Just over four years after the European Commission proposed its draft ePrivacy Regulation, the Presidency of the Council of the EU has announced that member states have reached agreement on a draft text. The proposed Regulation will now enter trilogue negotiations between the Commission, the Council and the European Parliament.

What is the ePrivacy Regulation?

The ePrivacy Regulation is a proposed law to replace existing EU laws regulating the privacy of electronic communications, the use of cookies and other tracking technologies and electronic marketing. Current laws are out of date, do not reflect modern technology or communications services.

Among the proposals in the ePrivacy Regulation are extending the rules on confidentiality of communications to "over the top" service providers (for example, app based messaging services) and updating ineffective laws on the use of cookies, device fingerprinting and tracking technologies. The Regulation will also introduce new rules on the use of metadata.

As with GDPR, the new law will take the form of a regulation. That means it has direct effect in member states, which should ensure greater consistency. It is also backed up by GDPR style enforcement powers for supervisory authorities.

The Commission proposed a draft text in January 20217. Interestingly, it's taken almost exactly the same length of time for the Council to reach agreement on the ePrivacy Regulation as it took the Council to reach an agreed position on GDPR.

What does the Council's proposed text say?

Part of the reason that it has taken the Council so long to reach agreement on a text is to do with differing views on issues such as online behavioural advertising and the use of cookie walls on websites. 

The Commission originally proposed that the ePrivacy Regulation would come into effect at the same time as GDPR - back in May 2018. Many Council presidencies have tried and failed over the last four years to reach a political agreement between member states. The Portuguese Presidency has achieved what  many thought might be impossible.

The Council's text contains a number of amendments and clarifications to the Commission's proposal.

On cookie walls, the Council's text states that organisations can make access to a website conditional upon consent to the use of cookies, but the user has to have a a genuine choice. That means the user must be presented with an equivalent way of accessing the website or service that does not involve consenting to cookies. 

That sounds fine in principle, and reflects the GDPR definition of consent that is referenced in the Regulation, but it remains to be seen what this means in practice. What would that alternative look like? 

As with the current Directive, consent to cookies and tracking technology is not required where it is "strictly necessary" for providing the service requested. The text adds to this by including a number of express derogations from the requirement to obtain consent to access a device, including analytics (or "audience measuring") and updates necessary for security, fraud prevention or to detect technical faults. There is also an exception for necessary software updates.

In line with previous drafts the Council text does not include the Commission's proposal that device and software providers must include settings within their software to enable users to control consents. This is despite the Council text noting that users are often "overloaded" with requests for consent and that software settings can provide users with a more user friendly way of controlling consents - for example by creating whitelists for certain types of cookies or providers.

On electronic marketing, the Council text agrees with the retention of the soft opt-in for marketing to existing customers of goods and services. The Council text does, however, permit member states to limit the period during which electronic marketing can be sent following the purchase of goods or services.

What about Brexit?

As the UK is no longer a member of the EU, the final Regulation will not apply in the UK. UK ePrivacy law is based on the 2002 Directive. While this has been amended over the years, as with ePrivacy laws in the EU, an update is long overdue. It remains to be seen whether and to what extent the UK Government decides to mirror the adopted ePrivacy Regulation.

However, even if the UK Government does not mirror the ePrivacy Regulation it will still be relevant to many UK businesses. That's because the ePrivacy Regulation will contain similar provisions to GDPR on territorial scope. This means UK businesses that provide electronic communications services to users in the EU, use tracking technologies or send electronic marketing to users in the EU will be caught by the Regulation. 

As with GDPR, those businesses may also need to appoint an EU representative.

More information

The Council's draft text is available on the the Council of the EU website (PDF).

You can also read the Portuguese Presidency's press release.

The Commission, Council and Parliament will now enter trilogue discussions to reach agreement on a final text. This may take some time. There are a number of differences to be resolved - in particular in relation to to the thorny issue of OBA and AdTech. Watch this space.

If you would like to discuss the proposed ePrivacy Regulation, or the impact of ePrivacy laws on your organisation, please get in touch with Martin Sloan or Grant Campbell.


Martin Sloan