On November 12, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP published a legal note on the ePrivacy Regulation and the EU Charter of Fundamental Rights. It was written for CIPL by Dr. Maja Brkan, assistant professor of EU law at Maastricht University, David Dumont, Counsel at Hunton Andrews Kurth, and Dr. Hielke Hijmans, CIPL’s Senior Policy Advisor. 

The note contributes to an important and recurring legal discussion on the proposed ePrivacy Regulation.

The proposal aims to protect the confidentiality of communications, and in particular addresses the confidentiality of content data and metadata of individuals and legal persons, implementing Article 7 of the EU Fundamental Rights Charter (“right to privacy”). In contrast, the GDPR implements Article 8 of the Charter (“right to data protection”).

The legal note argues that the difference between Articles 7 and 8 of the Charter has limited relevance  in connection to the ePrivacy Regulation. It aims to demonstrate that EU law, and in particular the Charter, does not preclude a risk based approach, nor the processing of content data and metadata on the basis of legitimate interest, provided that the necessary safeguards protecting the individuals’ communications are put in place. Neither Article 7 nor Article 52.1 of the Charter enumerate the grounds for limitation of fundamental rights. They do not prescribe that the right to privacy can be limited only on the basis of particular justificatory grounds, such as consent of the user.

The note also addresses a few related issues, such as the sensitive nature of content data and metadata, as well as the robust protection GDPR provides individuals if an organization relies on legitimate interests as a legal basis for processing electronic communications data, due to the increased accountability measures organizations need to take.

CIPL’s note also deals with the confidentiality of communications of legal persons and explains that this confidentiality is indeed not a matter of privacy, but is protected under other EU law provisions.