After 4 years of procrastination, interinstitutional negotiations on the draft regulation on the confidentiality of online communications will finally be able to start. On Wednesday 10 February, the ambassadors of the Member States to the EU (Coreper) adopted the Council’s position on this text (known as e-Privacy) without the support of Germany and Austria, who abstained.
The draft mandate unveiled by EUROPE a few days ago was adopted with some adjustments. According to information circulated on Twitter and put online by Euractiv, these concern the retention of data for public security purposes (Article 7) and the exclusion of national security from the scope of the Regulation (see EUROPE 12653/4).
A few days earlier, the Portuguese Presidency of the Council of the EU had submitted to the Coordination Committee in the area of police and judicial cooperation in criminal matters (CATS) a working document, of which EUROPE has obtained a copy, interpreting the ruling of the Court of Justice of the EU on data retention.
The main lines of the EU Council’s mandate
The draft regulation, presented in January 2017 by the European Commission, aims to replace the current Electronic Communications Privacy Directive (e-Privacy) to cover call or instant messaging services such as WhatsApp (see EUROPE 11700/1). It identifies the legal bases for the lawful processing of content, data and metadata related to online communications. This includes, for example, activities to ensure the integrity of communications services or to check for the presence of malicious software or viruses.
Overall, the EU Council adopts a less strict position than the European Parliament (see EUROPE 11887/8). For example, it authorises the processing of metadata for purposes other than that for which they were collected. Nor does it prohibit cookie walls, a practice whereby a user cannot access a service without first agreeing to be tracked, provided that there are real alternatives.
Data retention and the Court’s judgment
The EU Council’s mandate also attempts to translate the judgment of the Court of Justice on data retention into the draft Regulation (see EUROPE 12575/13).
According to a working document dated 2 September, this ruling allows data to be retained for a limited period of time where there are real threats to national security. It also allows targeted retention of traffic and location data to combat crime and preserve public safety. However, the Portuguese Presidency points out that the Court is being more flexible with regard to IP addresses and civil identity data (although the storage of the former must be limited in time).
The EU Council’s negotiating mandate stresses that the preservation of metadata must be “in accordance with fundamental rights and freedoms” and be “necessary and proportionate in a democratic society”.
Link to the negotiating mandate: http://bit.ly/3aSzXoX
(Original version in French by Sophie Petitjean)