On 10 February 2021, the Council agreed on a negotiating mandate for the planned Regulation “concerning the respect for private life and the protection of personal data in electronic communications” (e-Privacy Regulation). Although the Commission presented its proposal (COM(2017) 10 final) in January 2017 and the Parliament adopted its report in the same year, the project was blocked in the Council for four years. The planned regulation is to replace the e-Privacy Directive 2002/58/EC and regulate the access and processing of communication data.

The main contentious issues are the processing and storage options for terminal devices, the further processing of collected data, the relationship to the General Data Protection Regulation and the retention of data. The current draft of the Council provides in Art. 7 para. 4 for allowing Union or Member State law the retention of “electronic communications metadata” for a limited period of time “in order to safeguard the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the safeguarding against and the prevention of threats to public security.” This is put under the condition that the regime “respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society.”

The planned regulation thus attempts to tie in with the CJEU rulings of 9 October 2020 (Cases C-623/17, joined Cases C-511/18, C-512/19 and C-520/18 à eucrim 3/2020, 184-186), which permit the retention of data in cases of threats to public security and to combat serious crime within narrow limits.

The Council’s agreement on a negotiating mandate means that the trilogue negotiations between the Council, the European Parliament and the Commission can now begin.