The Council of EU Member States – one of the two main EU lawmaking bodies – recently released a new draft version of the ePrivacy Regulation (“EPR”). Negotiations on the regulation have been deadlocked for a while, but seem to be gathering new momentum under the Finnish Presidency. Below we highlight some selected topics that may be of interest to readers.
- Users will have to be reminded (probably every 12 months) of their right to withdraw their consent to the processing of electronic communications content or metadata, unless users request not to receive these reminders. This does not apply to consent for cookies or direct marketing by e-mail or SMS.
- Member States continue to reserve the right to implement data retention obligations, for example, for law enforcement purposes. This remains a controversial topic in light of past and pending CJEU case law.
- The consent requirements for cookies do not materially change, although the derogations are more clearly defined; they now include audience measuring and software updates, among others, under certain conditions. In the draft, it is clear that the consent must be a GDPR-consent, which is in line with the recent CJEU Planet49 decision, but the draft also explicitly indicates that consent can be obtained by “appropriate” technical settings of software.
- Recital 21 addresses the issue of cookie walls (i.e., subjecting a service to consent for cookies used for advertising purposes). The current draft suggests that this is indeed possible and that the required consent (users must “accept such use”) should not be considered an invalid (tied) consent under Art. 7(4) GDPR when the processing for advertising is “necessary” for the performance of the service. In other words, the acceptance is freely given. However, the tortured language of the recital demonstrates its political sensitivity – e.g., the recital refers to “accept”, not “consent”.
- Direct marketing by e-mail or SMS for own products and services to existing customers would still be based on legitimate interest with a right to opt-out. However, Member States could set an expiration time on this, following which the relevant party would presumably have to seek an opt-in consent if it wants to continue sending advertising. This risks creating a patchwork of un-harmonized marketing rules across the EU, despite having an EU-wide regulation.
- Electronic communications metadata can be used for scientific research, without consent, under certain conditions. Interestingly, under the most recent version of the EPR, these conditions no longer require that the research be based on Union or Member State law (a contrario Art. 9(2)(j) GDPR). This is a welcome change, given that these laws do not exist in most cases.