EU countries cannot agree on the wording of the planned new e-Privacy Regulation, causing the proposed reforms to be watered down.
The lack of consensus was acknowledged in a progress report (7-page / 327KB PDF) published last week by the Council of Ministers on the work it has been carrying out on the reforms.
The report confirmed that the Austrian presidency of the Council has removed provisions from the draft Regulation which would have, if introduced, required web browsers, and other providers of software that permit electronic communications, to inform users of their options to “prevent third parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipment”, and to require those users to select a particular privacy setting at the point of installation and thereafter when new privacy options are made available.
Those proposals, which had been set out in article 10 of the draft, “raised a lot of concerns”, the Austrian presidency’s report said.
The concerns related to “the burden for browsers and apps, the competition aspect, the link to fines for non-compliance, but also the impact on end-users and the ability of this provision to address the issue of consent fatigue, thus raising doubts about its added value”, it said.
“Taking these elements into account, the presidency has decided to remove article 10,” the report said. “Some delegations could support the deletion while others would prefer to have a simple and light provision on the information about privacy settings to be provided to the end-user.”
The Austrian presidency also confirmed that it has taken steps to narrow the scope of the e-Privacy Regulation’s rules on the processing of electronic communications data. It said it had proposed “to make clear” that the Regulation “does not apply to the processing, by the end-users concerned or third parties entrusted by them, of content after receipt or of metadata”.
Article 6 of the proposed new e-Privacy Regulation sets out a list of permitted processing of electronic communications data. The report said the Austrian presidency had proposed changes to the list.
“The presidency has introduced a possibility for further compatible processing of electronic communications metadata, inspired by the GDPR,” it said. “At the same time, in order to ensure responsible treatment of data in question, the presidency has complemented this new provision with corresponding safeguards, again taking inspiration from the GDPR. The presidency has also added a new ground for processing of electronic communications data necessary for the protection of terminal equipment and introduced smaller textual changes throughout article 6.”
The Austrian presidency also said that agreement has still to be reached on the wording of article 8 of the draft Regulation, which concerns rules on ‘cookies’ and other “terminal equipment information”.
“The discussions evolved mainly around the issue of conditional access to website content and the need not to undermine business models, such as for instance online services financed through advertising, in particular media websites, while respecting the relevant conditions under the GDPR,” the report said. “The presidency has made several proposals on how to address this issue in respective recitals which appear to present a balanced reflection of member states’ views. Nevertheless, it appears that some member states suggest to work further on this text.”
According to the report, there is further disagreement on provisions that would govern the cooperation of national regulators under the Regulation and on the role the European Data Protection Board would play in supervision.
The e-Privacy reforms cannot be finalised until the Council of Ministers and the European Parliament agree on the wording and formally vote to approve the new legislation. MEPs set their negotiating position on the Regulation in October 2017, but trilogue talks between the Parliament, Council and European Commission to finalise the text cannot commence until the Council agrees its position.
Originally published by Out-Law.com