After seven presidencies suffered defeats in the Council, the German BMJV brought forward another (unbalanced) draft for a General Approach and will very likely suffer a similar fate.
On Wednesday, 11 November, the Council working party rejected the new ePrivacy proposal by the German Presidency. Since the next Telecoms Council will already take place on 7 December, the chances for a successful redrafting - including an agreement in COREPER - are rather slim. This is great news for Europe's citizens and businesses as well as Europe's digital transformation in general. Confusing and overlapping new rules that would affect many digital services and applications are - for now - off the table again.
The new (failed) proposals
The biggest change from previous versions was the deletion of 'legitimate interest' as one of the legal bases for processing metadata. The presidency replaced it with the concept of 'vital interest', which allows processing for the protection of vital interests (e.g. monitoring of epidemics or of natural / man-made disasters). This concept is obviously far too narrow to cover important functions of communication services (such as the detection of abusive behavior or the calculation of bills) that so far fell under 'legitimate interest'. At a time when the EU is trying to establish European Data Spaces and wants to promote data sharing across the continent, the new proposals seem to be from a bygone era. Consequently, most Member States saw this contradiction and reacted with strong disapproval. Other disputed points, such as consent requirements or rules for the tracking of online activities through the use of cookies, could not be resolved either. The stalemate in the Council therefore continues.
Our old but still timely position
When the European Parliament was writing its report in 2017 as a response to the legislative proposal by the European Commission, our office was already involved in the political negotiations. In our eyes, both the Commission's text and the parliamentary response were heavily flawed and would severely hamper digital innovation across Europe. Two points of criticism stand out and are still valid:
Excessive and overlapping scope: if the ePrivacy proposal becomes lex specialis and keeps protecting more than just the confidentiality of communication, the GDPR becomes rather obsolete in many areas. The legal uncertainty for citizens and businesses would continue to grow, especially since they are already dealing with a difficult GDPR implementation and a legal limbo when it comes to third-country data transfers.
De facto ban on processing data: many new digital services and products need a vast amount of data, and our digital economy and modern lifestyle rely heavily on data transfers. While the GDPR offers six legal bases for processing data in its Article 6, Article 6 of the new ePrivacy proposals largely focuses on 'consent' (especially the EP version). This outdated concept is, however, not able to deal with most new technologies, which would require other approaches (such as transparency, anonymization or encryption) if we really want to guarantee data privacy effectively.
"Consent is the death of data privacy as the vast majority of users will just accept the terms without actually reading them in order to use the service"
We think that after what will soon be eight failed presidencies, the European Commission should finally accept that this legislative proposal will not be adopted. The best option now is to take the necessary rules (from the old ePrivacy directive, which is still in force) and create a new GDPR chapter on communication data, metadata and content. We could use the upcoming GDPR review in May 2021 for this legislative operation and, by doing this, finally close this tedious chapter.
Read more about our concerns in the attached position paper from 2017. Please also have a look at the excellent 'Policy Paper on Economic Effects of the ePrivacy Regulation' from Clark Parsons and his IEF-team.