The Presidency of the EU Council is expected to propose yet another iteration of the ePrivacy text for the next meeting of the Working Party on Telecommunications and Information Society Nov. 7.
Ever since the European Commission first presented its plans to overhaul the ePrivacy law in January 2017, the file has been mired in lobbying and conflicting positions of EU member states. In fact, until Finland took over the presidency in July, it appeared to be completely stalled.
Sources within the Finnish Justice Ministry told The Privacy Advisor they are keen to get an agreement between member states before the end of the year. Only then can the council negotiations move on a final text with the commission and the European Parliament.
Gabriela Zanfir-Fortuna, senior counsel at the Future of Privacy Forum, agreed. “All signs from Brussels point to the general agreement being on the horizon in the council, with the Finnish Presidency looking adamant on delivering as much as possible on this file. The ambition is to reach an agreement, and the presidency has until the end of the year to reach it. However, once the trilogue finally starts, I doubt it will be smooth sailing. There are some differences between the European Parliament’s negotiating mandate and the current draft of the council, particularly on permissible uses, and this may trigger again delays,” she said.
Dutch MEP Sophie in ’t Veld also sounded a warning note regarding trilogue negotiations: “We are waiting for the council to move. We’ll see when there are results, but on the whole, my expectations are not very high. The national governments tend to have a double agenda: They want to regulate tech-giants, while keeping access to the data gold mines, for security purposes. So I expect difficult trilogues. One would say even national governments have learned a few lessons from disasters like Cambridge Analytica, and from a raft of court rulings (not least [last] week’s ruling regarding cookie consent), yet they seem to be unfazed by all that.”
But a common position hasn’t been reached between the EU countries yet. On Sept. 18, the Finns put forward an 88-page compromise proposal with considerable changes and amendments. According to sources, only Germany and Spain gave vocal support for the text, while France and Poland are vehemently against it. Italy is also against agreeing a common position as it believes the new European Commission should sit before a decision is made on such an important file — something that is currently stalled for political reasons.
A new commission is, however, unlikely to make a huge difference to the file, since the new digital vice president will be Margrethe Vestager, who has already voiced her support for the law. To untangle all these political knots, it is likely that the national negotiators will have to begin Committee of Permanent Residents meetings in mid-November.
The law itself
The ePrivacy Regulation will in effect set out what is and isn’t confidential in electronic communications, as well as the general tracking of internet users, and will replace the 2002 e-Communication and Privacy Directive (2002/58/EC). It is intended to cut down on pre-ticked consent boxes for cookies — meaning websites will have to explain what information they are gathering on users and what they do with it, as well as allowing users to opt out. The Parliament version of the text states that even if users do opt out, the website will still have to provide the service. The “no visit if no cookies” status quo — known as a “cookie wall” — could be a thing of the past, but could also make it difficult for websites to generate revenue through behavioral advertising, which relies on cookies.
More broadly, the regulation is also intended to combat problems such as spam by making consent a requirement for communications.
Currently, companies like Skype, Facebook and Google are not subject to the same rules as telecoms providers and can conduct targeting based on content of communications, but this could be ruled unlawful under some drafts of the new law. Metadata — information about information, time, location, etcetera — is also included in the scope of the legislation, limiting further what online businesses can and can’t do with such (non-personal) information.
Given the model for a huge number of online businesses is based on advertising and the associated cookies and tracking, the potential disruption has alarmed the industry. Several members of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs say that this is the most heavily lobbied piece of legislation they have encountered, surpassing even that of the GDPR. Many of those opposed to the GDPR are now engaged in attempting to block the ePrivacy Regulation — ironically, the organizations that were most opposed to the GDPR now argue that the GDPR is so perfect there is no need for an ePrivacy Regulation.
Lobbying
On Oct. 18, the European Publishers Council, along with nine other European publisher and advertiser trade bodies, wrote a letter asking the council to alter the current text. “The ePrivacy Regulation puts the future financial viability of independent, advertising-funded media at risk,” the trade bodies wrote. “Under the current ePrivacy law proposals, publishers and any site owners would need explicit consent in order to use any form of cookie.”
