The Council of the European Union (Council) released a new draft of the ePrivacy Regulation (Council doc. 5642/21) on January 5, 2021. Various versions of the ePrivacy Regulation have been under consideration in the Council since 2017, but the EU member states have been unable to reach an agreement on a final version. The regulation, originally intended to go into effect with the GDPR, provides specific rules governing electronic communications. If enacted, it would replace the ePrivacy Directive of 2009, supplement the GDPR’s general principles, and bring significant changes particularly in two areas: the processing of metadata on end-user devices and obtaining cookie consents from website users. The current draft places more restrictions on how companies handle metadata but simplifies the process for obtaining cookie consents.
Companies operating in the European Union should continue to monitor developments with the ePrivacy Regulation, including how the latest proposals on metadata processing and cookie consents are received by EU member states and the Council.
Rapid technological developments and the absence of uniform rules on metadata processing in the European Union have increased calls for more regulation in this area. The drafters of the current version of the ePrivacy Regulation emphasized that metadata requires added protections beyond the GDPR because such data provides vast insight into the private lives of data subjects. The current draft would regulate metadata that reveals the location, time, and identity of persons involved in electronic communications.
Supplementing existing requirements under the GDPR, the latest draft also addresses when disclosures must be made to end users about metadata processing, the circumstances under which metadata may be stored, and the length of time metadata can be stored. With the user’s consent, service providers could, for example, use metadata to display traffic movements to help public authorities and transport operators to develop new infrastructure where it is most needed.
In addition to metadata, the draft regulation also attempts to reform cookie consent obligations. If enacted, companies operating in the European Union could be relieved of some data protection and notification burdens related to website cookies. In turn, these changes should reduce the extensive cookie banners and policies users face when visiting websites. Critics have contended that current rules on cookie banners have led to “cookie banner fatigue” among website users.
While the current draft follows the structure adopted by the preceding draft, the new draft includes several substantive changes.
The new draft also includes several amendments to the proposed rules on the processing of metadata from the European Economic Area and United Kingdom. In particular, the most important suggested changes are the following:
On cookie consents, the draft addresses the existing requirement, under the GDPR and the recent judgments of the CJEU, that companies must obtain specific, revocable, and informed consent from end users, unless the cookies are “strictly necessary” for the website. Under the GDPR, this means that individual consent must be obtained through cookie banners and cookie settings. The consent requirement applies to everyone who is doing business in Europe (cf. Art. 3 GDPR) and operates a website that processes EU personal data, not only to companies in the telecom sector.
Some of the ePrivacy Regulation’s current provisions, such as clarifying the legal basis for processing metadata, are unlikely to meet resistance from EU members. However, in light of the GDPR and the strict interpretation of “cookie consent” by EU courts, proposed changes in this area are likely to be more controversial. The draft regulation was on the agenda for the EU Council on 02/04/21. The EU Council voted on February 10, 2021 on a mandate to negotiate the draft regulation with the EU Parliament. It is unclear whether this new draft will gain enough support to pass or whether it will undergo further changes and stall like prior versions over the last four years.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact the following Morgan Lewis lawyer:
Washington, DC
Dr. Axel Spies