by Laura Fannin , Ruth Prendeville March-12-2021 in Data Protection

The Council of the European Union recently announced that it has agreed its negotiating position in respect of the draft ePrivacy Regulation which, once approved and signed into law, will replace the existing ePrivacy Directive1.  This is a significant development for the draft Regulation, which has been wading its way through the EU legislative process for more than four years now.

 

Introduction

The ePrivacy Directive and the Irish ePrivacy Regulations of 20112 (which implement the ePrivacy Directive in Ireland) (the “ePrivacy Laws”) set out the rules for protecting privacy and confidentiality in the operation of electronic communications services.  Key activities that are governed by the ePrivacy Laws include using cookies and similar identifiers to monitor online behaviour for different purposes, and sending direct marketing communications to individuals by electronic means such as via email and text message.

The ePrivacy Laws were due to be updated in line with the introduction of the General Data Protection Regulation in 2018.  This has not yet occurred in circumstances where, to date, EU Members States have not been able to agree on the final text of the new Regulation.

 

The revised draft of the Regulation

A revised draft of the Regulation was published on 10 February 2021.  Some of the key features of this latest draft are as follows:

  • In addition to applying to electronic communications content, the Regulation will also apply to metadata relating to such communications. Metadata includes, for example, details concerning the location, time and recipient of the communication in question.
  • The general rule will be that electronic communications data is confidential and any interference, such as by listening to, monitoring or processing the data, will be prohibited unless specifically permitted by the Regulation. Permitted purposes will include ensuring the integrity of communications services, checking for the presence of malware or viruses, or for the investigation and prevention of crime.
  • Examples of circumstances in which metadata will be permitted to be processed include for the purposes of billing or for detecting or preventing fraudulent use. Metadata will also be permitted to be processed to protect users’ vital interests, for example for the purpose of monitoring epidemics and their spread.
  • The draft Regulation provides that users who have consented to the processing of electronic communications data will be reminded of the possibility to withdraw that consent at periodic intervals of no longer than 12 months, unless they request not to receive such reminders.
  • Storing information on users’ terminal equipment (such as by placing cookies and other online identifiers on their devices) will only be permitted with the users’ consent or for other specific purposes laid down in the Regulation. Such purposes are stated in the draft Regulation to include where storing information on the users’ terminal equipment is strictly necessary for providing a service specifically requested by such users.

As was the case with the previous draft of the Regulation, the revised draft allows for cookies and other online identifiers to be stored on users’ devices without consent for the purpose of audience measuring, subject to specific safeguards being in place.  This provision will be important for service providers who rely on analytics in order to optimise and improve their services.

  • Users must have a genuine choice as to whether they wish to accept cookies or similar online identifiers. It will be permissible to give users the choice of accepting cookies as an alternative to paying for the service in question, so long as users are able to choose between that offer and an equivalent offer by the same provider that does not involve consenting to cookies.
  • To avoid cookie consent fatigue, end users will be able to programme their browser settings to permit the use of certain types of cookies by one or several providers (known as “whitelisting”).
  • The rules in respect of unsolicited and direct marketing communications will broadly remain the same as those under existing ePrivacy Laws.

 

What will happen next?

The EU Council and the European Parliament will now negotiate the text of the draft Regulation, with the European Commission facilitating those negotiations.  We will provide further updates in respect of the negotiations as they occur.

You can access the text of the current draft of the Regulation here.

 

For further information, please contact Laura Fannin lfannin@hayes-solicitors.ie or Ruth Prendeville rprendeville@hayes-solicitors.ie at Hayes solicitors.

[1] 2002/58/EC.

[2] S.I. 336 of 2011.

Back to Full News
Share this article:

About the Authors

Laura Fannin
Laura Fannin

Laura is a partner in the Commercial & Business team at Hayes solicitors. Laura advises clients on a diverse range of corporate and commercial matters and regulatory requirements. She is an experienced adviser on terms and conditions of sale and purchase, IT issues, data protection, product liability, advertising and promotions, intellectual property and a wide range of commercial agreements.

Ruth Prendeville
Ruth Prendeville

Ruth is an associate solicitor in the Commercial & Business team at Hayes solicitors. She advises on an array of commercial and regulatory matters, including in the areas of privacy and data protection, intellectual property, terms and conditions of purchase and sale, advertising and promotions and commercial contracts.  Her clients include those from key business industries including media and entertainment, advertising, motor, food, accountancy, manufacturing and business networking.