Revised ePrivacy Regulation Draft introduces ability for organisations to rely on “Legitimate Interests” legal basis in relation to cookies

Another revised draft ePrivacy Regulation (“ePR”) was recently published which introduces the ability for organisations to rely on the “legitimate interests” legal basis to drop cookies on end users’ devices.

This change has been criticised by some commentators for ambiguities and watering down data protection rights despite accompanying safeguards. It remains to be seen if it will be retained in future draft iterations or indeed, the agreed version of the ePR, in relation to which there is no clear timetable for implementation at present.


First published in January 2017, the ePR covers specific data regulation reforms such as cookies, electronic direct marketing, over-the-top services and machine-to-machine communications. The overall approach, including a more stringent sanctions regime, would bring ePrivacy regulation into much closer alignment with the GDPR and was originally intended to coincide with the GDPR’s implementation in 2018.

Despite revised proposals from numerous Presidencies of the Council of the European Union, Member States have been unable to agree a final version of the ePR. At the moment, this means that it is unlikely to take effect before 2023 as a grace period of up to 2 years will need to elapse following adoption of the final draft.

With regards to Brexit, since the ePR is unlikely to be effective by the end of the transition period, it will not be incorporated into UK law under the withdrawal legislation (in contrast to the intended implementation of a UK GDPR). Therefore, the existing Privacy and Electronics Communications Regulations 2003 (“PECR”) will continue to apply following the end of the transition period. Once the ePR takes effect, the UK may choose to mirror the drafting or bring in its own drafting which diverges from the ePR. In any event, the ePR (in its current form) will likely still have implications for UK organisations dealing with individuals in the EU due to its intended extra-territorial scope.

The Proposed Amendments to the Draft ePrivacy Regulation

The latest draft, which simplifies the text of the core provisions and further aligns them with the GDPR, was proposed by the Croatian Presidency when it became clear that the majority of the Member States would not support the existing text.

One of the key proposals has been the introduction of the “legitimate interests” ground for introducing cookies (or similar technology) on end users’ terminal equipment represent a notable change in position from prior drafts and a step away from the consent-based model dictated by the most recent ICO cookies guidance and implemented by most organisations via cookie banners preventing users from accessing a webpage until they have set their cookie preferences accordingly. Critics have argued that this consent model is flawed as their ubiquity is leading to users ignoring them and “consent fatigue”. The introduction of the “legitimate interests” legal basis expands on previous ePR drafts’ attempts to help address this problem although the latest drafting is subject to various safeguards including fairly restrictive commentary as to when the “legitimate interests” legal basis can be relied on (e.g. not where the end user is a child, the organisation intends to use cookies to collect special categories of data or where the cookies are used to profile end users).

Commentators have criticised the drafting which seems to contain some inconsistencies. Firstly, it directly contradicts the EDPB’s statement in May 2018 that ePrivacy Regulation should not allow processing “on open-ended grounds, such as “legitimate interests” that go beyond what is necessary for the provision of an electronic communications service.” The introductory text to the draft, conversely, states that proposed safeguards mean that the new legal ground remains “in line with the GDPR”. Furthermore, tech advertisers wishing to rely on the “legitimate interests” ground may do so on condition that the end user is provided with clear information and has “accepted such use”. How an end user would confirm acceptance in practice is however unclear and this seems to cut across the prohibition on using the ground for profiling purposes.

The new proposal clearly intends to address some of the more contentious drafting points and cater to business needs (e.g. advertising). Nonetheless, given the lack of agreement to date and the ambiguities in the drafting, it remains far from certain that this draft will become the enacted version of the ePR.

Miriam Everett
Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378
Duc Tran
Duc Tran
Senior Associate, Digital TMT, Sourcing and Data, London
+44 20 7466 2954

Tamsin Rankine-Fourdraine
Tamsin Rankine-Fourdraine
Trainee Solicitor, London
+44 20 7466 7508

The Encryption debate is far from ‘going dark’

Shortly after the release of the communiqué from the most recent ministerial meetings of the ‘Five Countries’ security alliance — Australia, Canada, New Zealand, the UK and the US — at the end of July, we warned that the issue of the use of, and access to, encrypted services and technologies ‘remains front of mind for the alliance and further legislative or regulatory action in the Five Countries may follow’.

This week, It became clear that three of the Five Countries planned to follow through. On 4 October 2019, representatives of the Australian, UK and US governments planned to release:

Continue reading

Schrems II heard in Europe: potential huge impact on global data transfers

  • The Court of Justice of the European Union (“CJEU“) has heard oral submissions in the latest case questioning the legal validity of international data transfer mechanisms under the GDPR, such as Standard Contractual Clauses and the EU-US Privacy Shield;
  • The Irish Data Protection Commissioner (“DPC“) is seeking a ruling that would find the so-called Standard Contractual Clauses, which are used to legitimise the transfer of personal data from Europe all around the world, as invalid because they do not provide adequate protection for individuals’ data;
  • The CJEU heard yesterday from the DPC, Facebook, the Electronic Privacy Information Center, DigitalEurope, the Business Software Alliance, the European Commission, the European Data Protection Board, the US government, several EU Member States and representatives of the original complainant Mr Schrems;
  • The Advocate General will give his non-binding opinion on the case on 12 December this year, with a full decision expected from the CJEU by early 2020;
  • If the Standard Contractual Clauses are declared invalid, this will have a huge impact on global trade, effectively putting the brakes on the international transfer of data.

Continue reading

Cookie consent walls crumble: ICO publishes guidance on cookie consent

Following its recent admission that its own cookie consent mechanism was non-compliant (see previous blog post here), the UK privacy regulator (the ICO) updated its cookie notice last week (see our previous blog post here) and has now published guidance on cookies and similar technologies. Key messages are:

  • No implied consent for non-essential cookies allowed, including consent obtained via sliders/toggles which are defaulted to ‘on’
  • Analytics cookies are not ‘strictly necessary’ and so require consent
  • The position regarding the use of ‘cookie walls’ to restrict website access remains unclear, although is likely to be inappropriate in many circumstances

Continue reading

Cookie Compliance: How can companies get it right when the regulator does not?

  • The UK privacy regulator has admitted that its own cookie consent process does not comply with the current GDPR and ePrivacy rules.
  • According to the regulator, a new process will be implemented during the week beginning 24th June 2019, which could give organisations a valuable insight into how to navigate the complex interaction between the GDPR and ePrivacy rules in a compliant manner.
  • The regulator has also promised detailed guidance on cookies “soon“.

Continue reading

EU Council publishes Progress Report on draft EU ePrivacy Regulation

On 15 May 2017, the Council of the European Union published its progress report (the “Report“) on the first draft of the ePrivacy Regulation (the “Draft Regulation“).

The Draft Regulation focuses on the processing of personal data and protection of privacy in electronic communications. Among other areas, it covers direct marketing, cookies and other forms of online tracking; principally seeking to bring e-privacy law up to date with the “evolution of technological and market reality” and align the law with the incoming EU General Data Protection Regulation (“GDPR“). It was published by the European Commission in January of this year and is expected to replace the existing Privacy and Electronic Communications Directive (the “ePrivacy Directive“).

Continue reading