Paul Voigt, Axel von dem Bussche: the EU ePrivacy Regulation – Preliminary Guidance and Commentary

Introduction

The proposed ‘Regulation of the European Parliament and of the Council concerning respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications)’ (hereinafter ‘ePrivacy Regulation’) is supposed to regulate a number of subject matters associated with electronic communications on a European level. It is concerned, in particular, with the processing of communications data and the use of cookies and similar technologies. Other issues covered include tracking of devices – online and offline –, calling line identification, electronic (telephone) directories and direct marketing communications.

As the ePrivacy Regulation has not (yet) been adopted, this commentary is mainly based on a draft version which was approved by the Council of the European Union on 10 February 2021.[1] Any subsequent mention of the ePrivacy Regulation is a reference to the respective provision of the Council’s proposal, unless explicitly declared otherwise. However, considerations and suggestions made by other European institutions, particularly by the European Commission in its initial proposal for an ePrivacy Regulation of 10 January 2017 (‘ePR Commission Proposal 2017’),[2] as well as the EDPB and positions of Member States will be taken into account as well and referred to eventually.

When evaluating the ePrivacy Regulation, reference can be made not only to the actual legal text in the Articles of the Regulation, but also to the Recitals that precede them. These serve as a guide for the regulatory subject matter and may be referred to for purposes of application and interpretation. Basically, the recitals are an interpretation aid offered by the legislator. In addition, the ePR Commission Proposal 2017, which essentially initiated the legislative project, also provides an Explanatory Memorandum, which can be consulted in order to understand the reasoning leading to the legislation.[3] In this memorandum, general statements are made with respect to the grounds and needs for regulation, as well as declarations on competences and means of legislation. The statements in the Explanatory Memorandum remain useful when interpreting the current Council version of the ePrivacy Regulation as well.

It is the main object and purpose of the ePrivacy Regulation, as defined in its Art. 1 Sec. 1 and highlighted in its associated Recital 1, to promote the protection of fundamental rights and freedoms, particularly the respect for private life in accordance with Art. 7 of the Charter of Fundamental Rights of the European Union (‘EU Charter’), the protection of personal data and, in particular, confidentiality of communications of individuals and – which is a novelty – legal persons alike, as explicitly stipulated by Art. 1 Sec. 1a ePrivacy Regulation (Art. 1 No. I.1.a)).[4] Confidentiality of communications is considered a major facet of the more general right to privacy.

With a focus on electronic communications, the ePrivacy Regulation intends to complement and particularise the European General Data Protection Regulation (‘GDPR’)[5], mainly by laying down more specific rules for electronic communications, see Art. 1 Sec. 3 of the ePrivacy Regulation.[6] This interplay between the regulatory purposes of the ePrivacy Regulation on the one hand and the GDPR on the other hand leads to difficulties in distinguishing between the scope of application of each regulation: Depending on the circumstances and the matter in question, the scope of the ePrivacy Regulation might be both broader and more restricted than that of the GDPR (Art. 1 No. I.2.a)).

[1] Council of the European Union, Doc. No. 6087/21 from 10 February 2021, Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) – Mandate for negotiations with EP (hereinafter: ePrivacy Regulation).

[2] European Commission, COM/2017/010 final – 2017/03 (COD) from 10 January 2017, Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) (ePR Commission Proposal 2017).

[3] See ePR Commission Proposal 2017, Explanatory Memorandum.

[4] With regard to the protection of legal persons, the ePR Commission Proposal 2017 and the version of the ePrivacy Regulation adopted by the Council of the European Union both correspond, see recital 1 ePrivacy Regulation and ePR Commission Proposal 2017, Explanatory Memorandum, at 1.1.

[5] Regulation (EU) 2016/679, applicable since 25 May 2018.

[6] See below, Art. 1 No. II.1.

In 1995, the European Community adopted the Data Protection Directive,[7] the predecessor of the GDPR, in order to create a common standard for the protection of personal data within the EU. However, soon new and more advanced digital technologies emerged, which had not yet been foreseen and covered by the Directive. In order to ensure an adequate level of data protection in the electronic communications sector,[8] the European Community adopted the ePrivacy Directive in 2002.[9] It supplemented the Data Protection Directive, focussing on electronic communications data. In 2009, the so-called Cookie Directive[10] amended and updated the ePrivacy Directive, introducing new requirements for the placement of cookies, the security of processing and unsolicited communications.

When evaluating the ePrivacy Directive in 2016,[11] the European Commission found the objectives to be sensible but regarded their implementation on EU and national level as out of touch with the pace of technological advancements over the past decade, especially regarding the rapid rise of Internet-based services.[12] This led to reform efforts, resulting in the proposal for the ePrivacy Regulation published by the Commission on 10 January 2017, marking the starting point of the still pending legislative process.

The European Parliament discussed the Commission’s proposal in different committees over the course of 2017, resulting in the adoption of a report containing the Parliament’s amendments to the proposal on 26 October 2017.[13] Subsequently, the Commission’s proposal was considered by the Council of the European Union, which represents the governments of the EU Member States. Once the process reached the Council, a regulatory limbo ensued, consisting of various proposals put forward by the changing Council Presidencies since 2018 and rejections by a number of Member States, which often have their own positions and expectations regarding the content of the ePrivacy Regulation.[14] The legislative process seemed stuck, until the Portuguese Presidency commenced in January 2021.

