After four long years of discussions, the Council of the European Union could finally define its position on the draft regulation on the confidentiality of electronic communications. At its meeting on 10 February, the Committee of Permanent Representatives (Coreper) will be invited to support the draft compromise prepared by the Portuguese Presidency of the EU Council (see EUROPE 12630/12).
Four years of discussions
This proposal, presented in January 2017, aims to replace the current Privacy and Electronic Communications Directive (e-Privacy) to cover call or instant messaging services such as WhatsApp (see EUROPE 11700/1).
It clarifies and complements the provisions on data protection, in particular by translating the principles of the General Data Protection Regulation (GDPR - Regulation 2016/679) into specific rules applicable to online communications. In particular, it identifies the legal bases for the lawful processing of content, data and metadata related to online communications.
Originally, this text was intended to be applied at the same time as the General Data Protection Regulation, in May 2019, but given the delay in the EU Council, the Portuguese Presidency is suggesting a deadline of “24 months” for its application.
However, this will still require an agreement with the European Parliament, which adopted its position in October 2017, bearing in mind that the latter defends a much stricter line than that of the EU Council (see EUROPE 11887/8).
The Finnish Presidency's groundwork well done
The Portuguese draft compromise is based on the work of eight rotating EU Council Presidencies. It is particularly inspired by the text submitted to Coreper at the end of 2019 by Finland, but which had been rejected by 14 delegations (see EUROPE 12375/11).
The German proposals, which are very much in favour of confidentiality, and the commitments made by the European Commission on the fight against child pornography have indeed pushed the Member States to return to earlier versions (see EUROPE 12557/13).
“The most important change the Portuguese Presidency has proposed is the re-introduction of the possibility to process electronic communications metadata and to use the processing and storage capabilities of the end-users' terminal equipment, including collection of information for further compatible processing”, the Portuguese Presidency explains in its introductory text.
Subsequent compatible processing, previously withdrawn by the German Presidency, allows processing for other reasons than those originally intended, provided that ‘anonymisation’ is carried out prior to use. The text also recommends that the primary purpose, the context, the nature of pseudonymous metadata, the possible consequences of such processing and the existence of safeguards need to be taken into account.
A few days away from Coreper, both are relatively optimistic. The main difficulty, we are told, could relate to the issue of preserving metadata for reasons of public security. In light of the recent Court ruling, the Portuguese compromise allows such retention “for a limited period that may be extended if threats to public security of the Union or of a Member State persists” (see EUROPE 12575/13).
Cookie walls and ‘consent fatigue’
The draft mandate also takes a less strict stance than the Parliament on cookie walls, a practice whereby a user cannot access a service without first agreeing to be traced. Where the European Parliament suggests a ban, the EU Council text states that this practice can continue to exist, provided that the user has a real choice between a paid offer and a free offer with cookies. However, it points out that this is not the case when an actor is in a dominant position.
Unlike the Commission's proposal, the Portuguese draft deletes the provisions on privacy settings through the browser (Article 10). In order to prevent the user from having to continually give his consent to accept cookies, however, it supports the idea of whitelists in the software settings (recital 20a) introduced by the former Finnish Presidency. In addition, it provides that the user will be reminded once a year, at the most, of the possibility to withdraw consent.
For the rest, in the text, Member States are encouraged to introduce a specific code or prefix to help users identify commercial calls and, in the event of a breach of the principle of confidentiality or the time limit for deleting data, the EU Council draft suggests an administrative fine of up to 20 million or 4% of the company's annual worldwide turnover.
Link to the draft mandate of the EU Council: http://bit.ly/39ZND27 (Original version in French by Sophie Petitjean)