The road to the new ePrivacy Regulation is long and winding — however, today marks a milestone: The European Council agreed on a negotiating mandate (the “Mandate”) for revised rules on protection of privacy and confidentiality in the use of electronic communications services (i.e., the ePrivacy Regulation). The Mandate was issued in response to the revised ePrivacy Regulation draft released by the Portuguese presidency, who took over the presidency of the European Council in January 2021. Progress on the ePrivacy Regulation had reached somewhat of a standstill following the European Commission’s first draft ePrivacy Regulation in 2017. Although the European Parliament had reached a common position during this period, the European Council had been unable to do so until now. With this Mandate in hand, the Portuguese presidency of the Council may now initiate Trilogue negotiations with the Commission and the Parliament in order to finalize and adopt the ePrivacy Regulation. There is still some work ahead, as there are some outstanding issues that must be resolved, including the inclusion of telephone and B2B marketing, prohibition on the use of cookie-walls, and the maximum level of penalties for infringements.
Below is a summary of the key parts of the Mandate and how this compares to previous positions adopted by the Commission and EU Parliament:
The Commission’s draft proposed that the ePrivacy Regulation should be broader than the scope of the ePrivacy Directive and apply to interpersonal communications such as VoIP, instant messaging and web-based email, collectively called “Over-the-Top” (“OTT”) communications services. Given this scope, the rules would then also apply to social media that offer instant messaging and chat functionalities, email providers (e.g., Google or Outlook), and VoIP service providers. Both the EU Parliament and the Council now support this broadened scope, so it will likely be included in the final version of the ePrivacy Regulation.
The Mandate contains several specifications on direct marketing, in particular:
Telephone Marketing: Under the current ePrivacy regime, telephone marketing rules are set by the Member States. However, with the Council’s proposed inclusion of voice-to-voice direct marketing calls in the definition of “direct marketing”, the opt-in consent rules under the proposed ePrivacy Regulation would then become applicable to this form of marketing. This inclusion is likely to be a further point of discussion in the Trilogue negotiations so it is not yet certain if telephone marketing will be covered in the final draft. It is worth noting the Council is encouraging Member States to introduce national laws that require the use of a specific code or prefix identifying the call as a direct marketing call to enable end-users to decide whether or not to take the call.
B2B/B2C: The EU Parliament proposed to make explicit that the direct marketing rules apply to B2C as well as certain types of B2B marketing, by clarifying that the rules apply to “users”, acting in a private or professional capacity. Currently, Member State rules differ as to whether or not B2B marketing is included. The Council supports the Parliament’s proposal to include B2B marketing.
Soft Opt-in: In line with the Commission and Parliament, the Council supports maintaining the soft opt-in exception (i.e., the possibility for companies to offer an opt-out for marketing emails sent to individuals whose contact details were obtained in the context of the sale of a product or service). The only difference is that the Council proposes that Member States be allowed to set the time period within which the soft opt-in should be exercised, thereby suggesting that this exception should be time limited.
The Mandate also takes a position with regard to cookies and similar technologies:
Cookie-wall ban: In its ePrivacy Regulation proposal, the Commission had not sought to prohibit the use of cookie-walls. However, in its comments, the Parliament expressly recommended a cookie-wall prohibition because it believes that “cookie walls do not help users maintain control over their personal information or become informed about their rights”. The Council is now taking an in-between approach by recommending that cookie-walls be allowed only where the user has a genuine choice, such as, for example, by being able to choose between paid access and an equivalent offer by the same provider that does not involve consenting to cookies. This approach is commensurate with the position taken by some Data Protection Authorities (DPAs) in recent enforcement actions and guidelines. Of note is that the French DPA attempted to generically prohibit cookie walls; however, the decision was struck down by the French Council of State that decided that a general and categorical ban was outside of the DPA’s powers and, therefore, was invalid. Given that there has been no clear consensus across the EU on this point, this will likely be an area of further discussion across the institutions.
Browser settings: The Council sides with the Parliament that browser providers should offer privacy protective settings to prevent other parties from storing information on the terminal. The Mandate provides that to avoid “cookie consent fatigue”, an end-user should be able to consent to the use of certain types of cookies by whitelisting one or several providers in their browser settings (such as Google). Software providers are encouraged to make it easy for users to set up and amend whitelists on their browsers and withdraw consent at any moment.
The Mandate also describes exemptions to the cookie consent requirement:
Information emitted by terminal equipment to enable it to connect to another device and/or to network equipment, such as with Wi-Fi or beacon scanning or other location-based tracking: Aside from technical exemptions to which all institutions agree, the Commission proposed that processing of emitted information be legitimate only if notice is first provided to the end-user. The EU Parliament agreed with this; however, in addition to the notice, it also wanted consent to be obtained from the end-user. The Council supports the EU Parliament’s view and has added another exemption: “necessity to provide a requested service and statistical analysis”.