They argued that the current draft of the law could seriously damage publisher advertising revenue, while benefiting the major tech platforms whose products make it very easy for users to stay logged in.
However, Alan Toner, policy expert at Brave, also wrote to representatives to urge the prohibition of cookie walls and the inclusion of privacy by default, arguing that there are good economic and practical reasons to reinstate them
“Advertising is fundamental to financing the web, but it must respect users’ rights and expectations. As technologists, we know that the rights to privacy and data protection enshrined in the European Charter are compatible with innovation. Many companies, including Brave, have developed advertising systems that support publishers with no privacy sacrifice. A robust ePrivacy Regulation will spur further innovation, whereas cookie walls would stifle it. But as currently drafted, the text will permit 'cookie walls' that make pervasive tracking a condition of access to a website. Competition authorities in several member states are examining the problems of the online advertising and media market caused by these same practices,” Toner said.
But DigitalEurope’s Cecilia Bonefeld Dahl remains concerned.
“This proposal has been problematic for virtually everyone in industry. Many [internet-of-things] sectors such as automotive, medical or construction equipment have joined our call to rethink the text. It would have such a broad application that for many services the ePrivacy Regulation would in practice replace the GDPR," Dahl said. "Importantly, very different AI use cases will have to rely on communications data, device data or both, and inflexible rules will only be detrimental. It’s not too late to rewrite the text in a way that avoids hard contrasts with GDPR compliance — this is the right time for the Council and the new Commission to make bold changes.”
European Telecommunications Network Operators' Association, GSMA and Cable Europe also issued a joint statement attempting to strike a balance between their concern at stricter regulation and their joy that so-called "over-the-top" services would also have to follow the rules. “While the ePrivacy Regulation proposal rightly seeks to level the playing field between telcos and digital service providers offering similar services, gaps remain. A viable regulatory framework should protect confidentiality and enable us to innovate and provide ever more relevant services to our customers,” the open letter said.
“Telcos and cable operators ask for the ability to implement a risk-based approach to processing communications metadata. Legislating for the future means leaving some space for unknown use cases. Rules for processing communication metadata need to be more future-proof and not focus disproportionately on consent,” said the organizations.
Recent ruling
However, a ruling from the Court of Justice of the European Union Oct. 1 could supersede such arguments. In the so-called Planet49 case, the European Union’s highest court ruled that people must actively choose to let companies install cookies that track their internet browsing — not just check a box by default. Many experts believe this provides legal certainty that will give a boost to the legislative efforts to adopt the ePrivacy Regulation.
Zanfir-Fortuna explained. “The recent judgment of the CJEU in Planet49 concerning the ePrivacy Directive may help speed up the legislative process. One of the points of contention in the council was to define the interaction between ePrivacy and the GDPR, with some even contesting there is a need for a separate law," she said. "The court clarified in the Planet49 case that the ePrivacy regime protects both personal and non-personal data, and this is because it aims to protect the user from interference with his or her private sphere, regardless of whether or not that interference involves personal data'. Hopefully this will bring some clarity.”
“I do think it is fair to say that the negotiations will be heavily influenced by the recent CJEU court cases, including of course Planet49. I do think that also the Right to be Forgotten cases and the hate speech case will however make an impact,” added Paul Breitbarth, director EU operations and strategy at Nymity.
However, looking ahead to the trilogue negotiations, German MEP Patrick Breyer predicted that tracking walls are "the greatest industry battlefield, but there is also bulk data collection and communications security/encryption where I am concerned the council has moved to unacceptable positions. Clearly publishers and advertising industry are on the forefront of the lobbyism for tracking walls. This is what the much discussed surveillance capitalism is about, and what their business model is built on.”
For now, it looks like we'll wait until November's aforementioned COREPER meetings to find out what progress has been made and how likely it is Finland closes a deal before year's end.