ePrivacy Regulation: one step closer

[Update (Nov’21): I’ve discovered that Patrick Breyer MEP has published a “parallel text” of the three current proposals (Commission, Parliament and Council). Not exactly easy reading, but it makes it much easier to see where they are similar, and where there remain significant differences]

[Original (Feb’21) post…]

After four years, and nearly three years after it was meant to be in force, the EU Council of Ministers has finally agreed on a text of the proposed ePrivacy Regulation. This isn’t the end of the process: before it becomes law the Council and European Parliament have to agree on a single text. That may take a while, as the version the Parliament agreed on more than three years ago took the European Commission’s original proposal in a significantly different direction.

One area where there does seem to be agreement is the use of data about communications (and in some cases their content) to protect the security of networks, systems and end-users. Whereas the Commission draft only covered the security of networks, the Parliament’s Amendment 15 copied the text of Recital 49 from the GDPR into Recital 16, recognising the need to protect both the security of networks and of connected devices, and the range of organisations involved. Article 6(1)(b) was amended (Amend.72) to explicitly add “availability, integrity, confidentiality” of networks to the “security” permission, and Article 8(1)(da) added (Amend.90) to permit patches to protect the “security, confidentiality, integrity availability and authenticity of … terminal equipment”. The Council add more threats to the list of examples in Recital 16 – viruses, phishing and spam (as a threat to availability) – and explicitly link security measures to the prevention of personal data breaches. Processing of metadata and content to “detect or prevent security risks or attacks on end-users’ terminal equipment” is added to Art. 6(1)(c) and use of end-device capabilities to Art. 8(1)(da). They also recognise the need for security patches in Recital 21b and Article 8(1)(e).

Much less clear is what will be agreed on processing for other purposes. The Parliament retained the Commission’s closed list of purposes: transmission and security; quality of service, billing, and fraud prevention (these three only being allowed to use traffic data, not content); and where the user has requested a specific service and granted consent to the processing it requires. Where possible, the Parliament tightened these permissions, notably by the requirement in Art 6(2a) (Amend.77) that processing likely to result in a high risk to the rights and freedoms of individuals must be subject to a Data Protection Impact Assessment. The Council, however, has extended the Commission’s list, to include “compatible purpose” processing of both network and terminal information (Rec.17aa/20aa & Art.6c/8(g)), protecting “an interest which is essential for the life” of the user (Rec.17a & Art.6b(1)(d)), and scientific research (Rec.17b & Art.6b(1)(e)&(f)) (Parliament also mention scientific use, but only in relation to analytics: Amend 89).

On cookies and other use of end-device capabilities, the permissions for those necessary to transmit a communication (e.g. load balancers) or to provide a service requested by the user (e.g. shopping carts) are largely carried over from the existing Directive; there is also general agreement – though variation in detail – on a point first raised by the Article 29 Working Party in 2013 (!), that at least some analytics cookies should be permitted without prior consent (Art 8(1)(d) Amend 89). Otherwise the Parliament and Council positions are very different. Parliament insist on prior consent for all other use of end-device capabilities and (Amend 92) that refusal to give such consent must not result in the user being denied access to any service or function (often referred to as “cookie walls”). Council Recital 20aaaa, however, allows cookie walls so long as the user has a choice between free and (implicitly) pay-for versions of the service. This does not apply where this would “deprive the end-user of a genuine choice”, for example websites operated by public authorities or dominant service providers. But Recital 21aa suggests that some ad-funded services (online newspapers are given as one example) may not need to offer a choice.

These are the main areas I’ve been keeping an eye on, but there are also significant divergences between the Council and Parliament elsewhere. Resolving those seems unlikely to be quick.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!

Leave a Reply

Your email address will not be published. Required fields are marked *