Mixed emotions as Council finally adopts position on ePrivacy text

There were mixed emotions yesterday (10 February), as the EU Council finally managed to adopt a position on widespread new data protection rules, as part of the so-called ePrivacy regulation. 

The overall objective of the ePrivacy regulation is to afford online communications the same privacy protections as those afforded to traditional telecom communications. [Shutterstock]

The EU Council finally managed to adopt a position on widespread new data protection rules on Wednesday (10 February), as part of the so-called ePrivacy regulation, although Germany and Austria abstained from voting and Berlin’s data protection authority called for ‘significant changes’ to the text.

The 27 EU nations will now enter into talks with representatives from the European Parliament on the plans, which are expected to be fiercely contested.

The ePrivacy regulation details the conditions under which service providers are able to process electronic communications data. Such data includes those transmitted in the use of online services, including messages sent on WhatsApp and video calls on platforms such as Zoom and Skype, for example.

The overall objective of the regulation is to afford online communications the same privacy protections as those afforded to traditional telecom communications.

“The path to the Council position has not been easy, but we now have a mandate that strikes a good balance between solid protection of the private life of individuals and fostering the development of new technologies and innovation,” said Pedro Nuno Santos, Portuguese minister for infrastructure and housing, who chaired the Council.

Revealed: Portugal’s plans to conclude ePrivacy saga

The Portuguese presidency of the EU has pitched a new text on the controversial ePrivacy regulation, focusing on the processing of communications metadata and data stored on end-user equipment, according to the latest proposal, obtained by EURACTIV.

Revisions to data retention and security articles

The Portuguese presidency was the ninth Council Presidency to attempt to find consensus between member states, following the Commission’s original 2017 proposal.

A compromise text, obtained by EURACTIV, had been circulated by the Portuguese ahead of Wednesday’s talks with deputy ambassadors, reintroducing the possibility to process electronic communications metadata and use the processing and storage capabilities of the end-users’ terminal equipment.

Moreover, a substantial compromise has been pitched to the eventual application of the regulation, which the Portuguese now suggest should apply 24 months from the date of entry into force. It had previously stood at 12 months.

And in a further attempt to appease the sceptics on Wednesday, the Portuguese made further clarifications to the text, including on points regarding data retention and data processing for national security processes.

The ePrivacy saga: the false choice between privacy and funding online publishing

As the Council seems to have (yet again) failed to adopt a general approach for the ePrivacy regulation, one question that bears asking is: would more exceptions for online tracking support online publishers or the advertising industry? Karolina Iwańska argues that here is a way to sustain online publishing and uphold privacy

German data protection authority hits out

Such revisions appeared to have won around some of the opposers, except Germany and Austria, who both abstained from voting.

Subsequent to the vote, Germany’s data protection authority issued some stern words on the plans, with Ulrich Kelber, Germany’s data protection chief not holding back his criticism.

“If the regulation stays as it is, it would be a harsh blow to data protection,” Kelber said in a statement.

Appealing to the European Parliament and the Commission, he asked them to “demand a rise in data protection standards during trilogue negotiations,” highlighting, in particular, his concern over the revisions made to points regarding data retention, in this case, the practice of telecom providers saving data about their clients’ communication without needing justification.

The data protection commissioner, known for his tough stance against corporations such as Facebook, had other criticisms too: ‘Cookie Walls’, pop-ups that only allow access to websites if all cookies are accepted, could become legal again after they had been ruled out by the EU’s General Data Protection Regulation (GDPR).

He also sees some guarantees for users dismantled, such as an evaluation of the consequences for data protection standards of certain actions.

Finally, Kelber fears that the ePrivacy regulation could allow for the processing of user data for other purposes without their consent.

‘I am baffled at this encroachment into basic rights of European citizens’, Kelber said. Should the trilogues fail to bring ‘significant changes’ to the file, ‘red lines’ will have been crossed. The German data protection authority will work to this end both on the national and on the European level.

The concern over the text’s watering down of privacy standards was shared by many civil society representatives, with Estelle Massé, a senior policy analyst at Access Now saying that EU countries “lost forward-looking provisions for the protection of privacy while several surveillance measures have been added.”

However, more broadly, the Portuguese Presidency came in for praise after their success in finding general common ground between EU nations on Wednesday.

“The Portuguese Presidency has found consensus where no one thought it was possible…Now we call on the new Parliament to show flexibility regarding its 2017 position,” said Cecilia Bonefeld-Dahl, director-general of Big Tech trade lobby DIGITALEUROPE, a position also echoed by telecoms trade associations GSMA and ETNO.

The full text to the Council’s ePrivacy text can be found here.

German Presidency charts new COVID19 'metadata' rules in leaked ePrivacy text

The German EU Council presidency is seeking to permit the processing of metadata in online communications for ‘monitoring epidemics’ or to help in ‘natural or man-made disasters,’ according to a leaked text on the ePrivacy regulation obtained by EURACTIV.

Subscribe to our newsletters