The ePrivacy Regulation is finally at a decisive turning point because the Council of the European Union has reached an agreement on the final version of the text.
The approval of the ePrivacy Regulation by the Council of the European Union
After negotiations that lasted over 4 years, the ePrivacy Regulation is finally at a decisive turning point. The Council of the European Union reached an agreement on the final version of the text, thus approving a negotiating mandate for the final revision of the rules on the protection of privacy and confidentiality in the use of electronic communication services.
The ePrivacy Regulation will apply not only to providers of traditional electronic communication services, such as mobile and fixed telephone operators, but will introduce important changes in key sectors of the digital economy, such as the Internet of Things, online advertising, and online telecommunications.
The draft Regulation, presented by the European Commission at the beginning of 2017, immediately aroused the interest of lobbies in the telecommunications, advertising, and media services sectors, and underwent numerous modifications due to the partly opposing interests of businesses and consumers. In fact, it took 8 different presidencies of the Council of the European Union to agree on a shared text of the draft ePrivacy Regulation, which was finally reached on February 10, 2021, under the Portuguese Presidency.
Here is a brief recap of some of the most interesting points of the new text.
Default privacy settings
To combat so-called cookie banner fatigue, software vendors are encouraged (but not obliged) to include default settings that allow end-users to manage their consent to cookies in an easy and transparent way. End-users should be able to make precise choices about the storage of, and access to, data stored in their terminal equipment, and to easily set and modify white-lists for the categories of cookies they accept or reject, so that control over consent is easy to exercise. After all, Elon Musk, who lately seems to be more influential than usual, said so too.
Cookie walls and adtech
Consent yes, but with reminders
End-users who have given their consent to the processing of electronic communication data should be reminded of the possibility to withdraw consent at periodic intervals of no more than 12 months, as long as the processing continues, unless the end-user asks not to receive such reminders.
Extended soft spam
The possibility of sending marketing communications under the so-called soft spam exception is maintained, with the same rules on information and opt-out, but the definition of electronic message is extended. It covers not only email but also any message containing information such as text, voice, video, sound, or image sent over an electronic communication network that can be stored in the network or in related computer facilities, or in the terminal equipment of its recipient, including SMS, MMS, and functionally equivalent applications and techniques.
Cookies: goodbye legitimate interest
The provision seems to be oriented towards a conservative approach: it excludes the possibility of relying on legitimate interest for the processing of data based on cookies (which appeared in previous drafts) and requires consent from end-users, with some strict exceptions, for example for audience measurement, fraud prevention, installation of software updates, in case of emergency, and for compatible purposes (under certain conditions and following a precise assessment).
Further processing of metadata, under what terms is it permitted?
More controversial is the possibility of processing metadata for purposes compatible with those for which it was originally collected (again, this requires evaluation and specific security measures such as encryption or pseudonymization). However, it is envisaged that metadata may be processed on a basis other than consent if such processing is necessary for network management or network optimization, to meet technical quality-of-service requirements, or for the performance of an electronic communications service contract to which the end-user is a party, or if it is necessary for billing, calculation of interconnection payments, or detection or termination of fraudulent or abusive use of, or subscription to, electronic communications services.
With the approval of February 10, 2021, the Council of the European Union was given the mandate to start negotiations with the European Parliament, with which the terms of the final text will be discussed. The ePrivacy Regulation will enter into force 20 days after publication in the Official Journal of the EU and will begin to apply two years later.
Although approval by the Council of the European Union is an important step, entry into force of the ePrivacy Regulation is not exactly around the corner. However, once applicable, it will harmonize the rules at the European level. Organizations therefore need to consider, as early as the design stage of any product or medium- to long-term project, the impact that the approach of the new text may have on their business.
On a similar topic, you can read the article “The Italian privacy authority launches a consultation on cookies”.
Image courtesy Dennis van der Heijden