EU: The ePrivacy Regulation - Let the trilogue begin!

After four years of negotiation, the EU’s proposed ePrivacy Regulation has finally been agreed by Council of the European Union opening the way for the trilogue process to begin. We consider what this means for cookies, direct marketing and the use of electronic communications data.

The ePrivacy Regulation

The ePrivacy Regulation was first proposed by the EU Commission in January 2017, and the EU Parliament quickly adopted an opinion on it in July 2017. It contains additional rules to extend and particularise the GDPR by addressing:

• the use of cookies;
• email and telephone direct marketing;
• the use of electronic communications content and metadata; and
• directory enquiries, calling line identification and nuisance calls.

The Regulation is intended to replace the ePrivacy Directive which was adopted in 2002. Despite being amended in 2009 to include additional provisions on cookies and security, and enhanced by the GDPR and EECC Directive which upgraded the requirements for consent and expanded its scope to cover OTT providers (respectively), the provisions in the ePrivacy Directive have long since been outpaced by changes in technology.  

Four years fighting the devil in the detail

These changes in technology have raised well publicised privacy concerns. However, despite the need for reform, progress in the Council of the European Union has been slow. Only now, four years after the Commission’s original proposal, has the Council agreed a draft to take into trilogue.

The delay in agreeing a draft is likely due to the inherent tensions in the aims of the ePrivacy Regulation. It must walk the fine balance between:

• Avoiding overly specific or restrictive provisions – For example, specific technical measures risk becoming rapidly out of date. Similarly, overly restrictive obligations could prevent legitimate uses of data and hamper innovative new business models.
• Providing additional controls to protect privacy – While the GDPR is based round a set of non-specific and technology-neutral principles (many of which were inherited from the old Data Protection Directive) the same approach is not available for the ePrivacy Regulation. It must, by definition, provide more specific controls on the use of electronic communications data which inevitably means some engagement with the underlying technology.       

The drafts issued by the Council have veered between the two approaches with some containing very specific references to telecoms technology and others falling back on broad concepts, such as the use of legitimate interests to justify the processing of electronic communications data.

The final draft achieves a better balance, but a number of provisions remain restrictive and unclear. The final say on their meaning may ultimately be reserved for the CJEU.

Key changes: Cookies

The Regulation largely retains the current requirement to obtain consent to set or read a cookie unless the cookie is necessary for the provision of the relevant electronic communication services. Consent has the same meaning, and must meet the same strict conditions, as consent under the GDPR.

However, there are a number of clarifications and innovations:

• Some analytics cookies are ok - Certain types of analytics cookies would be allowed without consent. This reflects the existing approach of many data protection authorities who have chosen not to regulate the use of non-invasive analytics cookies.
• Device fingerprinting regulated – The collection of technical information emitted by the user’s device in order to identify the user is regulated in a similar way to cookies. This again reflects the approach of many data protection authorities that device fingerprinting falls within the scope of existing cookies laws.
• Cookie walls may, or may not, be allowed – The recitals discuss cookie walls in detail without coming to any clear conclusion – though there is a strong indication that they are not allowed by dominant service providers or public authorities, but probably can be used by online newspapers.
• Pseudonymised use – There is a right to make further use of cookie information if it is pseudonymised, not used to profile the user and anonymised when the processing is complete.
• Software updates regulated – Finally there are specific provisions regulating software updates. It is unfortunate that these provisions have been squeezed into this part of the Regulation as software updates raise very different issues to the use of cookies.

Key changes: Direct marketing

The position for electronic direct marketing is also largely unchanged. For example, emails and SMS can only be sent to individuals if the individual consents or the similar products and services exemption applies. Again, there are some clarifications and innovations:

• Online advertising out of scope – Earlier drafts of the Regulation suggested these rules would be extended to include targeted web-based advertisements. However, the draft agreed by the Council limits the scope of these rules to messages that are stored for the user and specifically states this does not include web-based advertisements.
• Time limits to the similar products and services exemption – Member States can limit the duration of the similar products and services exemption such that the right to market to individuals on this basis would expire after a certain period.
• Corporate marketing – Similarly, Member States have discretion to extend these rules to email marketing to legal persons.

There are also rules on marketing by telephone that are broadly similar to those under the existing rules.

Key changes: Use of electronic communications data

There are more significant changes to the use of electronic communications data. These rules apply to providers of electronic communication networks services and expressly apply to machine-to-machine (M2M) communications, though there are exceptions for closed networks, such as corporate communication networks.

The Regulation starts from the position that electronic communications data must be kept confidential, and processing of that data by someone other than the end user is generally prohibited. However, the Regulation sets out three groups of exceptions:

• Content and metadata – Electronic communications data (i.e. content and metadata) can be used where necessary to provide a service, for security purposes or to comply with a legal obligation.
• Content – Electronic communications content can also be used where both parties to the communication consent or it is for the provision of a service requested by one of the end users.
• Metadata – Broader rights exist for electronic communications metadata which can be used for network management, with the consent of the end user, to protect vital interests, for scientific or research purposes or for further compatible purposes if the data is pseudonymised.

Level playing fields and Brexit

The Regulation has expansive extra-territorial application and apples to a range of actions that affect end users in the EU. For example, the Regulation will apply to anyone sending direct marketing to, providing services to or processing electronic communications data about, end users in the EU.  

In addition, those caught by the Regulation must appoint a representative in the EU unless their processing is occasional and unlikely to create risks for individuals.

This appears to be much broader than the jurisdictional scope of the GDPR and it is surprising that the Council’s agreed draft does not contain a “targeting” criterion similar to that in the GDPR.

All this means that the provisions of the Regulation will, likely, continue to be relevant to UK business despite Brexit. More broadly, it is not clear if the UK will also look to revamp its ePrivacy laws to reflect the Regulation. The UK Government has given little indication this is a priority and instead is focusing on its broader National Data Strategy and Online Harms regime.

Sanctions

Finally, the obligations in the Regulation are backed up by the threat of substantial fines of up to €20 million or 4% of annual worldwide turnover.

This will be a significant change in some jurisdictions. While some Member States already apply GDPR-style sanctions for breach of ePrivacy rules (as evidenced by France’s recent €135 million fine to Google and Amazon), others have much weaker sanctions (such as Spain where fines are currently limited at €30,000).

Get ready for 2023?

After the long and difficult progress of the draft Regulation though the Council of the EU, it is not clear if it will now rapidly pass through trilogue to adoption. Certainly, initial reactions from civil society have not been positive. This suggest the trilogue will not be about fine tuning the provisions of the Regulation but rather will be a grander debate about the future of online privacy.

Even if the Regulation is finally adopted this year, it will not apply for a further two years meaning, these changes will likely not come into effect until 2023 at the earliest.

By Ceyhun Pehlivan and Peter Church