Data retention, location data, cookie banners: the ePrivacy Regulation is coming

Besides cookies, the purpose of the ePrivacy Directive is to regulate a much wider area: it contains specific data protection provisions for electronic communications data, in particular content data, traffic metadata, and location data that accrues when using the internet or talking on the phone. Importantly, it also regulates if and to what extent public authorities can access this data: Article 15 of the Directive provides that restrictions of the data protection provisions need to constitute "a necessary, appropriate and proportionate measure within a democratic society to safeguard national security".

By Epicenter.works (guest author) · June 16, 2021

Even though its effects are very visible, the ePrivacy Directive is hardly known to the wider public. Cookie consent dialogues, familiar to every web user, are often associated with GDPR and widely complained about since 2018. However, they are really a consequence of the ePrivacy Directive’s “cookie clause”, Article 5(3), which was added to the Directive already in 2009. This clause supplements GDPR, as even when a service provider claims a legitimate interest in tracking its users on a website, and does not use consent as a justification, the cookie clause requires that users must consent to the placement of a tracking cookie on their device. Exceptions from this consent requirement are narrow. Consent can be omitted, for example, if a placing cookie is necessary to provide a service that has been explicitly requested by a user. Tracking the user is not such a service.

Besides cookies, however, the purpose of the ePrivacy Directive is to regulate a much wider area: it contains specific data protection provisions for electronic communications data, in particular content data, traffic metadata, and location data that accrues when using the internet or talking on the phone. Importantly, it also regulates if and to what extent public authorities can access this data: Article 15 of the Directive provides that restrictions of the data protection provisions need to constitute “a necessary, appropriate and proportionate measure within a democratic society to safeguard national security”. In combination with the Charter of Fundamental Rights, this provision led to the annulment of the Data Retention Directive by the European Court of Justice in 2014. Subsequently, national data retention provisions in Sweden, in the UKin France, and in Belgium have also been found to be in contravention of EU law. In the UK, even twice — more on that later.

The ePrivacy Directive (originally enacted in 2002) is now to be replaced by the new ePrivacy Regulation, which was supposed to come into force in parallel with GDPR in 2018. However, it didn’t happen this quickly.

Where are we in the legislative procedure?

Legislative acts on the internal market in the EU are passed using the Ordinary Legislative Procedure. In this procedure, the Commission first makes a proposal which is then passed by the European Parliament and the Council (where the member states are represented) in two readings, where amendments can be made, a text can be accepted, or the proposal can be rejected completely. If there is no agreement between the Parliament and the Council after two readings, a conciliation committee can negotiate a joint text which can be passed in a third reading (or not).

Donate to EDRi to build a people-centered, democratic digital future. Donate Now

Because this procedure can take a long time, a shortcut has been inserted into the rules of procedure of Parliament and Council: even before first reading, the competent committee in the Parliament and the Committee of Permanent Representatives of the Council can decide on a negotiation mandate. Based on these mandates, the Parliament, the Council, and the Commission then hold so-called Trilogue negotiations. If the plenary of the European Parliament and the Council then pass the result of these negotiations (i.e. an identical text) in first reading, the legislative procedure ends there and the agreed text becomes law. The European institutions make use of this trilogue procedure very frequently, even though it is not provided for in the EU Treaties.

The Commission published its proposal on the ePrivacy Regulation in January 2017 and the Parliament decided on its negotiation mandated in October 2017. The Council, however, took its time. It took eight Council presidencies until the Council finally agreed on a negotiation mandate in February 2021. Eventually, the Trilogue negotiations started in May 2021.

Data retention

In Austria, data retention of communications data was introduced for use of this data by law enforcement. However, some member states went further and made this data available to their intelligence agencies as well. In the UK, in addition to Parliament passing a law on data retention (later declared incompatible with EU law by the European Court of Justice), the competent minister also passed an order on the transmission of communications metadata to the intelligence agencies. Once this order became public in 2015, EDRi’s member Privacy International initiated judicial proceedings and the case was eventually referred to the European Court of Justice (ECJ).

Before the ECJ, the UK argued Article 4 of the Treaty on European Union which states that “national security remains the sole responsibility of each Member State”. In essence, because the retention of the data would take place with the intelligence agencies and not the telecoms providers, previous jurisprudence of the ECJ should not apply. In its judgment, the ECJ did not agree with this argument: only when member states “directly implement measures”, i.e. the intelligence agencies act by themselves, the ePrivacy Directive does not apply. Because private actors had been mandated to disclose this data, this second data retention measure also had to be measured against the Directive and was found incompatible.

The member states were apparently very unhappy with this judgment: in their negotiation mandate on the new ePrivacy Regulation, they are looking to explicitly exclude it from applying in this case. The text looks to remove from the scope of the Regulation,

activities, which fall outside the scope of Union law, and in any event measures, processing activities and operations concerning national security and defence, regardless of who is carrying out those activities whether it is a public authority or a private operator acting at the request of a public authority.

