The E-Privacy Regulation: light at the end of the tunnel?

On 10 February 2021, after years of failed attempts, the Council of the European Union finally agreed on a negotiating mandate for the E-Privacy Regulation (the Mandate). The Mandate enables the Portuguese presidency to start discussions with the European Parliament in order to reach a consensus on the legislation that should replace the existing ePrivacy Directive (Directive 2002/58/EC, which is nearly 20 years old) and should particularise and complement the GDPR with rules on the protection of privacy and confidentiality in the sector of electronic communications.

The Mandate contains a proposal for an E-Privacy Regulation that is over 80 pages long (the E-Privacy Proposal). Please find below some key takeaways.

1.  Under the Mandate, the E-Privacy Proposal will apply to end-users in the European Union. In this regard – and in contrast to the GDPR – it should be noted that end-users can be both natural and legal persons.

2.  The E-Privacy Proposal covers electronic communications data, which includes both electronic communications content and electronic communications metadata (such as data used to trace and identify the source and destination of a communication, data on the location of the device, data on the date, time, duration and type of the communication, etc.). 

As a main rule, electronic communications data shall be confidential. Any interference with electronic communications data, including listening, tapping, storing, monitoring, scanning or other types of interception, surveillance and processing of such data, by anyone other than the end-users concerned, shall be prohibited, except when expressly permitted by the E-Privacy Proposal. 

The E-Privacy Proposal allows such processing of electronic communications data without the consent of the end-user(s) in certain specific circumstances, for instance if it is necessary to maintain the integrity of communications services, to detect malware or viruses, or in cases where the service provider is bound by Union or Member States law on the prosecution of criminal offences or the safeguarding of public security. 

Additionally, the E-Privacy Proposal provides for a wide range of permitted uses for electronic communications metadata and even allows such metadata to be processed for purposes other than those for which it was initially collected (in certain cases and under certain circumstances).

3.  The E-Privacy Proposal also aims to protect the end-user’s terminal equipment, considering such terminal equipment may store highly personal information (e.g., videos, pictures or contact information). Consequently, the use of processing and storage capabilities and the collection of information from end-user's terminal equipment will only be allowed with the end-user's consent or for certain specific and transparent purposes laid down in the E-Privacy Proposal. 

4.  Moreover, the E-Privacy Proposal tries to tackle information fatigue (which is a common issue as a result of the broad range of transparency obligations under the GDPR). The E-Privacy Proposal establishes that (cookie) consent can be expressed "by using the appropriate technical settings of a software application enabling access to the internet placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet". Hence, the E-Privacy Proposal allows end-users to whitelist one or several providers in their browser settings. 

Note that the E-Privacy Proposal includes several other rules on important topics, such as unsolicited and direct marketing (need to obtain the prior consent of the end-user except in case of existing client for similar services, namely the exception we already know under Belgian law) and public directories. 

Even though the Mandate is an important milestone in the legislative process, the saga is far from over. Some data protection experts (e.g. Prof. Ulrich Kelber, German Federal Commissioner for Data Protection and Freedom of Information) have already criticised the E-Privacy Proposal, stating that it would be a serious blow to data protection. 

Moreover, the Mandate provides that the E-Privacy Proposal shall not be applicable until 24 months after its entry into force (i.e., 2023 at the earliest).

To be continued.