Council sets out Position on ePrivacy Regulation

At the beginning of 2017 the EU Commission presented a proposal for a regulation on respect for private life and the protection of personal data in electronic communications (ePrivacy Regulation), which is now finally being followed by a mandate of the EU Council for negotiations with the EU Parliament.

The regulation is intended to replace the ePrivacy Directive of 2002 and to "clarify and complement" the General Data Protection Regulation (GDPR). In particular, it aims to guarantee end users' fundamental rights to privacy, confidentiality of communications and protection of their personal data when using electronic communications services. In addition to classic services such as telephone and SMS, this will in future also include webmail and internet services such as Skype, WhatsApp or Facebook. The cep has examined the proposal in a cepPolicyBrief, see cepPolicyBrief No. 16/2017.

While the responsible committee in the European Parliament was quickly able to agree on a position on the proposed regulation, the Council had a much harder time. Now, after four (!) years, the Council was finally able to agree on a mandate for negotiations with the European Parliament.

Particularly controversial was how to deal with cookies in the future, which many websites use to target advertising. The compromise now reached by the Council provides that access to the terminal equipment of website users, which is necessary for the setting of cookies, is, in principle, initially prohibited. However, numerous exceptions are defined:

For example, the storage of cookies or the collection of information from the terminal equipment is to be permitted if the user of the device has consented. Without consent, such accesses are permitted in particular for audience measurement, for maintaining and restoring the security of the device or for installing security updates.

In addition, the Council wants to establish an exception for accesses that are absolutely necessary to provide a service specifically requested by the user. This exception includes, for example, cookies that are necessary for online shopping to remember products in the shopping basket or for authentication when making online payments. Online newspaper portals and other press publication portals that provide their services for journalistic purposes in accordance with freedom of opinion and information and are financed in whole or in part by advertising are now also to benefit from this exception. Cookies set by such portals are, thus, apparently also to be considered "necessary" for the provision of a specifically requested service. However, these accesses must be "accepted" by the readers of the news portals, who must be informed beforehand in a clear and user-friendly manner. It is unclear how this differs from consent.

Cookies can also be used without the user's consent if they serve to measure the "effectiveness" of a service, for example with regard to the design of a website or also with regard to advertising. However, such cookies must never be used to identify the nature of the user as such.

In order to facilitate consent, users will in future also be able to grant it via software settings or allow certain providers in "whitelists" to track for certain purposes. The regulation does not oblige software providers to do this, but "encourages" them to provide settings that allow end users to manage consent provision in a user-friendly and transparent way. However, directly given consents should always prevail over consent decisions made in software settings.

Effective user consent requires, among other things, that the user has given consent voluntarily. For this to be the case, the user must have a genuine choice, which is questionable in the case of so-called cookie walls, which make access to the content of a website dependent on the acceptance of cookies that are not necessary. The Council is of the opinion that a website user has a genuine choice if he or she is able to switch to an alternative offer without a cookie requirement, which does not necessarily have to come from the same provider. Stricter rules should apply if there is a clear imbalance between providers and users, such as in the case of providers with a dominant market position. In these cases, the website user cannot, or can only with difficulty, switch to an alternative service from another provider. If such an imbalance exists, these providers may not make access to their website dependent on consent to cookies being set for "additional purposes". This also applies to websites of public authorities, for example, since users often cannot de facto switch to alternative websites.

It is also new that providers may in future process information that they have permissibly collected with the help of cookies in the user's devices for other purposes under certain conditions. However, the prerequisite is that the new purpose is "compatible" with the purpose for which the data was originally collected, and that the providers comply with certain conditions. In particular, they must pseudonymise the data, may not build profiles of the users and may only pass the data on to third parties in anonymised form.

Now that the Council and the European Parliament each have a negotiating position on the ePrivacy Regulation, they can enter the trilogue negotiations. Let us hope that it will not take another four years until the next step in the legislative process is completed.


Philipp Eckhardt and Anja Hoffmann