The much maligned ePrivacy Regulation appears all but dead and buried after representatives of the EU states have rejected the text presented by the Finnish Presidency, meaning the proposed legislation could stay at a standstill for months or even be withdrawn by the EU Commission.
The review of the ePrivacy Directive – which also includes the Privacy & Electronic Communications Regulations (PECR) – was first proposed in April 2016, over three-and-a-half years ago.
The move is designed to tighten up the laws on online and mobile marketing, SMS, email and telemarketing activity; the directive was last updated in 2009.
The draft proposals require, for instance, that firms must gain users’ consent before tracking their online activities and must ensure that all electronic communications remain confidential unless the user consents otherwise.
There was also a proposal that consumers would have to agree for their data to be used at a “device level”, which would then apply to all websites and apps used.
The original plan was that it would come into force at the same time as GDPR; however, it has faced fierce resistance almost from the off, especially from the likes of Google, Facebook, Amazon and Microsoft.
They claim the legislation’s “over-reliance on consent and its broad scope will undermine GDPR, as well as legitimate processing of data and business practices within the Digital Single Market”.
Meanwhile, a study funded by the European Interactive Digital Advertising Alliance and IAB Europe warned that “device-level” consent could wipe out up to half of the €526bn (£470bn) digital ad market and threaten up to 6 million jobs.
The DMA and its EU counterpart Fedma have long campaigned for changes, too, arguing that the final text should provide the right balance between protecting individuals’ privacy and continued economic development across Europe.
The DMA claims the new delay has been achieved after a “comprehensive effort” from national and pan-EU organisations who communicated concerns about many aspects of the legislation. Over a dozen countries, including France, Poland, Czech Republic, the UK, Austria and Germany, voted against the legislation.
However, privacy campaigners have branded it a “backward step”. Ahead of the vote, Privacy International urged EU leaders to stop dithering. It claimed the lack of progress is leading to the continued abuse of consumers’ most sensitive data, and threatens to jeopardise Europe’s position as global standard bearer and digital champion gained through the adoption of GDPR.
In response to the latest delay, European Digital Rights head of policy Diego Naranjo said: “In this era of disinformation and privacy scandals, refusing to ensure strong privacy protections in the ePrivacy Regulation is a step backwards for the EU.
“By first watering down the text and now halting the ePrivacy Regulation, the Council takes a stance to protect the interests of online tracking advertisers and to ensure the dominance of big tech. We hope the European Commission will stand on the side of citizens by defending the proposal and asking the Council to ensure a strong revised text soon in 2020.”
Now, the Commission, under first the Croatian and then the German presidency, will have to choose either to withdraw the entire proposal or to redraft it in a new attempt to get sufficient support.
In practice, this means that the rules in the EU around cookies and spam will remain a patchwork of national laws and that companies will have to check their compliance on a country-by-country basis.
In the UK, for instance, the Information Commissioner’s Office has taken matters into its own hands and, rather than wait for the ePrivacy Regulation, has issued new guidelines for the use of cookies under GDPR.
The move outlaws “implied consent” and legitimate interests, with even analytics cookies now requiring consent, too.
At the time, ICO head of technology policy Ali Shah claimed that for many companies “very little may change” but admitted that “for others, more work will have to be done”. He concluded: “Start working towards compliance now – undertake a cookie audit, document your decisions, and you will have nothing to fear.”