Choose Site

LawFlash

Pending EU ePrivacy Regulation Could Bring Major Changes to Metadata Processing, Cookie Consents

February 11, 2021

The Council of the European Union (Council) released a new draft of the ePrivacy Regulation (Council doc. 5642/21) on January 5, 2021. Various versions of the ePrivacy Regulation have been under consideration in the Council since 2017, but the EU member states have been unable to reach an agreement on a final version. The regulation, originally intended to go into effect with the GDPR, provides specific rules governing electronic communications. If enacted, it would replace the ePrivacy Directive of 2009, supplement the GDPR’s general principles, and bring significant changes particularly in two areas: the processing of metadata on end-user devices and obtaining cookie consents from website users. The current draft places more restrictions on how companies handle metadata but simplifies the process for obtaining cookie consents.

Companies operating in the European Union should continue to monitor developments with the ePrivacy Regulation, including how the latest proposals on metadata processing and cookie consents are received by EU member states and the Council.

Background

Rapid technological developments and the absence of uniform rules on metadata processing in the European Union have increased calls for more regulation in this area. The drafters of the current version of the ePrivacy Regulation emphasized that metadata requires added protections beyond the GDPR because such data provides vast insight into the private lives of data subjects. The current draft would regulate metadata that reveals the location, time, and identity of persons involved in electronic communications.

Supplementing existing requirements under the GDPR, the latest draft also addresses when disclosures must be made to end users about metadata processing, the circumstances under which metadata may be stored, and the length of time metadata can be stored. With the user’s consent, service providers could, for example, use metadata to display traffic movements to help public authorities and transport operators to develop new infrastructure where it is most needed.

In addition to metadata, the draft regulation also attempts to reform cookie consent obligations. If enacted, companies operating in the European Union could be relieved of some data protection and notification burdens related to website cookies. In turn, these changes should reduce the extensive cookie banners and policies users face when visiting websites. Critics have contended that current rules on cookie banners have led to “cookie banner fatigue” among website users.

Proposed Changes

While the current draft follows the structure adopted by the preceding draft, the new draft includes several substantive changes.

  • In regard to metadata, the draft provides a more precise definition of “location data” as any “data processed by means of an electronic communications network or service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service.”

The new draft also includes several amendments on the proposed rules on processing of metadata from the European Economic Area and United Kingdom. In particular, the most important suggested changes are the following:

  • The draft clarifies the definition of covered metadata as including the following types: the telephone numbers called and the websites visited, including the geographical location of the caller or website user; and the time, date, and duration when an individual made a call or visited a website.
  • If the processing of metadata is likely to result in a high risk to the rights and freedoms of natural persons, a data protection impact assessment (Art. 25 GDPR) and a consultation with the supervisory authority should take place before any processing occurs.
  • The amendments to the draft make clear that the processing of metadata for the “performance of a contract” may serve as a legal basis for processing under Art. 6 (1)(b) GDPR. Permitted processing activities include billing, calculating interconnection payments, and detecting and stopping fraudulent or abusive use of electronic communications service.

On cookies consents, the draft addresses the existing requirement that companies under the GDPR and the recent judgments of the CJEU must obtain specific, revocable, and informed consent from ends users, unless the cookies are “strictly necessary” for the website. Under the GDPR, this means that individual consent must be obtained through cookie banners and cookie settings. The consent requirement applies to everyone who is doing business in Europe (cf. Art. 3 GDPR) and operates a website that processes EU personal data, not only to companies in the telecom sector.

  • The draft simplifies the current consent requirements by allowing users to provide consent through browser settings. According to the drafters, “an end-user can give consent to the use of certain types of cookies by whitelisting one or several providers for their specified purposes.”
  • Under this proposed change, it appears each end user would need to actively whitelist “one or several providers for their specified purposes to avoid cookie consents.” A more general cookie setting of the browser would not suffice. Even with these changes, it will still be burdensome for companies to comply with European cookie consent rules.

Some of the ePrivacy regulation’s current provisions, such as clarifying the legal basis for processing metadata, are unlikely to meet resistance from EU members. However, in light of the GDPR and the strict interpretation of “cookie consent” by EU courts, proposed changes in this are likely to be more controversial. The draft regulation was on the agenda for the EU Council on 02/04/21. The EU Council voted on February 10, 2021 on a mandate to negotiate the draft regulation with the EU Parliament. It is unclear whether this new draft will gain enough support to pass or whether it will undergo further changes and stall like prior versions over the last four years.

CONTACTS

If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:

Philadelphia
Tess Blair
William Childress

Washington, DC
Dr. Axel Spies
Stephany Fan