ePrivacy Reg

> ePrivacy Reg

The Council published a full text of the ePrivacy draft Regulation, as it stands right now. Be aware that this is not the final version adopted by the Council, but only the current version being discussed.
The Register published an interview with Birgit Sippel, the MEP Rapporteur for the ePrivacy Regulation, where she criticizes the slow progress that the Council (Member State governments) makes on the ePrivacy file, while also discussing the possible timeline for adoption of the new Regulation.
The Council published a summary of the latest discussions on the ePrivacy draft regulation.
The Bundesgerichtshof (Federal Court of Justice) sent a set of questions for a preliminary ruling to the Court of Justice of the EU concerning what constitutes valid consent under Article 5(3) of the current ePrivacy Directive. It looks like they specifically address the question of cookie banners and the lack of an effective opt-out provided in the banners. For the time being, the questions are only available in German on BGH’s website, as they have not yet been published by the CJEU.
Tracking Walls, Take-It-Or-Leave it Choices, the GDPR and the ePrivacy Regulation” is a recent research article by Frederik Borgesius, Sanne Kruikemeier, Sophie Boerman and Natali Herberger, published originally in the European Data Protection Law Review, that was made available for open access on the University of Amsterdam’s IViR Center webpage.
The LIBE Committee published their agenda for this week and a vote on the ePrivacy Regulation is scheduled for this Thursday, October 18. Keep in mind that this is just one step towards the final text. The text that will be ultimately adopted by the EP will then be subjected to a “trilogue”, with the EP, European Commission and the European Council having to find a compromise text.
An important step was taken last week in the ePrivacy regulation legislative process: the Plenary of the European Parliament (EP) adopted its version of the draft Regulation, based upon which the EP will enter negotiations with the European Council and the European Commission. Reports from Brussels describe almost dramatic days that led to a close vote in the Plenary. In the end, the amendments as adopted by the LIBE committee gathered enough support (318 to 280) to be adopted with no further amendments.
What’s next? The European Council has to adopt their final position on the text. The EP, Council and Commission will then meet in a “trilogue” to negotiate a compromise text. Follow the legislative procedure here.
The European Data Protection Supervisor, who is the EU legislators’ adviser on all legislative files that touch upon data protection and privacy, published new recommendations for the text of the ePrivacy regulation, referring this time also to the amendments to the text submitted by Members of the European Parliament. The EDPS reminds the legislator that “confidentiality of communications encompasses both content and metadata and data related to the terminal equipment” and advises against the introduction of “legitimate interests” as a lawful ground for processing electronic communications data.
It seems that the vote on the ePrivacy draft Regulation in the LIBE committee of the European Parliament is scheduled for October 11 (but we are still waiting to see the published agenda for that meeting). If you want to have a look at how debates on the text have been going in the past weeks, try this video from September 28.
For the state of play of the vote on the ePrivacy Reg in the different committees of the European Parliament, check out this summary. Some of them already cast the final vote on the amendments that were submitted. However, the LIBE committee has the deciding vote.
Giovanni Buttarelli, the European Data Protection Supervisor, published a blogpost providing insight into his views on “communications privacy” and its “crucial moment”. “The ingenuity, creativity and engineering excellence demonstrated by the targeted advertising ecosystem are impressive“, he wrote and called for the same ingenuity to be used to give back control to users over their data. He sees privacy engineering as a  good solution and he also referred in this context to the privacy engineering workshop the FPF is co-organizing with IPEN, KU Leuven and Carnegie Mellon University in Leuven, on November 10: “The EDPS will continue to provide its advice to the legislator to help them find the best solution. At the same time, we also press ahead with our support for the technological development in privacy engineering. For instance, in November our network IPEN will host with other partners a workshopto take stock of the state of the art and the need to advance technology research which we organise.”

The German Bar Association published the English version of its Opinion with recommendations on the draft ePrivacy reg, which was sent earlier this year to the EU legislator(s) and other stakeholders. It contains a thorough analysis of the draft, with numerous references to consistencies/inconsistencies between this text and the GDPR. 

In case you missed it, here’s a round-up of the amendments submitted by the Members of the European Parliament to the ePrivacy draft reg, including details about the political context surrounding them. 

