A long-stalled bid to beef up European Union rules around online tracking technologies and put penalties on a similar footing to the bloc’s data protection framework, GDPR, has been withdrawn by the Commission after co-legislators failed to reach agreement over the plan.
The original proposal to update the ePrivacy Directive and turn it into a fully fledged Pan-EU regulation dates back to 2017, so the writing has been on the wall for considerable time. But the effort is officially dead as of Wednesday — the Commission has included the ePrivacy Regulation in a list of legislative initiatives that are being withdrawn via its 2025 work program, giving as a reason: “No foreseeable agreement.”
The EU also writes, “The proposal is outdated in view of some recent legislation in both the technological and the legislative landscape.”
The move to withdraw the “proposal for a regulation… concerning the respect for private life and the protection of personal data in electronic communications,” as the document’s official title reads, is hardly surprising given how many years the effort has been stalled. The file attracted intense lobbying from both tech giants and telcos whose businesses would fall in scope.
Back in 2021, documents unsealed via a U.S. antitrust lawsuit suggested that Google’s attempts to lobby against the file had included attempts to mobilize other tech giants to join in efforts to delay and, ultimately, derail the reform. A Politico report from 2020 named Amazon as also involved in efforts to weaken support among EU co-legislators for the proposal.
The dominance of behavioral advertising business models that rely on tracking and profiling web users to monetize their attention has raised the commercial stakes for any reform of EU ePrivacy rules.
That could even, potentially, have given legal teeth to do-not-track if parliamentarians’ efforts in this direction had prevailed. The ePrivacy Regulation could have flipped the script and made online privacy convenient for European consumers.
Still, while the Commission’s proposal to replace the ePrivacy Directive with modernized regulation has now been withdrawn, the bloc’s existing ePrivacy rules remain in force. It’s worth noting that several tech giants have faced sanctions for breaches of this regime in recent years.
Both Google and Amazon, for example, faced fines for breaching cookie consent rules. France’s data protection authority, the CNIL, hit Google with a penalty of around $120 million in December 2020 and another fine of around $170 million in January 2022 for failing to obtain proper consent for dropping tracking cookies. Amazon was also stung with a cookie consent fine of around $42 million by the CNIL at the end of 2020. Others facing penalties have included Facebook (aka Meta) and TikTok.
Discussing the demise of the ePrivacy Regulation proposal, Dr. Lukasz Olejnik, an independent researcher and consultant who has tracked the policy area for a number of years, told TechCrunch: “Ending this trainwreck is a good move. The writing was on the wall long ago; this was a funeral in slow motion.”
Olejnik believes the proposal’s chances of reaching a compromise between legislators in the European Parliament and the Council was scuppered by bad timing. In the wake of the bloc passing its flagship update to data protection rules, the GDPR, he suggests there was a surge in scaremongering about expanding privacy rule-making.
“The unwarranted GDPR scare killed it, and the current climate for hostility towards regulations is not a good time to edit any data protection related files, which could severely backfire, even significantly weaken the GDPR.”
A source inside the Commission had a similar analysis. “[Commissioners Viviane] Reding and [Neelie] Kroes should have done ePrivacy and GDPR together… The momentum was lost when everyone was exhausted at the end of the GDPR negotiations,” they told us on condition of anonymity.
Our source also suggested that the original proposal was not well-conceived, dubbing it “a relic of the days when there were just telcos.” “The flaw is that telcos and big surveillance tech are completely different beasts […] If GDPR can’t tame the billionaires, why would ePrivacy? The issue is business models, market power and police efforts to kill E2EE [end-to-end encryption].”
So what’s next for regulating online tracking in the EU? There’s likely to be increased uncertainty and more wiggle room for technologists to evolve their approaches to claim they sit outside an increasingly dated ePrivacy rulebook.
“As new technologies are developed and put to use, they will stay out of the radar,” Olejnik said. “The GDPR is unable to cover it all, and the need to reinterpret the old ePrivacy Directive has its limits, too. So we should expect interpretations and guidance from the ECJ [European Court of Justice], which will build the legal acquis… and perhaps sooner or later someone will come up with a revamp.”
