Last year, we wrote that the e-Privacy Regulation was becoming a headache for the European Union and we wondered aloud whether the regulation would ever come into being. The latter now seems to be a step closer. The European Commission (‘EC’) published a revised text proposal on 5 January 2021 and not long afterwards, on 10 February 2021, the Council of the EU’s Permanent Representatives Committee (‘Council’) reached agreement on a text proposal. Below we will discuss some interesting provisions of these recent proposals.
What is the e-Privacy Regulation again?
The e-Privacy Regulation is intended to eventually replace the existing 2002 e-Privacy Directive. That directive contains rules on the processing of personal data and the protection of privacy in the electronic communications sector.
Revision of the directive is necessary to bring the e-Privacy rules more into line with the digital developments that have occurred in recent years.
Among other things, provisions are added that deal with new technological and market developments, such as Voice over IP services, webmail and other messaging services, as well as techniques to track users’ online behaviour, including cookies. Also, alignment will be sought with the terminology and rules set out in the General Data Protection Regulation (‘GDPR’).
The territorial scope of the ePrivacy Regulation will be extended. The regulation will apply not only to parties established within the EU, but also to parties established outside the EU in places where Member State law applies by virtue of public international law.
The location of the end-user is also relevant to the scope. When located in the EU, the e-Privacy Regulation generally applies. This includes end-users within the EU to whom electronic communication services are provided, or whose content of and metadata about those electronic communications are processed, or to whom direct marketing communications are sent, etc.
In the aforementioned cases, parties established outside the EU (and where Member State law does not already apply by virtue of public law) must appoint a representative within the EU within one month form the start of its activities. This is not required where the activities falling within the scope of the regulation are occasional and are unlikely to result in a risk to the fundamental rights of end-users.
Cookies and similar techniques
Both the EC and the Council text proposals indicate that the use of cookie walls is permitted under certain circumstances. It is no longer considered necessary for an Internet user to be able to access the same online content by the same provider without accepting cookies. According to the EC, this would in practice mean too great a burden for online content providers (e.g, the online press), because such providers would then be obliged to simultaneously offer “free” content (without direct monetary payment) and paid content websites.
In practice, this means that the use of cookie walls is permitted as long as there are enough alternative providers of similar content.
If the end-user has few or no similar alternatives, and therefore has no real choice regarding the acceptance of cookies, the use of a cookie wall is not allowed. Think for example of content provided by public authorities.
To prevent end-users from getting fed up with constantly having to give their consent for cookies and similar techniques, both the EC and the Council want to make it possible for end-users to give consent to the use of certain types of cookies via browser settings. These cookies will then be placed on a ‘white list’ in advance. Software providers will be encouraged to make it easy for users to create and set such lists. Software providers are encouraged to include settings in their software which allows end-users to manage consent to the storage and access to stored data in their terminal equipment by easily setting up and amending whitelists and withdrawing consent at any moment.
The e-Privacy Regulation also includes rules on the use of metadata. Metadata are data about the communication process, for example from which location messages are sent, to whom messages are sent and how often messages are sent. Metadata are potentially as sensitive as the content of messages.
Under both proposals, metadata may be processed without the end-user’s consent under certain circumstances, such as when it is necessary for the performance of the electronic communications service, for billing, calculating interconnection payments, detecting/stopping fraudulent or abusive use of electronic communications services, or for the vital interests of natural persons.
In line with the purpose limitation principle as included in the GDPR, pseudonymised metadata may also be used for purposes other than those for which they were originally collected, based on the recent proposals. Such processing must be compatible with the original purpose and certain additional conditions and safeguards must be met. However, metadata may not be further processed to determine the nature or characteristics of an end-user or to create a profile of an end-user that produces legal effects concerning that end-user or significantly affects him or her. Metadata must also be erased or made anonymous as soon as it is no longer needed to fulfil the purpose in guestion.
The e-Privacy Regulation also contains rules on unsolicited and direct marketing communications. In this field, few changes seem to be in store for the Netherlands on the basis of the recent text proposals.
The basic principle remains that consent of the end-user is required for the purpose of sending or presenting direct marketing communications to end-users, unless a number of conditions have been met.
For instance, it must concern contact details obtained in the context of the purchase of a product or service, the direct marketing messages may concern own similar products or services only, and such end-users are given the opportunity to object to such use of their contact details clearly and distinctly, free of charge and in an easy manner.
The recent proposals do allow Member States to set a period of time withing which a natural or legal person may use the end-user’s contact details for direct marketing purposes, after the sale of a product or service occurred. Member States are also encouraged to introduce, through national legislation, a specific code or prefix to indicate direct marketing calls, so that end-users can protect their privacy more effectively.
The legislative process can now move on to the next stage of negotiations, namely the trialogue between the EC, the Council and the European Parliament. Although it is not yet clear how long this phase will take, the run-up and current differences between the three proposals suggest that it might take some time.
Once agreement has been reached and the final text, a transition period will apply. During this period organisations can bring their business operations into line with the rules of the ePrivacy Regulation. The GDPR contained a two-year transitional period. In the most recent Council proposal this period is also two years. The EC proposal, however, provides for a one-year period.