The EU’s new ePrivacy Regulation is making slow progress. EU telecom ministers met again in Brussels June 7 but made little headway. The current holder of the EU’s six-month rotating presidency, Romania, will hand over the baton to Finland July 1.
The European Commission proposed its "Regulation on Privacy and Electronic Communications" at the start of 2017. Its aim was to replace the EU’s current ePrivacy Directive and put in place an important pillar of the Union’s Digital Single Market Strategy in order “to reinforce trust and security in the Digital Single Market.”
The European Parliament adopted the proposal relatively quickly in October 2017, but the legislation has since been bogged down in the Council of Ministers, where national ministers meet to approve EU legislation.
One privacy lawyer who has been following the legislation believes that EU ministers could still get close to an agreement by the end of this year.
“There has been some progress under the Romanian presidency of the EU but not enough to push it over the finishing line,” said Gabriela Zanfir-Fortuna, senior policy counsel at the Future of Privacy Forum.
The makeup of the new European Parliament following elections in May, however, may also hamper progress when the so-called "Trilogues" start — marathon inter-institutional negotiations on legislation that seek to forge compromises between the Council of Ministers, the European Commission and Parliament. Those will only start once national ministers have reached an agreement.
The previous Parliament was able to rapidly review the commission’s e-privacy proposal in 2017 and, while it took a strong position on civil liberties and data protection, it quickly approved its own text. But the new Parliament elected last month will be politically more fractured, with the center-right no longer as dominant as it was and the Socialist SD bloc much diminished, while the Liberal ALDE-ELDR group, the Greens and right-wing groups will be stronger and more assertive.
“If the council in its general approach departs too much from the Parliament’s vision of strong protections for confidentiality, it could lead to even more protracted negotiations,” Zanfir-Fortuna added.
From the start, the legislation has been very much "requirement-for-consent" focused, say those following the legislation.
"The current law is that tracking requires consent, but there are concerns that an overly strict application of this requirement — setting the standard that nothing short of an explicit opt-in will suffice — will result in very few people giving consent, with severe consequences for free web content," said Phil Lee, partner in Fieldfisher’s privacy law group.
In the 5G ultra-connected future, an ultra-strict approach could have yet more far-reaching consequences, Zanfir-Fortuna suggested:
"There has been a lot of back-and-forward on permissible grounds for accessing electronic communications data other than consent. That has been the sticking point from the beginning. This is a big problem because it is important to make it right, given that the regulation will affect the data flows on most IoT devices and could also cover connected cars,” for example.
Under the old EU ePrivacy legislation, the Directive, only a few limited categories of cookies were exempt from the consent requirement. That created big problems for electronic communications that were of vital interest to the consumer and not particularly intrusive.
"There are also concerns that the law allows for too few exemptions for activities that are not privacy intrusive — like general analytics and security updates — and this is part of what the new law will seek to address," Lee said.
How to regulate cookies to ensure websites can share advertising revenues and at the same time not expose people to too much intrusive tracking remains, of course, the elusive promised land for EU ministers.
The U.K. had at one point proposed that cookie consent be dropped altogether, but this threatened such a seismic culture shift in the EU approach to privacy that it was just unthinkable for many countries. Brexit has since marginalized the U.K.’s voice in this debate.
Germany, surprisingly maybe, given its comparatively aggressive approach to guarding the privacy of its citizens, has been reluctant to sign up for a strict consent approach, apparently due to concerns over what this would mean for its publishing industry.
Lee said the current consent debate is now as polarized as Brexit.
“Some groups view all forms of tracking as an evil. Other groups believe that tracking and targeted advertising are fundamental to the provision of free content on the web,” Lee said.
But there does seem to be hope in the wings.
The upcoming Finnish presidency has made clear it intends to cut through the noise and galvanize the ePrivacy dossier. In a note setting out its policy priorities, it puts an almost overriding emphasis on digital strategy and data protection as important engines of economic growth and job creation.
“Smart connections for sustainable growth” will be the motto of the incoming presidency, the note states, and Finland commits itself to wide consultation with business, the public and stakeholders in order to achieve that goal.
“We wish to turn the discussions towards (a) trusted and human-centric data economy within Europe, respecting the rights and privacy of individuals. Throughout our presidency and through high-level conferences on data and digital transport, we aim to involve businesses, stakeholders and citizens alike in the discussions on European data policy.”
It continues:
“Our aim, too, is to encourage debate on what can be done to promote the access to and the re-use of data in general, in the context of sectoral development and with regard to AI. We will also continue the negotiations on the ePrivacy proposal and further them as far as possible with the aim to ensure high quality of the legislation.”