The EU Council of Ministers will discuss the compatibility of data retention rules with the ePrivacy proposal in its first meeting in September, according to a leaked document. The main question delegations are asked to answer is “For the purposes of the prevention and prosecution of crime, to what extent can competent authorities rely on traffic and location data processed for billing and interconnection payments or for detecting or stopping fraudulent or abusive use of, or for the subscription to, electronic communication services?” It’s clear the debates in the Council on the ePrivacy reg are complex and go beyond industry and civil society concerns, which complicates the timeline for its adoption.

The deadline for amendments to the ePrivacy reg passed and the MEPs have tabled more than 800 of them. Only part of the amendments have been made public and you can find them here. The rest should be uploaded on the Parliament’s website in the following days. We’ve learned from journalist Jen Baker during FPF’s Privacy Landscape call this week, who managed to see the entire set of amendments, that some of them contain changes that want to introduce legitimate interest as a ground for processing. Expect more reporting in the days to come. 

The rapporteur for the ePrivacy reg, Marju Lauristin, gave a video interview to the IAPP, discussing ePrivacy and GDPR. It’s just over 7 minutes and it provides insight in her reasons for supporting strict ePrivacy rules.

Come this fall, Lauristin will be replaced in the rapporteur’s role with Birgit Sippel, from the same political group (S&D – Socialists and Democrats). The reasons for the replacement are not yet clear, but they seem to be external to the ePrivacy debate. 

The Council (specifically, the Working Party for Telecommunications and Information society – ‘WP TELE’) met to discuss with the European Commission the ePrivacy proposal. The (new) Estonian presidency identified a set of open questions that need to be addressed before discussions can continue: the link to the GDPR and issues related to processing of cookies. “To facilitate the assessment of the proposed changes, this session will focus on technical and economic features of the advertisement ecosystem, including the actors and technologies involved”.

For those of you who didn’t have the time to watch the LIBE committee debate at the end of June on the ePrivacy proposal, there is a good summary available HERE.

The Rapporteur MEP for the ePrivacy Regulation, Marju Lauristin, presented her report in front of the LIBE committee. This prompted the first debate on her report. You have a video recording of the meeting available here. It seems that one of the main takeaways of the meeting was that the Rapporteur committed to ask the Legal Service of the Parliament for an Opinion about the relationship between the GDPR and the ePrivacy reg before the amendments she proposes will be subjected to a vote.

Coalition for Audience Measurement led by ESOMAR adopted a first position on the ePrivacy reform calling for a level playing field for the audience measurement ecosystem and an enabling regulatory framework for this sector. The European Telecommunications Network Operators Association also published its views on the proposal for the ePrivacy regulation, asking for additional grounds for processing electronic communications metadata. 

The draft LIBE Report containing amendments to the ePrivacy Regulation was published on the European Parliament’s website ahead of the LIBE Committee meeting this week. The Report contains substantial discussions of end-to-end encryption, prohibition of backdoors and Do-Not-Track. In terms of legitimate grounds for processing, the Report does not include a ‘legitimate interests’ ground. However, a new exception similar to the GDPR household exception is proposed. You can read a round-up of the main points of the proposal HERE.

Another draft opinion-report was published last week by the JURI committee (Committee of Legal Affairs) of the European Parliament on the ePrivacy Reg. The view taken by the Rapporteur of this Opinion mainly revolves around importing GDPR provisions and transferring them to the ePrivacy Reg, including the entire article providing for lawful grounds for processing. Once adopted, this opinion is merely consultative for the Plenary. The LIBE Committee’s Report is the one which will be subjected to a vote in the Plenary and ultimately become Parliament’s position.

Just in case you were wondering what long, technical, but very interesting document to read this weekend, the Research Service of the European Parliament solved that problem: the report titled “An assessment of the Commission’s Proposal on Privacy and Electronic Communications” was just published. It is drafted by a team of highly regarded researchers in the field, from the IViR Institute for Information Law, University of Amsterdam. Enjoy! 

