With the new Presidency of the Council of the European Union, the ePrivacy Regulation could be at a turning point. Still, there are a few open negotiations that might impact the future of the economy.
After the revolution of the data market triggered by the GDPR, the ePrivacy Regulation could have an equally – or perhaps even more – disruptive effect. But the legislative process is substantially behind schedule.
The ePrivacy Regulation aims to ensure privacy in electronic communications, introducing significant changes in key sectors of the digital economy, from the IoT to the activities of telecommunications companies to online advertising and direct marketing, with impacts on all organizations active in the digital sector, including OTTs.
The never-ending negotiations on the ePrivacy Regulation
The draft European ePrivacy Regulation has been the subject of lengthy negotiations that seem endless. After the failure of the negotiations on the drafts proposed by the last two EU Member States that held the EU Council Presidency (Finland and Croatia), Germany took over the Presidency on 1 July 2020. It immediately presented a summary document of the main issues to focus the discussion on the progress of the ePrivacy Regulation.
The German Presidency aims to achieve a general approach, or a mandate to start negotiations with the European Parliament by the end of its term of office (i.e., presumably by the end of 2020 or the beginning of 2021 at the latest).
To reach this objective, the German Presidency considers that EU Member States should agree on Article 6 (protection of electronic communications) and Article 8 (protection of end-user terminal equipment) of the current draft ePrivacy Regulation.
With regard to Article 8, the German Presidency is considering the two approaches of previous Presidencies. It will be up to EU Member States to choose whether to favor the approach proposed by the Croatian Presidency, which includes the possibility to access end-users’ terminal equipment (e.g., to install cookies) based on legitimate interest, or to prefer the approach proposed in November 2019 by the Finnish Presidency, which did not include legitimate interest, but indicated consent as the legal basis and tried to find a balance by introducing some provisions in recitals 20 and 21 regarding the conditionality of access through so-called cookie walls.
If the Croatian Presidency’s proposal is approved, EU Member States will have to dig into issues relating to the security of terminal devices. This is since this proposal would greatly facilitate access to such devices without the user’s consent. On the contrary, if the Finnish Presidency’s proposal is approved, it will have to be assessed whether the current rules will balance the interests at stake adequately, ensuring a high level of protection of end-users’ privacy and the protection of the legitimate interests of online publishers. The issue is pivotal to several companies, as it could put their entire business models at risk if an exception were not made for access to terminal equipment (e.g., in the field of online advertising).
What companies shall do now to get ready for the ePrivacy Regulation
Any organization that intends to create a new website or application may also reconsider the widespread use of tags rather than cookies, opting for alternative identifiers and tracking tools to prevent and address the losses that the online advertising industry may suffer as a result of the phasing out of third-party cookies, which is now being announced by major browsers.
More generally, it may be useful for organizations to identify the main areas of operation impacted by the ePrivacy Regulation. When the final text is published, they will be able to adjust their business model more quickly.
My two cents on the current status of the ePrivacy Regulation
I believe that none expected that the negotiations on the ePrivacy Regulation could take so long. There is no doubt that the interests at stake are extremely high, also in terms of economic value. It is a clash between the traditional protectionist European approach and an innovative and data-driven approach led by American businesses investing in the EU.
The final stage of the negotiations is likely to happen when the friction between the opposite views has already been exacerbated by the Schrems II decision and the subsequent announcement by Facebook that they could quit Europe.
My view is that, after the recent Planet49 decision of the CJEU and the guidelines of the EDPB, the current regime on cookies is already sufficiently protective. But companies need to abide by it. The issue does not pertain to the regulations, but the actual enforcement. The GDPR introduced massive fines, but we still hear several businesses that consider the lack of data protection compliance as a business risk to be taken and adopt a merely formal approach with no actual impact on their business.
If there is no enforcement, no rule will suffice, and governments will lose credibility.
Image courtesy Russ Seidel