On 4 November 2020, nearly four years on from the European Commission’s initial proposal, the German Presidency of the Council of the European Union released the latest draft of the proposed ePrivacy Regulation. EU Member States are yet to agree on a final version of the text.
Amongst other things, the latest proposal re-introduces the prospect that website operators can use ‘cookie walls’ to make access to their website conditional on the user consenting to the use of cookies, provided there is an alternative “equivalent offer by the same provider that does not involve consenting” (in other words, the user has a choice between consenting to the use of cookies or paying for the service). It also enables publishers to use cookies under the ‘strictly necessary’ exemption where the publication is wholly or mainly financed by advertising, provided that the user is given clear information about the use of cookies. On the other hand, the latest text also removes the broad right of a website operator to rely on legitimate interests for the use of cookies, which was found in earlier texts issued by the Croatian presidency.
The latest proposal also prevents organisations from relying on legitimate interests as a ground for processing electronic communications metadata (e.g. details of the sender and time a communication was sent) which undermines the ability of electronic communications service providers to use such data for their own purposes. It’s therefore no surprise that the latest draft has been rebuffed in a joint statement of the European Telecommunications Network Operators' Association and GSMA Europe, which calls on Member States to not support the German Presidency’s proposal.
It’s not just the telecoms industry that has concerns. The EDPB – the consortium of EU data protection supervisory authorities – has issued a statement cautioning that the latest Council discussions risk creating fragmented supervision, procedural complexity, and a lack of consistency and legal certainty for individuals and companies. To ensure harmonised interpretation and enforcement across the EU, the EDPB calls on Member States to use the cooperation and consistency mechanism, established by the GDPR, for the supervision of the ePrivacy Regulation.
The latest draft doesn’t diverge from previous versions in respect of direct marketing requirements, but readers are reminded that the ePrivacy Regulation is set to significantly change the landscape. In particular, it will bring a broader range of services into the scope of the rules for sending direct marketing communications, meaning that some channels of communication which can presently be used by marketers on an opt-out basis (including, for example, live phone calls) will be subject to a requirement to obtain consent.
It’s unclear how close a final text of the ePrivacy Regulation is. Birgit Sippel, German MEP and the European Parliament’s rapporteur on the draft, has quashed any hopes of it being agreed before the European Commission’s deadline of 21 December 2020 (Politico reports), so it seems likely that the debate is set to continue in to the New Year.
The draft text creates a restrictive framework for processing communications metadata that is neither future-proof, nor aligned with the GDPR... Germany’s proposed text fails to bridge the gap between protecting privacy and confidentiality and stimulating innovation in European service providers.
unknownx500
