On December 3, 2019, the EU’s new Commissioner for the Internal Market, Thierry Breton, suggested a change of approach to the proposed e-Privacy Regulation may be necessary. At a meeting of the Telecoms Council, Breton indicated that the Commission would likely develop a new proposal, following the Council’s rejection of a compromise text on November 27.
The proposed Regulation is intended as a replacement to the existing e-Privacy Directive, which sets out specific rules for traditional telecoms companies, in particular requiring that they keep communications data confidential and free from interference (e.g., preventing wiretapping). It also sets out rules that apply regardless of whether a company provides telecoms services, including restrictions on unsolicited direct marketing and on accessing or storing information on users’ devices (e.g., through the use of cookies and other tracking technologies).
Substantively, the proposed Regulation aims to extend the rules that currently apply specifically to telecoms companies to “over-the-top” service providers. Initial versions included stringent restrictions on when electronic communications data (including both content and metadata) could be used without consent, which was the subject of significant debate and disagreement. Despite proposals from both the European Commission and Parliament, negotiations on a Council proposal have been in deadlock for more than two years, culminating in the rejection of the Finnish Presidency’s text after substantial, but ultimately unsuccessful, efforts to find agreement.
The Council has released a progress report, noting the areas on which agreement could not be reached, including:
- The scope of the Regulation, particularly its application to processing of electronic communications data by end-users of a service or by entrusted third parties who might receive that data.
- The appropriate solution to allow the processing of electronic communications data for the purposes of prevention of child abuse imagery.
- Whether an exception should be included to permit the processing of electronic communications data for the prevention of other serious crimes, in particular terrorism.
- The appropriate rules for storing or accessing information on users’ devices, which should protect existing business models and also respect the GDPR’s rules. For example, there was disagreement around whether giving consent to the use of cookies or other tracking technologies could be a condition of access to a website or service.
- How to facilitate effective cooperation between national supervisory authorities, and what role the European Data Protection Board should have.
- How the proposed Regulation will operate in relation to new technologies, particularly machine-to-machine and Internet of Things services.
Following the Council’s failure to agree a proposal and in light of the installation of the new Commission, questions were asked about the viability of the current proposals. Although Breton later stated to the press that all options remain on the table, including continuing with negotiations on those existing proposals and taking into account agreed elements of the current proposal successes, his statement suggests that the Commission ultimately may reconsider the approach to e-Privacy. It remains to be seen, and we will continue to monitor, exactly how any new approach will address the concerns raised in the Council and be reconciled with the views of the European Parliament.