Unless you have been living under a rock (read: outside the “Brussels bubble”) you will likely be aware of the long and winding road on which the proposed ePrivacy Regulation has been for the last three years. This is not unusual for a piece of European Union (EU) legislation – the 2018 General Data Protection Regulation (GDPR) is a great example of the painful, imperfect, but ultimately fruitful processes that EU law goes through, in this case in a marathon spanning almost 25 years! Even now, Data Protection Authority (DPA) fines, litigation and regulatory reviews are testing the benefits and boundaries of GDPR, helping to shape it progressively into an even more effective piece of legislation.
Let us rewind to January 2017, when the European Commission delivered its long-awaited proposal for a Regulation on Privacy and Electronic Communications, also known as “ePrivacy”. In October of the same year, the European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE) proposed a comprehensive series of improvements to the text in order to better protect fundamental rights. This included enhanced confidentiality of communications and privacy as a central foundation of online product and service design. We welcomed these amendments for their respect for and promotion of digital rights.
Unfortunately, the European Council has since seriously watered down the draft text, introducing worrying limits to the safeguards that ePrivacy offers for personal data and communications. In response to the worsening protections – and the negotiations lingering like a bad smell – EDRi, Access Now, Privacy International, and two other civil society organisations co-authored an open letter to the EU members states on 10 October 2019, urging them to swiftly adopt a strong ePrivacy Regulation. Yet the most recent European Council text has still not improved in any aspect. Concerningly, its introductory remarks use the emotive age-old arguments of child protection and terrorism to justify some vague “processing of communications data for preventing other serious crimes”. We believe this represents a slippery slope of surveillance and intrusion, and undermines the fundamental purpose of ePrivacy: protecting our fundamental right to privacy and confidentiality of communications.
The political stage of the file is now coming to a close after almost three painful years of back and forth. The imminent fate of the Council’s proposal will be decided on 22 November 2019 at the COREPER level. If the Member States vote to adopt the Council text, the file will move forward to the trilogue stage, where the States will be able to engage in technical discussions about the shape of the legislation. If the Member States vote to reject the Council text, however, all options – including the complete withdrawal of the ePrivacy proposal by the European Commission – will be on the table.
Despite these challenges, ePrivacy remains an essential piece of legislation for safeguarding fundamental rights in the online environment. Complementing the GDPR, a strong ePrivacy text can still protect the privacy of individuals, ensure mechanisms for meaningful consent, and establish rules on the role of each Member State’s Data Protection Authority (DPA) as their supervisory authority. It will embed privacy by design and default, making the internet a more secure space for everyone.
To quote an infamous political figure, we will not “die in a ditch” over ePrivacy. Whatever the outcome of the COREPER vote, we will continue to work tirelessly to secure the right to online privacy across Europe. So get your popcorn ready, stay tuned for the next episode in this epic saga, and be prepared in the event of some last minute plot-twists!
The History of the General Data Protection Regulation
e-Privacy revision: Document pool
EU Council considers undermining ePrivacy (25.07.2018)
Five reasons to be concerned about the Council ePrivacy draft (26.09.2018)
Open letter to EU Member States: Deliver ePrivacy now! (10.10.2019)
The most recent European Council ePrivacy text (15.11.2019)
(Contribution by Ella Jakubowska, EDRi intern)