Foto di Pavan Trikutam
    / [pdf]

The subject is pretty challenging indeed, considering that the EU proposal on the e-Privacy regulation is under the Institutions’ attention and not defined yet. I created a map consisting of eight sections, where I included all (I hope) the issues related to the proposal on the ePrivacy Regulation, and I will comment on it in each Section.

First Section - The Directive 2002/58/CE

Starting from the beginning, it’s clear that we are not talking about a new Regulation on this subject. Indeed, it’s well-known that we already have in Europe the Directive 2002/58/CE, currently in force, “concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).”. The mentioned Directive is also well-known because the GDPR expressly recalls it. Firstly, we want to mention a part of the Whereas (173) - the latest in the GDPR - that says:

This Regulation should apply to all matters concerning the protection of fundamental rights and freedoms vis-à- vis the processing of personal data which are not subject to specific obligations with the same objective set out in Directive 2002/58/EC of the European Parliament and of the Council (2), including the obligations on the controller and the rights of natural persons. In order to clarify the relationship between this Regulation and Directive 2002/58/EC, that Directive should be amended accordingly. Once this Regulation is adopted, Directive 2002/58/EC should be reviewed in particular in order to ensure consistency with this Regulation.

Moreover, in the GDPR, Article 95, entitled “Relationship with Directive 2002/58/EC”, expressly says

This Regulation shall not impose additional obligations on natural or legal persons in relation to processing in connection with the provision of publicly available electronic communications services in public communication networks in the Union in relation to matters for which they are subject to specific obligations with the same objective set out in Directive 2002/58/EC.

Last but not least, Article 21, entitled “Right to object”, in paragraph 5 says

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

All this being stated, the proposal on ePrivacy will repeal the Directive 2002/58/CE.  

Second Section - The relationship of the proposal on ePrivacy with the GDPR

In the Second Section, I refer to the relationship of the proposal on ePrivacy with the GDPR. We already said about the relationship of the Directive 2002/58/CE with the GDPR. What about the relationship of the proposal on ePrivacy with the GDPR? If we read all the documents about the proposal on ePrivacy, we became aware of a strict relationship with the GDPR, particularly in terms of dependency of the proposal from the GDPR. Dependency means that the GDPR has a primary role in the protection of natural persons with regard to the processing of personal data. At the same time, the proposal supports the GDPR in electronic communications. Being a proposal of regulation on electronic communications in the protection of natural persons with regard to the processing of personal data, it’s clear that the primary reference remains the GDPR. The proposal on ePrivacy represents completion in the field of data protection, covering the area of electronic communications.  

Third Section - Chronology

In this section, I will go for a strenuous virtual stroll from the beginning to now because the institutional work on the proposal on ePrivacy - as probably you know - was very hard. Notably, we cannot currently know the final text and when the entire process will end (hopefully soon, but rumours from the palaces say 2023). Let’s start with the chronology of five years from 2017 to 2021.  

First-year: 2017

All formally started in 2017 when the European Commission proposed the first version of the Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications). Later, in April 2017, the EDPS published the “Opinion 6/2017 on the Proposal for a Regulation on Privacy and Electronic Communications (ePrivacy Regulation)". It is a lengthy document of 40 pages. Trying to summarize the content, we briefly underline that the EDPS referred to the need for a dedicated legal instrument for ePrivacy, highlighting key concerns and recommendations, especially regarding:

  • the definitions that must not depend on the separate legislative procedure concerning the Directive establishing the European Electronic Communications Code;
  • the provisions on end-user consent need to be strengthened
  • the Proposal lacks ambition with regard to the so-called ’tracking walls’ (also known as ‘cookie walls’);
  • the Proposal fails to ensure that browsers (and other software placed on the market permitting electronic communications) will by default be set to prevent tracking individuals’ digital footsteps;
  • the exceptions regarding tracking of location of terminal equipment are too broad and lack adequate safeguards.

In October 2017, the European Parliament issued a draft of the proposal on ePrivacy.

