Revised ePrivacy Regulation Draft introduces ability for organisations to rely on “Legitimate Interests” legal basis in relation to cookies

Another revised draft ePrivacy Regulation (“ePR”) was recently published which introduces the ability for organisations to rely on the “legitimate interests” legal basis to drop cookies on end users’ devices.

This change has been criticised by some commentators for ambiguities and watering down data protection rights despite accompanying safeguards. It remains to be seen if it will be retained in future draft iterations or indeed, the agreed version of the ePR, in relation to which there is no clear timetable for implementation at present.

Background

First published in January 2017, the ePR covers specific data regulation reforms such as cookies, electronic direct marketing, over-the-top services and machine-to-machine communications. The overall approach, including a more stringent sanctions regime, would bring ePrivacy regulation into much closer alignment with the GDPR and was originally intended to coincide with the GDPR’s implementation in 2018.

Despite revised proposals from numerous Presidencies of the Council of the European Union, Member States have been unable to agree a final version of the ePR. At the moment, this means that it is unlikely to take effect before 2023 as a grace period of up to 2 years will need to elapse following adoption of the final draft.

With regards to Brexit, since the ePR is unlikely to be effective by the end of the transition period, it will not be incorporated into UK law under the withdrawal legislation (in contrast to the intended implementation of a UK GDPR). Therefore, the existing Privacy and Electronics Communications Regulations 2003 (“PECR”) will continue to apply following the end of the transition period. Once the ePR takes effect, the UK may choose to mirror the drafting or bring in its own drafting which diverges from the ePR. In any event, the ePR (in its current form) will likely still have implications for UK organisations dealing with individuals in the EU due to its intended extra-territorial scope.

The Proposed Amendments to the Draft ePrivacy Regulation

The latest draft, which simplifies the text of the core provisions and further aligns them with the GDPR, was proposed by the Croatian Presidency when it became clear that the majority of the Member States would not support the existing text.

One of the key proposals has been the introduction of the “legitimate interests” ground for introducing cookies (or similar technology) on end users’ terminal equipment represent a notable change in position from prior drafts and a step away from the consent-based model dictated by the most recent ICO cookies guidance and implemented by most organisations via cookie banners preventing users from accessing a webpage until they have set their cookie preferences accordingly. Critics have argued that this consent model is flawed as their ubiquity is leading to users ignoring them and “consent fatigue”. The introduction of the “legitimate interests” legal basis expands on previous ePR drafts’ attempts to help address this problem although the latest drafting is subject to various safeguards including fairly restrictive commentary as to when the “legitimate interests” legal basis can be relied on (e.g. not where the end user is a child, the organisation intends to use cookies to collect special categories of data or where the cookies are used to profile end users).

Commentators have criticised the drafting which seems to contain some inconsistencies. Firstly, it directly contradicts the EDPB’s statement in May 2018 that ePrivacy Regulation should not allow processing “on open-ended grounds, such as “legitimate interests” that go beyond what is necessary for the provision of an electronic communications service.” The introductory text to the draft, conversely, states that proposed safeguards mean that the new legal ground remains “in line with the GDPR”. Furthermore, tech advertisers wishing to rely on the “legitimate interests” ground may do so on condition that the end user is provided with clear information and has "accepted such use". How an end user would confirm acceptance in practice is however unclear and this seems to cut across the prohibition on using the ground for profiling purposes.

The new proposal clearly intends to address some of the more contentious drafting points and cater to business needs (e.g. advertising). Nonetheless, given the lack of agreement to date and the ambiguities in the drafting, it remains far from certain that this draft will become the enacted version of the ePR.