The Presidency of the Council of the European Union released, on 5 January 2020, its revised text of the proposed Regulation concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and Repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) (‘the Draft ePrivacy Regulation’). In particular, the Draft ePrivacy Regulation recalls that the Presidency is proposing to simplify the text and to further align it with the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’), introducing modifications to ensure GDPR consistency and legal certainty for users and businesses.
More specifically, the Draft ePrivacy Regulation notes that the introduced amendments reflect the lex specialis relation of the ePrivacy legislation to the GDPR, and that, as such, every principle of the latter must apply, namely the accountability principle. Moreover, the Draft ePrivacy Regulation highlights that the most important amendment to the text is the possibility to process electronic communications metadata and to use processing and storage capabilities of terminal equipment and the collection of information from end-user’s terminal for further compatible processing, in accordance with Articles 5(1)(b) and 6(4) of the GDPR.
Moreover, and in relation to the material and territorial scope of the law, Article 3(6) of the Draft ePrivacy Regulation provides its own application to the processing of personal data by a controller not established in the EU, but in a place where Member State law applies by virtue of public international law.
Furthermore, and in relation to cookies and similar technologies, Article 8(1)(c) of the Draft ePrivacy Regulation has been amended by deleting the term ‘technically’, which was too much restrictive, considering that the ‘performance of a contract’ is already a legal basis under Article 6(1)(a) of the Draft ePrivacy Regulation itself. In addition, Article 8(1)(d) of the Draft ePrivacy Regulation has been amended to allow audience measurement to all service providers, under the conditions laid down in Articles 26 or 28 of the GDPR.
Lastly, Article 29(2) of the Draft ePrivacy Regulation introduces a new deadline of 12 months for its entry into force and application.
You can read the Draft ePrivacy Regulation here.