Progress of the draft ePrivacy Regulation (ePR) through the EU’s corridors of power has been slow, to say the least. But on 10 February, the Portuguese EU presidency finally received a mandate from the European Council to start negotiations with the European Parliament on the final version of the draft ePR, the younger sibling of the General Data Protection Regulation ((EU) 2016/679) (EU GDPR), focusing on electronic communications.
The ePR, like the EU GDPR, will have extraterritorial effect and the post-Brexit UK is also expected to closely mirror the final ePR in its domestic legislation. UK businesses therefore need to keep a close eye on developments.
Although the draft ePR’s key regulations have remained unchanged since the first drafts, there have been many modifications to the merits of the detailed provisions (see Article, Latest e-Privacy Regulation proposals: breaking the deadlock?). The final version agreed by the Council contains the following main rules:
Protection of the content and metadata of electronic communications
Processing the content of electronic communications transmitted using publicly available services and networks is allowed only with the consent of all end-users affected by the communication, such as the sender and all participants in the communication, and only for the purpose of providing services. The service provider must carry out a data protection impact assessment (DPIA).
Processing metadata related to electronic communications, such as location information, time or the recipient of a communication, is allowed if the end-user has granted consent; without consent, it is allowed only for the purposes listed in the regulation, for example network management, network optimisation, performance of a contract, billing, calculating payments, monitoring fraud, stopping abusive use of the services or, under certain conditions, scientific or historical research. The Council emphasised in its press release that, based on consent, metadata can be used to display traffic movements to help public authorities and transport operators develop new infrastructure where it is needed most. Metadata can also be used to protect users’ vital interests, which is very important given the COVID-19 pandemic. These data can be analysed to help monitor epidemics and natural disasters.
Protection of information concerning users’ terminal equipment
Users’ devices, including software and hardware such as tablets and mobile phones connected to the internet with a subscription (“terminal equipment”), contain various data, including phone numbers, contact lists, photos and location data, that can be used with the user’s consent. Without this consent those data can be used only for the purposes listed in the draft regulation, including providing electronic communication services, measuring audiences, maintaining the security of the services or the device, and preventing fraud, and, under special conditions, updating software for security reasons or locating the device in the event of emergency calls.
Internet of Things (IoT)
In the area of IoT services, which rely on connected devices such as connected thermostats, connected medical devices, smart meters or automated and connected vehicles, the use of the processing and storage capacities of those devices and access to information stored on them should not require consent to the extent that such use or access is necessary to provide the service requested by the end-user. For example, storing information in or accessing information from a smart meter might be considered as necessary to provide a requested energy supply service to the extent the information stored and accessed is necessary for the stability and security of the energy network or for billing the end-user’s energy consumption. The same applies to storing, processing, and accessing information from automated and connected vehicles for security related software updates.
Cookie consent rules
The regulation regards cookies as software that collects terminal equipment information, so the provisions for the processing of that information will apply to cookies and similar tracking tools, which means that the service providers must obtain end-user consent to store a cookie or similar identifier. The end-user must have a genuine choice between different cookies, or using the service without cookies.
To avoid undermining cookie consent, end-users will be able to give consent for the use of certain types of cookies by whitelisting one or several providers in their browser settings. Software providers are encouraged to include settings in their software which allow end-users, in a user-friendly and transparent manner, to manage consent for the storage of and access to stored data in their terminal equipment by easily setting up and amending whitelists and withdrawing consent at any time. In light of the end-user’s self-determination, consent directly expressed by an end-user should always prevail over software settings.
Cookies such as session cookies, authentication cookies and cookies that remember the end-user are considered necessary to provide a specific service requested by the user and can be placed (stored) without the user’s consent.
Sending unsolicited/direct marketing communications to end-users
A sender of direct marketing messages, whether an individual person or a legal entity, is not allowed to use electronic communication services to send direct marketing messages to individual persons unless they have given their prior consent. This means that the main rule here is opt-in. This provision covers all types of direct marketing communication sent by email, push notification, in-app message, SMS, etc.
However, if an individual person has purchased a product or service from a service provider, the provider is entitled to use the person’s contact details to send direct marketing messages related to its own similar products or services. End-users have the right to object to this use of their contact data (opt-out). In practice, questions will arise regarding what can be considered “similar”, for example, is a mobile phone similar to a notebook?
Direct marketing calls can be made if a specific code or prefix is presented. Individual persons can object to voice-to-voice calls, in which case the service provider is not entitled to call them.
The draft ePR also includes rules on line identification and publicly available directories of end-users.
Next steps:
The regulation will enter into force 20 days after its publication in the EU Official Journal and will start to apply two years later.
In the next few months, the European Council and the European Parliament will negotiate the final text.
For further information and to follow the progress of the draft ePR, see Practical Law’s E-Privacy legislation tracker.