Additional author: Salome Peters, Legal Intern, Mayer Brown
On 10 February 2021, the EU Member States agreed on a position for revised rules on the privacy and confidentiality of electronic communications, which allows the Council presidency to start discussions with the European Parliament on the final text of the planned ePrivacy regulation.
A Digital Future for Europe
The goal of the EU is to support the digital transformation in Europe. Especially in light of the COVID-19 pandemic, the EU is working to accelerate the technological transition. Digitalisation is crucial in fostering new forms of growth and strengthening the EU’s resilience. The EU is working on several policies contributing to achieving the goal of digital transition and the main policy areas are digital services, data economy, artificial intelligence, enabling technologies, connectivity and cybersecurity. A key element of the digital transition is to protect the values of the EU and the fundamental rights and security of their citizens.
Scope of the ePrivacy Regulation
The current ePrivacy directive contains rules on the protection of privacy and confidentiality in the use of electronic communications services, but it needs to be updated in light of new technological developments such as the widespread use of Internet-based services like voice communication, e-mail and text messaging, and new techniques to track users’ online behaviour. The planned update of the current ePrivacy directive will be in the form of a regulation which will be directly applicable in all EU Member States, as opposed to a directive which would need to be transposed into national law by the EU Member States.
The planned ePrivacy regulation will apply when end-users are in the EU, even when their communications data is processed outside the EU. Many ePrivacy provisions will apply to both natural and legal persons. It will cover not only the content of electronic communications transmitted through publicly available services and networks but also metadata, including, for instance, information on location, time and recipient of communication. As a main rule, electronic communications data shall be confidential and any processing of such data shall only be allowed in specific circumstances.
Other topics such as online identification, public directories, and unsolicited and direct marketing are also within the scope of the draft ePrivacy regulation.
ePrivacy and the GDPR
The ePrivacy regulation will repeal the existing ePrivacy directive and specify and complement the GDPR. Its systematic application contains parallels to that of the GDPR; in particular, the principle that processing shall only be allowed in certain specific cases. The Council's position is that processing of electronic communications data shall be permitted when the end-user concerned has given consent, when processing is necessary for the performance of an electronic communications service contract to which the user is a party, or to ensure the integrity of the communications service (e.g. checking for malware or viruses), among others. The following are some of the legal bases for processing of metadata that are acceptable in the Council's view: to detect fraud, to protect users' vital interests, to monitor epidemics and their spread or in case of humanitarian emergencies. Similarly to the GDPR, the Council maintains that the ePrivacy regulation should only allow the processing of communications data for purposes other than those for which data was collected under strict conditions; in particular, that the new purpose is compatible with the initial purpose.
The revision of the ePrivacy directive is long overdue and very welcome, but it is likely that the current proposal will undergo a few more changes during negotiations with the European Parliament before entering into force. The regulation would start to apply two years after its publication in the EU Official Journal.
ePrivacy Regulation and Brexit
As the UK is no longer part of the European Union, once a final text of the ePrivacy regulation is adopted, it will not apply directly in the UK. However, UK and other non-EU businesses might still find themselves in the scope of the ePrivacy regulation; for example, if they provide electronic communications services to end-users in the EU or send direct marketing communications to EU end-users. It remains to be seen if the UK will reform its Privacy and Electronic Communications Regulations 2003 (which transposed the ePrivacy directive into UK law) and whether any update will contain similar rules to the ones in the ePrivacy regulation.