German Presidency charts new COVID19 ‘metadata’ rules in leaked ePrivacy text

The German Presidency is seeking to permit the processing of metadata in online communications for 'monitoring epidemics' or to help in 'natural or man-made disasters,' a leaked text on the ePrivacy regulation, obtained by EURACTIV, states.

In the Council, progress on the ePrivacy regulation has been dogged by many disagreements. [Shutterstock]

The German EU Council presidency is seeking to permit the processing of metadata in online communications for ‘monitoring epidemics’ or to help in ‘natural or man-made disasters,’ according to a leaked text on the ePrivacy regulation obtained by EURACTIV.

However, the Germans’ proposal on the highly controversial ePrivacy regulation has at the same time withdrawn the ‘legitimate interest’ provision for the general processing of metadata, included in earlier versions of the text.

“The processing of electronic communications metadata should also be regarded to be permitted where it is necessary in order to protect an interest which is essential for the life of the end-users who are natural persons or that of another natural person,” the German text states.

Metadata refers to information that reveals the location, time, and persons involved in communications. The German presidency’s proposal aims to allow communications providers to process metadata in certain ’emergency’ scenarios without consent, such as to monitor the spread of infectious diseases.

“Processing of electronic communications metadata for the protection of vital interests of the end-user may include for instance processing necessary for humanitarian purposes, including for monitoring epidemics and their spread or in humanitarian emergencies, in particular, natural and man-made disasters.”

The concept of vital interests is drawn from the EU’s General Data Protection Regulation, which also makes provisions for the processing of such data under these circumstances.

The Commission’s initial proposal for the ePrivacy Regulation was put forward in January 2017, in a bid to “reinforce trust and security in the digital single market.” The European Parliament’s Civil Liberties Committee adopted its report in October 2017, as well as the mandate to commence inter-institutional negotiations.

In the Council, however, progress on the ePrivacy regulation has been dogged by disagreements over issues ranging from the inclusion of provisions in the regulation to allow for the detection of child pornography, to consent requirements and rules for the tracking of online activity through the use of cookies.

Germany is the eighth Council presidency to lead the Council’s position on the rules, following Croatia, Finland, Romania, Austria, Bulgaria, Estonia, and Malta.

‘Legitimate interests’

Although the German Presidency clarified the cases where metadata can be processed under certain ‘vital’ circumstances, they have also withdrawn the right for communications providers to process metadata for ‘legitimate interest’ reasons.

Certain practices that emerged cited as meeting the ‘legitimate interest’ benchmark included those necessary for detecting fraudulent or abusive behavior in the use of electronic communications services, as well as for calculating bills for data use. Scientific research had also previously been cited as a legitimate interest provision.

However, such provisions have now been withdrawn from the presidency’s text, provoking a backlash from some in the telecoms industry, who fear that the potential for ‘data innovation’ may be reduced as a result.

In response to the presidency’s leaked text, telecoms lobbies ETNO and GSMA have urged EU countries to take a stand against the new compromise.

“We are finding that the latest text has taken a dramatic step back, disregarding the constructive compromises achieved so far, negating the positions and interests of many EU Member States and threatening the stability of the digital economy and its growth potential,” said a letter sent to ministries on Thursday morning and seen by EURACTIV.

More broadly, there are those who fear the German position on the ePrivacy regulation runs counter to the EU’s plans to further ‘innovate’ its data economy as part of its landmark data strategy, published by the Commission in February.

The strategy aims to make the most out of the “untapped potential” of vast troves of industrial data, allowing public and private actors “easy access” to huge reserves of information.

Proposals put forward include the creation of nine common EU data spaces across sectors including healthcare, agriculture, and energy, as well as the proposal of a Data Act in 2021, that could “foster business-to-government data sharing for the public interest”.

Meanwhile, the Commission will unveil a data governance act on 11 November, which will outline new rules designed to facilitate the greater sharing of non-personal data.

The ePrivacy Regulation saga three years on

EURACTIV takes a look at what has happened during the three years while the Commission’s proposal has been stuck in the legislative process.

The Croatian Presidency is the latest member state with responsibility to resolve the ePrivacy Regulation conundrum.

The latest texts …

Lawful interception

The Germans have also introduced a clarification on the ePrivacy regulation not interfering with a national authority’s capability to access certain electronic communications data for the purposes of fighting crime.

“This Regulation should not affect the ability of member states to carry out lawful interception of electronic communications, including by requiring providers to enable and assist competent authorities in carrying out lawful interceptions,” the text states.

In terms of lawful interception capabilities for next-generation telecommunications networks, the EU has long been in discussions as to how to allow law enforcement agencies to intercept communications in light of increased security protocols.

In January, it transpired that the Commission had been working alongside Europol and member states to “identify appropriate ways of preserving lawful interception capabilities in 5G networks.”

This is due to the fact that new challenges for law enforcement authorities will arise with the gradual onset of 5G in Europe because the technology employs 256-bit encryption that allows for unprecedented levels of privacy and anonymization in communications networks.

[Edited by Zoran Radosavljevic]

Subscribe to our newsletters