Louwers Advocaten
CONTACT
Louwers Advocaten
  • Expertise
    • IP & innovation
    • Privacy & security
    • IT & IT outsourcing
    • Internet & e-commerce
  • About us
  • Contact
Internet & e-commerce
  • nl
  • en
  • Expertise
    • IP & Innovation
    • IT & IT-outsourcing
    • Privacy & security
    • Internet & e-commerce
  • Services
    • Advice
    • Contracts
    • Litigation
    • Maintenance & support
  • Products
    • Webshop check
    • In-house training
    • Helpdesk
Specialists
  • Attorney-at-law
  • Ernst-Jan Louwers
  • Eva van Groezen
  • Annemarie Bolscher
  • Frank Rutgers
  • Paralegal
  • Sven van Dooren
  • Senior associate
  • Pieter de Laat
  • Lidian de Weert
  • Senior jurist
  • Lidian de Weert
  • Our team
References
  • Agrifirm
  • Balans Uitzendbureau
  • Bavaria
  • BeSporty
  • BTW Plaza
  • Cimpress
  • CycloMedia
  • Deloitte
  • Deryan
  • Driscoll’s
  • All references
News
  • Louwers further strengthens its team with Lidian d.. Lidian de Weert joined Louwers IP|Technology Advoc..
  • All news
Events
  • Walk-in hours – The Gate – Brainport E.. As partner of The Gate we will be available on Monday 3 October 2022,..
  • All events
Contact
  • nl
  • en
Internet & e-commerce
  • Services
    • Advice
    • Contracts
    • Litigation
    • Maintenance & support
  • Products
    • In-house training
    • Helpdesk
  • Specialists
  • References
  • News
Internet & e-commerce » News » The e-Privacy Regulation: will it come after all?

The e-Privacy Regulation: will it come after all?

18 February 2021

Last year, we wrote that the e-Privacy Regulation was becoming a headache for the European Union and we wondered aloud whether the regulation would ever come into being. The latter now seems to be a step closer. The European Commission (‘EC’) published a revised text proposal on 5 January 2021 and not long afterwards, on 10 February 2021, the Council of the EU’s Permanent Representatives Committee (‘Council’) reached agreement on a text proposal. Below we will discuss some interesting provisions of these recent proposals.

What is the e-Privacy Regulation again?

The e-Privacy Regulation is intended to eventually replace the existing 2002 e-Privacy Directive. That directive contains rules on the processing of personal data and the protection of privacy in the electronic communications sector.

Revision of the directive is necessary to bring the e-Privacy rules more into line with the digital developments that have occurred in recent years.

Among other things, provisions are added that deal with new technological and market developments, such as Voice over IP services, webmail and other messaging services, as well as techniques to track users’ online behaviour, including cookies. Also, alignment will be sought with the terminology and rules set out in the General Data Protection Regulation (‘GDPR’).

Territorial scope

The territorial scope of the ePrivacy Regulation will be extended. The regulation will apply not only to parties established within the EU, but also to parties established outside the EU in places where Member State law  applies by virtue of public international law.

The location of the end-user is also relevant to the scope. When located in the EU, the e-Privacy Regulation generally applies. This includes end-users within the EU to whom electronic communication services are provided, or whose content of and metadata about those electronic communications are processed, or to whom direct marketing communications are sent, etc.

In the aforementioned cases, parties established outside the EU (and where Member State law does not already apply by virtue of public law) must appoint a representative within the EU within one month form the start of its activities. This is not required where the activities falling within the scope of the regulation are occasional and are unlikely to result in a risk to the fundamental rights of end-users.

Cookies and similar techniques

Both the EC and the Council text proposals indicate that the use of cookie walls is permitted under certain circumstances. It is no longer considered necessary for an Internet user to be able to access the same online content by the same provider without accepting cookies. According to the EC, this would in practice mean too great a burden for online content providers (e.g, the online press), because such providers would then be obliged to simultaneously offer “free” content (without direct monetary payment) and paid content websites.

In practice, this means that the use of cookie walls is permitted as long as there are enough alternative providers of similar content.