The Portuguese Council Presidency took action with regard to the ePrivacy legislation right at the beginning of its Presidency period. It published its own proposal for the ePrivacy Regulation on 5th January 2021.[15] This proposal contained a number of modifications compared to previous proposals. In particular, the Portuguese Council Presidency aimed to align the ePrivacy Regulation further with the GDPR, especially with regard to the legal bases for lawful processing of communications data. In comparison to the GDPR, the Portuguese Presidency considered the provisions in the previous proposals for the ePrivacy Regulation to be too restrictive and attempted to soften them in its proposal. This concerns, for example, the expansion of available legal bases for data processing and data collection. In this context, the Presidency introduced the possibility to process and collect data for the performance of a contract as well as for further compatible purposes (other than the original purpose of data collection).[16] The Presidency has thus significantly aligned the ePrivacy Regulation to the broader regime of available legal bases envisaged by the GDPR.[17]

Ultimately, the Portuguese Presidency was able to get a majority of Member States to vote in favour of an adoption of a regulatory text based on its draft. Additionally, a mandate for negotiations with the European Parliament has been issued together with the adoption of the text.

Now that a common position of the Member States has been agreed, the main legislative process can start, including joint negotiations between the Council of the EU, the European Parliament and the European Commission (the so-called Trilogue Negotiations).[18] Eventually, after the Regulation has been adopted, a designated grace period of two years will apply prior to the ePrivacy Regulation coming into effect, as foreseen by Art. 29 Sec. 2 ePrivacy Regulation.

In consequence, it is unlikely that the ePrivacy Regulation will enter into force prior to 2023. In order to keep pace with the ever-changing tech landscape despite the temporarily stagnating legislative process, the EU has already started to implement parts of the envisaged ePrivacy legislation into other laws: From December 2020 onwards, the European Electronic Communications Code (EECC)[19] requires EU Member States to expand the definition of ‘Electronic Communications Services’ in their telecommunication laws to so-called ‘over-the-top services’ (OTT services). These transmit signals over the internet, e.g. messengers such as WhatsApp or Skype, and had not been regulated in a similar way as traditional telecommunication services before the EECC entered into force. When the ePR Commission Proposal 2017 was presented, it was a major regulatory aim of the ePrivacy Regulation to explicitly subject OTT services to legal provisions (Art. 1 No. II.1.). In a way, thus, the legislative project has been superseded here.

[7] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

[8] Recital 3 ePrivacy Directive.

[9] Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector.

[10] Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws.

[11] The evaluation was carried out under the ‘Regulatory Fitness and Performance Programme’ (REFIT) of the European Commission, see Commission Staff Working Document, Ex-post REFIT evaluation of the ePrivacy Directive 2002/58/EC, Doc. No. SWD(2017) 5 final from 10 January 2017.

[12] Cf. recitals 6, 11 et seq.; Explanatory Memorandum, at 1.1.

[13] European Parliament, LIBE report A8-0324/2017, 20 October 2017; the plenary of the European Parliament confirmed the decision to enter into interinstitutional negotiations on the basis of this report on 26 October 2017. A formal first reading of the proposed Regulation in Parliament has not yet taken place.

[14] For a complete review and current state of the Council’s action, see https://eur-lex.europa.eu/procedure/DE/2017_3.

[15] Council of the European Union, Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) from 5 January 2021, Doc. No. 5008/21.

[16] Council of the European Union, Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) from 5 January 2021, Doc. No. 5008/21, particularly at p. 6 et seq.

[17] Cf. Art. 6 Sec. 1 lit. b) GDPR, as well as Art. 6 Sec. 4 GDPR.

[18] For details on the EU legislative process, see https://www.consilium.europa.eu/en/council-eu/decision-making/ordinary-legislative-procedure/.

[19] Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code (Recast).

When starting the ePrivacy reform process, the Commission chose – like it did with the GDPR – the legally binding and directly applicable form of a regulation.[20] In contrast to a directive, a European regulation applies directly without the need to introduce implementation measures by the Member States.[21] It is the most effective and strongest act of law pursuant to Art. 288 of the Treaty on the Functioning of the European Union (‘TFEU’). Because national legislative implementation is avoided, Member States are given only limited possibilities of adaptation, thus maximising the level of harmonisation of the law. Only specific opening clauses allow Member States to introduce deviating provisions on a national level.[22] This has, at least in theory, several advantages: harmonisation across the EU can be achieved, creating consistency with the GDPR and ensuring an equal level of protection for anyone in the EU, no matter in which EU Member State they reside. By way of a regulation, the EU strives to stimulate the cross-border flow of data while establishing a high degree of legal certainty and low compliance costs.[23] As a general rule, Union law takes precedence over any divergent national Member State regulations.[24] Furthermore, when applying the provisions of a European regulation such as the ePrivacy Regulation, Member States and their institutions are granted only exceptionally little room for discretion and individual approaches.

[20] ePR Commission Proposal 2017, Explanatory Memorandum at 2.2-2.4; cf. recital 42.

[21] Cf. Art. 288 Sec. 2 phrase 2 TFEU.

[22] Recital 7; see Art. 11 Sec. 1, Art. 13 Sec. 2, Art. 16 Sec. 4, 5, Art. 21-24 ePrivacy Regulation; However, this is not unusual for European regulations. The GDPR also provides for various opening clauses, cf. Art. 22 Sec. 2 lit. b), 85, 88.

[23] ePR Commission Proposal 2017, Explanatory Memorandum at 2.2, 2.4.

[24] This is derived from Art. 4 Sec. 3 TFEU.