The ePrivacy Regulation finally jumps out of the frying pan - but into the fire?

The GDPR hasn't been the only EU privacy reform on the lips of politicians and businesses in recent years. The contentious ePrivacy Regulation, intended to replace the 2002 ePrivacy Directive and sit as "lex specialis" (i.e. governing the same area but overriding on specific points) alongside the GDPR, is set to introduce harmonised rules on the processing of information by electronic communications service providers (now broadened to include the likes of WhatsApp and Facebook Messenger). 

The original intention was for the ePrivacy Regulation to be implemented alongside the GDPR in 2018, but progress through the European Council since the Commission's original 2017 version has been torturous and the draft has witnessed 4 years of disagreements between member states.

Now there appears to have been a breakthrough. Portugal took the reins of the Council presidency on 1 January 2021 and swiftly issued an updated draft on 5 January 2021, followed by further amendments. A European Council press release issued on 10 Feburary 2021 confirmed that the Council has reached agreement on a draft as a mandate to go to European Parliament for final negotiation.

How did Portugal get over the line?

Portugal compromised on contested points around the processing and retention of electronic communications "metadata" (e.g. information on location, time and recipient). The new draft permits communications providers to use metadata without end user consent for further “compatible” processing, enabling them to compete with the likes of WhatsApp and establish new business ventures. It also allows countries to require retention of metadata for national security purposes, potentially getting round the challenges posed for member state surveillance programmes by the CJEU ruling in Privacy International in 2020.

Areas to watch

The ePrivacy Regulation will cover ground ranging from direct marketing to cookies. The Council's mandate sees significant changes in some areas but limited reform in others. For example:

• Cookies – cookies and similar technologies can still only be set with a user’s consent or for other “specific and transparent” purposes set out in the Regulation. Consent requires a genuine choice. While so-called “cookie walls” may be acceptable in certain circumstances, the Council has confirmed (in the recitals) that a user’s access to a service can only be dependent on their consent to cookies if the same provider offers an equivalent service without cookies. The Council has also said software companies should look at ways to avoid “cookie consent fatigue”, for example by enabling users to whitelist types of cookies/providers in their browser settings.
• Opt-in/soft opt-in - the existing ePrivacy Directive requires recipients to either explicitly consent, to a GDPR standard, to direct marketing by electronic means, or to fall within the parameters of the "soft opt-in" process (when they are existing customers who have not opted out of marketing messages and provided they are given a clear chance to opt-out in subsequent communications). There have been no significant changes to these provisions so far, which will likely be welcomed by businesses.
• The corporate exemption - the existing rules also exempt direct marketing to corporates (i.e. legal rather than natural persons) from the above opt-in/soft opt-in requirements. This remains unchanged in the current draft, although note that the European Parliament's original draft did remove the corporate exemption and so it remains to be seen whether this will swing the other way in upcoming negotiations.

The road ahead 

Those hoping for plain sailing towards implementation shouldn't celebrate too soon. The Portuguese draft will form the basis for the Council's trilogue negotiations on the terms of the final text with European Parliament, which will be overseen and facilitated by the European Commission. This stage of negotiations can be equally challenging and there is plenty of scope for the tentatively agreed Council terms to be eroded. The European Parliament's original proposal contained some key differences to this text, and there will be lobbying from privacy activists in the knowledge that Parliament traditionally takes a more pro-privacy stance. However, the outlook for the regulation is certainly more positive than it has been previously, and the urgent pressure for ePrivacy reform in Europe may add impetus for the parties to get the text over the line.

 What does this mean for the UK? 

The Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR") implement the old ePrivacy Directive in the UK and is still law. Now Brexit and the transition period is over, the new ePrivacy Regulation will not have direct effect in the UK and the UK will not have to implement an equivalent law. That said, the UK is currently lobbying for an adequacy decision from the EU which which may influence its approach to the alignment of PECR with the ePrivacy Regulation in the future.

In any event, UK businesses should also stay alert to developments since the ePrivacy Regulation, like the GDPR, will have extraterritorial effect. They should therefore monitor the progress of the ePrivacy Regulation through the EU legislative process as they may find themselves subject to the ePrivacy Regulation if they send direct marketing to, or place cookies on the devices of, end-users in the EU.