If the end-user has few or no similar alternatives, and therefore has no real choice regarding the acceptance of cookies, the use of a cookie wall is not allowed. Think for example of content provided by public authorities.

To prevent end-users from getting fed up with constantly having to give their consent for cookies and similar techniques, both the EC and the Council want to make it possible for end-users to give consent to the use of certain types of cookies via browser settings. These cookies will then be placed on a ‘white list’ in advance. Software providers will be encouraged to make it easy for users to create and set such lists. Software providers are encouraged to include settings in their software which allows end-users to manage consent to the storage and access to stored data in their terminal equipment by easily setting up and amending whitelists and withdrawing consent at any moment.

Metadata

The e-Privacy Regulation also includes rules on the use of metadata. Metadata are data about the communication process, for example from which location messages are sent, to whom messages are sent and how often messages are sent. Metadata are potentially as sensitive as the content of messages.

Under both proposals, metadata may be processed without the end-user’s consent under certain circumstances, such as when it is necessary for the performance of the electronic communications service, for billing, calculating interconnection payments, detecting/stopping fraudulent or abusive use of electronic communications services, or for the vital interests of natural persons.

In line with the purpose limitation principle as included in the GDPR, pseudonymised metadata may also be used for purposes other than those for which they were originally collected, based on the recent proposals. Such processing must be compatible with the original purpose and certain additional conditions and safeguards must be met. However, metadata may not be further processed to determine the nature or characteristics of an end-user or to create a profile of an end-user that produces legal effects concerning that end-user or significantly affects him or her. Metadata must also be erased or made anonymous as soon as it is no longer needed to fulfil the purpose in guestion.

Direct marketing

The e-Privacy Regulation also contains rules on unsolicited and direct marketing communications. In this field, few changes seem to be in store for the Netherlands on the basis of the recent text proposals.

The basic principle remains that consent of the end-user is required for the purpose of sending or presenting direct marketing communications to end-users, unless a number of conditions have been met.

For instance, it must concern contact details obtained in the context of the purchase of a product or service, the direct marketing messages may concern own similar products or services only, and such end-users are given the opportunity to object to such use of their contact details clearly and distinctly, free of charge and in an easy manner.

The recent proposals do allow Member States to set a period of time withing which a natural or legal person may use the end-user’s contact details for direct marketing purposes, after the sale of a product or service occurred. Member States are also encouraged to introduce, through national legislation, a specific code or prefix to indicate direct marketing calls, so that end-users can protect their privacy more effectively.

What now?  

The legislative process can now move on to the next stage of negotiations, namely the trialogue between the EC, the Council and the European Parliament. Although it is not yet clear how long this phase will take, the run-up and current differences between the three proposals suggest that it might take some time.

Once agreement has been reached and the final text, a transition period will apply. During this period organisations can bring their business operations into line with the rules of the ePrivacy Regulation. The GDPR contained a two-year transitional period. In the most recent Council proposal this period is also two years. The EC proposal, however, provides for a one-year period.

 

Share this

Older news

  • Louwers further strengthens its team with Lidian de Weert Lidian de Weert joined Louwers IP|Technology Advocaten in Eindhoven on 1 December 2022. Lidian has previously worked as .. Read more
  • 15 years Louwers IP|Technology Advocaten! On 1 December 2006, Louwers IP|Technology Advocaten was established. We celebrated our 10th anniversary with a lively ga.. Read more
  • Software as a medical device in light of the new MDR: 12 points of consideration for developers (part 3 of 3). On May 26, 2021, the Medical Devices Regulation (EU 2017/745), better known as the Medical Devices Regulation (“MD.. Read more
  • The e-Privacy Regulation: will it come after all? Last year, we wrote that the e-Privacy Regulation was becoming a headache for the European Union and we wondered aloud w.. Read more
  • The right to be forgotten of search results The right to be forgotten was introduced in the Google/Costeja judgement of 13 May 2014. In response, Google create.. Read more
  • Online sales of alcohol further regulated More and more products are being sold online. This also goes for alcoholic beverages. This is caused by the increasing d.. Read more
News
  • General conditions & complaints procedure
  • Disclaimer