E-privacy regulation – Good news for the average citizen?

After three years of delays, it now looks as if the new European e-privacy regulation will enter into effect before the end of 2021. This week’s blog discusses the regulation’s scope, the key changes it is likely to introduce and a number of EDPB recommendations.

After years of delay, the European Council has finally, in a recent press release, announced the upcoming start of negotiations on the e-privacy regulation, a first proposal of which was published as far back as 2017. Originally, the plan was to have this e-privacy regulation enter into effect simultaneously with the GDPR. As it turns out, the proposal is only now, in early 2021, entering the last phase of the legislative process.

The purpose of the e-privacy regulation is to protect the confidentiality and safety of electronic communication in the EU, with the general effect of giving citizens more control over the use of cookies and metadata.

The regulation is intended to complement the GDPR, in an attempt to provide a comprehensive European framework of privacy and data protection.

In this week’s blog, we will take a closer look at what sort of practical changes the e-privacy regulation may ultimately bring about, while also discussing a number of aspects where the EDPB would have preferred an alternative approach. The question we will be trying to answer is, in other words: ‘What are the effects the e-privacy regulation is likely to have?’

Broad scope

First of all, it is important to note that what we are talking about here is a regulation, which means that it will take effect directly in all EU member states, applying to the entire field of electronic communication, including telephone and internet.

Currently, the e-privacy guideline is still in force, but its scope is much more limited, as the rules apply exclusively to telecommunications companies. In contrast, the e-privacy regulation, once it enters into force, will also (or is at least intended to) safeguard the confidentiality of, among other things, email services, texting, WhatsApp, Facebook, Instagram, metadata, telemarketing, data collection through the use of cookies and all other services which entail communication by electronic means. Moreover, the regulation will also apply to devices communicating through the Internet of Things, the intention being to create a system of legislation sufficiently broad in its formulation to also cover future technologies and new electronic communication services.

Key changes

The current e-privacy guideline is no more than a set of rules, or recommendations, on the protection of electronic communication content. The new regulation is intended to also protect the metadata involved in such communication, for the very good reason that, as we have explained in our previous blog, these metadata may also contain sensitive information. In this context, then, the new regulation will offer users an extended level of protection. In practical terms, what this means is that providers will no longer be allowed to scan emails or make further use of location data provided by text messages and apps.

Without consent from the user, data derived from these types of confidential electronic communication may only be used for ‘purposes dictated by necessity’, for instance where the purpose is to ensure safe connections or to ensure that, in case of technical malfunctions, messages are still delivered to the recipients.

Currently, the common practice is for websites to display a banner offering visitors the option to explicitly refuse or allow the use of tracking and marketing cookies. One of the changes the regulation will introduce is that users will be given the legally valid option to generally accept or refuse cookies in the settings of their web browser, without having to go through the same procedure over and over again for every site they visit. Obviously, the browser they use will have to support this option.

EDPB recommendations

In a reaction to the proposed law, the EDPB emphasises that it is imperative for the new e-privacy regulation not to result in a weakening of the protection of personal data and for the new rules to be in line with the requirements of the GDPR.

Surprisingly, the e-privacy regulation does not include a ban on the use of cookie walls, which are consent banners requiring users to generally accept all cookies in order to enter the site. What makes this remarkable is a statement from the European supervisor specifying that the use of cookie walls precludes the legal validity of obtained consent. Why the choice has been made not to include a ruling on this issue is unclear. The EDPB has recommended that the e-privacy regulation also, in line with the GDPR, prohibit the use of cookie walls.

Also, the EDPB has emphasised that the overall premise of the regulation lies in the fundamental confidentiality of electronic communication. Among many other things, this means that it cannot be left to the controller to decide whether or not further processing of data is necessary. The interpretation of necessity is not a matter of opinion. It should be the subject of strict interpretation, with further processing only being admissible in the presence of compelling technical reasons.

So, returning to our initial question of ‘What are the effects the e-privacy regulation is likely to have?’ it is safe to say that the new regulation will be a positive extension of the implementation of the right to privacy. For one thing, it introduces the long overdue recognition of the confidential nature of metadata used in electronic communication. Also, the new regulation will add a welcome level of convenience by offering users the option, browser providers willing, to permanently and universally set their cookie preferences with a single action. On the other hand, it remains hard to understand why the new regulation does not include a ban on cookie walls, where, according to the EDPB, it would have been the logical choice to do so.

Darinka Zarić

Darinka Zarić is a legal counsel at The Privacy Factory. Legal issues regarding the digital society appeal to her, especially in the field of privacy law and the use of big data. She is currently following the master's programme Internet, Intellectual Property and IT-Law at the Vrije Universiteit Amsterdam.
