Earlier this month the current Bulgarian Presidency of the European Council sent out a “progress report” on the draft ePrivacy regulation, and the question on everyone’s lips was whether there would be a general approach before Bulgaria gives up the presidency at the end of June.

Presidencies always want to be seen to have delivered some sort of breakthrough, but in reality, this can be little more than a biannual back-slapping exercise. Ministers at the Transport, Telecommunications and Energy Council held a debate June 8 about the ePrivacy Regulation, but the headline-grabbing highlight was an agreed position on cybersecurity, and some of them may see that as a big enough deliverable. In the official report of the meeting, there was an attempt to put a good face on things, but the recap does not make a consensus draft seem imminent: "Many ministers thought that the latest presidency text was a good basis to continue discussion. However, most delegations agreed that further work was needed under the next presidency to ensure the quality of this complex legislation. This includes work on the list of permitted cases of processing of metadata, and the protection of terminal equipment and privacy settings. Overall, ministers expressed their readiness to continue to work constructively to conclude this dossier."

On a more practical level, negotiations within the Council’s telecommunications and information society working party are ongoing, but as the presidency draws to a close, just four more meetings are scheduled: June 14, 18, 21 and 27.

Examination of the Presidency ePrivacy text is on the agenda for June 14, but the other meetings are largely taken up with other issues: non-personal data, top-level domains, the European Electronic Communications Code, and the implementation of the Digital Single Market Strategy, among others. 

The full EU Council of heads of state or government will gather in Brussels on June 28 and 29, and, technically, could approve a position if it is reached by those doing the heavy lifting. But they too have more pressing matters to worry about, not least migration, the long-term EU budget, and Brexit. So although some sort of flag-waving about progress is not off the cards, ePrivacy will most likely be kicked down the road to the Austrians who take over July 1. 

This could create an interesting set of conditions for the proposal. Austria is one of a small group of countries with a seemingly pro-privacy agenda. Where France and Spain appear to be caving in to the desires of telcos, and the U.K. and others keen to have broad national security allowances for data retention, Austria in its position as presidency may be able to push back. It's worth noting that Austria is also the chair of the newly formed European Data Protection Board and may want to cement its privacy credentials.

Once a common council position is agreed, Austria may also be in a positive position to engage with the European Parliament in so-called trialogue discussions. And with European Parliament elections scheduled for May 2019, timing is key.

“It is unacceptable that the European Council is until today blocking the regulation on ePrivacy,” ePrivacy Parliament Rapporteur Birgit Sippel said. “For over a year, the national telecommunications ministers have been dragging their feet on this crucial file for the privacy of EU citizens. The European Commission announced the proposal in January 2017 and the European Parliament adopted its position already in October 2017. We are ready to move ahead, EU citizens are ready to move ahead, so the Council needs to move ahead.” 

However, those stalling tactics may not be an accident. At the end of May, an industry group, EDiMA, urged the Council not to rush the proposal. 

According to the Corporate Europe Observatory, officials from the EU28’s permanent representations in Brussels cannot recall a legislative proposal that has attracted so much lobbying, with corporate interests absolutely dominating. Those interests believe their position will be best served by stalling the law in Council until there is a new European Parliament. That is something Sippel does not want to see happen.

“In light of the Facebook and Cambridge Analytica scandal, national governments can no longer put the interests of lobbyists and big business ahead of the privacy of citizens. Now that the Telecoms code is over, it's high time that the Council got serious about protecting citizens online,” she said.

In its six months, the Bulgarian Presidency introduced new permissions for processing electronic communications metadata, including processing for the purposes of network management and optimization, as well as for statistical counting. And on the issue of data retention, exclusions have been included for national security and defense (Article 11). 

Speaking at EURACTIV and Microsoft event in Brussels June 5, Bogdan Mlachkov, attaché on criminal matters, Permanent Representation of Bulgaria to the European Union was cagey about giving any concrete timelines. He said the negotiations were all about getting the balance right: “What the ePrivacy Regulation (especially for Article 11) is trying to do, is just to strike this balance. To open the door to find the solution for not only protecting privacy, but public interests too.” He added that the language of the law also has to take into account court judgements issued on the topic in recent years.

Speaking at the same event, Robert Stankey of Davis Wright Tremaine thought things might be moving too fast. “We’ve just gone through an enormous transition with the GDPR implementation and there’s a lot that needs to be worked out. There are a lot of lessons that can be learned from how that regulation is being put into practice.

“The concern here is that the ePrivacy Regulation has a number of different elements in it, but it’s kind of a grab-bag of different slices of digital policy. There should be a serious evaluation of whether all those issues are properly dealt with. Indeed, do they need to be dealt with? Is the existing law sufficient in providing enough structure and protections? That sort of thoughtful discussion I fear hasn’t taken place.”

Nikolaus Forgó of the Department of Innovation and Digitalisation in Law, University of Hanover, was also cautious: “I think one of the basic promises of GDPR when it was launched by the Commission in 2012 was that Europe would establish some kind of gold standard in ePrivacy. Six years later, I would say I don’t know whether this has come into reality two weeks after GDPR has started to be applicable. And I think that we are facing the same risk once again which means that the ePrivacy Regulation might produce a lot of burdens and a lot of costs on European stakeholders and not really affect global players not based in Europe and therefore not necessarily complying with European law."

Despite describing ePrivacy as “GDPR on steroids,” MEP Daniel Dalton said that “actually what we’ve seen [with the Cambridge Analytica scandal] has probably strengthened people’s views on the Parliament, and we’ve got it right. Now I personally oppose the Parliament position, but the feeling I get is the people think because of what we’ve seen with Cambridge Analytica that actually privacy might now be on the right lines,” he added.

Although the Parliament may be more susceptible to media headlines, Council members are not deaf to public opinion either. So while another major scandal or a big political push by Bulgaria can’t be ruled out, the smart money is on a Council position under the Austrian presidency and another big effort to reach an agreement with the Parliament by the end of the year.

photo credit: kerolic via photopin