The e-Privacy Regulation (the ‘Regulation’) seems to have become a never ending story for the European Union. The Regulation aims to modernize the rules for traditional telecom companies and to extend the scope of application to new communication services such as Skype, Whatsapp and Facebook. The Regulation also gives conditions for placing cookies, direct marketing and the use of metadata generated on the Internet.
The Regulation is intended to replace the e-Privacy Directive (the ‘Directive’) that originates from 2002. Replacement of the Directive is necessary in order to bring the legislation more in line with the digital developments of recent years. The advantage of a Regulation is that it does not have to be implemented in national legislation.
An initial proposal for the Regulation was already made in 2017, followed by difficult negotiations between the European Council and the European Parliament. We discussed these negotiations in an earlier article. Subsequently, the European elections in 2019 caused further delay. A new European Parliament now has to give its opinion on the Regulation.
In the meantime, Croatia, as the current president of the Council of Ministers of the EU, has given new impetus to the negotiations on the Regulation and has also made a number of interesting proposals for amendments. This article discusses the latest amendments proposed by Croatia.
The Croatian proposal extends the grounds for the processing of personal data collected through cookies. Personal data collected through cookies may also be processed on the basis of a legitimate interest of the data controller, unless the privacy interest of the data subject prevails. In assessing this, the reasonable expectations of the data subject must be taken into account. The data controller must carefully assess whether this legitimate interest exists.
The privacy interest of the data subject shall prevail in any case if the data subject is a minor, the personal data are used for profiling or segmentation or if it concerns special categories of personal data.
The processing of personal data on the basis of the legitimate interest is subject to a number of additional restrictions. For example, these personal data may not be shared with third parties. Therefore, the basis cannot be used for advertising and social media cookies anyway. In addition, a privacy impact assessment must be carried out on the processing. The data subject must be properly informed about the processing of his or her personal data and about his or her right to object to the processing. Finally, appropriate technical and organizational measures must be taken to protect personal data.
Examples of a legitimate interest given in the recitals of the Regulation include the following:
- maintaining or restoring the security of the services provided or of the end-user’s terminal equipment;
- prevention of fraud and detection of technical errors;
- software updates to mitigate security risks provided that the user can postpone and refuse such updates;
- a service provider that is completely dependent on advertising revenue on its website and is also an online news service. The person concerned must then be provided with clear information about the cookies.
- It is noteworthy that the consideration to this example adds that the person concerned must ‘accept’ this use. This is remarkable, because the basis of a legitimate interest can be useful in the absence of permission from the person involved. The question is therefore whether the heavy demands placed on consent are not introduced through the back door of acceptance in the legitimate interest.
The grounds for processing Metadata have also been extended to include the ground of legitimate interest and also when this is necessary for the provision of the service and invoicing on the basis of a contract with the data subject.
The use of the legitimate interest ground is subject to the same restrictions and safeguards as those that apply for the legitimate interest ground for the use of personal data obtained through cookies.
Examples given of a legitimate interest in the processing of metadata include again the detection of fraud, abuse or registration and invoicing of the services. Scientific and statistical research may also give rise to a legitimate interest.
Furthermore, the latest published document on the Regulation of 6 March shows that the various European bodies are still negotiating the material scope of the Regulation.
All Member States will now have time to react to the planned amendments. The last word has certainly not yet been said about these proposed amendments.