The approval of the ePrivacy Regulation by the Permanent Representatives Committee of the Council of the European Union failed again. I had published the details on the latest draft version of the ePrivacy Regulation. However, on November 22, 2019, no final approval of the ePrivacy Regulation was reached, which means that – despite the efforts of the Finnish Presidency – it will not be approved during this year, and it will be up to the Croatian Presidency to restart the process.
The long process of approval of the ePrivacy Regulation
The ePrivacy Regulation was proposed in January 2017, with the European Parliament agreeing on its position in October 2017.
During the last months, the draft was reviewed on several occasions by the Working Party on Telecommunications and Information Society as well as by the European Data Protection Supervisor and European Economic and Social Committee that issued their opinions.
However, no final approval has been reached so far.
The open issues for the approval of the ePrivacy Regulation
According to the report published by the Finnish Presidency, the main problems that are still open relate to the “concerns about the way the ePrivacy proposal would interact with new
technologies, in particular in the context of Machine-to-Machine, Internet of Things or
Another issue related to the processing of electronic communications data for prevention, detection, and reporting of child abuse imagery, “while there was support for addressing this issue at the EU level, delegations had diverging views on whether and how to do so in the ePrivacy proposal.” A number of delegations argued that if preventing child abuse imagery should warrant an exemption, so should other serious crimes.
There are also different views on data retention issues. In particular, the matter is whether it could leave room to maintain the possibility for existing and future data retention regimes to be compliant with the principles set out by the decision of the Court of Justice of the European Union, which invalidated the Data Retention Directive 2006/24/EC.
Finally, there are considerable discussions on the level of flexibility to be given to the EU Member States as to the level of independence to be given to data protection supervisory authorities as well as on cross-border cooperation and the role and involvement of the European Data Protection Board.
My view on the current status of the ePrivacy Regulation
I don’t see the current failure of the negotiations on the ePrivacy Regulation as bad news. The latest draft of the ePrivacy Regulation risks to slow the growth of existing as well as innovative technologies in the European Union through limitations that, in some cases (e.g., on cookies), might be considered disproportionate.
The GDPR already sets out some general principles that can be adapted to ePrivacy regulations without the need in some cases of an additional lawyer of stricter regulations. In particular, a risk-based approach is the backbone of the GDPR, and it appears not fully reflected in the current draft of the ePrivacy Regulation.
Invasive technologies are already subject to a stringent regime under the GDPR, and ePrivacy rules, in my view, should grant a higher level of flexibility when they identify a benefit for the general public deriving from the exploitation of such technologies, also in terms of available services.
In the meantime, we are experiencing some uncertainties as to issues like cookies whose applicable data protection regime has been differently interpreted by authorities, with the additional complexity arisen from the decision of the European Court of Justice on the Planet49 case. The main challenge of data protection compliance in the EU is to ensure consistency throughout the European Union on the basis of a business-oriented approach by regulators and authorities.
You can read on the topic at this link, “How Italian consent to cookies might change after CJEU Planet49 decision“.