Proposals for the ePrivacy Regulation: A telecommunications focus

Introduction

On 10 February 2021, some years after the first draft was proposed, the Council of the EU’s Permanent Representatives Committee (COREPER) finally adopted an agreed position on the ePrivacy Regulation, allowing the legislation to progress to the next stage of negotiation, namely the trilogue between the Council, the European Parliament and the European Commission. Judging by the initial reactions to the Council’s draft, this negotiation stage will not be without its challenges and seems likely to be a protracted process. The agreed text can be read here.

We have commented on such proposals in detail here. Telecommunications companies are sure to be scrutinising the next stages of the negotiations to assess the evolution of the legislation and what it means for them.

Particular areas of interest

Some relevant areas of interest for telecommunications companies are likely to be the following:

Direct marketing

There is little substantive change here, although Member States are entitled to provide a specific period of time after which direct marketing consents will expire or assign call identification prefixes to identify direct marketing calls.

Metadata

The draft allows for processing of metadata without consent for certain defined purposes. These relate to information security, fraud prevention, service provision (for example, billing and managing abuse of the service) or for the protection of “vital interests” which follows the same concept used in the GDPR.

Retention and surveillance

The draft provides for an exception from the requirement to obtain consent and to delete or anonymise device data and/or metadata once it is no longer needed to provide the service, where this is required under EU or member state law for the prevention, investigation, detection or prosecution of criminal offences or prevention of threats to public security. Whilst provision for use of data for these purposes was included in previous drafts, the new draft clarifies that the data can specifically be retained for these purposes.

Re-purposing of data

In line with the purpose limitation principle set out in the GDPR, the Council’s draft provides that pseudonymised metadata and device information can be processed for purposes other than those for which it was collected, provided such processes are “compatible” with the original purpose (based on fairly loosely defined criteria). This introduces some uncertainty over how such data will be used over time, particularly taking into account developments in technology. Whilst, this provision will be good news for telecommunications companies there are still some limitations. Data originally processed on the basis of consent or public interest cannot be repurposed in this way, the data cannot be shared with third parties (other than processors acting on the service provider’s behalf) unless in an anonymised form, and use of re-purposed metadata to determine the nature or characteristics of an individual or to build a profile of them is not permitted to the extent this would significantly affect them.

Next steps and UK application

The proposal is essentially a long-awaited mandate for further negotiation (the parties took nearly a year to agree the final form of the GDPR) and, once agreed, there will be an implementation period (currently proposed at two years).

Whilst the ePrivacy Regulation will not apply directly in the UK, the current draft provides that UK service providers would still need to comply with it to the extent that end users are located in the EU. Additionally, the UK government has committed to implementing laws to protect privacy and is currently seeking an adequacy decision from the European Commission following Brexit. As a result, it seems likely that the UK will seek to align with the ePrivacy Regulation, at least to some extent.

The ePrivacy Regulation (the Regulation) has extra-territorial scope. The relevant condition for its application is Article 3(1)(a), which provides that the Regulation will apply to “the provision of electronic communications services to end-users who are in the Union.” It is supplemented by Recital 8aaa which provides that the Regulation “should apply regardless of whether the processing of electronic communications data or personal data of end-users who are in the Union takes place in the Union or not, or of whether the service provider or person processing such data is established or located in the Union or not.” No specific provisions are made in relation to roaming.

At first reading, it may appear that use of roaming services by a UK citizen whilst in the European Union could potentially bring that person’s UK established domestic mobile provider (the UK Provider) within scope of the Regulation. However, the services provided to the end user whilst they are located in the European Union will generally be provided by a mobile network operator (MNO) established in the European Union. The UK Provider will have agreements with EU based MNOs, whereby those MNOs agree to connect calls and text messages and provide data services to the UK Provider's customers. The European Union based MNOs will be subject to the EU GDPR, but the UK Provider will not.

There is one potential exception to this position, relating to inadvertent provision of roaming services in border regions. For example, where the mobile phone of an individual located in Republic of Ireland locks on to a network provided by an MNO located in Northern Ireland (referred to as “inadvertent roaming”). In this instance, the ePrivacy Regulation would apply, as the data subject is located in the EU. Similarly, where a service is inadvertently provided to a data subject located in Northern Ireland by an MNO established in the Republic of Ireland, the ePrivacy Regulation would also apply by virtue of the MNO being established in the EU. Provision has been made in Regulation (EU) No 531/2012 on roaming on public communications networks within the Union requiring the MNO to take reasonable steps to protect their customers from paying roaming charges for inadvertently accessed roaming services. This requirement is replicated in UK law under the Mobile Roaming (EU Exit) Regulations 2019.

Other associated services provided by the UK operator (for example, billing, customer services, potentially voicemail, etc.) in connection with their services offered to UK customers do not fall within scope of the ePrivacy Regulation and will be undertaken pursuant to UK law. The extra-territorial scope of the EU GDPR is not engaged by this service provision, presuming the individual was located in the UK at the point at which the original offer of services was made to them by the UK established provider. Thus, only UK law will apply to this type of processing.