
ePrivacy Regulation – Final text approved by the Council of the European Union

The ePrivacy Regulation is finally at a decisive turning point because the Council of the European Union has reached an agreement on the final version of the text.

The approval of the ePrivacy Regulation by the Council of the European Union

After negotiations that lasted over 4 years, the ePrivacy Regulation is finally at a decisive turning point.  The Council of the European Union reached an agreement on the final version of the text, thus approving a negotiating mandate for the final revision of the rules on the protection of privacy and confidentiality in the use of electronic communication services.

The ePrivacy Regulation will apply not only to providers of traditional electronic communication services, such as mobile and fixed telephone operators, but will introduce important changes in key sectors of the digital economy, such as the Internet of Things, online advertising, and online telecommunications.

The draft Regulation, presented by the European Commission at the beginning of 2017, immediately aroused the interest of lobbies in the telecommunications, advertising, and media services sectors, and underwent numerous modifications under the influence of the partly opposing interests of businesses and consumers. In fact, it took 8 different presidencies of the Council of the European Union to agree on a shared text of the draft ePrivacy Regulation, which was finally reached on February 10, 2021, under the Portuguese Presidency.

Here is a brief recap of some of the most interesting points of the new text.

Default privacy settings

To combat so-called cookie banner fatigue, software vendors are encouraged (but not obliged) to include default settings that allow end-users to manage their consent to cookies in an easy and transparent way: making precise choices about storage of and access to data stored in their terminal equipment, and easily setting and modifying whitelists for the categories of cookies accepted or not, so that control over consent is easy to exercise. After all, Elon Musk, who lately seems to be more influential than usual, said so too.

Cookie walls and adtech

The possibility of conditioning access to websites on the user's consent to the installation of cookies is maintained, provided that it "does not deprive the user of an effective choice". This condition is deemed to be met if the end-user is placed in a position to choose – consciously – between a service offering that includes consent to the use of cookies for additional purposes, on the one hand, and an equivalent offering from the same provider that does not involve consent to the use of data for additional purposes, on the other. An imbalance could exist, for example, when the end-user has only a few or no alternatives to the service, and therefore has no real choice regarding the use of cookies, as in the case of service providers that hold a dominant position. With respect to the issue of awareness, as already provided by the GDPR, the information must be clear, comprehensive, and user-friendly (confirming that legal design will not be just a trendy hashtag in the coming months).

Consent yes, but with reminders

End-users who have given their consent to the processing of electronic communication data should be reminded of the possibility to withdraw consent at periodic intervals of no more than 12 months, as long as the processing continues, unless the end-user asks not to receive such reminders.

Extended soft spam

The possibility to send marketing communications under the so-called soft spam exception is maintained, with the same rules as to information and opt-out, but the definition of electronic message is extended. It covers not only email but also any message containing information such as text, voice, video, sound, or image sent over an electronic communication network that can be stored in the network or in related computer facilities, or in the terminal equipment of its recipient, including SMS, MMS, and functionally equivalent applications and techniques.

Cookies: goodbye legitimate interest

The provision seems to be oriented towards a conservative approach, excluding the possibility of relying on legitimate interest for the processing of data based on cookies (which appeared in previous drafts), providing for the need for consent from end-users, with some strict exceptions, for example for audience measurement, fraud prevention, installation of software updates, in case of emergency and for compatible purposes (under certain conditions and following a precise assessment).

Further processing of metadata, under what terms is it permitted?

More controversial is the possibility of processing metadata for purposes compatible with those for which it was originally collected (again, this requires evaluation and specific security measures such as encryption or pseudonymization). However, it is envisaged that metadata may be processed, other than on the basis of consent, if such processing is necessary for the purposes of network management or network optimization, or to meet technical quality-of-service requirements, or for the performance of an electronic communications service contract to which the end-user is a party, or if necessary for billing, calculation of interconnection payments, detection or termination of fraudulent or abusive use of electronic communications services or subscription to such services.

What’s next?

With the approval of February 10, 2021, the Council of the European Union was given the mandate to start negotiations with the European Parliament, with which the terms of the final text will be discussed. The ePrivacy Regulation will enter into force 20 days after publication in the Official Journal of the EU and will begin to apply two years later.

Although approval by the Council of the European Union is an important step, entry into force of the ePrivacy Regulation is not exactly around the corner. However, once applicable it will harmonize the rules at the European level. Organizations should therefore already consider, when conceiving any product or medium-to-long-term project, the impact that the approach of the new text may have on their business.

On a similar topic, you can read the article "The Italian privacy authority launches a consultation on cookies".

Image courtesy Dennis van der Heijden


Tommaso Ricci

Tech addict and privacy geek, working with Giulio Coraggio in the Intellectual Property and Technology Department of DLA Piper. I write about the latest news in the legal-tech framework to help intercept the trends and gain a competitive edge in the market.
