The new draft of the ePrivacy Regulation introduces substantial changes. Final approval still appears to be far off, but companies may start to get ready.
The saga on the ePrivacy Regulation seems endless. Our Tommaso Ricci had given an update on the version published in January 2019 (Read ePrivacy Regulation – Status and interplay with the GDPR) in LawBytes. But on 26 July 2019, the Finnish government issued a revised proposal for the ePrivacy Regulation with some amendments concerning electronic communication content, data & metadata, and further processing of metadata. The EU Council will discuss this proposal on 9 September 2019.
This post, based on the article published on the DLA Piper blog Privacy Matters, summarizes the amendments and the broader text as it currently stands.
What changes with the new draft of the ePrivacy Regulation?
The most extensive amendment introduced by the current proposal for the ePrivacy Regulation is the division of Article 6 into four distinct provisions, to clarify their respective scope. This provision regulates the processing of electronic communications data by telecommunications operators, specifically the conditions under which different aspects of electronic communication may be processed. The provision has now been split, each Article regulating the processing of a specific type of data:
- Art. 6 – all electronic communications data (content and metadata);
- Art. 6a – electronic communications content;
- Art. 6b – electronic communications metadata;
- Art. 6c – further processing of electronic communications metadata.
Another notable change in the new Art. 6 (all data) is the addition of a general rule according to which data can only be processed
- for the duration necessary for the permitted purposes and
- if those purposes cannot be fulfilled by processing information that is made anonymous.
Some other notable amendments have been made in Recital 32 and Article 16, concerning the scope of rules on unsolicited communications. While the previous version made it clear that advertising displayed online “to the general public” was excluded from the scope of these rules (suggesting targeted advertising was covered), new changes suggest that even targeted advertising might not constitute direct marketing communications under the ePrivacy Regulation. For example, “presenting” advertising was previously covered, in addition to “sending”, but “presenting” has now been deleted. Besides, to fall within the scope of the rules, the marketing must be sent “for reception by that end-user”.
The current status of the draft ePrivacy Regulation
Below is a summary of the current version of the draft ePrivacy Regulation:
1. Anti-spam rules for digital marketing see some flexibility
As under the current framework of the ePrivacy Directive, unsolicited commercial communications by electronic means (“spam”) are prohibited, except if the recipient gave consent. No consent is needed, though, for sending commercial emails to existing customers to advertise the sender's similar products, but every communication must include an opt-out possibility. The scope of these rules still appears to be subject to discussion, in particular their applicability to online advertising, as mentioned in the paragraph above.
2. Cookies and similar files/tags still subject to prior consent
The new draft of the ePrivacy Regulation also provides comprehensive rules for the use of web cookies and similar files or tags, considerably extending the current regulations. The scope of these rules has been substantially extended compared to the old ePrivacy Directive, referring now to any use of the storing or processing capabilities of the device (and not merely the storage or retrieval of information). In other words, cookies and stored information remain covered, but so are now specific scripts and tags (which today mainly fall outside the scope of the current ‘cookie’ rules).
The quality of consent should, in general, correspond to the criteria provided by the General Data Protection Regulation (GDPR). However, the ePrivacy Regulation should, to some extent, allow consent through browser settings, and currently contains several references to the possibility of giving consent by software-related technical means. A previous Council draft had removed the Commission’s proposal to impose on Internet browser publishers an obligation to provide for granular settings at browser level, replacing the obligation with merely an encouragement. The latest draft has not changed this new, less stringent approach.
As far as ‘cookie walls’ are concerned (the practice of blocking access to content until a user gives consent to, e.g., advertising cookies), the Council continues down the path it set a few iterations ago, not prohibiting cookie walls in principle provided the user is offered an ‘equivalent offer’ that does not involve the need for such consent.
3. Secrecy requirements still applicable to M2M and IoT communications
As indicated above, the new Council draft ePrivacy Regulation attempts to clarify the difference between the rules on electronic communications content, electronic communications metadata, and electronic communications data (common rules for content and metadata).
The common principle remains that of secrecy of electronic communications data, save for specific exceptions, e.g., metadata can now be processed for network management or network optimization, or statistical purposes. There is also now a specific possibility to process metadata for ‘compatible’ purposes subject to compliance with a specific process.
These rules apply not only to communications between humans, but also to the so-called “machine-to-machine” communications relevant for Internet of Things devices.
What is going to happen next?
Since France, Germany, Ireland, and the UK have been updating their guidance on cookies, such provisions will likely give rise to further discussions. Other rules appear to be closer to finalization at the level of the Council. For instance, reports suggest that Article 16 (the anti-spam article) will only require fine-tuning at this stage. In this context, the latest draft’s apparent removal of even online targeted advertising from the scope of the anti-spam rules may prove to be final for the Council. Even then, once the Council agrees on the entire document, it will still be necessary to reconcile the Council’s version with the European Parliament’s version.
The end of the tunnel is still far…
What does this mean for organizations?
While the text of the ePrivacy Regulation is not final, it is useful for organizations to consider it already when contemplating any long-term product or project. For instance, organizations embarking on significant Internet of Things projects may wish to take into account secrecy of electronic communications, to avoid having to stop or redesign the project in a year or two. Any organization contemplating a new flagship website or application may also wish to reconsider widespread use of tags rather than cookies if the intent was to avoid the applicability of the cookie rules, as the rules will at some point be the same.
More generally, it can be useful for organizations to identify key fields of activity that will be impacted by the ePrivacy Regulation, so that when the final text arrives, they can more rapidly engage in a readiness exercise.