Op:Ed: “The Council’s Position regarding the proposal for the ePrivacy Regulation: out of the frying pan and into the fire? ” by Tiago Sérgio Cabral
1. The Council’s Position
On 10 February 2021, the Council of the European Union (finally) agreed on a negotiating mandate regarding the proposal for a new ePrivacy Regulation (the Council’s text shall be referred to as the ‘Council’s Position’ and the original Commission proposal as the ‘ePrivacy Proposal’), breaking a multi-year deadlock and giving new breath to the proposal which is meant to replace the current ePrivacy Directive 2002/58 and establish a coherent framework between the lex specialis and the general rules contained in the General Data Protection Regulation 2016/679 (GDPR).
While some expectations could be noted due to the long-awaited agreement, public reactions to the Council’s Position were not exactly warm. Notably, the Federal Commissioner for Data Protection and Freedom, Ulrich Kelber, considered that the Council’s Position, if adopted, would be a blow for data protection across the European Union. Particularly controversial were the provisions of the Council’s Position which may allow for the implementation of cookie walls, the rules on data retention and ‘return’ of metadata processing without consent.
For anyone who follows the dynamics between Council and European Parliament in matters of data protection (and, in fact, regarding fundamental rights in general), it should not be surprising that the Council’s Position leans into the ‘lighter side of protection’. In the same manner, it is to be expected that a number of provisions in the Council’s Position will not find many fans in the European Parliament.
Institutions needed 14 trilogues before they could reach an agreement on the GDPR’s final text and it is likely that we are also in for a long journey regarding the ePrivacy Regulation. In a nutshell, we will be studying a very different set of provisions when the final text is agreed in a few months (or years).
With this in mind, it is certainly an important step and the Council’s Position merits a closer analysis. Out of the gate, we cannot ignore that if the Council’s Position was the final text it would lower the level of protection currently enjoyed by European citizens due to the weakening of several key provisions. That much is clear and can be ascertained by comparing the current legislation with the Council’s Position. However, we would argue that there is an even bigger problem with the Council’s Position: interpreting its provisions is a nightmare…
In other words: if the business-friendly vs privacy-friendly trade-off were true (which we do not believe it is), the Council’s Position would be good for neither side. It would fail the privacy-friendly test because of the weakening of key provisions, but it would also fail the business-friendly test due to being unclear and complex, contradictory in itself and even containing options that could raise questions when read in light of EU primary law.
To illustrate that position, the three controversial topics mentioned above are addressed in this Op-Ed: data retention, cookie walls and metadata processing, and it will be shown how the provisions regulating these three topics all suffer from serious drafting-related shortcomings.
2. Data Retention
The first example is data retention. The ePrivacy Proposal did not contain specific provisions and instead opted for a wording similar to Article 23 of the GDPR. As the Commission put it very well, that would mean that ‘Member States are free to keep or create national data retention frameworks that provide, inter alia, for targeted retention measures, in so far as such frameworks comply with Union law’. The Council reinserted a provision on data retention through Article 7(4) and added retention to Recital 26 of the ePrivacy Proposal. However, this provision is still subject to the limitations on restrictions of Article 11 of the ePrivacy Proposal and Council even made clear that Article 23(2) of the GDPR would be applicable to restrictions under the ePrivacy Regulation (which would always be the result of the subsidiary application of the GDPR).
So, it would appear that the end result is the same, but the Council’s Position is much more difficult to interpret. On this matter, one should not forget that excessive and/or indiscriminate data retention policies would always be incompatible with EU law (and no amendment to the ePrivacy Proposal could easily change that), as established by the Court of Justice in Digital Rights Ireland (C‑293/12 and C‑594/12),Tele2 (C‑203/15 and C‑698/15), Privacy International (C‑623/17) and La Quadrature du Net (C‑511/18, C‑512/18 and C‑520/18).
It is interesting to note that Portugal, the country which was finally able to broker the compromise is probably long due an infringement procedure in light of having more or less ignored the fact that the Court of Justice declared Directive 2006/24 to be invalid, and having kept its transposition law unchanged. Notably, the country’s Constitutional Court has issued a decision regarding the transposition law, where it crosses the line into interpreting EU law, without referring the matter to the Court of Justice for a preliminary ruling.
3. Cookie Walls
Recitals can provide clarification on certain aspects of operative provisions, including their scope or purposes. However, by themselves, they have no binding value and a recital that is not reflected in the operative provisions means little (See Nilson, C-162/97 and C., C-435/06). Recital 20aaaa is one such case. To add to this, the rules for consent are established in the GDPR and no relevant exceptions are provided for in the Council’s Position. Therefore, the Council proposes to use the non-binding part of one law to change the rules of consent enshrined within another law…
To be fair, the concept of freely given consent is not defined in the GDPR. However, the Council’s Position appears to favour an interpretation that is broader than anything currently accepted. Furthermore, recital 20aaaa contradicts recital 42 of the GDPR (a recital which is actually reflected in the body of the law). If the objective was to make cookie walls (unambiguously) lawful, that could have been achieved by inserting an exception into Article 4a of the Council’s Position. As it stands, it is just a very chaotic solution. It would not be surprising if the Court of Justice were to decide that recital 20aaaa, in the end, means nothing.
Recital 21aa suffers similar problems. Another Recital that is not reflected within the operative provisions. In this case, it completely tries to waive the need for consent, but it requests an ‘acceptance’, a concept that is not defined anywhere in the law. In both cases, the Council’s Position does not limit in any manner the types of cookies or use of data collected through them, so it appears that this Institution considers even automated decision-making and profiling to be a acceptable, an option which would be problematic even under Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.
4. Compatible Processing of Electronic Communications Metadata
Lastly, we must address Article 6c of the Council’s Position, regarding ‘compatible processing of electronic communications metadata’. This Article provides for a reinforced version of the compatibility test under Article 6(4) of the GDPR (applied to communications metadata). However, after the compatibility test is performed, it is not clear what the legal basis for processing should be. Is it legitimate interests under 6(1)f of the GDPR? If so, do the restrictions of this legal basis apply? Does the data subject have the right to object to this processing? Should the data subject be informed under Article 13 of the GDPR? Alternatively, Article 6c of the Council’s Position may be considered as sui generis legal basis, but then the same questions apply regarding which rights should be guaranteed to the data subject.
Of course, this provision in particular will certainly be the source of some conflict between Parliament and the Council, so it is not even certain that it will survive in the final version of the Regulation. Nevertheless, if it does, at least the above mentioned details need to be fleshed out, otherwise electronic communications providers will not know what rules they should apply, and nor will data subjects be able to exercise their rights.
While we are likely to still have to wait for the final version of the ePrivacy Regulation, the breaking of the deadlock in the Council is a step forward. But it is also a stumble, because the content of the Council’s Position, which along with the ePrivacy Proposal and Parliament’s Position will be the building blocks for the final agreement, is deeply flawed. The ePrivacy Regulation is sorely needed, as the current rules definitely show their age, and their interplay with the GDPR is not always the easiest or most adequate. Replacing a Directive with a Regulation will also be a welcome step in harmonising rules across the single market. However, to achieve a good result and produce a high-quality Regulation, the Council will have to own up to its mistakes and be available to reflect on and compromise on the weaker aspects of its Position, which currently raises both privacy-related and business-related concerns.
Tiago Sérgio Cabral is a lawyer working on Technology, Privacy, Data Protection, Cybersecurity and Artificial Intelligence. He is also a Researcher at the Research Centre for Justice and Governance – EU Law (University of Minho, Portugal).