EU ePrivacy Regulation takes a big leap forward to adoption | Fieldfisher
Skip to main content

EU ePrivacy Regulation takes a big leap forward towards adoption



United Kingdom

The Council of the EU has today made a surprise announcement that it has approved its negotiating position on the ePrivacy Regulation (i.e. the successor to the ePrivacy Directive), which will further reform EU cookie consent and communications content/metadata rules in the EU. 

The process now is that the ePrivacy Regulation will be negotiated in trilogue negotiations between the Council of the EU and the European Parliament, with the European Commission facilitating / brokering those negotiations.

The compromise text of the ePrivacy Regulation approved by the Council has not yet been published (as at the time of writing this post), but a press release is available which provides insights into the position the Council has agreed. View the press release here: Council agreement on ePrivacy rules.

On communication data rules, the press release reveals that:

"As a main rule, electronic communications data will be confidential. Any interference, including listening to, monitoring and processing of data by anyone other than the end-user will be prohibited, except when permitted by the ePrivacy regulation.

Permitted processing of electronic communications data without the consent of the user includes, for example, ensuring the integrity of communications services, checking for the presence of malware or viruses, or cases where the service provider is bound by EU or member states’ law for the prosecution of criminal offences or prevention of threats to public security.

Metadata may be processed for instance for billing, or for detecting or stopping fraudulent use. With the user’s consent, service providers could, for example, use metadata to display traffic movements to help public authorities and transport operators to develop new infrastructure where it is most needed. Metadata may also be processed to protect users’ vital interests, including for monitoring epidemics and their spread or in humanitarian emergencies, in particular natural and man-made disasters.

In certain cases, providers of electronic communications networks and services may process metadata for a purpose other than that for which it was collected, even when this is not based on the user’s consent or certain provisions on legislative measures under EU or member state law. This  processing for another purpose must be compatible with the initial purpose, and strong specific safeguards apply to it."

On cookie consent rules, the press release reveals that:

"As the user’s terminal equipment, including both hardware and software, may store highly personal information, such as photos and contact lists, the use of processing and storage capabilities and the collection of information from the device will only be allowed with the user’s consent or for other specific transparent purposes laid down in the regulation.

The end-user should have a genuine choice on whether to accept cookies or similar identifiers. Making access to a website dependent on consent to the use of cookies for additional purposes as an alternative to a paywall will be allowed if the user is able to choose between that offer and an equivalent offer by the same provider that does not involve consenting to cookies.

To avoid cookie consent fatigue, an end-user will be able to give consent to the use of certain types of cookies by whitelisting one or several providers in their browser settings. Software providers will be encouraged to make it easy for users to set up and amend whitelists on their browsers and withdraw consent at any moment."

On direct marketing rules, the press release provides little by way of insight – noting only that the agreed text includes rules on direct marketing.  However, in a previous draft published by the Portuguese Presidency of the Council in January 2021, the ePrivacy Regulation's direct marketing rules did not extend to online display advertising, and the Portuguese Presidency had proposed to preserve soft opt-in rules for email marketing.

According to the press release, the Council proposes that the ePrivacy Regulation will have a 2-year grace period before it enters into effect: "The regulation would enter into force 20 days after its publication in the EU Official Journal, and would start to apply two years later."  Obviously, this will need to be agreed at a trilogue level.

While the ePrivacy Regulation still has to pass through trilogue negotiations, today's announcement comes over four years after its initial proposal by the European Commission in January 2017, and some three-and-a-half years after the Parliament agreed its negotiating mandate on the proposal in October 2017.  Progress at a Council level had, since that time, reportedly stalled due to disagreements between Member States.  Today's announcement is, for this reason, a huge step forward in the process.

Also important to note is that the ePrivacy Regulation, once adopted, will be the first major EU-wide legislative development in EU data protection law post-Brexit – and, because the UK is no longer an EU Member State, will not apply in the UK.  All eyes will therefore be on the UK government to see whether it will introduce UK domestic legislation to align with the ePrivacy Regulation or whether it will decide to forge a different path.

Definitely one to watch going forward.