EU-28: Adopted Council position on ePrivacy Regulation containing data governance measures

The Council adopted a position on the EU Commission proposal for the ePrivacy Regulation. The council position changed a variety of features. Firstly, the Regulation now applies to all the users located in the EU, without regard to whether the data processing or the service provider are located outside the EU. Secondly, new exceptions are introduced to process electronic communication data without user consent: when an organization aims to ensure the integrity and security of communications services, to comply with EU or member state law related to criminal offences prosecution or threats to public security. Thirdly, exceptions for metadata processing without consent are introduced when processing for billing purposes, for detecting fraudulent use and to protect vital interests of the users. Furthermore, metadata processing without consent may be pursued for a purpose different from the one for which it was collected if such purpose is compatible with the initial purpose and strong safeguards apply (e.g., pseudonymisation/anonymisation). Fourthly, the access to website contents can be made conditional on the users' consent (so-called "cookie walls") if there exists an equivalent page that does not require cookie consent. Finally, the Council facilitated the possibilities to retain traffic and location data, as preventive measures in case of emergency and for scientific or statistical purposes in a pseudonymised or anonymised form.