Brussels, 10 February 2021 – EuroISPA welcomes the conclusion of the discussions in Council on the ePrivacy Regulation. After over four years of complex deliberations, we are now looking forward to the start of the negotiations with the European Parliament and the European Commission. The current text is the first step towards greater legal clarity and interoperability between the ePrivacy Regulation and the GDPR regimes. This clarity is needed for businesses in Europe to plan, operate, and innovate as well as to allow for the commercial support of the free and open internet. We welcome the introduction of further compatible processing and the performance of a contract as legal grounds for metadata processing. We believe that these must be preserved during the future negotiations if we want to have a coherent and harmonised EU data framework which ensures legal certainty for European businesses. However, we consider that further work on the text is still necessary.
We regret that the Council-agreed text reinstated a previous version of the “compliance with a legal obligation” ground, thereby restricting that legal ground even further and diverging from the GDPR.
In view of the negotiations, we would like to reiterate the key areas which are worth clarifying:
- Material scope: We believe that to ensure consistency in the EU acquis, it would be necessary to further define the interplay with the GDPR and clarify when the GDPR stops applying and the ePrivacy Regulation starts.
- B2B processing: In the business-to-business (B2B) context, providers of electronic communications services generally will not have a relationship with the end-users of their services. Clarification is therefore needed that, in such circumstances, consent can be provided by the enterprise customer.
- Enforcement: There is a need to ensure that supervisory authorities and the enforcement and cooperation mechanisms are consistent with the GDPR standards. We need to avoid a situation where providers could be subject to oversight by multiple supervisory authorities for the same activities across the EU.
- M2M processing: The application to machine-to-machine (M2M) communications must be limited in scope to high-risk instances, instead of applying to any kind of such communications, so as to limit the risk of making a wide range of critical enterprise processes highly burdensome.
- Privacy-preserving technologies: The industry strives to keep developing privacy-protective data processing alternatives (e.g. on-device machine learning, new aggregation techniques, and other privacy-enhancing advances). The ePrivacy Regulation should not restrict innovative and privacy-protective new approaches that are designed to benefit individuals and strengthen their privacy online.
We look forward to the beginning of the negotiations and we remain willing technical partners to the institutions in defending the much-needed flexibility on the legal basis and the interoperability with the GDPR.