After three years of delays, it now looks as if the new European e-privacy regulation will enter into effect before the end of 2021. This week’s blog discusses the regulation’s scope, the key changes it is likely to introduce and a number of EDPB recommendations.
After years of delay, the European Council has finally, in a recent press release, announced the upcoming start of negotiations on the e-privacy regulation, a first proposal of which was published as far back as 2017. Originally, the plan was to have this e-privacy regulation enter into effect simultaneous with the GDPR. As it turns out, the proposal enters the last phase of the legislative process only now, in early 2021.
The regulation is intended to complement the GDPR, in an attempt to provide a comprehensive European framework of privacy and data protection.
In this week’s blog, we will take a closer look at what sort of practical changes the e-privacy regulation may ultimately bring about, while also discussing a number of aspects where the EDPB would have preferred an alternative approach. The question we will be trying to answer is, in other words: ‘What are the effects the e-privacy regulation is likely to have?’
First of all, it is important to note that what we are talking about here is a regulation, which means that, as such, it will directly come into effect in all EU member states, applying to the entire field of electronic communication, including telephone and internet.
The current e-privacy guideline is no more than a set of rules, or recommendations, on the protection of electronic communication content. The new regulation is intended to also protect the metadata involved in such communication, for the very good reason that, as we have explained in our previous blog, these metadata may also contain sensitive information. In this context, then, the new regulation will offer users an extended level of protection. In practical terms, what this means is that providers will no longer be allowed to scan emails or make further use of location data provided by text messages and apps.
Without consent from the user, data derived from these types of confidential electronic communication may only be used for ‘purposes dictated by necessity’. For instance, where the purpose is to ensure safe connections or to ensure that, in case of technical malfunctions, messages are still delivered to the recipients.
In a reaction to the proposed law the EDPB emphasises that it is imperative for the new e-privacy regulation not to result in a weakening of the protection of personal data and for the new rules to be in line with the requirements of the GDPR.
Surprisingly, the e-privacy regulation does not include a ban on the use of cookie walls, which are consent banners requiring users to generally accept all cookies in order to enter the site. What makes this remarkable is a statement from the European supervisor specifying that the use of cookie walls precludes the legal validity of obtained consent. Why the choice has been made not to include a ruling on this issue, is unclear. The EDPB has recommended for the e-privacy regulation to also, in line with the GDPR, prohibit the use of cookie walls.
Also, the EDPB has emphasised that the overall premise of the regulation lies in the fundamental confidentiality of electronic communication. Which, among many other things, also means that it cannot be left to the controller to decide whether or not further processing of data is necessary. The interpretation of necessity is not a matter of opinion. It should be the subject of strict interpretation, with further processing only being admissible in the presence of compelling technical reasons.
So, returning to our initial question of ‘What are the effects the e-privacy regulation is likely to have?’ it is safe to say that the new regulation will be a positive extension of the implementation of the right to privacy. For one thing, it introduces the long overdue recognition of the confidential nature of metadata used in electronic communication. Also, the new regulation will add a welcome level of convenience by offering users the option, browser providers willing, to permanently and universally set their cookie preferences with a single action. On the other hand, it remains hard to understand why the new regulation does not include a ban on cookie walls, where, according to the EDPB, it would have been the logical choice to do so.