On Wednesday 4 November, the German Presidency of the EU Council submitted a new compromise proposal on the draft ‘e-Privacy’ regulation to its telecommunications working party. The proposal takes into account the recent Court of Justice judgment on data retention and European initiatives to combat child pornography.
The text also abandons the notion of “legitimate interest” as a legal basis for processing metadata without consent (see EUROPE 12522/10).
This new version, the fifth under the German Presidency, will be discussed by delegations in working parties on 11 November.
Just like seven Member States before it, Germany hopes, before the end of its mandate, to reach a general approach on this text, the purpose of which is to replace the current directive on the confidentiality of electronic communications (e-Privacy) and cover call or instant messaging services such as WhatsApp (see EUROPE 11700/1).
The new context taken into account
This new compromise takes into account the changed context. On the one hand, it removes the legal basis that allows data to be processed without consent in order to combat child pornography (Article 6d), as a result of the temporary derogation recently proposed by the European Commission and its commitment to present a more permanent proposal (see EUROPE 12592/20, 12557/13 and 12575/25).
On the other hand, it deletes the Articles (6.1.d and 7.4) that allowed data and metadata to be processed for public security purposes (to prevent, investigate, detect or prosecute criminal offences or enforce sentences). The compromise refers to the judgments issued on 6 October by the EU Court of Justice in cases C-623/17, C-511/18 and C-512/18 and C-520/18 (see EUROPE 12575/13).
“An analysis of these judgments has led the Presidency to the conclusion that the general clause on restrictions in Art. 11 enables EU and Member States to regulate data retention in conformity with EU law and there is no further need for additional provisions in the ePrivacy regulation”, the new document states. “Such specific provisions in the ePrivacy regulation could even entail the risk of further restricting potential future legislation on data retention at national or EU level”.
Recital 26 states, however, that the regulation under consideration should not affect the ability of Member States to carry out lawful interception of electronic communications, in particular by requiring providers to enable and help them to carry out lawful interception, or to take other measures, such as legislative measures allowing data to be retained for a limited period of time in order to safeguard the public interest.
Other amendments
On the difficult issue of cookies, Germany is relying on an earlier version prepared by Finland in favour of a white list to avoid the consent procedure. The text does not preclude cookie walls, a practice that prohibits a user from accessing a site if they do not consent to their date being processed. This is permitted as long as there is an alternative or that there is not an “imbalance between the end-user and the service provider”. These imbalances exist with regard to services provided by public authorities or by “service providers in a dominant position”, for example.
Finally, with regard to the protection of devices, the new version reintroduces the rationales related to software updates or cyber security.
The draft compromise can be found at: https://bit.ly/3l1XA23 (Original version in French by Sophie Petitjean)