On January 5, 2021, the Council of the European Union released a new, draft version of the ePrivacy Regulation, which is meant to replace the ePrivacy Directive.  The European Commission approved a first draft of the ePrivacy Regulation in January 2017.  The draft regulation has since then been under discussion in the Council.

On January 1, 2021, Portugal took over the presidency of the Council for six months.  Ahead of the next meeting of the Council’s working party responsible for the draft ePrivacy Regulation, the Portuguese Presidency issued a revised version of the draft regulation.  This is the 14th draft version of the ePrivacy Regulation (including the European Commission’s first draft).

Once approved, the ePrivacy Regulation will set out requirements and limitations for publicly available electronic communications service providers (“service providers”) processing data of, or accessing devices belonging to, natural and legal persons “who are in the [European] Union” (“end-user”).  The regulation aims to safeguard the privacy of the end-users, the confidentiality of their communications, and the integrity of their devices.  These requirements and limitations will apply uniformly in all EU Member States.  However, EU Member States have the power to restrict the scope of these requirements and limitations where this is a “necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests.”

Latest draft of the ePrivacy Regulation

The Portuguese Presidency’s draft largely follows the structure adopted by the preceding German Presidency.  The draft is divided into the following five chapters:

  • chapter I sets out the material, subjective, and territorial scope of the draft regulation (including the requirement to appoint a representative for non-EEA service providers), defines the terms used in the regulation, and establishes the standard of consent;
  • chapter II sets out requirements and limitations for accessing data on end-users’ devices (e.g., through cookies and pixels), and additional requirements and limitations for processing (1) electronic communications content, (2) electronic communications metadata, and (3) data relating to the end-users’ devices (including about software and hardware); chapter II also restricts the use of processing and storage capabilities of the end-users’ devices;
  • chapter III sets out requirements and limitations for (1) number-based interpersonal communications services (e.g., public telephony services and Skype), including for offering publicly available directories, and (2) direct marketing communications (e.g., emails and other e-messages);
  • chapter IV identifies the authorities responsible for enforcing the regulation and their powers; and
  • chapter V describes remedies, liability and penalties.

The Portuguese Presidency’s substantive amendments to the draft regulation propose to “simplify the text and to further align it with the GDPR,” and further “reflect the lex specialis relation of ePrivacy to the GDPR.”  In this respect, the Portuguese Presidency follows the same approach taken by the previous Presidencies of the Council.  The Portuguese Presidency’s most noteworthy amendments include:

  • Widening the territorial scope of the draft regulation so that it also applies to the processing of personal data by a controller not established in the EEA, but established in a place where Member State law applies by virtue of public international law; according to the Presidency, the aim was to fully align the territorial scope of the ePrivacy Regulation with Article 3(3) of the GDPR.
  • Adding the definition of “location data” to the draft regulation.
  • Reinserting provisions that authorize the processing of electronic communications data (including metadata) for purposes compatible with the initial purpose(s) for which the data was collected; this provision had been deleted by the Croatian Presidency (January – June 2020).
  • Inserting the GDPR standard of processing for the “performance of a contract” in the ePrivacy Regulation; the previous version of the draft regulation authorized service providers to process electronic communications data without consent for the purpose of “achiev[ing] the transmission of the communication.”  The Portuguese draft authorizes service providers to process electronic communications data (and metadata) for the purpose of “providing an electronic communication service.”  According to the Portuguese Presidency, the previous version included a “too restrictive lawful basis” that was not fully aligned with the GDPR legal basis authorizing data processing for the performance of a contract (Article 6(1)(b)).
  • Requiring service providers sharing anonymized statistical electronic communications data with third parties to carry out a data protection impact assessment and inform end-users of the envisaged processing operations; the previous version of the draft ePrivacy Regulation did not include limitations on the sharing of anonymized statistical electronic communications data.
  • Authorizing service providers to access data on the end-users’ devices where necessary for the performance of a contract; the previous version of the draft regulation authorized service providers to access data on the end-users’ devices only where technically necessary to perform the contract.  The word “technically” was deleted.

Similar to the ePrivacy Directive, the ePrivacy Regulation will include provisions that apply alongside those in the GDPR to the processing of personal data collected by electronic communication service providers.  This explains the need to align some of the ePrivacy Regulation’s provisions with the GDPR.  However, the ePrivacy rules are broader than the GDPR’s because they apply not only to the processing of personal data  —  they apply to the processing of any electronic communications data (and other data collected from end-users’ devices), whether personal or not.  This has increased the difficulty of the Council’s task of, on the one hand, ensuring that the ePrivacy Regulation is in line with the GDPR, while, on the other hand, ensuring that (some of) its provisions can stand on their own and are independent of the GDPR.

This difficult balancing act was apparent in earlier draft versions of the ePrivacy Regulation.  The previous Presidencies of the Council have in many cases attempted to align the ePrivacy Directive with the GDPR, although they were often forced to abandon their proposals based on opposition from other Member States.

It is too early to tell whether the Portuguese Presidency’s draft will secure the support of the other Member States, although the precedents to date are not favorable.  We will continue to monitor developments in the Council.

Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.

Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.

Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.

Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.

She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).

Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.

Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.