Second-year: 2018

In 2018 followed two drafts of the proposal on ePrivacy by the Bulgarian Presidency and the Austrian Presidency. Furthermore, the EDPB issued its first statement. The EDPB stressed the following points:

  1. Confidentiality of electronic communications requires specific protection beyond the GDPR
  2. The ePrivacy Directive is already in force
  3. The proposed Regulation aims at ensuring its uniform application across every Member State and every type of data controller
  4. The new Regulation must enforce the consent requirement for cookies and similar technologies and offer services providers technical tools allowing them to obtain that consent

Third-year: 2019

In 2019 it was issued two texts by the Romanian Presidency and four drafts by the Finnish Presidency. That production demonstrates the relevance of the political intervention, the general interest in a definitive text, and the severe difficulty in finding a balance toward a final draft. Apart from the published drafts, we have to mention the statement 3/2019 on an ePrivacy regulation, adopted on 13 March 2019 by the EDPB. Indeed, the EDPB - holding its standing - reiterated

the positions previously adopted by data protection authorities in the EU, including the Opinion 1/2017 of the Article 29 Working Party and the Statement adopted on 25 May 2018

Fourth-year: 2020

At the beginning of 2020 (February), we had a draft issued by the Croatian Council Presidency and another draft by the German Presidency in November of the same year. Again, the EDPB in November 2020 issued its third document and precisely the “Statement on the ePrivacy Regulation and the future role of Supervisory Authorities and the EDPB”, adopted on 19 November 2020. The EDPB, briefly, expressed mainly in three points:

  1. Firstly, stressing that the statement “is without prejudice to its previous positions”;
  2. Secondly, welcoming “the aim of the Council Presidency to reach a General Approach in order to begin the negotiations with the European Parliament and to adopt the ePrivacy Regulation as soon as possible”;
  3. Thirdly, underlining “that many provisions of the future ePrivacy Regulation concern processing of personal data.” and, hence, highlighting the institutional role of the Supervisory Authorities.

The EDPB concluded by inviting

the Member States to support a more effective and consistent ePrivacy Regulation as initially proposed by the European Commission and as amended by the European Parliament.

Fifth-year: 2021

2021 (this current year) is the most productive year and probably the closest to the final version (hopefully). Indeed, the year starts (January 2021) with a draft by the Portuguese Presidency. The month after (February), another draft by the European Council of Ministers was published. That draft is hugely relevant because the Member States agreed on a mandate for negotiations (trilogue) with the European Parliament. Indeed, in this intervention, we refer to that draft (February 2021), considering it as the last one valid before the negotiations. There are many text modifications in that draft - some are simply wording, and others are significant (there are articles added and deleted) - regarding the original text issued in 2017 by the European Commission. On March 2021, the EDPB published the fourth statement, and precisely the “Statement 03/2021 on the ePrivacy Regulation” adopted on 9 March 2021. Firstly, it is pretty relevant that the EDPB highlights and precisely the following:

The ePrivacy Regulation must under no circumstances lower the level of protection offered by the current ePrivacy Directive but should complement the GDPR by providing additional strong guarantees for confidentiality and protection of all types of electronic communication.

Going into the details of that statement, the EDPB stressed the following points:

  1. Concerns regarding processing and retention of electronic communication data for the purposes of law enforcement and safeguarding national security;
  2. Confidentiality of electronic communications requires specific protection (Articles 6, 6a, 6b, 6c);
  3. The new Regulation must enforce the consent requirement for cookies and similar technologies, and offer service providers technical tools allowing them to easily obtain such consent (Article 8);
  4. Further processing for compatible purposes (Article 6c and Article 8(1)(g));
  5. Future role of supervisory authorities, the EDPB and cooperation mechanism (Articles 18 to 20).

On 20 May 2021, the negotiations (trilogue) officially started among the European Commission, the European Parliament, and the Council of the European Union. On 4 November 2021, a new text highlighted some key points still to be discussed by the institutions involved in the negotiations. Even though that document was confidential, it was published on the Internet due to a lack. In November, after that document, we found two drafts partially accessible to the public and published on the Council of the European Union website. We seem that there was another meeting in November (we know on 18 November), and probably there will be another one in December inside the negotiations, but we couldn’t retrieve the results on the Internet.  

