With just 11 days to go until it begins operating, the Austrian Presidency of the Council of the EU presented its main proposals on the ePrivacy regulation. Its compromise proposal, focusing on innovation, suggests making the subsequent processing of megadata from electronic communications easier and is looking at the possibility of scrapping the provisions linked to parameterisation (article 10).
It should be recalled that the draft regulation aims to enhance the privacy of online exchanges, including over the top service providers, whilst allowing service providers to use the personal data of customers that have given their prior consent (see EUROPE 11700). Since 26 October 2017, the European Parliament has been waiting to begin negotiations with the Council (see EUROPE 11892).
In this context, the Austrian Presidency published a new compromise proposal on articles 6, 8 and 10, which integrate the main results of the Telecommunications Council on 8 June (see EUROPE 12037). These proposals will be discussed during a working party on 17 July.
Along the main changes, Vienna is suggesting that they quite simply scrap article 10 that makes it incumbent on software providers that facilitate electronic communications from helping end users efficiently choose their privacy settings.
Subsequent processing of meta data
Another substantial change involves the subsequent processing of metadata (article 6). The Council is looking at the possibility of authorising the processing of metadata from electronic communications in cases involving network management or optimisation, invoicing, protecting the vital interests of a natural person or for statistical purposes. The Austrian Presidency, however, would like to go further by allowing the subsequent processing of metadata, namely, for other objectives than those that have been requested. The draft compromise stipulates that this subsequent processing should represent a “proportionate and necessary measure in a democratic society” with regard to the link between the initial and subsequent objectives, the context, the kind of metadata in question, ramifications for the end user and the provision of appropriate safeguards. The text emphasises that this kind of subsequent processing is only possible if, and only if, this kind of processing is not possible on the basis of anonymous information and that the metadata are immediately removed or made anonymous after they have been used and that the processing is restricted to pseudo-anonymous metadata and that the final purpose is not for profiling (art. 6(2a)). Similarly to the previous castings, the text stipulates that network or service providers must not share this metadata (only if they are anonymous) and that they should check the impact of the processing and consult the regulatory authority, as well as inform the user and allow the latter to effectively oppose this use (art 6(2aa).
Cookies
One can recall that at the most recent Telecommunications Council, Germany very clearly indicated that it was opposed to the provisions of article 8 due to the impact on targeted advertising. This article is related to the protection of devices (IPads, telephones and computers).
In its draft compromise, Austria indicates that at the request of the delegation, it will introduce a change in recital 20 that will help clarify this question. That said recital explains that “Making access to the website content provided without direct monetary payment conditional to the consent of the end-user to the storage and reading of cookies for additional purposes would normally not be considered disproportionate in particular if the end-user is able to choose between an offer that includes consenting to the use of cookies for additional purposes on the one hand, and an equivalent offer by the same provider that does not involve consenting to data use for additional purposes on the other hand”. It also stipulates that a website proposing services provided by the public authorities cannot ban access to its content under the pretext that the user has not agreed to cookies. Finally, it should be pointed out that this version removes recital 22 on the parameterisation of browsers/and apps and recital 24 on the level of protection dealing with third-party cookies. The draft compromise can be consulted at the following link: https://bit.ly/2JeheEF . (Original version in French by Sophie Petitjean)