The European Commission is amping up pressure on EU leaders to approve a controversial privacy bill, deadlocked in legal talks for more than a year, after the data breach scandal involving Facebook and Cambridge Analytica.

In a stern warning to leaders before they gather at a summit in Sofia on Thursday (17 May), the EU executive demanded that they “accelerate” and “conclude negotiations as soon as possible on the ePrivacy regulation”.

The EU executive is under pressure to make good on its promise to wrap up legal negotiations by the end of this year on all of the digital single market proposals it has announced since 2015. Time is running out and 17 out of 29 of those initiatives are still wading through negotiations.

“An extra effort is necessary to conclude negotiations on the remaining pending proposals and meet the European Council goal of concluding the digital single market strategy by the end of 2018,” the document said.

Thursday’s European Council summit will be dominated by hot-button foreign policy crises like the United States’ decision last week to pull out of the nuclear deal with Iran. But the Commission is eager to use the event to press leaders for a quick breakthrough on the ePrivacy bill, which has been stumbling through heated legal talks since January 2017.

“There is a great sense of urgency,” one Commission official said.

The Commission is banking on public outrage to persuade politicians to speed up the negotiations. A scandal that broke in March over consultancy firm Cambridge Analytica, which analysed millions of Facebook users’ data for political campaigns without their knowledge, has riled up the EU’s digital policy chiefs. The firm collected data from around 2.7 million Facebook users in the EU.

EU Justice Commissioner Vera Jourova said in a statement on Tuesday that the scandal “confirm[ed] once more that the EU made the right choice to put in place strong data protection rules. Data harvesting with the aim of manipulating public opinion is unacceptable”.

Tech companies operating in Europe already have a storm of new privacy rules coming their way. The EU’s watershed data protection regulation, known as the GDPR, will take effect next week (25 May).

It’s national politicians and their Brussels-based negotiators that have dragged their feet on approving an additional privacy law.

Some EU countries have pushed back on the separate, draft ePrivacy legislation, arguing that it will overburden companies that are already restructuring their business to comply with the GDPR. Technology firms have also raised alarm over tougher measures in the ePrivacy bill that limit how telecoms operators and digital services like WhatsApp can process their users’ data.

One Commission official said the Facebook scandal “shows we can’t have a gap on this. We must have the confidentiality of communications. Now it’s up to the political decision makers”.

The source said politicians around Europe have started to show more openness towards negotiating an agreement on ePrivacy since the Facebook scandal surfaced two months ago.

MEPs called for a breakthrough on ePrivacy during a debate on the data breach last month. “There are signs the Council is realising this too,” the EU official said.

The Commission is hoping that national diplomats will sign off on their version of the legislation by the end of June, and that final negotiations could wrap up before the end of the year.

The Bulgarian government, which holds the rotating presidency of the Council of ministers, circulated a new document to negotiators last week with suggestions to reach a breakthrough.

The legislation can only go into effect after national diplomats, the European Parliament and the Commission strike a compromise. MEPs approved their version of ePrivacy last autumn, but three-way talks between the institutions cannot start until diplomats sign off on the bill.

In its new document, the Commission also issued a last-minute warning to EU countries that have not yet revamped their national laws to make room for the GDPR. Only four EU countries have already approved their laws. Others are unlikely to have legislation in place by the 25 May deadline.

The Commission wants national leaders to pick up the pace. They should take “with utmost urgency all the remaining steps necessary to prepare for the application of the general data protection regulation in all member states,” the document said.