The Council of the European Union (Council) has released a long-awaited compromise draft of the ePrivacy Regulation, a rewrite of the European Union’s existing rules on the privacy of electronic communications. This new law is intended to complement the General Data Protection Regulation (GDPR). This is an important but preliminary development, and now the Council will begin negotiations with the European Parliament to arrive at final ePrivacy Regulation language. The European Commission (EC) presented its ePrivacy Regulation proposal in January 2017, but lobbying in Brussels has been fierce, and the last four years have been spent haggling over the final Regulation. However, as a regulation, the ePrivacy Regulation, like the GDPR, would become EU law in all member states without requiring them to enact implementing legislation, as they must for directives, even though the draft leaves nations leeway to legislate further in accordance with it.
In its press release, the Council asserted:
Today, member states agreed on a negotiating mandate for revised rules on the protection of privacy and confidentiality in the use of electronic communications services. These updated ‘ePrivacy’ rules will define cases in which service providers are allowed to process electronic communications data or have access to data stored on end-users’ devices. Today’s agreement allows the Portuguese presidency to start talks with the European Parliament on the final text (emphasis in the original.)
The Council continued:
An update to the existing ePrivacy directive of 2002 is needed to cater for new technological and market developments, such as the current widespread use of Voice over IP, web-based email and messaging services, and the emergence of new techniques for tracking users’ online behaviour.
The new ePrivacy Regulation would repeal Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) and enact new text to address a number of changes in electronic communications and services since the current regime was enacted. The ePrivacy Regulation was intended to be enacted alongside the GDPR, but this did not come to pass given the competing interests among EU nations.
As for the text itself, a few threshold matters are worth highlighting. First, the ePrivacy Regulation would apply to both natural and legal persons (i.e., actual people in the EU and EU entities such as businesses.) Second, the ePrivacy Regulation does not impinge on the national security and defense data processing activities EU member states may undertake. Third, it applies to telecommunications providers and communications platforms. Fourth, the new regime would govern the processing of electronic communications data or the personal data of EU residents in specified circumstances regardless of where the processing occurs (e.g., Google processing EU communications in Egypt) and even if the processor is not established in the EU (e.g., a Taiwanese data broker processing certain communications of EU people or businesses.) Fifth, the ePrivacy Regulation sets up a tiered penalty system just like the GDPR’s, with a lesser class of violations exposing the violator to a fine of up to either €10 million or 2% of the entity’s worldwide turnover, and more serious violations facing liability of up to €20 million or 4% of worldwide turnover. Sixth, the European Data Protection Board (EDPB) would be given the task “to contribute to the consistent application of Chapters I and II and III of this Regulation” (i.e., the operative portions of the ePrivacy regime.)
In terms of the policy backdrop, the ePrivacy Regulation makes clear:
- Article 7 of the Charter of Fundamental Rights of the European Union (“the Charter”) protects the fundamental right of everyone to the respect for private and family life, home and communications. Respect for the confidentiality of one’s communications is an essential dimension of this right, applying both to natural and legal persons. Confidentiality of electronic communications ensures that information exchanged between parties and the external elements of such communication, including when the information has been sent, from where, to whom, is not to be revealed to anyone other than to the parties involved in a communication. The principle of confidentiality should apply to current and future means of communication, including calls, internet access, instant messaging applications, e-mail, internet phone calls and personal messaging provided through social media.
- The content of electronic communications may reveal highly sensitive information about the natural persons involved in the communication, from personal experiences and emotions to medical conditions, sexual preferences and political views, the disclosure of which could result in personal and social harm, economic loss or embarrassment. Similarly, metadata derived from electronic communications may also reveal very sensitive and personal information. These metadata includes the numbers called, the websites visited, geographical location, the time, date and duration when an individual made a call etc., allowing precise conclusions to be drawn regarding the private lives of the persons involved in the electronic communication, such as their social relationships, their habits and activities of everyday life, their interests, tastes etc.
The Council intends the ePrivacy Regulation to work in concert with the GDPR, specifying that where the former is silent on an issue, the latter shall control:
Regulation (EU) 2016/679 regulates the protection of personal data. This Regulation protects in addition the respect for private life and communications. The provisions of this Regulation particularise and complement the general rules on the protection of personal data laid down in Regulation (EU) 2016/679. This Regulation therefore does not lower the level of protection enjoyed by natural persons under Regulation (EU) 2016/679. The provisions particularise Regulation (EU) 2016/679 as regards personal data by translating its principles into specific rules. If no specific rules are established in this Regulation, Regulation (EU) 2016/679 should apply to any processing of data that qualify as personal data. The provisions complement Regulation (EU) 2016/679 by setting forth rules regarding subject matters that are not within the scope of Regulation (EU) 2016/679, such as the protection of the rights of end-users who are legal persons.
