EU's Portuguese presidency releases new draft of ePrivacy Regulation

Europe

On 5 January 2021, the Council of the EU – with Portugal serving as the President-in-Office – released a new draft version of the ePrivacy Regulation, which is meant to replace the ePrivacy Directive.

New provisions in the recent draft

The new draft does not include any amendments to the conceptual framework of the Regulation, but includes significant changes to the main text of the previous draft. According to the Portuguese presidency, the amendments seek to simplify the text of the Regulation, make it more consistent with the provisions of the General Data Protection Regulation (GDPR) and more clearly reflect the Regulation’s lex specialis relationship to the GDPR. The following is a summary of the main amendments to the draft:

  • The Regulation allows for the processing of personal data by a controller not established in the EEA, but established in a place where the law of a member state applies via public international law. The purpose of this provision is to align the territorial scope of the Regulation with that of the GDPR.

  • “Location data” is defined in the new draft.

  • The Regulation reinserts provisions that authorise the processing of electronic communications data (including metadata) for purposes compatible with the initial purpose of the data collection. (This provision had been previously deleted by the Croatian presidency).

  • The Regulation inserts the GDPR standard of processing for the “performance of a contract” in the ePrivacy Regulation by authorising service providers to process electronic communications data (and metadata) for the purpose of “providing an electronic communication service.” The previous version of the draft authorised service providers to process electronic communications data without consent only for the purpose of “achiev[ing] the transmission of the communication.”

  • The new draft requires service providers sharing anonymised statistical electronic communications data with third parties to carry out a data protection impact assessment and inform end-users of the envisaged processing operations. This is an entirely new provision.

  • The new draft authorises service providers to access data on the end-users’ devices where necessary for the performance of a contract, while the previous draft only granted this for the purposes of the “technical” performance of the contract.

ePrivacy Regulation and GDPR

The scope of the ePrivacy Regulation is wider than the GDPR since the ePrivacy Regulation regulates the processing of all electronic communications data and the data gathered from the devices of end-users, irrespective of whether it is personal data or not. Still, because there may be situations where both the GDPR and the Regulation apply to the processing of data, some amendments explicitly seek to ensure that the principles laid down in connection with the processing of electronic communications data apply without contradiction to the GDPR.

EDPB not entirely satisfied with new draft

After the release of the new draft, the European Data Protection Board (EPDB) issued a statement expressing concerns. The EDPB emphasised the need for further reinforcement of the guarantees provided by the draft possibly through:

  • amending the GDPR to enable it to provide protection for all electronic communications and their confidentiality;

  • allowing for the processing of electronic communications metadata without consent only in an anonymised form;

  • authorising supervisory authorities established pursuant to the GDPR only to assess the processing of data falling within the scope of the ePrivacy Regulation to ensure a single mechanism of supervision.

  • establishing a single contact point for all personal data processing operations falling within the scope of the ePrivacy Regulation.

The draft of the Regulation is scheduled to enter into force on the 20th day after its publication and will be applicable a year after.

Since it is too early to assess how the new draft will be received by EU member states, we will continue to monitor proceedings. For more information on this Regulation and data protection and privacy issues in the EU, contact your regular CMS partner or local CMS experts.

The article was co-authored by Zsolt Zsurzsa.