In 2017, the European Commission proposed a Regulation on Privacy and Electronic Communications aimed at reinforcing trust and security in the Digital Single Market by updating the legal framework on ePrivacy. It will replace the ePrivacy Directive (2002) and specify the General Data Protection Regulation (GDPR).The European Parliament already adopted its report on the file in October 2017, but the discussions in the Council have been stalled for 4 years. The Parliament is still awaiting the Council decision before trilogue negotiations could begin.
State of Play
On 5 January, the Portuguese Presidency of the Council of the EU distributed among national delegations its proposal for the e-Privacy Regulation. In the document, the Presidency states that it aims to “conduct swift discussions” and further align the text with the General Data Protection Regulation (GDPR). The text does not include legitimate interest as a legal ground. Unlike the previous German proposal, the Portuguese text includes provisions allowing communications metadata to be processed (Article 6) and “to use processing and storage capabilities of terminal equipment and the collection of information from end-user’s terminal … for further compatible processing” (Article 8). These changes make the proposal more business friendly but may be opposed by Member States with a more hard-line position on privacy. Allowing “compatible further processing” of data, for instance, even caused ruptures within the German government in the last quarter of 2020, with the more business-minded Economy Ministry in favour of including the provision and the civil rights-minded Justice Ministry against.
The proposal has also been further aligned with the GDPR. For instance, the basis of ‘performance of a contract’ has been brought more in line with the wording in the GDPR: ‘provide an electronic communication service’ instead of ‘to achieve the transmission of the communication’. An important inclusion is the deadline of one month to appoint a representative in the EU (for providers from outside the EU). Furthermore, the period of entry into force and application has been halved from two years to one year, thereby shortening the time to bring services in line with the regulation.
There seems to be broad support for the Portuguese Presidency’s Proposal, according to EU officials and the Presidency intends to take the text to the level of the Committee of Permanent Representative (COREPER) in February. The debate between national governments remains around the inclusion of a provision allowing “compatible further processing” of data, which Germany opposes. It is still unclear whether Germany, which has positioned itself as a privacy hardliner, will attempt and succeed in building a blocking minority within the Council.
The Portuguese Presidency was expected to present a potentially final version of its ePrivacy Regulation proposal during the meeting of the Council’s working Party on Telecommunications and Information Society on 28 January. However, the discussion on ePrivacy has been postponed to February, signalling that the current Presidency needs additional time to work on a final version of the proposal which will have to be acceptable to a majority of the EU Member States. While the delay is a cause for concern for the success of the Portuguese Proposal, delegates from a few Member States have unofficially confirmed that the changes in question were minor details that needed fine-tuning and not a major overhaul of the current version of the proposal. Given the failure of 8 other Presidencies of the Council of the EU to reach an agreement on the ePrivacy Regulation, developments remain uncertain. According to the Portuguese Presidency’s current proposal, if an agreement is reached between the Council and the European Parliament, the ePrivacy Regulation will enter into application 12 months after the date of its official adoption (entry into force).