The EU ePrivacy saga: no political will to protect users’ rights

In the European Union, the reform of ePrivacy legislation has stalled, yet there has never been more need for increased online privacy protections. How did we get here? Where do we go now?

Not so long ago, in a galaxy not so far away, the EU legislative process for ePrivacy reform began. Here is a (slightly simplified) recap of how this process works:

  1. The EU Commission, the executive body, makes a proposal for legislation.
  2. The draft bill is presented simultaneously to the two EU legislators: the EU Parliament, representing the 500 million EU citizens, and the Council of the EU, representing the 28 Member States. The legislators work in parallel on the bill, propose amendments, and adopt their own revised version of the bill. They can take as long as they want to complete this step, which usually varies from six months to three years.
  3. Once both legislators have adopted their version of the bill, they come together with the EU Commission in a process called “trilogue” to agree on a final common text.
  4. Once an agreement is reached, the final text must be voted by the Council and the Parliament for it to become an EU law.

2017 – A new hope

In January 2017, the European Union embarked on the reform of the ePrivacy Directive, the only piece of EU legislation that protects the rights to privacy online and the confidentiality of communications. This legislation is a complement to the EU General Data Protection Regulation (GDPR), which protects the separate — but linked — fundamental right to data protection.

The objective was to bring the 2002 law in line with the current reality of communications, where we have seen email, instant messages, Snaps, and InstaStories take the place of phone calls. For many of us, MMS and SMS are relics of the past, and around 25% of European smartphone users don’t use their devices to make calls. As we use apps to communicate, we must ensure that privacy and confidentiality protections apply to these services too.

In the EU and around the world, privacy is a fundamental right and people care about it. In 2016, 92% of the respondents to an EU barometer survey said that it is either important or very important that the confidentiality of their emails and instant messaging is guaranteed. We therefore welcomed the ePrivacy reform with high hopes for users’ rights. After all, at the time the reform was introduced, the EU had just completed its Net Neutrality law in 2015 and the EU GDPR in 2016; we had reason to be somewhat optimistic.

The process started off pretty well. In 10 months, the European Parliament amended and strengthened the legislative proposal to improve users’ rights, despite intense external pressure from a number of tech and telecommunications companies lobbying to repeal the law. Because, you see, these companies take our privacy oh, so seriously that they go around Brussels asking for privacy obligations to be repealed.

2018 – The corporate interest strikes back

With the EU Parliament adopting its report on the ePrivacy Regulation and confirming its mandate to enter into inter-institutional negotiations (twice), the pro- and anti- ePrivacy lobbyists shifted their focus to the Council which was still discussing its position on the proposal.

Reports show that representatives of Member States in Council have experienced an unprecedented level of lobbying aiming to undermine the reform, beating the previously established “record” from the negotiations for the GDPR. Publishers and advertisers — who rely largely on tracking-based, privacy-invasive business models to make money — led the charge against the proposed Regulation. A few representatives from this industry went so far as to claim that the Regulation would hinder freedom of the press in the EU. While it is true that advertising represents an important stream of revenue for online media (even if less and less so), this is not the only avenue for newspapers to get income and it does not mean that advertisers have carte blanche to invade readers’ privacy online. Instead of discussing possible forward-looking privacy alternatives, the advertiser industry and some publishers have managed to convince Member States to remove important measures from the Council draft on privacy-by-design and by-default settings.

In parallel to the advertisers’ lobbying, tech giants and telcos also continued their efforts to undermine the reform. They made dubious claims suggesting that the ePrivacy Regulation would hinder innovation and the fight against crime if companies did not have some flexibility to use people’s communication data without their knowledge and consent. These claims were largely unsubstantiated and ignored the fact that the ePrivacy legislation, together with the GDPR, could be the engine for privacy-friendly innovation in the EU. Companies suggested that the ePrivacy legislation would somehow undermine the fight against child pornography, when nothing in the law would limit or prevent the application of obligations under criminal laws. Far too often, companies use very serious matters such as the fight against of terrorism or child pornography as lobbying tactics to derail policy debate from the original matter. Despite all this, the Council moved to incorporate flexibilities for in its draft text. If adopted, these measures would limit the privacy and security obligations for companies to the detriment of users’ rights.

