‘The GDPR on steroids’: The ePrivacy Regulation

Posted on 13th June 2018

Even as Europe finished the final preparations for the implementation of the GDPR, the Brussels machine began gearing up for the next round of battles on data protection. This time, the fight is over the ePrivacy Regulation – dubbed by British MEP Daniel Dalton as “GDPR on steroids.”

Celebrated by some privacy advocates and feared by large swathes of the private sector, the ePrivacy Regulation aims to protect a user’s privacy at every stage of an online interaction. A noble goal, but the broad language in the Commission’s draft means that any business “in connection with the provision and use of electronic communications services” falls into scope. In other words, cookies, firewalls, apps on mobile devices, and even gaming consoles that include a messaging app as an extra feature are all covered by the ePrivacy Regulation.

Lose-lose

The draft regulation has provoked some of the most intense and polarising lobbying campaigns ever seen in Brussels. The advertising industry made many enemies by unrelentingly campaigning against the legislation and warning that legitimate business models based on advertising would be decimated. However; responses from MEPs indicate all this did was alienate the European Parliament and solidify its resolve to protect end-users from intrusive tracking and targeting.

The tech industry is equally concerned by the legislation. With only narrow exceptions for the processing of electronic communications data, innovative firms in the EU and beyond are worried that this could throw their entire business models into jeopardy. Even basic tools like spam filters could fall into scope, and that’s before they think about how the restrictions on processing metadata in the ePrivacy Regulation could affect their machine learning and artificial intelligence prospects.

Civil rights organisations and big technology companies do not always see eye-to-eye, but in the ePrivacy Regulation they have found a common enemy. While electronic communications providers worry about what they can’t process or store, NGOs are warning that the allowances for what governments can do with communications data invite overreach. Vague wording in the draft legislation suggests that governments would be able to access data without consent for “reasons of public interest.”

Even supporters of the Regulation are becoming dissatisfied; consumer rights organisations, who support the legislation, have become increasingly angry as they watch EU member states attempt to delay or soften it. Even when it does come into force, it seems unlikely that anyone will be pleased with its final form.

What next?

The European Parliament rushed the legislation without seriously considering the impact on future business models. Having passed the Parliament despite some obscure wrangling, it’s up to member states to negotiate their own version of the legislation — but they’ve been reluctant to move forward, to say the least.

At the last Telecoms Council, ministers politely praised the efforts by Bulgaria, the current holder of the six-month Council Presidency, to find a compromise. But behind the civility, the message was clear: the file was not “mature enough,” in the words of the Czech representative, to begin negotiations.

The Commission had planned for the ePrivacy Regulation to come into force on the same day as the GDPR. It quickly became apparent that this would not be the case. The Austrian Presidency — which begins on 1 July — has set a deadline for concluding the work before the end of the year, but even this is highly ambitious for one of the most controversial digital files of recent times.

If the member states, represented in the Council of the EU, come to an agreement before the end of the year, they can begin negotiations with the Parliament and the Commission. However, that is a big “if.” If negotiations between the institutions have not begun by the end of the year, there is a strong possibility that the proposal could collapse altogether, forcing the Commission to re-start the drafting process. That could be the best opportunity for the EU to create a future-proof piece of legislation that strikes a balance between innovation and privacy.

Author: Kirsten Williams, Policy Analyst, Access Partnership

Back to document archive