ePrivacy update: Comparison of the three EU drafts

Hogan Lovells

On 10 February 2021, the Council of the European Union (Council) agreed its negotiating mandate for the proposed Regulation on Privacy and Electronic Communications (ePR), which will replace the current ePrivacy Directive 2002/58/EC (ePD). The European Parliament (EP) adopted its negotiating mandate in October 2017, based on the original proposal from the European Commission in January 2017. The European institutions will now seek to agree the final text of the ePR by means of the trilogues (interinstitutional negotiations) process. This article sets out the significant areas of divergence across the three proposals.

The ePR will update European Union rules relating to, amongst other things, cookies and other tracking technologies, electronic communications data, and electronic direct marketing. The rules on electronic marketing and tracking technologies will be relevant for the vast majority of companies operating in or targeting the EU, but certain sectors are likely to be particularly affected:

  • The adtech ecosystem (including advertisers and publishers), much of which relies on tracking technologies;
  • Machine-to-machine (“M2M”) communications, Internet of Things (“IoT”) devices and services, and artificial intelligence (“AI”), much of which currently relies on the ability to retrieve and use data which may be regarded as electronic communications data under the ePR; and
  • Providers of telecommunication and other types of electronic communication services, particularly ‘over-the-top’ messaging services which were not subject to previous rules.

The ePR will also govern how regulators cooperate and ensure consistency in the enforcement of these rules.

In relation to each of these key topics, we set out below the significant areas of divergence between the European institutions.  Comments on the EP and Council mandates are made in comparison to the Commission proposal.

Cookies and other tracking technologies (Articles 8 and 10)

Commission proposal:

  • Consent required for the ‘use of processing and storage capabilities of terminal equipment’ or the ‘collection of information from end-users’ terminal equipment’ (‘tracking technologies’), except (i) as necessary to transmit a communication or provide a requested service; or (ii) for first party ‘web audience measuring’.
  • Compared to the ePD, this consent requirement more clearly captures non-cookie tracking technologies (eg device fingerprinting, pixel tags). The web audience measuring exception is also new.
  • Consent for tracking technologies can be collected through browser settings (instead of via a website’s cookie banner). Browsers must request consent upon installation and have the option to block third party tracking technologies.
  • Notice required before collecting information ‘emitted’ from terminal equipment, other than as required for connectivity.

EP mandate:

  • Users may not be denied access to a service or functionality on the grounds that they have refused consent for tracking technologies.
  • Browsers must default to rejecting tracking requiring consent.
  • Adds several conditions to the web audience measuring exception, including that data is aggregated and users have a right to opt-out.
  • Permits tracking without consent for additional specified security and employment purposes.
  • Consent also required when processing information emitted from terminal equipment other than for ‘statistical counting’ or as required for connectivity.

Council mandate:

  • Permits tracking without consent for additional specified security, fraud prevention, fault detection and emergency purposes.
  • Permits tracking without consent for further purposes which are compatible with the original tracking purpose [1], subject to certain safeguards, in particular that there is no profiling.
  • Consent can be collected through electronic communications software settings, but no specific requirement to request consent upon installation or to provide the option to block third party tracking technologies.
  • Consent required when processing emitted information other than for statistical or connectivity purposes, or to provide a requested service.

Electronic communications data (Articles 5 to 7)

Commission proposal:

  • Prohibits processing of electronic communications content and its associated metadata (ie all data used to transmit the content, including its source, destination, location, date and time) by anyone other than providers of electronic communications networks and services.
  • Content can only be processed by electronic communications providers for limited specific purposes laid down in the ePR, to provide a specific service to an end-user with consent from ‘the end-user or end-users concerned’, or for other purposes with consent from ‘all end-users concerned’ and after regulatory consultation.
  • Metadata can only be processed by electronic communications providers for limited specific purposes laid down in the ePR, or other purposes with consent from ‘the end-user concerned’.
  • Requirement to delete content and metadata once no longer necessary for a permitted purpose.

EP mandate:

  • Clarifies that third parties acting as processors for electronic communications networks and services may also process content and metadata.
  • Clarifies that processing content or metadata to provide a service requested by a user without consent from ‘all users’ is only permitted where there is no adverse effect on those other users.
  • Suggests that data related to or processed by terminal equipment also constitutes an electronic communication.

Council mandate:

  • Clarifies that third parties acting as processors for electronic communications networks and services may also process content and metadata.
  • Takes account of recent CJEU case law by adding a condition allowing processing of content and metadata as required to comply with legal obligations.
  • Adds additional purposes for which, subject to certain safeguards, metadata may be processed without consent, including scientific or historical research purposes, statistical purposes, and further purposes which are compatible with the purpose for which the metadata was originally collected.
  • Requirement to conduct a regulatory consultation before processing content for other purposes replaced with requirement to conduct a DPIA (and any regulatory consultation required by that DPIA).

Direct Marketing (Article 16)

Commission proposal:

  • Consent required to use electronic communications services to send direct marketing communications to natural persons via, except:
      • ‘Soft opt-in’ for electronic mail to existing customers remains unchanged from ePD; and
      • Member States can choose to allow live marketing calls on an opt-out basis.
  • Compared to the ePD, this consent requirement is technologically neutral and so more clearly applies to within-platform messaging services. There is also less scope to relax the consent requirement for B2B marketing.

EP mandate:

  • Scope widened to cover any use of electronic communications services to send or ‘present’ direct marketing communications to users.
  • Soft opt-in only valid for 12 months.
  • No ability for Member States to allow live marketing calls on an opt-out basis.

Council mandate:

  • Same scope as Commission proposal.
  • Soft opt-in applies to all electronic ‘messages’. Member States can choose to set a time limit on its validity.

Cooperation and consistency (Articles 18 to 20)

Commission proposal:

  • The supervisory authorities responsible for monitoring the GDPR are also responsible for monitoring this Regulation.
  • GDPR one-stop shop and cooperation and consistency mechanisms apply.

EP mandate:

  • Same scope as Commission proposal.

Council mandate:

  • Responsible supervisory authorities can be different from the supervisory authorities responsible for monitoring the application of the GDPR.
  • One-stop shop rules replaced with general cooperation obligations.

[1] We note that the wording of this clause 8(1)(g) in fact refers to compatibility with the purpose for which the ‘electronic communications data’ were originally collected, but we presume this is a drafting error.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hogan Lovells | Attorney Advertising
