Overview
On February 10, after four years of negotiations, text revisions, compromise proposals, and back and forth, the Council of the European Union agreed on its negotiating position on the EU draft regulation concerning the respect for private life and the protection of personal data in electronic communication (the ePrivacy Regulation).
A deal for what? The deal allows work on the replacement of the 2002 ePrivacy Directive to start. It is a deal to engage in further intra-EU institutions' negotiations (trilogue). When we remind ourselves that the initial plan was to have a text entering into force at the same time as GDPR (in 2018), and when you realize that the current Council's position includes a two year grace period for entry into force (yes, that might mean 2024/2025), time for the final text is far away.
What prompted the unexpected? The deal stems from the Portuguese rotating presidency's presentation of a text that reintroduced provisions on data retention (something that has been regularly challenged by courts across the EU), putting France in the camp of those in favor. More importantly, Germany, who had consistently opposed the inclusion of the provision on "further compatible processing" of metadata (that also found its way in the text), abstained at the Council meeting, along with Austria, thus prompting a deal.
But what is the Council position? The 87-page long text defines cases wherein the processing of electronic communication content and metadata or the access to data stored on end-users' devices will be allowed. Machine-to-machine data, transmitted via a public network, are in scope; a major snag for the Internet of Things (IoT) ecosystem. The basic principle that existed under the ePrivacy Directive, namely "no processing or access, except when permitted," remains. Consent (that should meet the GDPR-test) still plays an important role in enabling processing or access; processing for compatible purposes (also for metadata) will, thanks to the German and Austrian abstention, be allowed (and framed).
An element worth noting is the Council's position on the use of cookies. Moving away from do not track (DNT) browser settings (which most authorities do not consider valid choices and that business often have a hard time honoring), the draft regulation text suggests whitelisting (i.e., allowing end-users to consent) at the browser level. It remains to be seen if this novelty will find its way up to the final text … and serve that purpose; (most) cookies might have been replaced by the time the regulation is finalized (or when technology moves faster than regulation).
And what comes next? The reactions to the deal from EU supervisors (i.e., the future enforcers) are mixed: on one side of the spectrum, the chair of the Belgian data protection authority posted: "Great day for privacy in Europe today! After many years of negotiating, finally, the Council agreed on [...] the e-Privacy regulation." On the other side, the German Federal Commissioner for Data Protection and Freedom of Information, Ulrich Kelber, criticized the proposal. He said: "I urge the European Parliament and the EU Commission to advocate raising the level of data protection during the trilogue process."
Those voices set the tone for the upcoming discussions, and explain why, for now, a deal is not "THE" deal.