The Finnish presidency of the Council of the EU (Finnish Presidency) released an updated draft of the Regulation on Privacy and Electronic Communications (ePrivacy Regulation) on October 30, 2019 (available here). The Working Party on Telecommunications and Information Society (WP TELE) will discuss the new draft at its meeting on November 7, 2019.
Amendments put forward by the Finnish Presidency
The amendments that the Finnish Presidency plans to discuss at the November 7, 2019 meeting include:
- Scope of application of the ePrivacy Regulation: The Finnish Presidency included various options to clarify the application of the ePrivacy Regulation, in particular under Recital 19a, Article 2(2)(e), Article 6(1)(a), Article 6a(1)(a) and Article 7(1).
- Recital 19a: The ePrivacy Regulation now clarifies that the processing of electronic communications data should only be allowed with the user's prior consent and to the extent necessary for the provision of the requested functionalities.
- Recital 20: The ePrivacy Regulation further clarifies that cookie walls may not be used. This is in line with previous guidance from the French and German supervisory authorities. In the context of the use of cookies, users must have a genuine choice between an offer that includes consenting to the use of cookies and an equivalent offer that does not involve consenting. Making access to a website dependent on consent to the use of cookies in the presence of a clear imbalance between the user and service provider deprives the user of a genuine choice. Further, the ePrivacy Regulation clarifies that service providers must provide users with clear, precise and user-friendly information on the purposes of cookies.
- Recital 33a: In essence, Recital 33 provides that direct marketing communications require opt-in consent. Email marketing for similar products and services does not require opt-in consent if the contact details were obtained in the context of an existing customer relationship. Recital 33a now further clarifies the legal basis for voice-to-voice direct marketing calls that do not involve the use of automated calling and communications systems. Such voice-to-voice direct marketing calls may be based on an opt-out solution in the context of an existing customer relationship.
- Article 2(2)(f): The ePrivacy Regulation shall not apply to electronic communications processed upon receipt by the user concerned or by a third party entrusted by the user for the purpose of protecting the user's terminal equipment.
- Article 6a(2): Providers of electronic communications services must consult a supervisory authority prior to processing of electronic communications content if such consultation is required under Article 36(1) GDPR.
Comment
It had seemed that negotiations on the ePrivacy Regulations had come to a standstill, but the Finnish Presidency continues to make use of the current momentum (read the previous updates on our blog here and here). The International Association of Privacy Professionals recently reported that the Finnish Presidency aims to push the text of the Council of the EU across the finish line by the end of this year. The agreement on a final text would be followed by trilogue negotiations. The ePrivacy Regulation will thus not be finalized before 2020 and will only apply after the envisaged two-year grace period – so not before 2022.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.