Spring Cleaning for the ‘Other’ European Privacy Law: ePrivacy Directive Update

Background on the ePrivacy Directive

While the General Data Protection Regulation (GDPR) is an omnibus law on data protection and privacy for personal data, the Privacy and Electronic Communications Directive 2002/58/EC (ePrivacy Directive or Cookie Directive) is more focused than the general law and covers electronic communications. The ePrivacy Directive specifically covers “traffic data” (i.e., metadata) and due to its requirements regarding cookies, it is largely the reason behind the cookie banners appearing on websites across the Internet.

The ePrivacy Regulation has been pending since 2017, when the EU Commission presented the first draft of the text. The updates in the ePrivacy Regulation are designed to account for new technological and market developments. Once enacted, the ePrivacy Regulation will also cover a larger scope of electronic communications, including instant messaging applications, web-based email services, social media platforms, and Over-the-Top (OTT) communications. Additionally, a regulation is stronger than a directive, because regulations are binding for all European Union Member States.

On February 10, 2021, the Council of the European Union (Council) announced that the Member States had finally agreed on a negotiating mandate (Mandate) to move forward with the next step in finalizing the text of the ePrivacy Regulation with the European Parliament. The President of the Council says the Mandate “strikes a good balance between solid protection of the private life of individuals and fostering the development of new technologies and innovation.”

Details on the Council’s Agreed Upon Mandate to Finalize the ePrivacy Regulation

The Mandate authorizes the Council to move forward with negotiations and reflects the agreement of the Member States for the revised ePrivacy Regulations. The Mandate outlines that the final text should, in accordance with the current draft of the ePrivacy Regulation, cover electronic communications content, related metadata, and the Internet of Things for end-users in the European Union. Additionally, the final text should have rules on line identification, public directories, and unsolicited and direct marketing.

Generally, processing without user consent will be permitted to ensure integrity of communications services, such as processing metadata for malware or viruses. Processing is also permitted for detecting or stopping fraudulent activity. Otherwise, processing without user consent should be limited to situations that involve no, or very limited, intrusion of privacy, such as storing cookies for a single session to track input when filling in online forms that spread across several pages.

Regarding cookies, the Mandate emphasizes addressing the risk of cookie consent fatigue, where users are overloaded with requests to provide consent to cookies. To address this, the Mandate requires that users are able to give consent to certain types of cookies by whitelisting certain providers in their browser settings, which is stronger than the ePrivacy Regulation text which just “encourages” web browsers to allow users to whitelist certain websites or cookies.

When the ePrivacy Regulation Will Come Into Effect

Next, the Council will negotiate the terms of the final text with the European Parliament. When a final text is ready, the ePrivacy Regulation will become effective twenty days after it is published in the EU Official Journal. Companies will then have two years to come into compliance.

The Council’s press release can be found here, and the text of the mandate can be found here.