Article 1 states the purpose of the ePrivacy Regulation:
This Regulation lays down rules regarding the protection of the fundamental rights and freedoms of legal persons in the provision and use of the electronic communications services, and in particular their rights to respect of communications.
The ePrivacy Regulation will apply to:
- the processing of electronic communications content and of electronic communications metadata carried out in connection with the provision and the use of electronic communications services;
- end-users’ terminal equipment information;
- the offering of a publicly available directory of end-users of electronic communications services;
- the sending of direct marketing communications to end-users.
Electronic communications data (a term encompassing both content and metadata) must generally be kept confidential (subject to exceptions), but it may be processed under the following circumstances:
- it is “necessary to provide an electronic communication service”;
- it is necessary to maintain or restore the security of electronic communications networks and services, or detect technical faults, errors, security risks or attacks on electronic communications networks and services;
- it is necessary to detect or prevent security risks or attacks on end-users’ terminal equipment;
- it is necessary for compliance with a legal obligation to which the provider is subject laid down by Union or Member State law, which respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the safeguarding against and the prevention of threats to public security.
Electronic communications metadata may be processed in a number of scenarios without consent, including for maintaining networks and services, for the fulfillment of a contract to which the end-user is a party, or “it is necessary in order to protect the vital interest of a natural person.” Such processing of metadata may also be part of scientific or historical research and related purposes subject to additional requirements. And, of course, a person or entity could consent to such processing for one or more specified purposes.
There is a subsequent section that seems to contemplate other possible “compatible” processing of metadata without a person or entity’s consent and outside an EU or member state law. The Regulation lists a number of considerations the provider must take into account in making this determination, such as the link between the reasons why these data were first collected and the intended additional processing, the context of the data collection, the nature of the metadata, the possible consequences to the end-user of further processing, and the use of safeguards such as encryption or pseudonymization. However, there are strict limits on how the processing may take place. If the information can be anonymized for processing, it must be. Otherwise, it must be made anonymous or erased after processing. Metadata must be processed in a pseudonymized fashion and cannot be used to determine the nature or characteristics of the user in order to build a user profile. Finally, metadata collected and processed under this provision of the ePrivacy Regulation cannot be shared with third parties unless it is made anonymous.
And so, it appears providers may engage in additional processing a Spanish resident may not have consented to so long as these conditions are met. However, the Regulation does not spell out what sort of situations these may be, leaving the issue to EU courts. Given the lengthy negotiations over the ePrivacy Regulation, this may be one of the places the parties decided to leave open-ended.
Moreover, providers are to erase or anonymize electronic communications content and metadata when there is no longer a need for processing or for providing an electronic communications service subject to exceptions in the latter instance.
There is a broad bar on using people’s or entities’ devices or equipment for processing, and on collecting information from them, subject to enumerated exceptions: where it is necessary to provide a service, where the person or entity consents, to measure the audience, to maintain or restore the security of the devices or service, or to provide a software update. As with metadata processing, there is also language that would seem to allow processing in this context apart from consent and EU or member state law, so long as the provider lives within the same types of limits.
When a person connects her device to a network or another device, collection of information is forbidden unless it is needed to establish or maintain a connection, a user provides consent, it is needed to provide a requested service, or “it is necessary for the purpose of statistical purposes that is limited in time and space to the extent necessary for this purpose.”
EU member states may abridge some of these rights through legislation “where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests referred to in Article 23(1)” of the GDPR, namely
- public security;
- the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
- other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security;
- the protection of the data subject or the rights and freedoms of others;
- the enforcement of civil law claims.
There are further provisions on EU people and entities turning off caller identification and blocking or allowing unsolicited calls and communications.
The regulatory structure will be similar to the one in effect under the GDPR with each member nation having a supervisory authority or authorities in place to monitor compliance with the new regulation and take action if necessary. Likewise, the EDPB shall have significant powers in the oversight and implementation of the ePrivacy Regulation but short of those provided under the GDPR, notably the authority to referee and adjudicate disputes over enforcement between nations. There is language directing all authorities to work cooperatively across borders, but that is it.
As mentioned, violators of the ePrivacy Regulation would face stiff fines just as under the GDPR with the more severe penalty tier being reserved for “[i]nfringements of the principle of confidentiality of communications, permitted processing of electronic communications data, time limits for erasure pursuant to Articles 5, 6, and 7.”
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.