The proposed e-Privacy regulation gets a new lease on life and is set to be negotiated with the European Parliament

2021-02-23T15:07:00

On February 10, the Council of the European Union finally approved its position on the proposed Regulation on Privacy and Electronic Communications (the e-Privacy Regulation). Since the European Commission published the legislative initiative in January 2017, the Council has been unable to agree a text at first reading to submit to the European Parliament. Under the new Portuguese presidency, Member States, through the Council, have agreed on a negotiating mandate that will allow negotiations with the European Parliament to start, with the aim of producing a final text.


The proposed e-Privacy regulation gets a new lease on life and is set to be negotiated with the European Parliament
February 23, 2021

On February 10, the Council of the European Union finally approved its position on the proposed Regulation on Privacy and Electronic Communications (the e-Privacy Regulation). Since the European Commission published the legislative initiative in January 2017, the Council has been unable to agree a text at first reading to submit to the European Parliament. Under the new Portuguese presidency, Member States, through the Council, have agreed on a negotiating mandate that will allow negotiations with the European Parliament to start, with the aim of producing a final text.

The e-Privacy Regulation proposes to replace Directive 2002/58, updating it after almost 20 years, and is to be a special law in relation to the General Data Protection Regulation for electronic communications. Among other aspects, it regulates high profile issues such as processing the metadata of electronic communications, using cookies and other tracking instruments, and sending commercial communications.

The new text proposed by the Council aims to strike a balance between protecting private life and developing new technologies. The noteworthy points include:

  • Extending the scope of application to include data processing by data controllers without an establishment in the European Union but established in a territory to which EU Law applies.
  • The possibility of processing the metadata of electronic communications and using information stored in end users’ devices for subsequent processing that is compatible with the initial purpose, under specific conditions.
  • Extending one of the legal bases for processing electronic communications data through cookies or similar technologies by allowing them to be processed when it is necessary to render an electronic communications service. Until now, the wording of the text also made it possible to process these data when required to issue electronic communications.
  • Introducing some requirements to share anonymized statistical data relating to electronic communications. Therefore, for example, to guarantee the privacy of end users, a data protection impact assessment must be conducted before sharing the anonymized data to avoid their re-identification by third parties.

In any case, its entry into force is still twenty days after it has been published in the Official Journal of the European Union for two years. Therefore, the e-Privacy Regulation is unlikely to take full effect before 2023.

Although it too early to determine whether this new document will get sufficient support to be the final version, it clearly signals progress that we will follow closely in this blog.

Authors: Inés Cabañas and Pedro Méndez de Vigo

February 23, 2021