Council Agreed Position on E-Privacy Regulation - some highlights

There was some significant progress last week in the never ending saga of the e-Privacy Regulation. The Regulation, originally proposed by the EU Commission in January 2017 with the expectation that it be implemented at the same time as the GDPR, has got rather bogged down, as EU Member States had significant disagreements about how to balance privacy protections with the need for businesses to develop and deliver effective electronic communications services.

This is by no means the end of the story, as the EU Council, Commission and Parliament must now enter into the “trilogue” negotiating phase with a view to reaching a final agreed text. Given the number of points of contention, the fact that the Council approved the text over the opposition of certain Member States including Germany, and the reactions of privacy activists, it is likely that the trilogue will be a lengthy and difficult process. 

There is a lot of detail here, and therefore a lot to unpick. At a high level, a few of the points which interested me (particularly from an adtech and direct marketing perspective) are:

1. Territorial scope - The draft Regulation takes a similar approach to the GDPR in terms of territorial application, in that it applies based on whether the end user of the services, or the recipient of direct marketing, is located in the EU, rather than whether the service provider is. This clears up some of the jurisdictional confusion inherent in the current Directive and its various Member State implementations.
2. Cookies - there has been no drastic overhaul of the approach to regulating the use of cookies and similar technologies, insofar as they are still largely underpinned by a requirement to obtain the consent of the user. The draft makes clear that users must be given a “genuine choice” in relation to this. An earlier draft opened up the possibility of a “legitimate interest” ground for the use of cookies, but this door appears to be closed for now.
3. Terminal equipment - The cookie consent requirement applies where a service provider uses “processing and storage capabilities of terminal equipment and the collection of information from end-users’ terminal equipment, including about its software and hardware”, which is arguably a broader definition than under the current Directive and is likely to catch a range of tracking technologies whose status may have been uncertain under the Directive. This means that it is likely that cookie consent mechanisms on websites and apps are here to stay.
4. Alternative approaches to cookie consent: Nonetheless, the draft does lay out some potentially helpful exceptions to the cookie consent requirement. For example, the draft clarifies that consent is not required where cookies are used for security, fraud prevention, or audience measurement purposes. It also allows users to provide consent to certain types of cookies by whitelisting certain providers through their browser settings.
5. Cookie walls - making consent to the use of cookies a condition of providing access to an online service is generally prohibited, and will only be allowed if the user has the option to choose an equivalent offer that doesn’t require cookie consent. However, this does at least open up the possibility of websites being creative about how alternatives are offered in order to essentially force cookie consent.
6. Direct marketing - the rules on direct marketing emails and calls are largely unchanged, with the existing “soft opt-in” retained.
7. Communications content and metadata - the draft text maintains the position that content and metadata is confidential and must not be interfered with except in limited cases. However there are new provisions allowing service providers to process metadata for a purpose other than that for which it was collected, provided the new purpose is compatible and subject to certain safeguards as to the likely impact on the individual.

There has already been plenty of noise from the EU Parliament about how this draft is likely to be received, so we should definitely all watch this space!