A proposal for a regulation on the respect for private life and the protection of personal data in electronic communications (proposal for e-Privacy Regulation) has been published on 10 January 2017.

It will replace Directive 2002/58/EC (e-Privacy Directive) and specify the General Data Protection Regulation (GDPR). The objective of both initiatives is to reinforce trust and security in the Digital Single Market, while providing flexible regulatory tools to enable innovation.

The proposal on e-Privacy, applying both to natural and legal persons, includes in its scope also market-players using the internet (e.g. ‘Over-the-Top communication services’, as instant messaging apps and web-based e-mail services), with the aim of ensuring a level playing field for companies. Its purposes include:

• Enhancing security and confidentiality of communications (including content and metadata, e.g. sender, time, location of a communication);
• Defining clearer rules on tracking technologies such as cookies (including more friendly ways for users to express consent) as well as on spam.

In the European Parliament (EP), the file was assigned to the Civil Liberties Committee (LIBE) and the initial rapporteur, MEP Marju Lauristin (Estonia, S&D), presented the report in June 2017, aimed at strengthening the confidentiality of communications including in machine-to-machine communications. The EP confirmed the committee's negotiating mandate in October 2017 and since then, Birgit Sippel (Germany, S&D) took over as responsible MEP. She has been re-appointed as rapporteur on 4 September 2019.

The European Data Protection Authorities (DPAs), assembled in the EDPB (European Data Protection Board), adopted in March an opinion on the interplay between the e-Privacy Directive and GDPR (in particular on the competences of DPAs). They also called not to lower the level of protection offered by the current e-Privacy Directive.

In the Council, the discussions were stalled for approximately four years. The Council published several redrafts of the proposal since September 2017. Among the issues discussed: the need to clarify the relationship between e-Privacy and the GDPR; privacy settings; the legal grounds for data processing other than consent, as well as the applicability of the new rules to service providers assisting competent authorities for national security purposes, and the concept of public interests as a basis justifying restrictive measures. But the Austrian, Romanian, Finish and Croatian presidencies were unable to reach a compromise. In July 2020, the German Presidency published its first discussion paper. National delegations recently rejected a revised version of the paper and on 23 November 2020 the German Presidency presented its progress report, stating it would ‘closely [work] with the forthcoming Portuguese Presidency to facilitate further discussions and to ensure smooth progress on the file’. The initiative was given utmost priority in the Joint Declaration of the European Parliament, the Council and the European Commission from 17 December 2020. On 10 February 2021, the Member States agreed on a mandate for negotiations with the European Parliament and trilogues began on 20 May 2021. On 28 March 2022, the former French Presidency released its latest four column table in preparation of the trilogues. Some progress was made at a technical level under the Czech Council Presidency (1 July to 31 December 2022), but the file stalled again under the Swedish Council Presidency (1 January to 30 June 2023). While the incumbent Spanish Council Presidency emphasises its commitment to protecting European rights and values, especially, the rights to non-discrimination, privacy, and data security, it does not highlight the e-privacy regulation as a priority file. 

References:

• EP Legislative Observatory, Procedure File on the Proposal for a Regulation “Respect for private life and the protection of personal data in electronic communications” (e-Privacy Regulation), 2017/0003 (COD)
• European Parliament, Parliament’s negotiation mandate on ePrivacy, 26 October 2017
• EP IMCO Committee, Opinion on the Commission proposal, 29 September 2017
• EP ITRE Committee, Opinion on the Commission proposal, 4 October 2017
• EP JURI Committee, Opinion on the Commission proposal, 5 October 2017
• Council of the EU, Presidency, Mandate for negotiations with the EP, 10 February 2021
• Council of the EU, Presidency, Préparation du trilogue, 28 March 2022
• Council of the EU, Presidency, Progress Report, 23 November 2020
• European Data Protection Board, Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR, 12 March 2019
• European Commission, Proposal for a Regulation concerning the respect for private life and the protection of personal data in electronic communication, COM(2017) 10 final, 10 January 2017
• The Spanish presidency programme, Spanish Council Presidency

Further reading:

• European Parliament, EPRS, Reform of the e-Privacy directive, Briefing Legislation in progress, September 2017
• European Data Protection Supervisor, The urgent case for a new ePrivacy law, 19 October 2018
• Leading MEP enraged by Swedish presidency’s neglect of ePrivacy Regulation, EURACTIV, 8 March 2023
• ePrivacy: EU legislators chase compromise on processing electronic communications data, EURACTIV, 15 November 2022

Author: Hendrik Mildebrath, Members' Research Service, legislative-train@europarl.europa.eu