (Articles 4 (11), 7 and 8 GDPR). The EDPS also highlights the requirement that consent must be “freely given”. He calls for clarification that the processing of personal data must not be a condition to the access to services and functionalities, or the use of terminal equipment. With regard to the requirement that consent must be “specific”, the EDPS calls for an amendment to Article 9 (2) of the ePrivacy Regulation that technical settings that may be used for expressing consent must “allow for sufficient granularity”. It must be easy for users to update their privacy settings (e.g., adding or deleting an organization). Further, software placed on the market permitting electronic communications shall require privacy protective settings by default.

Legitimate interests

The EDPS demands that justifications for the processing of communications data should not be too broad. Thus, he rejects a legal ground to process electronic communication data based on legitimate interests. He notes that this would risk creating a back door to the high level of protection of the confidentiality of communications.
Continue Reading EDPS releases recommendations on ePrivacy Regulation – Still a long way to go

On 8 September 2017, the European Council published its first revisions (“Revised Draft”) to the draft EU ePrivacy Regulation (version COM(2017) 10 of 10 January 2017, “ePrivacy Regulation”). The Revised Draft is based on the discussions held in previous meetings of the European Union’s Working Party for Telecommunications and Information Society (“WP TELE”), and on comments provided by delegations.

The Revised Draft

The Revised Draft aims for clarifications compared with the previous draft by the European Commission, and outlines issues to be discussed in further WP TELE meetings. The Revised Draft does not make changes to the general scope addressed by the ePrivacy Regulation. It tries, however, to be clearer about the territorial scope of applicability of the ePrivacy Regulation, and also about excluding legal entities from the definition of data subjects. Even in the form of the Revised Draft, the ePrivacy Regulation seems like an “elephant” that hampers innovation in Europe.

In terms of tracking technologies and commercial communications, the proposed amendments include, inter alia, the following elements:
Continue Reading Updated Draft of ePrivacy Regulation: Still Hampering Innovation

The ICO recently published its Information Rights Strategic Plan for 2017 – 2021  (the ‘Plan’). Within it, the ICO Commissioner, Elizabeth Denham, asserts that we are on the “edge of a new frontier,” and that the data protection landscape is about to be reshaped by the “game changing” General Data Protection Regulation (the ‘GDPR’). Noting the significant changes for organisations, the public and regulators, the Commissioner sets the key aim of ensuring that data protection regulators stay relevant. According to the Commissioner’s opening statement, this entails increasing the public’s trust in government, public bodies and the private sector in terms of not only transparency, but also their involvement in the digital economy and digital public services.

The Plan specifies five clear goals:

  1. Increase the public’s trust and confidence in how data is used and made available;
  2. Improve standards of information rights practice through clear, inspiring and targeted engagement and influence;
  3. Maintain and develop influence within the global information rights regulatory community;
  4. Stay relevant, provide excellent public service and keep abreast of evolving technology; and
  5. Enforce the laws the ICO helps to shape and oversee

Continue Reading ICO’s Strategic Plan for the ‘New Frontier’ of Data Protection