The ePrivacy Regulation was the subject of a technical discussion between representatives from the European Parliament and the EU Council on November 10. Four years after the proposal’s presentation, in February 2021, the EU members finally came to an agreement. However, since then, the two institutions’ negotiating teams have barely made any progress, as the technical discussions have mostly centered on the less controversial aspects of the proposals.
Although the technical conference was not successful, the document provides the framework for further debate.
The clause at the heart of the talk defined the conditions under which electronic communications data can be handled.
“The necessity of the processing of electronic communications data for the purposes provided for in this Regulation should be assessed only on the basis of objective technical requirements and not be based on commercial considerations”
Additional text was added to accommodate specific situations where users’ requests for communication include the storage of sent electronic communications, such as email services where emails are saved in the cloud so that users can search for them later.
In an effort to reach a compromise with the legislators who eliminated this issue entirely, the EU policymakers proposed requiring that service providers cannot analyze data stored in or emitted by users’ devices to discover technical defects and errors.
The subject of data retention was temporarily put on hold due to its complexity.
Metadata, or data on who is talking with whom and how, for example, in terms of time, place, and IP address, is a crucial topic for discussion under the ePrivacy Regulation. Only a few circumstances outlined in the compromise text will allow for metadata processing. Here are a few examples:
- that the users explicitly consented to the use of their data for one or more objectives that would be impossible to achieve without such metadata. A data protection impact assessment would need to be done first if there is a significant chance that the liberty and rights of the users could be jeopardized.
- that processing metadata is absolutely required for billing, calculating interconnection payments, and identifying or preventing unauthorized or abusive usage of electronic communications services.
- that the telecom industry requires metadata analysis to comply with the Open Internet Regulation, prevent network congestion, or enhance network performance.
The goal is to only permit the processing of location data in cases where it is clearly required to safeguard a person’s vital interests in the event of an emergency and only in cases where the person in question is incapable of giving consent.
Additionally, location data may be kept for statistical analysis purposes in response to a governmental authority’s request or in accordance with a specific contractual obligation. In this situation, the location data would need to be promptly pseudonymized, aggregated, kept with encryption, and then deleted once it was no longer required.