This exception thus also applies to activities of telecoms providers that are in the scope of EU law but which are carried out on behalf of a public authority in relation to national security. Should this exception have to be evaluated by the ECJ in the future, it is questionable that it would endure. The ECJ’s previous jurisprudence is not only based on the ePrivacy Directive but also on the Charter of Fundamental Rights, which EU law must respect and which cannot be changed so easily. Nevertheless, member states would likely introduce new data retention measures of this type which would then painstakingly have to be contested in court until they reach the ECJ.

But even where the Regulation should apply in view of the Council, the member states make it clear that communications metadata retention should be possible in principle:

Union or Member state law may provide that the electronic communications metadata is retained, including under any retention measure that respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society, in order to safeguard the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the safeguarding against and the prevention of threats to public security, for a limited period. The duration of the retention may be extended if threats to public security of the Union or of a Member State persists.

In its jurisprudence, the ECJ has already created various requirements for data retention measures, for example regarding the type and severity of crimes that are supposed to be investigated and the severity of the threats to public security that are supposed to be prevented. These requirements are not part of the Council’s text, which leaves wiggle room for the member states which they could look to exploit.

Use of communications data by telecoms providers

A basic principle of ePrivacy Regulation is that communications content and metadata cannot be processed unless it is for technical or billing purposes. Both the Parliament and the Council also envisage that users should be able to explicitly agree to the processing of their data so they can be provided with an additional service.

The Council mandate however goes significantly beyond this exception. For example, the surveillance of content and metadata should not only be possible to protect the security of the communications network itself but also to protect the security of end-user devices. Location data should be able to be processed for scientific and statistical purposes even if it has only been pseudonymised. In contrast to anonymisation, pseudonymous data still allows the re-identification of persons the data is about. And not only the telecoms providers themselves should be able to process this data but also others under a data processing agreement.

These provisions on location data probably aim at legitimising a practice that is already taking place. For example in Austria, a company called Invenium processes pseudonymous location data of telecoms operator A1’s mobile customers in order to provide statistics to touristic regions on the origin of their visitors. Invenium has become known to a wider public because it carried out similar processing in order to evaluate the effectiveness of lockdown measures, and provided its results to the government’s crisis task force.

The Council mandate also adds a number of provisions according to which previously collected data can be further processed for “compatible purposes”. This quite significantly softens up the basic principle that communications data can only be processed if an exception has been explicitly made in the Regulation.

Cookies and their successors

Cookies are only one way to recognise users on websites and to track their use of various services. Another method is called fingerprinting, whereby information such as window size and installed fonts are combined to calculate a unique identifier. In addition, there are attempts to integrate functionality evaluating website visits into the browser itself. In contrast to the ePrivacy Directive, these methods are clearly captured by the text of the ePrivacy Regulation.

So-called “cookie walls” have become ubiquitous: many websites only grant access to their content if one accepts the placement of cookies for various purposes. So long as one only has the option of accepting cookies, this consent is not considered freely given and thus invalid. However, it is disputed whether it is sufficient to provide a for-pay option as the alternative. In the case of derstandard.at, the Austrian data protection authority considered this acceptable and the Council mandate explicitly legitimises this type of cookie wall.

Especially smaller websites use cookies for purposes of “audience measurement”, i.e. to measure how often particular pages are loaded. Both the Parliament and the Council want to make this use of cookies possible without consent being explicitly given. However, audience measurement often also includes the evaluation of other data on end-user devices, for example, browser type and screen size. Additionally, it is common practice to track sequences of users’ page loads, for example, to find out how many users move from one particular page on a website to another one, but which also allows the creation of profiles on those users. The Parliament wants to restrict the use of cookies for audience management without consent to purely statistical counting. This provision is missing in the Council mandate and it remains unclear what exactly is meant by “audience measurement”. Additionally, the Parliament’s mandate provides that there must be the possibility to opt-out of these kinds of cookies — this provision is missing in the Council’s mandate as well.

In order to meet the problem of ubiquitous cookie consent banners, the Parliament is looking to technical solutions: software on end-user devices (for example, the browser) should be able to communicate the consent to or rejection of the use of cookies for various purposes by means of technical signals, and they should have privacy-preserving default settings. An example of such a signal is the “Do-Not-Track” header which browsers can use to tell websites that the user wishes not to be tracked. In the Parliament’s view, these signals should become legally binding.

The Council takes the opposite position: Its text only refers to the giving of consent, which should be possible through software settings, but also “directly” by users, and the latter should always prevail. Cookie banners would therefore not disappear.

What comes next?

In the Trilogue negotiations, the Parliament’s rapporteur Birgit Sippel (in conjunction with shadow rapporteurs of the various political groups) is going to negotiate with the Council presidency on a common text. This text is then going to be presented to the Parliament for a vote, where amendments are possible. This is going to be the politically crucial phase in which it is decided what form the final Regulation is going to take, whether user rights are going to be strengthened or weakened. We’re going to stay on the ball.

The article was first published by epicenter.works here.

Image credit: Timo Wielink/ Unsplash

(Contribution by: Benedikt Gollatz, EDRi member, epicenter.works)