NEWS published on 16 Mar 2020

The EU’s proposed ePrivacy Regulation: latest movements

The EU’s draft ePrivacy regulation will modernize the existing ePrivacy directive and complement existing EU law on the protection of personal data (GDPR).


It has had a bumpy journey through the legislative process since it was first proposed three years ago. The proposed Regulation aims to ensure the “right to a private life” for users of electronic communications. This means, for example, that forms of electronic communications such as text or video messages are generally considered private and confidential. It is up to the user to give consent to the data (including personal data) being stored, shared or otherwise processed, with some strict exceptions.


EBU has been working to ensure that the evolving text of the proposed ePrivacy Regulation reflects our Members’ best interests, particularly around Article 8, which relates to the protection of end-users' privacy and the use of cookies for website analytics that do not intrude on their privacy (the so-called cookies’ consent rule). The current EU Council Presidency released a new version of the proposal on March 6, which will be discussed in the upcoming weeks by the telecoms working party, representing all Member States, with the aim of getting a common position agreed.


Of most potential impact to EBU Members is the issue of how audience measurement would be treated under the ePrivacy Regulation. Therefore, we are pleased to see that the conditions foreseen in Article 8.1.(d) of the draft proposal to enable data analytics for audience measurement purposes are maintained and tailored in the new version of the text. These conditions apply to audience measurement conducted by a service provider (i.e. PSM) and/or conducted by a third party under a contractual agreement with the service provider. 


The latest Council Presidency text introduces the possibility to invoke the legal basis of “legitimate interests”, similar to those in the GDPR, in storing or processing the users’ data. However, strict conditions are attached to it, including the obligation to carry out a prior data protection impact assessment, to implement appropriate security measures and to inform the user in advance (the user may object at any time). Moreover, the legal basis of “legitimate interests” may in no way be used in certain cases: when the user is a child; for profiling; and when sensitive data are involved.


We are closely monitoring the evolution of the discussion, particularly on the audience measurement exception and the inclusion of the “legitimate interests” legal basis. It remains to be seen how “legitimate interests” would be implemented, and how it will align with the conditions of the “legitimate interests” legal basis under the GDPR, as it seems at first sight that the ePrivacy conditions go beyond those of the GDPR.


We will continue to keep you updated with the outcome of the discussions on ePrivacy.