Consent Rule Conflict With GDPR Arises in EU ePrivacy Overhaul

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

Companies fear that the European Union’s forthcoming ePrivacy Regulation may set rules for processing communications data that are out of step with the standards laid out in the bloc’s upcoming General Data Protection Regulation (GDPR), privacy professionals told Bloomberg BNA.

Among the most contentious issues in the ePrivacy overhaul will be the consent parameters for use of communications traffic data, such as time and duration of calls, web-browsing behavior, and geolocation data.

Under the European Parliament draft of the ePrivacy Regulation, prepared by Estonian center-left lawmaker Marju Lauristin, the processing of traffic data would be allowed only if necessary to provide the communications service, or if the user of the service or equipment where data is stored gives specific consent.

Lawmakers in the European Parliament will in September begin to discuss more than 800 proposed amendments to the draft, including a number of amendments from center-right lawmakers that would introduce legitimate interest as a basis for communications data processing.

Jorg Hladjk, privacy and data protection counsel at Jones Day in Brussels, told Bloomberg BNA July 24 that allowing a legitimate-interest basis for processing would be “almost a necessity” to provide flexibility for telecommunications and internet companies in developing new services.

Lawmakers want to make the ePrivacy Regulation consistent with the GDPR, which goes into effect May 25, 2018, he said. The GDPR, unlike the current draft of the ePrivacy rule, allows for legitimate interest as a basis for data use.

The ePrivacy Regulation, proposed in January, would replace the EU ePrivacy Directive (2002/58/EC), which covers the confidentiality of communications data and regulates issues such as the placement of cookies.

The much broader GDPR provides one EU-wide regulation to replace a more than 20-year-old directive that required each country to pass its own privacy laws. The GDPR will bring stricter standards for user consent to the use of their personal data, mandatory data breach notification, and fines as high as $20 million euros ($23.3 million) or 4 percent of a company’s annual worldwide income, among other reforms.

The GDPR allows data processing where necessary for a legitimate interest. Consent, as recognized under the GDPR, “is not always the best and only way to ensure citizens’ privacy,” the European Telecommunications Network Operators’ Association (ETNO) told Bloomberg BNA July 25. The association represents companies including BT Group, Deutsche Telekom AG and Telefonica S.A.

The ePrivacy Regulation should be “aligned with the GDPR, including on the legal basis for processing data,” ETNO said. “There is no reason for Europe to impose double-regulation on its providers of communication services and networks,” it said.

Legitimate Interest

Matthias Matthiesen, senior privacy manager at the Interactive Advertising Bureau (IAB) Europe, told Bloomberg BNA July 24 that issues around user consent were among “the most contentious issues of the entire ePrivacy Regulation.” IAB Europe speaks for digital advertising companies including eBay Inc., Facebook Inc., and Alphabet Inc.'s Google.

“Consent doesn’t work for everything” said Matthiesen, adding that processing of communications data should be allowed on the basis of the processor’s legitimate interest as long as the rights of data subjects aren’t violated. For instance, a legitimate interest might include the processor’s interest in improving services or protecting them against cyberattacks.Anna Pateraki, a privacy and data protection senior associate with Hunton & Williams LLP in Brussels, told Bloomberg BNA July 24 that processing based on a legitimate interest “should be allowed in the ePrivacy context, especially where the user can reasonably expect that the processing takes place and safeguards are implemented.”

To contact the reporter on this story: Stephen Gardner in Brussels at

To contact the editor responsible for this story: Donald G. Aplin at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security