The Draft Report of the ITRE Committee (Industry, Research and Energy) was published this week, containing amendments to the Commission proposal for the ePrivacy Reg. This Report, once adopted, will inform the LIBE Committee, as committee responsible, and their Report. The ITRE draft report strongly supports end-to-end encryption. The Rapporteur MEP for ITRE is Kaja Kallas is from Estonia, “the ultimate connected society”, just like Marju Lauristin, the main Rapporteur MEP for the ePrivacy file. Two more committees are expected to adopt “opinion” reports, IMCO (Internal Market and Consumer Protection) and JURI (Legal Affairs), but only LIBE’s report will be put to a vote in the Plenary to become the Parliament’s draft. Follow the intricate legislative process of the ePrivacy Reg HERE.

IAPP’s Angelique Carson interviewed Marju Lauristin, the Estonian Rapporteur MEP for the ePrivacy Reg. Read the whole interview HERE.

The Maltese presidency of the European Council released a summary of the state of play of the discussions in the Council on the ePrivacy Reg proposal. The main points:

European Commission (EUCO)’s DG CONNECT announced the Digital Assembly 2017 will take place June 15-16 in Valetta, Malta. Registration for the event is still possible. The program features a workshop on the ePrivacy Regulation, having the rapporteur MEP, Marju Lauristin, as one of the speakers. 

CNIL published short guidance on cookies and online advertising, addressing the question of who has to inform the user about the existence of cookies and third-party cookies. The conclusion is that the website owner/publisher must inform users both when they are controllers (they place their own cookies) and when they are processors (they place third-party cookies). However, in the latter case the legal responsibility stays with the third party.

Marju Lauristin, the rapporteur for the ePrivacy draft Regulation in the European Parliament, offered a glimpse last week in how she looks at the reform. She said she will be ‘very strong’ against loopholes for encryption. She also mentioned that ‘in the privacy debate the starting point is not the consumer, but the individual as a whole’ and said she is expecting that ePrivacy rules will become a norm for smart cars, just as ‘eco concerns’ became standard for the auto industry.

The European Data Protection Supervisor published today his Opinion on the ePrivacy Regulation. He calls for a ‘smarter, clearer and stronger’ set of rules. He also points out that “the complexity of the rules, as outlined in the Proposal, is daunting”. EDPS calls for clearer consent rules, privacy by default obligations for browsers, purpose limitation rules for processing activities that fall under the ePrivacy Reg (to avoid possible loopholes from the GDPR-ePrivacy relationship), among other points.

The LIBE Committee of the European Parliament held its first hearing on the ePrivacy draft regulation last week, on April 11, bringing together representatives from the European Commission, industry, civil society, data protection authorities and academia. You can find a summary of the discussions HERE and a more detailed report HERE.

The European Academy of Freedom of Information and Data Protection published its Opinion on the ePrivacy reform. The Academy is led by the former Commissioner of the Berlin Data Protection Authority, Alexander Dix (an influencer of European thought in the data protection area).

Mark your calendars: a big hearing was announced for April 11 in the LIBE committee of the European Parliament(link expired) on the ePrivacy regulation proposal, where data protection authorities, industry, civil rights activists and academics will be heard by the MEPs. The hearing will be live-streamed. 

Two position papers on the ePrivacy reform were recently published by IAB Europe (Interactive Advertising Bureau Europe) and EDRi (European Digital Rights). Highlights:

IAB: “The ePrivacy Regulation doubles down on the approach that has irritated internet users with ubiquitous consent banners and other forms of consent requests over the past five years. By failing to revise this consent approach in favour of the principles-based approach of the GDPR, the ePrivacy Regulation will trigger even more irritating consent pop ups than the ePrivacy Directive”. “IAB Europe recommends to amend Article 8(1) ePR to fully align it with the principles- based approach of the GDPR on lawful processing, including processing necessary for a legitimate interest where the fundamental rights of a data subject are not overriding.”

EDRi: “EDRi is deeply concerned about the proposed exception for tracking users of communication devices in public spaces in the physical world (“device tracking”)”. “Compared to the current ePrivacy Directive, the proposal increases the scope for processing metadata and content by providers of electronic communications services. eDri has serious concerns that these changes can lead to voluntary data retention for all subscribers on a level that may even be comparable to the mandatory data retention that the CJEU has ruled on in April 2014 (the Data Retention Directive) and December 2016 (national data retention laws).”

If you want to receive weekly updates on developments in EU data protection law and policy, contact Gabriela Zanfir-Fortuna at [email protected].