ePrivacy Update

The draft ePrivacy Regulation has been talked about for almost as long as the GDPR itself. Initially, there was even consideration of it entering into force at the same time as the GDPR (back in May 2018). Those timings have obviously slipped. There are various sticking points, but the overall issue is that any new law that looks to impact the European digital economy (a key potential source of economic growth across the block) is always going to be sensitive for Member States (and other stakeholders). As such, it is no surprise that draft remains in stalemate within the European Council (the body that comprises Member State government representatives).

By way of update on where things currently sit, on 5 January 2021, the Council of the European Union, under the 6 month Council presidency of Portugal (which lasts from 1 January 2021 until 1 July 2021, when it will pass to Slovenia) released a new, draft version of the ePrivacy Regulation – the 14th draft to date!

One key theme to address is what the text says about businesses’ ability to rely on a lawful basis other than consent in order to process electronic communications’ metadata and place cookies, or similar technologies, on end-user’s terminals (i.e. devices).

The law as it stands (under the ePrivacy Directive and implementing national legislation) is fairly restrictive, requiring the end user’s GDPR compliant consent subject to a few exemptions (generally where the activity is strictly necessary) in order to place a cookie. By way of reminder, this is why we see so many cookie banners on websites these days!

Various drafts of the ePrivacy Regulation since 2017 have gone backwards and forwards loosening or tightening these restrictions. Critics of the consent approach have long argued that the mechanism does not achieve its aim of protecting the privacy of individuals and instead creates frustration and ‘consent fatigue’ amongst individuals. They maintain that other lawful bases should also be made valid.

An earlier draft of the regulation had inserted legitimate interest as a lawful basis to process data, however, this was largely withdrawn during the recent German presidency (which lasted from 1 July 2020 until 1 December 2020) and remains absent from this draft. The current draft does, however, introduce the prospect of relying on the lawful basis of “performance of a contract”.

There are various other amendments which will be considered in detail by the Council over the next 6 months, although it is too early to tell whether this draft will be any more likely to secure the support of the other Members States. Of course, it remains a further open question as to whether the UK would seek to mirror the ePrivacy Regulation under UK law post-Brexit, or whether this will be one of the first areas where we see real divergence.

We will keep you posted.