ePrivacy Regulation: An update into modern times or hollowing out fundamental rights?

Introduction

On 10 February 2021 the Council of the European Union reached an agreement on a proposal text for the ePrivacy Regulation, which is set to update and replace the incumbent ePrivacy Directive. The text will form the foundation of negotiation talks with the European Parliament for the final version of the rules on the protection of privacy and confidentiality of electronic communications.

The ePrivacy Directive entered into force in 2002 and, needless to say, technological development since then has been staggering. To update the regulatory framework surrounding electronic communications the European Commission presented a draft Regulation in 2017. Since then, the text has been heavily influenced by various interest groups and lobbies. Now, after four years, the Council of the European Union has agreed on a shared text for the draft.

Below we summarise general trends that have come to our attention reading the proposal text, as well as specific high-impact changes relevant for service providers and individuals. Our summary raises the question whether the proposed text is merely an update into modern times or if the fundamental rights of individuals have been hollowed out on the way.

General trends

Facilitation of the data economy
In line with the European data strategy, the draft proposal seeks to facilitate and enable the extraction of value from data. Throughout the text various mechanisms have been put in place to realize this, most striking the inclusion of secondary use of data within the same organisation, discussed below, as well as the explicit referrals to sharing data with third parties. Metadata to be shared with third parties must reach the high threshold of anonymity, while end-user terminal equipment information must be shared either anonymous or pursuant to the GDPR. This greatly facilitates the sharing of data and is a clear step by the Council to foster a European data economy.

Legal grounds besides consent
Other noticeable general trends include the insertion of legal grounds besides consent, most prominently the inclusion of secondary use. Secondary use is a familiar concept from the GDPR and allows the processing for purposes other than the one the data was originally processed for. Secondary use is now explicitly permitted for compatible processing of electronic communications metadata (draft article 6c) and end-users’ terminal equipment information (draft article 8). For both types of data an initial assessment is required and when it is deemed compatible it must make use of anonymous data, if that is not possible pseudonimised data and not used for profiling or in a way that “similarly significantly affects” the end-user.

Additionally, communications data have been divided into meta- and content data, with different legal grounds applying to the processing of both. Metadata may rely on several legal grounds besides consent, some already familiar to us from the GDPR, such as performance of a contract or the vital interests of a natural person, as well as other reasons such as network management or to meet technical quality of service requirements. The processing of content data remains bound to the stricter consent requirement.

Derogations and exceptions for security and crimefighting
Finally, the impact of the global yearning for security post 9/11 is very apparent in the text. The incumbent ePrivacy Directive only has a single reference that leaves Member States to adopt restrictions to the scope due to national security, defence, public security and the prevention, investigation, detection and prosecution of criminal offences. The draft proposal contains this generic derogation in its material scope as well, however added “regardless of who is carrying out those operations, whether it is a public authority or a private operator acting at the request of a public authority”. While this phrase may seem to have aligned with the reality of increasing cooperation between the private and public sector, it is especially critical when read in conjunction with the newly inserted secondary use provision and the second alteration, which elevates crimefighting to a legal ground, based on which communications data may be processed. This elevation explicitly permits the processing of communications data in the broad sense (referring to both meta- as well as content data) for reasons of crimefighting. Additionally, the word prevention is critical as it implies pre-emptive action and as such, despite having become a standard phrase, stands opposed to the assumption of innocence until proven guilty that forms a fundamental cornerstone of the rule of law.

Specific changes

Fines
One of the major changes of the draft Regulation is the inclusion of fines, to be given out by supervisory authorities. These fines resemble the fines of the GDPR, having a two-tiered approach depending on the violation. Violations of data processing related to end-users’ terminal equipment information, publicly available directories, direct marketing communications and failure to appoint an EU representative may be fined with up to (the higher of) €10m or 2% of the total worldwide annual turnover. Violations regarding electronic communications data, number blocking or failure to comply with an order by a supervisory authority may be fined with (the higher of) €20m or 4% of total worldwide annual turnover.

