The Portuguese Presidency of the Council of the European Union can now negotiate the proposed e-Privacy Regulation. This regulation, yet to be negotiated with the European Parliament, intends on continuing the European Commission's 2017 proposal while defining rules on direct marketing, cookies and metadata, regarding "online privacy” framework.
Once approved, the regulation will revoke e-Privacy Directive, transposed by Law 41/2004 of 18 August into Portuguese domestic law. This Directive and the Portuguese law that transposed it are almost two decades old and no longer keep up with new challenges that come with technological development.
The proposed e-Privacy Regulation includes:
- Electronic communications data confidentiality and the users’ consent to their processing. Listening, monitoring and data processing by a third party will be prohibited, except if allowed by law or for protection against exceptional situations, e.g. guaranteeing the integrity of the services, malicious programs or viruses;
- End users’ choice to accept cookies (or not). To avoid "consent fatigue", users can consent to certain types of cookies by setting permissions in their browser's default settings;
- In marketing communications, the users’ consent rule stands when the user is a natural person (opt-in). If the user is a customer, prior consent to direct marketing communications is not needed, if the seller obtained the client’s electronic contact details during the sale of a product or service where customer had the possibility to opt-out of receiving these communications (soft opt-in). Member States can define the period during which data can be used for sending marketing communications in their domestic law;
- Metadata processing is allowed for billing purposes or to detect or prevent fraudulent use, or if the user consents so. Metadata can also be processed to protect vital interests of users, e.g. to monitor epidemics and their spread, or during humanitarian emergencies.
As lex specialis, the e-Privacy Regulation will set out the rules on privacy in electronic communications and, when and where not applicable, the General Data Protection Regulation (''GDPR'') will apply. One will not replace, but rather complete the other and vice-versa.
The Council will discuss the draft Regulation with the European Parliament. Once approved, the Regulation will enter into force 20 days after its publication and apply after a transitional period of two years.