New EU ePrivacy rules open up avenues to processing without consent

Out-Law Analysis | 02 Mar 2021 | 2:09 pm | 3 min. read

Proposed new EU rules on electronic privacy will be the subject of fierce debate in the coming months as industry, regulators and legislators discuss the degree to which user information can be used when the user has not given consent. 

A new draft ePrivacy Regulation is intended to ensure greater protection of privacy on the internet and to adapt the law to new technologies. Data processing is to be possible in certain cases even without the consent of the persons concerned.

About four years after the EU Commission published the proposal for a new e-Privacy Regulation, the governments of the EU member states have agreed on a common position and the EU Council has presented a new proposal for a Regulation. The new proposal will now enter the so-called "trilogue", meaning it will be negotiated between the member states and the EU Parliament with the participation of the Commission.

The new rules are intended to define in which cases service providers may process electronic communications data or gain access to data stored on end-users' devices. It is about buzzwords like cookies, tracking and browser fingerprinting: it is about the electronic trail that every user leaves behind on the net and the question of how much of this data may be read and used by businesses.

Kirsten Wolgast, LL.M.

Rechtsanwältin, Partner

The draft regulation opens up potentially far-reaching processing powers, especially for metadata, even without user consent.

The European Council's proposal emphasises the confidentiality of electronic communications. In principle, the processing of both content and metadata should only be allowed with the consent of the user or in the cases specified in the regulation.

The draft regulation opens up potentially far-reaching processing powers, especially for metadata, even without user consent, including processing of pseudonymised data for statistical purposes and for purposes for which the data were not collected, known as further processing. In this respect, the Council's draft clearly goes beyond the proposals of the Commission and the Parliament and is already being criticised by lobby groups for this. It remains to be seen whether these rather generous regulations will be retained. 

The same applies to the use of the processing and storage capabilities of end-user devices and the information stored on them. Evaluating this data will be allowed in order to analyse access to a website by means of statistical cookies.

In the area of direct marketing via electronic means of communication, it is noticeable that consent is only to be required in principle for end users who are "natural persons". According to the text of the draft, a 'natural person', or human being, is contrasted with a 'legal person', or organisation. Regulations regarding the latter will be up to the member states.

Jonathan Kirsop

Partner

The draft declares the GDPR applicable to various aspects, but how this can be implemented in practice is questionable.

This could mean that electronic communication with addressees at their professional address will be largely free, depending on the respective countries. The draft also hardly foresees any restrictions on voice-to-voice calls. If a company has received contact information of an end user in connection with the sale of a good or service, it is to be allowed to continue to use it for the direct marketing of similar goods or services, even without consent.

Many details of the regulation still seem unclear: the draft declares the General Data Protection Regulation (GDPR) applicable to various aspects, but how this can be implemented in practice is questionable. For example, consent to the use and processing of data is also to be required for organisations. For these consents, the rules of the GDPR are to be applied, with the necessary adaptations. However, national legal provisions on when an organisation may be effectively represented by an individual are to remain unaffected. It is not clear whether consent may only be given once for an organisation or whether several, possibly contradictory consents may be given.

The GDPR talks about consent in relation to people as 'data subjects'. However, the regulations in the draft ePrivacy Regulation indicate that consent can also be related to a device. If the device is used by several people, attribution would no longer be possible. Further questions arise, for example, regarding the permissibility of offline tracking, in relation to updates, as well as on the question under which circumstances the use of a service can be made dependent on the end user giving consent.

Unlike that of the Commission and the Parliament, the Council's proposal does not require member states to put the authorities in charge of regulating GDPR compliance in charge of regulating ePrivacy compliance. This could be assigned to other authorities. This could make harmonisation more difficult, at least in those cases where personal data is involved.

For remedies, liability and sanctions, the draft regulation essentially refers to the provisions of the GDPR. This means that in the event of violations, very high fines would also be possible under certain circumstances. 

The EU Council's proposal has already got the attention of some lobby groups. It remains to be seen how it will develop in the trilogue. In any case, the final regulation will enter into force within 20 days of its publication in the Official Journal of the EU, which marks the start of a two-year period until it is effectively applied. The organisations concerned should then use this period for adaptation.