On February 10, 2021, the Council of the European Union (EU) agreed on its version of the draft ePrivacy Regulation (Council Position). The long-awaited ePrivacy Regulation, which will repeal the existing ePrivacy Directive, overhauls the rules on cookies and regulates the use of and access to electronic communications data.
The new ePrivacy Regulation will directly regulate telecom operators, providers of voice over IP, messaging and web-based email services, as well as other types of digital communication services. Importantly, it will also significantly impact all companies operating on the internet, as it will affect the ad tech ecosystem, including website publishers and any companies using, reading, or dropping cookies or other tracking technologies.
While this version is a critical step towards adoption, it will still take several months before the regulation is finalized. The EU Commission, the European Parliament, and the Council of the EU must now negotiate the terms of the final text. The final text of the ePrivacy Regulation will thus differ from what we describe below, which summarizes the critical aspects of the Council's common position.
The ePrivacy Directive was adopted nearly two decades ago (in 2002) to establish a harmonized framework for regulating electronic communications networks and services.
In January 2017, the European Commission published a first draft of the new ePrivacy Regulation (Commission Proposal). The review aims to address technological developments, given the emergence of new internet-based services and tracking technologies. At the end of 2017, the European Parliament adopted amendments to the Commission Proposal (Parliament Report); the text was then sent to the Council for consideration. It took more than three years for the Council to adopt the Council Position.
Key Points of the Council Position
The following are the key takeaways from the Council Position:
- Lex specialis. The ePrivacy Regulation is a lex specialis to the General Data Protection Regulation (GDPR). It will specify or complement the GDPR (e.g., it also applies to legal persons) and share the concepts and principles set forth in the GDPR, unless specifically noted (e.g., the definition of what is valid ‘consent’).
- The ePrivacy Regulation applies to Machine-to-Machine (M2M), Voice over IP (VoIP), and Internet of Things (IoT) services. These services constitute an electronic communications service under the European Electronic Communications Code (EECC), and therefore fall within the ePrivacy Regulation, provided that i) the transmission of signals is carried out via a publicly available electronic communications service or network; and ii) the communication takes place between a limited number of end-users determined by the sender of the communication. In practice, this excludes internal communications through a company's intranet, communications on a customer care channel where customers can only communicate with the company concerned, and communications on a channel open to anyone (e.g., in online games).
- The territorial scope mirrors the GDPR’s territorial scope. Companies not established or located in the EU will be subject to the ePrivacy Regulation when they target the EU market (i.e., when they provide their services to end-users in the EU) regardless of whether the processing takes place in the EU. They will have to appoint an EU representative within one month from the start of their activities.
- The protection of electronic communications data. Electronic communications data includes both the content and the metadata of electronic communications. As a principle, electronic communications data is confidential: any interference with electronic communications content and metadata (i.e., listening to, scanning, reading, storing, monitoring, or processing it, whether by human intervention or by machine) is prohibited without the consent of the communicating parties. The text provides a few exceptions to this requirement for consent from all parties to the communication, including ensuring the integrity of the communications services, identifying malware or viruses, complying with a legal obligation, or preventing threats to public security.
- Consent is the rule for metadata processing. As a general rule, metadata (such as information on the location, time, and recipient of a communication) can only be processed with the user's consent. However, consent is not required if the processing is necessary i) for network management or optimization purposes; ii) to meet a service quality requirement laid down by law; iii) for the performance of an electronic communications service contract to which the end-user is a party; or iv) for billing or fraud prevention purposes. Furthermore, under the Council text, metadata can be further processed for other compatible purposes without the user's consent, provided that strong safeguards are in place (e.g., the metadata is encrypted or anonymized before it is reused).
- Cookie walls are authorized. Contrary to the opinion of the European Data Protection Board (EDPB), the Council Position allows making access to a website dependent on cookie consent (cookie walls) if service providers can demonstrate that the user has a genuine choice, in particular: i) where service providers offer a paid cookie-free version of their services (e.g., a paywall where users can opt for a premium version of the services that does not contain cookies); or ii) where the user can receive an equivalent service from a competitor that does not involve cookies.
- Audience measurement cookies do not require consent. Prior consent is no longer required to deploy first-party audience measurement cookies. Under the Council Position, companies will be able to collect information from the end-users' terminal equipment, without their consent, for the sole purpose of audience measurement, provided that such measurement is carried out by the provider of the service itself, or by a joint controller or a processor, in compliance with the conditions laid down in Article 26 or 28 of the GDPR.
- Users can give consent through browser settings. The Council Position aims to simplify consent requirements and allow users to grant or refuse consent to cookies and similar technologies through software settings, for instance, by whitelisting one or multiple service providers in their browser settings. However, it also clarifies that users’ consent provided directly through a cookie banner should take precedence over the preferences they recorded through software settings.
- No one-stop-shop mechanism. The Council Position does not include a mechanism similar to the GDPR's one-stop-shop mechanism, which means that companies may face enforcement actions from the authorities of each EU member state in which they operate. As under the GDPR, fines for infringements of the ePrivacy Regulation will be up to €20 million or 4 percent of a company's worldwide annual turnover, whichever is higher. The Council Position also allows EU member states to appoint authorities other than the data protection supervisory authorities, such as telecom regulators, to enforce the ePrivacy Regulation. This departs from the EDPB's statement that data protection supervisory authorities should be responsible for enforcing the ePrivacy Regulation.
Conclusion and Next Steps
Following the Council Position’s publication, the European Commission, the European Parliament, and the Council of the EU will negotiate the terms of a final version of the ePrivacy Regulation. If adopted, the long-expected ePrivacy Regulation will substantially impact all companies operating on the internet, including telecom providers, app providers, and the advertising technology industry. Under the current draft, companies would benefit from a two-year transition period to comply with the new rules.
We will continue to monitor the developments of the negotiations and provide updates on any important news.
Wilson Sonsini Goodrich & Rosati routinely helps clients manage risks related to the enforcement of privacy and data protection laws, along with advising clients on general domestic and international privacy and data security issues. For more information, please contact Cédric Burton, Jan Dhont, Lydia Parnes, or another member of the firm’s privacy and cybersecurity practice.