The battle over the EU’s far-reaching ePrivacy Regulation enters its final and crucial stage

Posted on Feb 16, 2021 by Glyn Moody

The EU’s GDPR has had a massive effect on privacy worldwide. But as a post explained back in 2018, there’s more EU privacy legislation coming through which could have a similarly broad impact globally. Where the GDPR governs how personal data is stored, the ePrivacy Regulation is about how personal data is transmitted. The European Commission published its draft ePrivacy Regulation back in 2017, and the European Parliament produced its amended version a few months later. The third member of the EU’s legislative system, the Council of the EU, has been bickering over its own text for the last four years. Politico has produced an excellent history of the twists and turns, as different nations have taken the EU Presidency, and tried to come up with a version that was acceptable to all – and failing. This was due in no small part to the unprecedented lobbying that has been unleashed, a reflection of how far-reaching the legislation will be. The Council of the EU has at last agreed on its version of the text, which means that negotiations can now begin to produced a final compromise version.

The press release of the Council of the EU has a good summary of its main features. Importantly, the ePrivacy Regulation will cover not just electronic communications content, but also communications metadata. Also welcome is that the rules will apply to machine-to-machine data, for example generated by Internet of Things devices. Unfortunately, one of worst proposals in the new text concerns metadata. As is well recognized now, metadata is arguably richer and more revealing than even content, and therefore requires strict safeguards in order to preserve privacy. The Council of the EU wants to create a huge loophole that would allow companies to process metadata for a purpose other than that for which it was collected, even when this is not based on the user’s consent. This would be subject to a variety of vague “safeguards”, including the use of pseudonymization, which offers very little protection for privacy.

The other area where the Council of EU text is deeply problematic is cookies. Some of the most vocal early opponents to strong privacy protections in the ePrivacy Regulation were publishers, who wanted their “right” to use tracking cookies enshrined in the law, as Privacy News Online reported in 2019. A key issue for the ePrivacy Regulation is whether cookie walls – initial screens requiring visitors to accept tracking cookies before they can access a Web site – would be allowed. The Council of the EU text includes a compromise position that is dangerously vague – and thus likely to be abused. The following passage is certain to be one of the most contested parts of the new law during the final negotiations:

In contrast to access to website content provided against monetary payment, where access is provided without direct monetary payment and is made dependent on the consent of the end-user to the storage and reading of cookies for additional purposes, requiring such consent would normally not be considered as depriving the end-user of a genuine choice if the end-user is able to choose between services, on the basis of clear, precise and user-friendly information about the purposes of cookies and similar techniques, between an offer that includes consenting to the use of cookies for additional purposes on the one hand, and an equivalent offer by the same provider that does not involve consenting to data use for additional purposes, on the other hand. Conversely, in some cases, making access to website content dependent on consent to the use of such cookies may be considered, in the presence of a clear imbalance between the end-user and the service provider as depriving the end-user of a genuine choice. This would normally be the case for websites providing certain services, such as those provided by public authorities. Similarly, such imbalance could exist where the end-user has only few or no alternatives to the service, and thus has no real choice as to the usage of cookies for instance in case of service providers in a dominant position.

It’s not clear from this what “an equivalent offer by the same provider” means here. If it means complete access to the site, or nearly, then it might be acceptable. If it refers to a substantially cut-down version, then it would not. We should find out soon enough, when the “trilogues” – the three-way negotiations between the Council of the EU, the European Commission, and the European Parliament – begin. Back in 2017, the European Parliament stated that a ban on cookie walls, was “among Parliament’s priorities.” If the European Parliament follows through on that, the above text would need to be dropped completely. The Council of the EU is unlikely to accept that without a fight, though.

There is a solution to this tension between the advertisers’ desire to match ads to visitors’ interests, and privacy. A move to contextual advertising would make the most intrusive kind of tracking cookies unnecessary. Instead, cookies could be kept for low-level analytical uses, keeping tabs on overall traffic, not individual clicks. The good news is that there are signs that this viewpoint is being considered by many of the most important online players. This makes supporting it in the ePrivacy Regulation by banning cookie walls a crucial step for the future strengthening of privacy. As a Regulation, not a Directive, the new law would apply directly across the whole of the EU, and would not require local legislation that might water down key aspects.

Feature image by Image by Wolfgang Lützgendorf