What chance does the ePrivacy Regulation have of getting anywhere during the first half of this year? As the first month of the Romanian presidency of the Council draws to a close and as elections for the next European Parliament loom, the outlook is not good.

When the Austrian presidency warned in July that it was "not sure if a common position in this topic is reachable" during its six-month term, it wasn't kidding. As it foresaw, the changes proposed during that period did not leave major players ready to push on to trilogues with the other EU institutions.

So it's no surprise to see the Romanian presidency being very cautious about promising significant movement anytime soon.

"Digitalization and the advancement of the EU Digital Single Market are key priorities for the Romanian Presidency and for the future of Europe," said Cosmin Boiangiu, Romania's deputy permanent representative to the EU. "The Romanian Presidency aims to advance as much as possible the discussions on the ePrivacy directive in the Council of the EU. The Presidency will base its efforts on views expressed by the EU ministers during the Telecommunications Council meeting in December 2018."

What are the outstanding problems? Germany, one of the biggest beasts in the room, set out its concerns in a report following that Dec. 4 meeting:

  • It doesn’t want any mention of national security and defense unless "it is made clear that these are examples of activities outside the scope of Union law."
  • It insists that Article 5 (about the confidentiality of electronic communications data) "shall cover all communications data in the hands of the providers, i.e., also after receipt of a message."
  • It's dead against the Austrians' proposed version of Article 6 (about permitted processing) and prefers the version set out by the previous Bulgarian presidency. Also: "The Regulation must give greater consideration to the goal of protecting children and minors."
  • As for Article 8 (about information stored on terminal equipment, such as cookies), the Germans are worried about the regulation hindering workplace and smart-industry applications, as well as access "in the vital interest of the person concerned."
  • The Austrians proposed deleting Article 10 — the bit that would have made "do not track" settings legally enforceable. The Germans prefer "further discussion" about the article's design.
  • While the Austrians "significantly simplified" Article 18 (about giving data protection authorities oversight of ePrivacy compliance), the Germans want to entirely scrap the requirement for independent oversight regarding the processing of non-personal data.

The German Economy Ministry indicated last week that its position had not changed since early December.

"We all know that member states have been very split on the issue of ePrivacy for quite some time," said Birgit Sippel, the European Parliament's lead rapporteur on the file. "I would therefore be delighted if the Romanian presidency would indeed do everything in their power to reach a compromise as soon as possible. Finding a common position might be difficult, but it is more important than ever and we must not stop fighting for more fundamental rights online, just because it is difficult."

But with Parliamentary elections taking place in May and the new Parliament sitting in July (as Finland assumes the Council presidency), there are an awful lot of variables at play here. What if there's no common Council position before those elections and Parliament's position falls apart afterward? What happens to ePrivacy if nothing happens in the near future?

Debbie Heywood, a lawyer at Taylor Wessing's London office, notes that while the regulation's cookie requirements may be getting watered down — with Article 10 being entirely zapped — the higher bar for consent to cookies has already been set by the GDPR, and as for the bits about B2B marketing, it looks as though they are not going to end up a million miles away from the current requirements under the ePrivacy Directive.

"The ePrivacy Regulation isn't just about cookies and direct marketing; it also extends the reach of the current Directive's obligations on telecommunications service providers to over-the-top service providers like WhatsApp and Skype," Heywood noted. "While we may see some watering down of the provisions on cookies compared with what was originally intended by the Commission (and what was recommended by the EDPS and Article 29 Working Party), the ePrivacy Directive still requires modernization. I think work on the Regulation will continue under the new regime even if there is a hiatus for the European elections."

Sippel also pointed out that the regulation was necessary because "there are too many open legal questions regarding the interplay of the GDPR and the current ePrivacy Directive," with cookies providing a crucial example. "Therefore, not only the citizens but also the businesses need more clarity," she said.

"Also, [over-the-top services] shouldn't be too sure that they are not covered by the current directive," Sippel warned. "The newly reformed European Electronic Communications Code will broaden the scope of the ePrivacy directive and will then also include OTTs."
