The Council of the EU recently issued suggested amendments to the proposed EU E-Privacy Regulation. This article looks at the key aspects of these amendments.
What’s this all about?
Back in January 2017 the EU issued a legislative proposal to upgrade the existing privacy rules for electronic communications, including alignment with GDPR as regards electronic communications data that qualify as personal data: the so-called E-Privacy Regulation. We have written FAQs about the proposal, which can be found here: https://www.corderycompliance.com/proposed-eu-e-privacy-regulation/.
In the UK the existing E-Privacy rules are mainly found in the Privacy and Electronic Communications (EC Directive) Regulations. The two areas of these rules that probably affect organisations the most are direct marketing and cookies (small data files stored on a user’s computer, phone or tablet).
It is worth highlighting that the scope of the proposed E-Privacy Regulation covers all electronic communications data: it is not limited to ‘personal data’ but covers data related to an end-user, including so-called ‘metadata’. Metadata is essentially data that provides information about other data; in the E-Privacy context, as described in the proposed E-Privacy Regulation, it is data used to trace the source and/or location of a communication, and the time, date and duration of a communication, etc. The proposed E-Privacy Regulation also provides for a general confidentiality obligation for electronic communications data.
Although the original 2017 proposal was supposed to come into force at the same time as GDPR (May 2018) this didn’t happen. It has had a tortuous history in the EU legislative pipeline (despite being a fairly brief proposal) and ran aground at the end of last year due to major disagreement between the EU Member States about certain areas that had proved highly contentious.
In order to restart things, the Croatian Presidency of the Council of the EU recently issued a limited number of proposed amendments concerning what are understood to have been the main contentious issues.
What are the key aspects of the proposed amendments?
The original version of the proposed E-Privacy Regulation was underpinned by consent (the definition of and conditions for consent will be the same as under GDPR). The interesting new development in the latest proposed amendments allows for the possibility of relying on so-called ‘legitimate interests’ to process metadata and place cookies or similar technologies on end-users’ terminals, subject to the following specific conditions and safeguards:
- Doing an assessment of the impact of envisaged processing on the confidentiality of communications and the privacy of end-users and of the use of the processing and storage capabilities or the collection of information from end-users’ terminal equipment;
- Informing end-users about envisaged processing operations based on ‘legitimate interests’ and of end-users’ right to object to this processing; and,
- Implementing appropriate technical and organisational measures such as pseudonymisation and encryption.
But, end-users’ interests will be deemed to override the interests of the electronic communications service or network provider if the metadata or information collected through cookies and similar technologies:
- Is used to determine the nature and characteristics of end-users, or to build an individual profile of end-users; or,
- Contains sensitive/special category personal data (as defined under GDPR).
- “A legitimate interest could be relied upon where the end-user could reasonably expect such storage, processing or collection of information in or from her or his terminal equipment in the context of an existing customer relationship with the service provider. For instance, maintaining or restoring the security of information society services or of the end-user’s terminal equipment, or preventing fraud or detecting technical faults might constitute a legitimate interest of the service provider.
- Similarly, using the processing and storage capabilities of terminal equipment to fix security vulnerabilities and other security bugs might constitute a legitimate interest, provided that such updates do not in any way change the functionality of the hardware or software or the privacy settings chosen by the end-user and the end-user has the possibility to postpone or turn off the automatic installation of such updates. Software updates that do not exclusively have a security purpose, for example those intended to add new features to an application or improve its performance, should not be considered as a legitimate interest.
- A legitimate interest could also be relied upon by a service provider whose website content or services are accessible without direct monetary payment and wholly or mainly financed by advertising, provided that these services safeguard the freedom of expression and information including for journalistic purposes, such as online newspaper or other press publications […] and the end-user has been provided with clear, precise and user-friendly information about the purposes of the cookies or similar techniques used and has accepted such use”.
A proposed amendment to the recitals of the proposed E-Privacy Regulation also gives examples of situations where ‘legitimate interests’ can be relied upon for processing metadata, similar to those referred to for cookies above.
The proposed amendments to the recitals also have the following interesting new provision about cookies and consent:
- “End-users are often requested to provide consent to the storage and access to stored data in their terminal equipment, due to the ubiquitous use of tracking cookies and similar tracking technologies. As a result, end-users may be overloaded with requests to provide consent. This can lead to a situation where consent request information is no longer read and the protection offered by consent is undermined. Implementation of technical means in electronic communications software to provide specific and informed consent through transparent and user-friendly settings can be useful to address this issue. Where available and technically feasible, an end-user may therefore grant, through software settings, consent to a specific provider for the use of processing and storage capabilities of his or her terminal equipment for one or multiple specific purposes across one or more specific services of that provider. For example, an end-user can give consent to the use of certain types of cookies by whitelisting one or several providers for their specified purposes. Providers of software are encouraged to include settings in their software which allow end-users, in a user-friendly and transparent manner, to manage consent to the storage and access to stored data in their terminal equipment by easily setting up and amending whitelists and withdrawing consent at any moment.”
The latest proposal can be found here: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CONSIL:ST_5979_2020_INIT&from=EN.
What are the next steps?
The EU Member States are meeting this month to discuss the proposed amendments. The Croatian Presidency of the Council of the EU has also said that it is considering possible changes to other aspects of the proposed EU E-Privacy Regulation and that it intends to issue a proposal about these soon.
Because the UK has now left the EU (under Brexit) the proposed EU E-Privacy Regulation (if and when fully adopted and in force) would not apply to the UK. But, despite recent political declarations about possible regulatory divergence in the area of data protection, it can’t be ruled out at this stage that the UK decides to align UK E-Privacy rules in some way with the proposed EU E-Privacy Regulation.
What should I be doing now?
Businesses should keep track of the progress of the proposed EU E-Privacy Regulation and start planning for possible compliance changes that they may need to make, in particular as regards legitimate interests and cookies.
For FAQs that we have written about the UK’s guidance on cookies please see here: https://www.corderycompliance.com/ico-cookies-guidance-faqs/.
We also recently wrote about the ICO’s updated Brexit Data Protection Guidance, which can be found here: https://www.corderycompliance.com/ico-updated-brexit-dp-guidance-and-resources/.
We report about data protection issues here: http://www.corderycompliance.com/category/data-protection-privacy/.
For more about GDPR please also see our GDPR FAQs which can be found here: http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/ and our Data Protection Glossary which can be found here: http://www.corderycompliance.com/?s=glossary.
Cordery’s GDPR Navigator includes resources to help deal with data protection compliance. GDPR Navigator includes:
- Detailed guidance on the security aspects of GDPR in paper and on film;
- A template data breach log;
- A template data breach plan; and,
- A template data breach reporting form.
For information about our Breach Navigator tool please see here: https://www.corderycompliance.com/solutions/breach-navigator/.
For more information please contact André Bywater or Jonathan Armstrong who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1785