Member States have agreed on a negotiating mandate for revised rules on the protection of privacy and confidentiality in the use of electronic communications services. The agreement allows the Portuguese presidency to start talks with the European Parliament on the final text. Pedro Nuno Santos, President of the Council, said that the path to the agreed position “has not been easy”, but that the Council now has a mandate that “strikes a good balance between solid protection of the private life of individuals and fostering the development of new technologies and innovation”.

The Council says that an update to the existing E-Privacy Directive (2002/58/EC) is needed to cater for new technological and market developments, such as the current widespread use of Voice over IP, web-based email and messaging services, and the emergence of new techniques for tracking users’ online behaviour.

The draft E-Privacy Regulation will repeal the existing Directive and complement the GDPR. For example, in contrast to the GDPR, many e-privacy provisions will apply to both natural and legal persons.

Under the Council mandate, the Regulation will cover electronic communications content transmitted using publicly available services and networks, and metadata related to the communication. Metadata includes, for example, information on location and the time and recipient of communication. It is considered to be potentially as sensitive as the content itself. To ensure full protection of privacy rights and to promote a trusted and secure Internet of Things, the rules will also cover machine-to-machine data transmitted via a public network.

The rules will apply when end users are in the EU. The Regulation will have extra-territorial effect and cover cases where the processing takes place outside the EU or the service provider is established or located outside the EU.

As a general rule, electronic communications data will be confidential. Any interference, including listening to, monitoring and processing of data by anyone other than the end user will be prohibited, except when permitted by the new Regulation.

Processing of electronic communications data that is permitted without the consent of the user includes, for example, ensuring the integrity of communications services, checking for the presence of malware or viruses, or cases where the service provider is bound by EU or Member States’ law for the prosecution of criminal offences or prevention of threats to public security. Metadata may be processed, for instance, or for detecting or stopping fraudulent use, but also for billing purposes.

With the user’s consent, service providers could, for example, use metadata to display traffic movements to help public authorities and transport operators to develop new infrastructure where it is most needed. Metadata may also be processed to protect users’ vital interests, including for monitoring epidemics and their spread or in humanitarian emergencies, in particular natural and man-made disasters.

In certain cases, providers of electronic communications networks and services may process metadata for a purpose other than that for which it was collected, even when this is not based on the user’s consent or certain provisions on legislative measures under EU or Member State law. Processing for another purpose must be compatible with the initial purpose, and strong specific safeguards apply to it.

As a user’s terminal equipment, including both hardware and software, stores highly personal information such as photos and contact lists, the use of processing and storage capabilities and the collection of information from the device will only be allowed with the user’s consent or for other specific transparent purposes laid down in the Regulation.

The end user should have a genuine choice on whether to accept cookies or similar identifiers. Making access to a website dependent on consent to the use of cookies for additional purposes as an alternative to a paywall will be allowed if the user is able to choose between that offer and an equivalent offer by the same provider that does not involve consenting to cookies.

To avoid cookie consent fatigue, an end user will be able to give consent to the use of certain types of cookies by whitelisting one or several providers in their browser settings. Software providers will be encouraged to make it easy for users to set up and amend whitelists on their browsers and to withdraw consent at any moment.

The text also includes rules on line identification, public directories, and unsolicited and direct marketing.

The Council and the European Parliament will now negotiate the terms of the final text. The Regulation would enter into force 20 days after its publication in the EU Official Journal and would start to apply two years later. This is not the case for the UK now that the Brexit transition period is over. The UK Government has not indicated whether it will introduce legislation to align with the new EU rules or not. To read the Council’s press release in full and for a link to the draft text, click here.