The long-discussed and repeatedly amended proposal of the e‑Privacy Regulation had been dropped in December 2019 (cf. here). The Presidency of the European Council has now, at the end of February 2020, new Adaptation proposals The draft contains a number of amendments, including to Article 8 of the draft, which is particularly controversial. This concerns the “protection of information stored in or relating to end-user terminal equipment,” i.e., the Cookies and other technologies such as fingerprinting.
The new proposal moves away from the strict consent requirement for processing that is not operationally necessary. According to the proposed new Art. 8, the use of cookies and other technologies should be permitted under certain conditions. also for legitimate interests (cf. Art. 6 para. 1 lit. f DSGVO) may be permitted:
it is necessary for the purpose of the legitimate interests pursued by a service provider to use processing and storage capabilities of terminal equipment or to collect information from an end-user’s terminal equipment, except when such interest is overridden by the interests or fundamental rights and freedoms of the end-user.
However, the invocation of the legitimate interest shall be excluded in certain cases:
The end-user’s interests shall be deemed to override the interests of the service provider where the end-user is a child or where the service provider processes, stores or collects the information to determine the nature and characteristics of the end-user or to build an individual profile of the end-user or the processing, storage or collection of the information by the service provider contains special categories of personal data as referred to in Article 9(1) of Regulation (EU) 2016/679.
In addition, anyone wishing to invoke legitimate interest must not disclose the data in question to third parties, must carry out a data protection impact assessment, must inform the data subjects and must take security measures such as pseudonymization or encryption.