Insights European Data Protection Board adopts Statement on the draft E-Privacy Regulation


On 9 March 2021, during its 46th plenary session (see item above), the EDPB adopted a Statement welcoming the Council’s agreed negotiation mandate adopted on 10 February 2021, as a positive step towards a new E-Privacy Regulation.

In the Statement, the EDPB makes clear that the Regulation must “under no circumstances” lower the level of protection offered by the current E-Privacy Directive (2002/58/EC), but should complement the GDPR by providing additional strong guarantees for confidentiality and protection of all types of electronic communication. “In no way can the ePrivacy Regulation be used to de facto change the GDPR”, it says.

The EDPB sets out a number of issues that it says should be addressed in the upcoming negotiations with the EU Parliament:

  • concerns regarding processing and retention of electronic communication data for the purposes of law enforcement and safeguarding national security: the EDPB says that legislative measures requiring providers of electronic communications services to retain electronic communication data must comply with the EU Charter of Fundamental Rights, the latest case law of the CJEU, and the European Convention on Human Rights;
  • confidentiality of electronic communications requires specific protection: confidentiality of communications is a fundamental right protected under the Charter already implemented by the E-Privacy Directive; this right must be applied to every electronic communication, regardless of the means by which it is sent;
  • general prohibitions with narrow exceptions for personal data processing: the EDPB is concerned that some exceptions introduced by the Council seem to allow for very broad types of processing. It notes the need to narrow down those exceptions to specific and clearly defined purposes;
  • strong and trusted encryption is a necessity in the modern digital world: strong state-of-the-art encryption should be the general rule to ensure a secure, free and reliable flow of data between citizens, businesses and governments, and is crucial to ensure compliance with the security obligation of the GDPR; end-to-end encryption, from the sender to the recipient, is the only way to ensure full protection of data in transit; encryption must remain standardised, strong and efficient;
  • the new Regulation must enforce the consent requirement for cookies and similar technologies, and offer service providers technical tools allowing them to easily obtain such consent: provisions on consent under the GPDR apply in the context of the E-Privacy rules; the need to obtain a genuine freely-given consent should prevent service providers from using unfair practices, such as “take it or leave it” solutions, which make access to services and functionalities conditional on the consent of a user; the EDPB stresses the need to include an explicit provision in the Regulation to enshrine this so that users can accept or refuse profiling;
  • audience measurement should be limited to non-intrusive practices that are not likely to create a privacy risk for users: the derogation for audience measurement proposed by the Council is too broad and could lower the level of protection of end users’ terminals; the derogation should be limited to low level analytics necessary for the analysis of the performance of the service requested by the user and should be solely limited to providing statistics to the service operator; it must be put in place by the operator or their processors;
  • effective way to obtain consent for websites and mobile applications: browsers and operating systems should have to put in place a user friendly and effective mechanism allowing controllers to obtain consent in order to create a level playing field between all actors; the scope of the Regulation should also explicitly include browser and operating system providers;
  • further processing for compatible purposes: the EDPB welcomes the original proposal of there being a general prohibition, with narrow exceptions and the use of consent; it notes that further processing for compatible purposes entails the risk of undermining the protection afforded by the Regulation, especially for processing electronic communications metadata, by allowing processing for any purpose that is judged by the service provider to meet the “compatibility” clause;
  • future role of supervisory authorities, the EDPB and cooperation mechanism: in order to guarantee a level playing field on the Digital Single Market, it is essential to ensure harmonised interpretation and enforcement of all data processing provisions of the Regulation across the EU; oversight of privacy provisions under the Regulation should be entrusted to supervisory authorities under the GDPR.

To read the Statement in full, click here.