After seventh presidencies suffered devastating defeats in the Council, the German BMJV brought forward another (unbalanced) draft for a General Approach and will very likely suffer a similar fate.
On Wednesday, 11 November the Council working party rejected the new ePrivacy proposal by the German Presidency. Since the next Telecoms Council will already take place on 7 December, the chances for a successful redrafting - including an agreement in COREPER - are rather slim. On the one hand, this is great news for Europe's citizens and businesses as well as Europe's digital transformation in general. Confusing and overlapping new rules that would affect many digital services and applications are - for now - off the table again. On the other hand, we just do not understand why such a dreadful file is still existing.
The new (failed) proposals
Our old but still timely position
When the European Parliament was writing its report in 2017 as response to the legislative proposal by the European Commission, our office was already involved in the political negotiations. In our eyes, both the Commission's text as well as the parliamentarian response were heavily flawed and would severely hamper digital innovation across Europe. Two points of criticism stand out and are still valid:
Excessive and overlapping scope: if the ePrivacy proposal becomes lex specialis and keeps protecting more than just the confidentiality of communication, the GDPR becomes rather obsolete in many areas. The legal uncertainty for citizens and businesses would continue to grow. Especially since they are already dealing with a difficult GDPR implementation and a legal limbo when it comes to third-country data transfers thanks to Schrems II (*RIP* EU-US-Privacy Shield).
Factual ban on processing data: many new digital services & products need a vast amount of data and our digital economy and modern lifestyle rely heavily on data transfers. While the GDPR was offering six legal bases in Article 6 for processing data, Article 6 of the new ePrivacy proposals largely focus on 'consent' (esp. the EP version). This outdated concept is however not able to deal with most new technologies, which would require other approaches (such as transparency, anonymization or encryption) if we really want to guarantee data privacy effectively.
"Consent is the death of data privacy as the vast majority of users will just accept the terms without actually reading them in order to use the service"
We think that after - soon - eight failed presidencies the European Commission should finally accept that this legislative proposal was a huge mistake and cannot be cured. Our best option is now, to include the necessary rules (from the old ePrivacy directive, which is still in force) and create a new GDPR chapter on communication data, metadata and content. We could use the upcoming GDPR review in May 2021 for this legislative operation and by doing this, finally close this tedious chapter.
Read more about our concerns in the attached position paper from 2017. Please also have a look at the excellent 'Policy Paper on Economic Effects of the ePrivacy Regulation' from Clark Parsons and his IEF-team.