With the ultimate purpose of enacting specific rules regarding electronic communications, the ePrivacy Regulation aims, in particular, to replace the 2002 ePrivacy Directive, detail and complement the GDPR’s general rules, and implement important changes in areas such as metadata processing on end-user devices and obtaining cookie consent from website users.
The proposal, however, has come a long way. Various versions of the ePrivacy Regulation have been considered by the Council since the proposal was launched by the Commission in 2017 (read our summary here), resulting only now in an agreement between the EU member states.
In its latest version released under the Portuguese Presidency, the draft ePrivacy Regulation (the “Draft”) includes substantive changes:
- Processing of metadata
The Draft sets forth several modifications regarding metadata processing and subjects this category of data to specific obligations. In a nutshell, the most important changes currently contemplated are the following:
- clarification of the covered metadata’s definition
This definition now covers telephone numbers called and websites visited (including the geographical location of the caller or website user), as well as the time, date, and duration of each call made or website visit.
- compatible further processing of metadata
To align with the GDPR, metadata collected for one purpose can be further processed for a compatible purpose. This is subject to additional requirements such as mandatory pseudonymisation and restrictions on profiling and use to determine end-user characteristics. Compatibility is to be determined using a non-exhaustive list of criteria which resemble those of the GDPR.
- “performance of a contract” under Art. 6(1)(b) GDPR added as an additional legal basis for processing metadata
Processing activities permitted on this legal basis include billing, calculating interconnection payments, and detecting and stopping fraudulent or abusive use of, or subscription to, electronic communications services.
- Cookies consent
The Draft also addresses the existing “cookies consent” requirement, i.e. companies must obtain specific, revocable, and informed consent from end-users unless the cookies or similar identifiers are “strictly necessary” for the website. Compared to the current rules, however, the exceptions are broader and more precisely specified, and an explicit exception for certain analytical tracking is added.
The Draft seeks to simplify the current consent requirements by allowing end-users to provide their consent via browser settings: “an end-user can give consent to the use of certain types of cookies by whitelisting one or several providers for their specified purposes.” Under this approach, a general cookie setting of the web browser would not be sufficient: the end-user would need to actively whitelist one or several providers and one or more services of that provider.
In addition, the Draft also specifies the rules applicable to the collection of machine-to-machine communication data. Information emitted by terminal equipment cannot be collected unless (i) the end-user has provided consent or, subject to conditions, (ii) the collection is needed to establish or maintain a connection, (iii) it is necessary for statistical purposes, or (iv) it is necessary to provide a service requested by the end-user.
- Direct marketing and SPAM
As in previous versions of the Draft, any ‘targeted’ advertising (i.e. directed to one or more specific end-users) sent via a publicly available electronic communications service is – as a principle – subject to prior consent. As under the current ePrivacy rules, the Draft includes a ‘soft opt-in’ regime for natural persons who are existing customers. However, under the new Regulation, Member States would be allowed to set a time limit on the use of contact details obtained through the sale of a product or service under the ‘soft opt-in’. Slightly modified rules concerning direct marketing calls are also included.
- Enforcement and supervision
The Council also heavily amends the initial proposal with regard to supervision. Unlike the Commission’s proposal, Member States would be allowed to appoint different authorities to enforce the GDPR and the ePrivacy Regulation, thereby disregarding earlier calls by the European Data Protection Board (EDPB) not to split supervision of the two instruments. The current draft does not include a GDPR-like one-stop-shop mechanism for the new ePrivacy rules. At EU level, the EDPB would be the designated supervisory body, although its powers would be more limited than under the GDPR.
In contrast, sanctions and liability remain more closely aligned with the GDPR, including the power to impose administrative fines of up to EUR 10 or 20 million or, if higher, 2% or 4% of the total worldwide annual turnover of the preceding financial year, depending on the infringed provision. The Draft only states that supervisory authorities must have investigative and corrective powers, whereas the GDPR harmonises these powers to a much larger extent.
On 10 February 2021, the European Council voted on a mandate to negotiate the Draft with the European Parliament. However, it remains unclear at this stage to what extent the Draft will receive sufficient support to pass. The Draft has already been met with criticism, and significant differences from previous drafts have been identified. For instance, the Draft adds more permissions and exceptions to the consent rule, whereas the European Parliament primarily advocates consent.
Once adopted, the new ePrivacy rules would enter into application after two years.