The European Parliament's lead rapporteur on the ePrivacy Regulation has responded with fury to the news that the Austrian presidency of the Council of the European Union intends to produce no more than a status update on the law's progress by the end of the year.
Germany's Birgit Sippel, who took over as lead rapporteur on the file last year after Estonia's Marju Lauristin left the Parliament for city politics, told The Privacy Advisor that "the Austrian presidency wants to sell citizen rights and democracy to profit," and its stance requires "resistance."
The ePrivacy Regulation, which deals with privacy in electronic communications and has implications for everything from online media to the "internet of things" industry, has been an extraordinarily heavily lobbied piece of legislation.
It was supposed to come into force in May, alongside the better-publicized EU General Data Protection Regulation. However, despite the fact that Parliament wrapped up its preferred text in October last year, the file has become stuck in the subsequent legislative process. In the first half of this year, it became apparent that the Bulgarian presidency of the Council wasn't going to achieve much more than "a good basis to continue discussion," and now the Austrians are set to follow suit.
For those eagerly awaiting the regulation's arrival so they can make their processes ePrivacy and GDPR compliant, the news is dire. It now seems certain that the file will be passed to the Romanians to approve a common council position in the first half of next year, and it's quite possible that trilogue negotiations between the EU institutions will be only conducted after the European Parliament elections next May. The law now appears extremely unlikely to come into effect until 2020 at the earliest.
"At the very first meeting of the council working party Austria presented a draft, which led to constructive and intensive discussions," a spokesman said for Austria's innovation ministry. "The complexity of the topic is one of the main reasons that further discussions will be needed in the foreseeable future. In this context and throughout our presidency, we are committed to act as an honest broker, facilitating dialogue and negotiations, and help achieve tangible progress together with our fellow EU member states.
"From today´s point of view, we are not sure if a common position in this topic is reachable. We hope to be able to produce a status report about ePrivacy Regulation."
The news of Austria's limited ambition was first reported by Germany's Netzpolitik, which characterized the situation as Austria bowing to the demands of media interests that have been very supportive of the country's current leadership and effectively kicking the legislation into the long grass.
Sippel, Parliament's rapporteur, sees it as an attack on democracy itself.
"ePrivacy is indispensable to safeguard the fundamental rights of our citizens in the digital environment or to put a stop to unfair manipulation. Essentially, it is about the protection of democratic principles," she said. "Regarding this background, the position of the Austrian presidency is absolutely unacceptable. Their aim seems to be to stop dealing with the commission's proposal and to boycott this important law.
"Following this, massive manipulation would remain possible — for the maximization of profit, as well as for criminal purposes, including election manipulation. In short, the Austrian presidency wants to sell citizen rights and democracy to profit. The commission, the Parliament and also the member states must oppose that. Democracy needs resistance. Now."
Carlo Piltz, head of the data protection unit at the German legal firm Reuschlaw, disputed Sippel's characterization of the Austrian stance as a "boycott" of the file. He noted that the ePrivacy Regulation has a broader scope than the GDPR does, as it also covers communications to legal entities and between machines, and said this necessitated a cautious legislative process, as "neither consumers nor companies would be satisfied with an ePrivacy Regulation which leaves too much room for interpretation."
Plitz added, "Since old legislative proposals will not automatically be canceled, also with a new EU Parliament, there exists a slight chance that the current proposal and also the position of the Parliament will be upheld by the new Parliament. But one has to keep in mind that the whole legislative process is also a political battle, and I assume that members of the new EU Parliament would be happy to present an agreed version of ePrivacy after the formation of the new EP as 'their victory.'"
Piltz said that he had always thought it was "quite ambitious" to try to converge the go-live dates for the GDPR and ePrivacy Regulation, as the former took four years to finalize and the latter's draft was only presented in January 2017.
As for the sticking points that are making the Austrians doubt whether a common position on the regulation is "reachable" for now, a few are set out in a response from the German government to a recent Parliamentary question in that country, handily translated and summarized in bullet-point form by Piltz in a blog post last week.
Notably, the Germans want to ensure that the use of ad-financed online services can be made dependent on users agreeing to the installation of ad cookies. They want a ban on software presets that default to data being stored and read on the user's device without their knowledge and — in more bad news for urgency fans — they also want a two-year transitional period for the regulation's entry into effect.
Top image courtesy of Wikipedia