The Portuguese presidency of the EU has rebutted claims from the European Commission’s Executive Vice-President for Digital, Margrethe Vestager, that Portugal’s proposed text for the ePrivacy regulation poses a risk to EU data protection standards as outlined in the General Data Protection Regulation (GDPR).
A presidency source has informed EURACTIV that the future ePrivacy regulation constitutes a ‘lex specialis’ in relation to the GDPR and as such, introduces rules that are specific to the domain of electronic communications but still ensures a general level of protection for personal data as mandated for in the GDPR.
Vestager said recently that the EU executive has “reservations about the Council agreement”, due to her reading that it “is not fully in line with the General Data Protection Regulation.”
“It is very important that the two laws are aligned,” she said, stressing that “it would become a very confusing situation if there was a General Data Protection Regulation and ePrivacy legislation without the two laws being aligned.”
“They are not supposed to play the same role, but they should be aligned and we will work on that issue,” Vestager added.
Portuguese aimed for ‘maximum consistency’
However, the source said the Portuguese presidency has, in fact, “sought to ensure maximum consistency between the two legislative instruments,” particularly across areas including user consent, the legal grounds for processing data, and the obligation for service providers based outside the EU to appoint a representative in the EU, whose infringement will now be penalised, as in the GDPR.
“All the general principles established in the GDPR are fully applicable,” the source added, highlighting that, in particular, the purpose limitation principle, the principle of accountability, and the principle of data minimisation will be safeguarded in the scope of the foreseen ePrivacy regulation.
“Our proposal maintains the same high level of privacy and personal data protection in electronic communications already generally guaranteed by the GDPR,” the source said.
Asked to comment on the presidency source’s claims, the European Commission reaffirmed to EURACTIV that one of its main objectives is “to ensure consistency between the ePrivacy Regulation and the GDPR.” A spokesperson added that that it welcomes the fact that EU nations agreed on 10 February to mandate the Portuguese Presidency to start negotiations with the European Parliament on the plans.
The ePrivacy regulation details the conditions under which service providers are able to process electronic communications data. Such data includes those transmitted in the use of online services, including messages sent on WhatsApp and video calls on platforms such as Zoom and Skype, for example.
The overall objective of the regulation is to afford online communications the same privacy protections as those afforded to traditional telecoms communications.
In early February, the Portuguese presidency managed to find common ground with the EU’s 27 countries on a compromise ePrivacy regulation text. It had been the ninth EU presidency to lead the Council’s position on the rules, following failed attempts to find consensus from Germany, Croatia, Finland, Romania, Austria, Bulgaria, Estonia, and Malta.
The proposal has re-introduced the possibility to process electronic communications metadata and to use the processing and storage capabilities of the end-users’ terminal equipment, including the collection of information for further compatible processing.
Negotiations between the EU-27 and the European Parliament on Portugal’s proposed text are forthcoming.
[Edited by Zoran Radosavljevic]