And then the Cambridge Analytica scandal happened. While the world praised the EU for adopting the GDPR, it also became clear that having strong data protection rules does not unfortunately offer comprehensive safeguards against the practices revealed by the scandal. The ePrivacy rules on tracking and use of communications data should be strengthened to limit the risk of another such scandal. Indeed, the widespread and proven data and privacy violations of the Cambridge Analytica scandal are a consequence of a common business model: the (over) collection and processing of personal information, including users’ communications data, to create profiles, in particular to generate more precise ad targeting. Despite public uproar, legitimate concerns, and widespread international reporting and attention to this abusive business model, with most of the focus on Facebook, no protections were reintroduced in the Council draft text on ePrivacy.

More than two years into the reform, we are still waiting for the Council to agree on a final position, and while their draft text is getting slimmer on user protection, loopholes for the benefit of companies are multiplying.

2019 – The phantom (of) data retention

In the midst of this unprecedented lobbying, the phantom of data retention appeared in the negotiations. In the EU, data retention is indeed closely linked to the current ePrivacy Directive which authorises member states to put forward such measures under specific conditions. In two rulings, the Court of Justice of the EU has further clarified these conditions and the criteria that states must follow to implement data retention to be compatible with the EU Charter and in particular, the rights to privacy and data protection. In that sense, the Court has made clear that mass indiscriminate retention of communication data must not happen in the EU. So far, so good: the two rulings are important pillars of the Court’s jurisprudence in strengthening fundamental rights. Member States, however, have made pretty clear that they do not like these rulings, which they consider too limiting for law enforcement activities.

In that context, the reform of the ePrivacy legislation is becoming an opportunity for national governments to revisit this question. As shown in a document obtained by Access Now through a freedom of information request, Member States still don’t know “how to implement a targeted/restricted retention” (pursuant to what the rulings set forth) and want to ensure that the ePrivacy law “leaves the door open” to future data retention laws. As a result, the current Council draft text includes language that aims at excluding national security activities from the scope of the law while introducing exceptions allowing states to adopt data retention laws for this purpose. However, the Council text omits all of the safeguards for users’ right to privacy that are listed as necessary criteria by the Court.

Where do we go from here?

The reform of the ePrivacy law is now the only major instrument of the EU Digital Single Market strategy that will not be completed under this legislature.

It is evident from the summary of the last two years of negotiations that the reform of the ePrivacy Regulation brings up important questions regarding the business models of online actors and the use of data by law enforcement authorities. We are also conscious of the challenges Council members are facing, including the unprecedented level of lobbying surrounding this proposal.

The many issues related to the  ePrivacy negotiations require careful negotiations, but after many years of debate, it is evident that the main obstacle for completing reform today is the lack of political will by some Member States. It is no secret in Brussels that if the Council wants to adopt a position, it can be done in six months, even for complex issues.

With political will, transparent negotiations, and existing guidance from the Court, we can find answers to many of the challenges raised by ePrivacy. Access Now remains committed to providing input to the Council to help Member States move the negotiations along. Today, we are sending Council representatives recommendations on key aspects of the text to ensure that the law delivers on its core objectives to protect the rights to privacy in the online environment and confidentiality of communications. In the meantime, the ongoing Romanian Presidency of the Council has announced a so-called progress report on the ePrivacy reform to be adopted on 7 June. In EU jargon, this means that the Presidency presents a state of play of the debate and that no further discussions will take place on the reform until the next Presidency. We therefore hope that our recommendations will be useful to the upcoming Finnish Presidency which will begin on 1 July.

EU citizens have a right to privacy which applies to online and off. All lawmakers should hear the clear and wholehearted demand for that right to be protected. In the digital era and as privacy scandals are piling up, it is high time for EU Member States to adopt their position on the ePrivacy law to allow for a swift completion of the reform.