Council of the EU Released a (New) Draft of the ePrivacy Regulation

On January 5, 2021, the Council of the European Union released a new, draft version of the ePrivacy Regulation, which is meant to replace the ePrivacy Directive. The European Commission approved a first draft of the ePrivacy Regulation in January 2017. The draft regulation has since then been under discussion in the Council.

On January 1, 2021, Portugal took over the presidency of the Council for six months. Ahead of the next meeting of the Council’s working party responsible for the draft ePrivacy Regulation, the Portuguese Presidency issued a revised version of the draft regulation. This is the 14th draft version of the ePrivacy Regulation (including the European Commission’s first draft).

Once approved, the ePrivacy Regulation will set out requirements and limitations for publicly available electronic communications service providers (“service providers”) processing data of, or accessing devices belonging to, natural and legal persons “who are in the [European] Union” (“end-user”). The regulation aims to safeguard the privacy of the end-users, the confidentiality of their communications, and the integrity of their devices. These requirements and limitations will apply uniformly in all EU Member States. However, EU Member States have the power to restrict the scope of these requirements and limitations where this is a “necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests.“

Latest draft of the ePrivacy Regulation

The Portuguese Presidency’s draft largely follows the structure adopted by the preceding German Presidency. The draft is divided into the following five chapters:

• chapter I sets out the material, subjective, and territorial scope of the draft regulation (including the requirement to appoint a representative for non-EEA service providers), defines the terms used in the regulation, and establishes the standard of consent;
• chapter II sets out requirements and limitations for accessing data on end-users’ devices (e.g., through cookies and pixels), and additional requirements and limitations for processing (1) electronic communications content, (2) electronic communications metadata, (3) data relating to the end-users’ devices (including about software and hardware); chapter II also restricts the use of processing and storage capabilities of the end-users’ devices;
• chapter III sets out requirements and limitations for (1) number-based interpersonal communications services (e.g., public telephony services and Skype), including for offering publicly available directories, and (2) direct marketing communications (e.g., emails and other e-messages);
• chapter IV identifies the authorities responsible for enforcing the regulation and their powers; and
• chapter V describes remedies, liability and penalties.

The Portuguese Presidency’s substantive amendments to the draft regulation propose to “simplify the text and to further align it with the GDPR,” and further “reflect the lex specialis relation of ePrivacy to the GDPR.” In this respect, the Portuguese Presidency follows the same approach taken by the previous Presidencies of the Council. The Portuguese Presidency’s most noteworthy amendments include:

• Widening the territorial scope of the draft regulation so that it also applies to the processing of personal data by a controller not established in the EEA, but established in a place where Member State law applies by virtue of public international law; according to the Presidency, the aim was to fully align the territorial scope of the ePrivacy Regulation with Article 3(3) of the GDPR.
• Adding the definition of “location data” to the draft regulation.
• Reinserting provisions that authorize the processing of electronic communications data (including metadata) for purposes compatible with the initial purpose(s) for which the data was collected; this provision had been deleted by the Croatian Presidency (January – June 2020).
• Inserting the GDPR standard of processing for the “performance of a contract” in the ePrivacy Regulation; the previous version of the draft regulation authorized service providers to process electronic communications data without consent for the purpose of “achiev[ing] the transmission of the communication.” The Portuguese draft authorizes service providers to process electronic communications data (and metadata) for the purpose of “providing an electronic communication service.” According to the Portuguese Presidency, the previous version included a “too restrictive lawful basis” that was not fully aligned with the GDPR legal basis authorizing data processing for the performance of a contract (Article 6(1)(b)).
• Requiring service providers sharing anonymized statistical electronic communications data with third parties to carry out a data protection impact assessment and inform end-users of the envisaged processing operations; the previous version of the draft ePrivacy Regulation did not include limitations on the sharing of anonymized statistical electronic communications data.
• Authorizing service providers to access data on the end-users’ devices where necessary for the performance of a contract; the previous version of the draft regulation authorized service providers to access data on the end-users’ devices only where technically necessary to perform the contract. The word “technically” was deleted.

Similar to the ePrivacy Directive, the ePrivacy Regulation will include provisions that apply alongside those in the GDPR to the processing of personal data collected by electronic communication service providers. This explains the need to align some of the ePrivacy Regulation’s provisions with the GDPR. However, the ePrivacy rules are broader than the GDPR’s because they apply not only to the processing of personal data — they apply to the processing of any electronic communications data (and other data collected from end-user’s devices), whether personal or not. This has increased the difficulty of the Council’s task of, at the one hand, ensuring that the ePrivacy Regulation is in line with the GDPR, while, on the other hand, ensuring that (some of) its provisions can stand on their own and are independent of the GDPR.

This difficult balancing act was apparent in earlier draft versions of the ePrivacy Regulation. The previous Presidencies of the Council have in many cases attempted to align the ePrivacy Directive with the GDPR, although often were forced to abandon their proposals based on opposition from other Member States.

It is too early to tell whether the Portuguese Presidency’s draft will secure the support of the other Members States, although the precedents to date are not favorable. We will continue to monitor developments in the Council.