Fourth Section - Current Status

Regarding the section on the current status, we understand that it should consist of the latest draft dated 12/11/2021, partially accessible to the public and published on the Council of the European Union website.  

Fifth Section - Overview

The fifth section on the overview shows a schema of the current version of the proposal on ePrivacy, particularly the 43 Whereas and the articles modified, deleted, or integrated. Notably, you can see in the map (as you read in the key) that:

  • the red background is related to the interventions to the latest version of the proposal;
  • the red background and the bold blue text are related to articles under discussion during the negotiations;
  • the yellow background and bold red text are related to the interventions proposed in the version of 10 February 2021;
  • the yellow background and text strikethrough are related to the articles deleted in the version of 10/02/2021.

As we can see:

  1. Article on consent originally was number 9, and now it is number 4a;
  2. Article 6 has been deleted, and now we have three articles 6, and particularly 6a, 6b, and 6c;
  3. Article 10 has been deleted, and the contents have been reviewed, expanded, and put in other articles;
  4. Article 17 has been deleted;
  5. Articles 12, 13, 14, 15, 16, 21, 23, and 26 are the subject of the negotiations.

 

Sixth Section - The European Electronic Communication Code (EECC)

The sixth section is related to the European Electronic Communication Code; it’s almost an exercise on the definitions and thinking about some provocations. In fact, the proposal on ePrivacy expressly recalls the definitions laid down by the:

  1. GDPR;
  2. Directive (EU) 2018/1972 of 11 December 2018 establishing the European Electronic Communications Code;
  3. Commission Directive 2008/63/EC of 20 June 2008 on competition in the markets in telecommunications terminal equipment;
  4. Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services.

In our perspective, among the definitions as mentioned above, we cannot dismiss from those laid down by Directive (EU) 2018/1972, as recalled by the proposal, and mainly the following five:

  1. electronic communications network’;
  2. electronic communications service’;
  3. interpersonal communications service’;
  4. number-based interpersonal communications service’;
  5. number-independent interpersonal communications service’;

Notably, our attention is on the definitions of ‘electronic communications service’ and ‘number-independent interpersonal communications service’. We highlight the following definitions:

interpersonal communications service”:

a service normally provided for remuneration that enables direct interpersonal and interactive exchange of information via electronic communications networks between a finite number of persons, whereby the persons initiating or participating in the communication determine its recipient(s) and does not include services which enable interpersonal and interactive communication merely as a minor ancillary feature that is intrinsically linked to another service.”

and

number-independent interpersonal communications service’:

an interpersonal communications service which does not connect with publicly assigned numbering resources, namely, a number or numbers in national or international numbering plans, or which does not enable communication with a number or numbers in national or international numbering plans.

In the light of the definitions mentioned above, the question is: “What about communicating services, generally open-source and provided for free to people?” There are several such resources, indeed.  

Seventh Section - Key-points

In the seventh section on the key points, we focus on some relevant matters for the analysis. The proposal on ePrivacy:

  1. Is lex specialis to the GDPR;
  2. Completes the data protection regulation ecosystem;
  3. Its legal basis is composed by: a. GDPR b. TFEU c. Charter d. ECHR
  4. Has been considered part of the Digital Single Market Strategy (DSM Strategy);
  5. Applies both to natural and legal persons;
  6. Enhances security and confidentiality of communications (including content and metadata, e.g., sender, time, location of a communication);
  7. Provides the definitions of: a. electronic communications data; b. electronic communication content; c. electronic communications metadata d. electronic message;
  8. Regulates the cookies;
  9. Regulates the security.

 

Eight Section - A privacy perspective

The eighth section reports an overview of the primary production issued by the data protection institutions, showing their specific interest in an adequate legal framework.  

Ninth Section - Expectations

Concluding, we understand that the final version could be published in 2023 and entered into force in 2025 (two years later).