EU member states agree negotiating stance for ePrivacy regulation

The EU-wide regulation, which will replace the existing ePrivacy directive, is intended to bring web-based email and messaging services and voice over internet protocols under privacy rules that previously only applied to telecoms providers.

“As a main rule, electronic communications data will be confidential. Any interference, including listening to, monitoring and processing of data by anyone other than the end-user will be prohibited, except when permitted by the ePrivacy regulation”, the Council said.

The European Council agreed that the regulation will cover electronic communications content and related metadata, such as information about location, time and recipient of the communication. The rules will also apply to machine-to-machine data transmitted via public networks through the Internet of Things.

The suggested plan does permit processing of electronic communications data without consent in some instances, such as ensuring the integrity of communications services, and checking for the presence of malware or viruses.

It would also permit processing in cases where this is necessary for the “prevention, investigation, detection or prosecution of criminal offences” or prevention of threats to public security. This would be allowed via derogations of the law by union or member states.

The text of the agreement says the end-user should have a “genuine choice” on whether to accept cookies. “Making access to a website dependent on consent to the use of cookies for additional purposes as an alternative to a paywall will be allowed if the user is able to choose between that offer and an equivalent offer by the same provider that does not involve consenting to cookies”, the Council says.

Meanwhile, changes to the existing ePrivacy directive in December, which extended the scope of privacy rules to ‘over-the-top’ applications including instant messaging services, continue to cause concern that the ability to tackle online child abuse may be hampered. The changes remove the explicit legal basis for service provider processing users’ content or data.

“This impasse is already having a serious impact on reporting,” said Najat Maalla M’jid, United Nations Secretary-General’s Special Representative on Violence Against Children.

The European Commission had proposed a derogation to solve this issue but this has yet to be adopted and the EU has said it will present legislation to tackle child sexual abuse online in the second quarter of 2021.

GRC World Forums reported last month that the Five Eyes intelligence-sharing network has also raised concerns.