Tackling consent fatigue
To tackle the so-called cookie banner fatigue, software vendors are encouraged, where technically feasible, to include default settings that allow end-users to give broad consent. Examples of this have already been seen, where browser settings let end-users block certain types of cookies by default, so that users do not need to enter their cookie preferences for every website they visit. While this encouragement is not binding, it reveals in a clear manner what regulators will expect from software vendors in the upcoming years.

Beyond cookies
The updated ePrivacy regulation refers to “cookies and similar tracking technologies” in the recitals and even broader to “processing and storage capabilities of terminal equipment and the collection of information from end-users’ terminal equipment” in article 8(1). By using this technology-neutral language it manages to more aptly capture the reality of practices, that tracking technologies are no longer restricted to cookies. What is more, recital 15 clarifies that the general prohibition on tracking also applies to situations when third parties “monitor websites visited, timing of the visits, interaction with others, etc., without the consent of the end-user concerned”. This means it would also apply to practices such as mail pixels, that have attracted a lot of scrutiny lately for relaying information without the awareness of end-users. As most companies use some form of trackers these days, it may be time to review whether current practices will still be allowed under the new ePrivacy Regulation.

Personal (digital) assistants and other services facilitating everyday life
Draft recital 16b is another example of the updated ePrivacy Regulation including realities of current practices. It grants legal certainty to everyday life facilitation services, such as index functionality, personal assistants, translation services and services that enable more inclusion for persons with disabilities, such as text-to-speech software. Processing as a part of one of such services should be allowed with prior consent and to the extent necessary to provide the requested functionality. This recital mainly gives clarity to providers of such services, but may also mean that they will have to comply with a new set of rules they have not considered before.

Specification of network requirements for public networks, such as hotspots
In recital 13 the draft proposal elaborates on the existing requirement of having to guarantee the confidentiality of public communications networks and publicly available electronic communications services. It explicitly names public hotspots, regardless of whether these are offered as an ancillary service, for instance in department stores or hospitals. It therefore clarifies that offering access to such public networks and/or communication services falls within the scope of the ePrivacy Regulation when provided to an undefined group of end-users (therefore excluding office or home networks). As such provisions of hotspots has become commonplace, it might be time for organisations to review the way in which they process data running via their publicly accessible networks.

Potential for unlimited retention of communications metadata
The proposed draft article 7(4) enables the EU or Member States to enact legislation to retain metadata for the purpose of crimefighting, including prevention. This quickly reminds one of the Data Retention Directive, that the Court of Justice of the European Union (CJEU) has declared invalid in the 2014 Digital Rights Ireland case due to its indiscriminate data collection nature and excessive retention period. It is particularly worrisome that such a ‘loophole’ has been built in, especially considering that research has repeatedly shown that metadata is oftentimes more revealing than content data. In the Data Retention Directive communications data was retained for a maximum period of 24 months, which was deemed excessive. Now draft article 7(4) enables retention for an unspecified, limited period of time, which can be extended potentially ad infinitum. This provision is especially critical for individuals and the intrusions into their private lives that may ensue.

Conclusion

Overall, the proposal has managed to update legal provisions to include examples and references to current practices and, in this way, helps to create legal certainty. On the other hand, some of the new inclusions may result in larger intrusions into people’s private life. These intrusions may pose serious threats to the fundamental rights and freedoms of individuals.

At this stage, it is important to note that this is by no means the final text. Some adjustments and nuances may address the red flags we have signalled and so it remains to be awaited what the final version of the text looks like. The next step is for the Council and the European Parliament to negotiate the terms of the final text. We will keep you posted.

In the meantime, if you have any further questions about the proposal of the ePrivacy Regulation after reading this or have any other privacy-related questions, feel free to contact Justin Loew directly via phone under (+31) 6 18 53 62 30 or via e-mail at justin.loew@lexdigitalis.nl.