On February 21, 2020, the Presidency of the Council of the European Union (“EU Council Presidency”) published a revised part of the proposed Regulation concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and Repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), better known as “the Draft ePrivacy Regulation.”

These revisions follow from discussions at meetings of the Working Party on Telecommunications and Information Society (the “WP Tele”), the Permanent Representatives Committee, and the Transport, Telecommunications and Energy Council. According to the EU Council Presidency, it became clear during these discussions that the existing proposed text of the Draft ePrivacy Regulation would not be supported by the majority of the Member States’ delegations who expressed their wish for substantial changes, in particular to the rules for the processing of metadata and the use of cookies or similar technologies (i.e., Articles 6 and 8 of the Draft ePrivacy Regulation and related Recitals). Accordingly, the EU Council Presidency is proposing substantial revisions to these key provisions of the Draft ePrivacy Regulation, with the aim of further aligning the Draft ePrivacy Regulation with the EU General Data Protection Regulation (the “GDPR”).

The most significant revision proposed by the EU Council Presidency introduces the possibility of relying on the “legitimate interest” ground to (1) process electronic communications metadata, and (2) place cookies or similar technologies on end-users’ terminals, subject to specific conditions and safeguards, namely:

  • conducting a data protection impact assessment and, where appropriate, consulting the relevant supervisory authority;
  • implementing appropriate security measures;
  • providing information to end-users about the data processing activities taking place;
  • providing end-users with the right to object to such data processing; and
  • refraining from sharing metadata or information collected via the use of cookies or similar technologies with third parties, unless it has been previously anonymized.

However, pursuant to the proposed revisions, the end-users’ interests will be deemed to outweigh the interests of the electronic communications network or service providers if the metadata or information collected through cookies and similar technologies is used to determine the nature and characteristics of end-users, or to build individual profiles, as well as if sensitive personal data within the meaning of the GDPR is involved. Furthermore, the end-users’ interests will be deemed to override the interests of the service provider in the use of cookies or similar technologies if the end-user is a child.

The EU Council Presidency also proposes a number of revisions to the recitals of the Draft ePrivacy Regulation, in which it gives some examples of situations where the legitimate interest ground can be relied upon for the use of cookies or similar technologies. In particular, the revised recitals refer, for example, to situations where end-users are in an existing customer relationship with the service provider and (subject to certain conditions) cookies are used to ensure the security of information society services, to prevent fraud or detect technical faults, to fix security vulnerabilities and other security bugs, or for website content or services that are accessible without direct monetary payment and that are wholly or mainly financed by advertising (such as online newspapers and other press publications or audiovisual media services).

The EU Council Presidency’s revisions will be discussed at the next WP Tele meetings on March 5 and March 12, 2020. The EU Council Presidency also indicated that it is currently reflecting on additional revisions and intends to issue an additional document to be discussed during these meetings.