Next-gen privacy: Examining the EU’s ePrivacy Regulation

On 26 May, EACA joined IAB Europe in its webinar on “Policy & Data Protection” during which they discussed the GDPR’s enforcement in the context of ePrivacy trilogues.

On 10 February 2021, EU Member States agreed on a joint position on the draft ePrivacy regulation, which kicked off so-called trilogue negotiations (Commission, Council, European Parliament) on the final text of the envisaged ePrivacy Regulation. Once adopted, the regulation would become applicable 2 years after publication in the Official Journal of the EU.

Scope of the ePrivacy Regulation

The current ePrivacy Directive contains rules on protecting privacy and confidentiality in the use of electronic communication services. Updates are needed in light of new technological developments such as voice communication, email and text messaging, and new techniques for tracking users’ online behaviour. The planned regulation will be directly applicable in all EU Member States, as opposed to a directive that would have to be transposed into national law.

The envisaged ePrivacy Regulation will apply when end-users are in the EU, even when their communications data are processed outside the EU. Many ePrivacy provisions will apply to both natural and legal persons. It will cover not only the content of electronic communications transmitted through publicly available services and networks but also metadata, including, for example, information about the place, time, and recipient of the communication. As a main rule, electronic communications data will need to be confidential, and any processing of such data will only be permitted in specific circumstances.

ePrivacy and the GDPR

The ePrivacy Regulation will repeal the existing ePrivacy Directive and specify and complement the GDPR. Its systematic application contains parallels to that of the GDPR; in particular, the principle that processing is only allowed in certain specific cases. The Council’s position is that the processing of electronic communication data is permitted when the end-user concerned has given consent, when the processing is necessary for the performance of an electronic communication service contract to which the user is a party, or to ensure the integrity of the communication service (e.g., malware or virus control), among others.

The following are some of the legal bases for processing metadata that are acceptable according to the Council: to detect fraud, to protect the vital interests of users, to monitor epidemics and their spread, or in case of humanitarian emergencies. According to the Council position, processing of communications data for purposes other than those for which the data was collected should only be allowed under strict conditions. Any further processing would need to be compatible with the original purpose.