Prospects for reaching an agreement under the Bulgarian Presidency of the Council on the confidentiality of electronic communications are progressively getting slimmer as time goes by. Two working party meetings have so far been planned on 13 and 28 March, whilst a working party agreement is required by the middle of May, if the ministers are going to be able to give their verdict on the issue at the June Council.
At this current juncture, the most controversial questions are on articles 6, 8, 10 and 11, which are, in fact, all still pending.
It should be recalled that the draft regulation seeks to enhance the confidentiality of online exchanges, whilst allowing service providers to use the personal data of customers that have given their prior consent (see EUROPE 11700). The most controversial questions focus on processing without prior consent (article 6), equipment protection (article 8), confidentiality parameters (article 10) and limitations (article 11).
Work progress under Bulgarian Presidency
The European Parliament established its position on 19 October (see EUROPE 11887), while the Council is still examining the draft. In December, Estonia published an amended draft text (see EUROPE 11919). Since then Bulgaria has taken over the rotating Presidency and has published three working papers: one on articles 6 to 10 (see EUROPE 11939), another on articles 12 to 16 (see EUROPE 11948) and a final one on article 11. The member states have been requested to provide their responses on this final section before the middle of March.
Exceptions to obligatory consent
On article 6, a large majority of member states wanted to extend the list of derogations that would allow data processing without the user’s prior consent. Last January, the Bulgarian Presidency listed several possible derogations, including legal trade practices or those on legitimate interest. According to the information we have received, the Presidency could possibly move towards an intermediate solution, "between the allocation of pseudonyms and extending the list of exceptions for metadata processing”. The reasons of legitimate interest would be abandoned. The question is expected to be discussed by the end of the month or in April.
Tracing
On article 8, two options (out of the five envisaged by the Bulgarian Presidency) have won the support of the member states: option 2, in favour of a risk-based approach (for example, by differentiating tracers or similar techniques based on the level of threat presented) or option 4, which subjects access to content on certain websites to accepting certain tracers if this is necessary for achieving a legitimate objective.
On article 10, the Presidency proposed the following options: (1) a software confidentiality default, with the possibility of modifying this parameter later; (2) the software would have to provide users with two choices and they will also have to be appropriately informed; (3) default confidentiality, with the possibility of authorising tracing for certain sites; (4) all other possible solutions. The subject was discussed on a single occasion in January and is expected to be included in discussions again in April with, as a possible compromise, the idea of software confidentiality not having to be decided during installation phase but during the first time it is used, a kind of “White list" that would allow the user to authorise traces on a case by case basis.
Database preservation
On article 11, the Bulgarian Presidency called on experts to demonstrate creativity in the context of the Télé2 judgement (see EUROPE 11694). It should be recalled that this decision made in 2016 followed the case lodged by Digital Right Ireland which set out the criteria that needed to be respected in the data preservation field (prohibiting mass data preservation, for example) and on access to this data. The most recent Bulgarian Presidency document distributed in February questions the delegations about the need to include additional safeguards regarding the Commission proposal, namely, limitations pertaining to the general interest in reference to article 23 of the general regulations on data protection (2016/679) (points (a) to (e)). According to the Bulgarian Presidency, the member states appeared to agree on recognising that the legislative proposal, “does not constitute a legal basis for preserving data”. There are, however, many questions still pending, for example, access to inspection services and the period of time for preserving data, etc. (Original version in French by Sophie Petitjean)