TechCrunch asked the European Commission which “recent legislation” protects the privacy of citizens’ electronic communications and spokesman Thomas Regnier pointed to the Digital Services Act (DSA) — which he suggested provides a “strong framework to ensure a high level of privacy, especially for minors (Article 28)”.
The online governance framework includes measures aimed at regulating the use of data for advertising — with a ban on the use of minors’ data to target ads, as well as generally prohibiting the use of sensitive categories of personal data for ads. It also makes it clear that platforms must obtain consent to use people’s data for ads — a measure that forced Meta to shift its regional model to “pay or consent“.
And Meta’s binary choice on ads has since faced regulatory scrutiny under the DSA’s sister regulation, the Digital Markets Act — leading, last fall, to the tech giant offering to display “less personalized ads” to users who do not consent to its tracking nor wish to pay it to access ad-free versions of its social networks Facebook and Instagram.
Regnier also sent us a statement in which the Commission wrote: “Respect for private life, including one’s communications, is guaranteed by the EU Charter of Fundamental Rights. Trust and security in the digital economy and society are essential for Europe to fully grasp the potential of the digital age. To achieve that, European legislation needs to keep up with fast evolving services and ensure a high level of privacy for all electronic communications.”
The EU added that it “remains fully committed to ensure a high level of privacy protection while fostering innovation.”
Priorities in EU’s 2025 work plan
Meanwhile, the Commission has plenty of other tech-focused legislative work to keep it busy this year after its leadership reboot. It’s also switching gears to foreground competitiveness, with an explicit goal of fostering economic growth through support for innovations like AI that looks set to more closely align with private sector interests.
Notably, also on the list of legislative proposals being withdrawn is the AI Liability Directive, which aimed to update EU product safety rules to cover AI and automation. On this the EU writes, “No foreseeable agreement — the Commission will assess whether another proposal should be tabled or another type of approach should be chosen.”
Its 2025 work program, meanwhile, includes a plan for an Innovation Act, slated as coming “later in the mandate,” that will aim to support startups, scale-ups and “innovative companies” to invest and operate by simplifying rules and working toward “a 28th legal regime” [i.e., rather than 27 different ones apiece for each EU Member State].
The Commission says it wants this reform “to simplify applicable rules and reduce the cost of failure, including any relevant aspects of corporate law, insolvency, labour and tax law.”
Also planned is a Cloud and AI Development Act, which the Commission wants to boost access to data in a bid to accelerate homegrown AI.
There will also be an AI Continent Action Plan that deals with efforts to marshal resources and skills under the EU’s existing AI Factories scheme, as well as an Apply AI strategy.
Another focus is on boosting biotech. The EU writes that it wants to “use European life sciences to drive innovation in biotechnology, pool resources, break regulatory barriers, tap into the full potential of data and artificial intelligence, and boost deployment.”
Support for high-capacity digital infrastructure is also part of the plan, with a Digital Networks Act planned that the EU says will “create opportunities for crossborder network operation and service provision, enhance industry competitiveness and improve spectrum coordination.”
The work program also lists an EU Quantum Strategy that’s set to be followed by a Quantum Act, targeting what the EU dubs a “critical” and strategic sector. “The strategy will contribute to building our own capacities to research and develop quantum technologies, and produce devices and systems based on them,” it notes.
A Space Act is also on the slate, along with efforts to better protect undersea comms infrastructure at a time when accidents, or sabotage, appear to be an increasing risk for the region’s undersea cables.
When it comes to consumer protection, the EU 2025 work plan offers thinner pickings.
The Commission mentioned that its next Consumer Agenda 2025-2030 will “include a new action plan on consumers in the single market ensuring a balanced approach that protects consumers without overburdening companies with red tape.” But the phrasing suggests its priorities have skewed toward business interests in the drive to fire up economic growth — consumers’ interests are being “balanced” against that overarching imperative.
On the hot-button topic of online disinformation/misinformation, the EU reiterates that it will be coming with a “Democracy Shield.” This initiative will “aim to tackle the evolving nature of threats to our democracy and electoral processes,” including by stepping up engagement with civil society organizations.
This report was updated after the Commission responded to our questions.
Article by:Source:
