The ePrivacy Regulation proposal has been withdrawn, but the fight for your privacy is far from over

So, what went wrong?

It’s official – the ePrivacy Regulation proposal has been withdrawn (yes, cue the collective groan from digital rights advocates in the EU). After years of hard work, hope, and tireless campaigning, it seems that powerful industry interests and some EU member states have successfully blocked this critical reform. But don’t reach for the tissues just yet – while this marks a setback in the fight for stronger privacy protections, it also reinforces the urgency of continuing the struggle for digital rights.

In 2017, the European Commission proposed an update to the 2002 ePrivacy Directive – an important but now-outdated law from the early days of the internet. The proposed new regulation aimed to bring privacy protections into the modern era by addressing growing concerns around online tracking, cookies, and the confidentiality of electronic communications. After all, the digital world has changed quite a bit since 2002, and our privacy laws should reflect that reality.

However, despite widespread support from civil society, policymakers, and individuals who care about their privacy, the proposal has been blocked – largely due to relentless pressure from powerful corporations, such as advertising tech giants, telecom companies, and even some EU member states. These entities, with vested interests in surveillance advertising or using unsubstantiated claims about national security, have once again undermined progress. The result? The much-needed reform has been shelved.

Why does this matter?

The withdrawal of the ePrivacy Regulation proposal highlights deeper systemic issues in EU privacy legislation. The political will to push forward meaningful reform has been lacking, and the influence of commercial pressure and purported government priorities have prevailed over individuals’ fundamental rights.

This decision also reveals a growing, concerning trend: an increasing narrative that prioritises mass surveillance and exploitation over privacy, data protection and other fundamental rights. Whether it’s the dangerously misguided proposals around child sexual abuse material detection or the long-standing issue of data retention laws, or industry’s constant emphasis on deregulation, the justification for mass surveillance – state and commercial is often framed as necessary. But as we’ve consistently argued, such measures violate people’s rights and are incompatible with the principles of due process and proportionality upheld by the Court of Justice of the European Union.

We are also alarmed by the rising acceptance of frameworks that fail to fully protect privacy, such as voluntary business pledges or the increasingly normalised ‘pay or okay’ model for accessing services. These approaches erode genuine user choice and commodify privacy in ways that are deeply concerning. Privacy should never be treated as a luxury – it’s a fundamental right that everyone deserves, regardless of their specific context. We have also identified harms that deeply impact individuals and collectives and are intimately linked to the tracking practices that the ePrivacy Regulation proposal aimed to tackle, through dynamics like deceptive design (so-called ‘dark patterns’), addictive design, or unfair personalisation.

What’s next?

While the ePrivacy Regulation proposal may have been withdrawn, the European Commission is not backing down. In fact, new legislative proposals are on the table (some have been confirmed, some haven’t) that should aim to tackle privacy issues head-on, albeit focusing on separating commercial surveillance from state surveillance. The issue is that while EU rules can successfully limit commercial surveillance and protect people’s rights, they can’t do the same for state surveillance. This was the problem with the now cancelled Data Retention Directive, which weakened the privacy rights guaranteed by the ePrivacy Directive. No matter what, we are committed to making sure these proposals truly safeguard people’s privacy and data. Here’s what we at EDRi will be advocating for in the months ahead:

1. On Commercial Surveillance

• Ban on pay-or-track walls that require users to hand over their personal data just to access basic services or websites.
• Limits to most kinds of tracking and a right not to be tracked to significantly reduce cookie fatigue because we wouldn’t be bombarded with constant consent pop-ups.
• End to surveillance advertising, advocating instead for privacy-preserving alternatives like contextual advertising, which doesn’t require invasive data collection.
• Processing of electronic communications data by companies, i.e. information relating to messages and interactions sent or received through digital devices and platforms, should be limited to strictly defined, legitimate, and proportionate purposes, ensuring that users have clear knowledge of how their data will be used and the ability to withdraw their consent at any time without detriment. Consent should be obtained fairly, and should be fully compliant with GDPR criteria.
• Data collection and processing should be tightly controlled, with information used solely for specific, necessary purposes, in accordance with the principles of data minimisation and purpose limitation.

2. On State and State-Sponsored Commercial Surveillance

• Strict limits on data retention, ensuring that personal information is processed only for specific, legitimate, necessary and proportionate purposes and not for blanket surveillance, in line with the criteria set by the Law Enforcement Directive and the CJEU case law. Protection of our private electronic communications and of encryption, including end-to-end encryption, to ensure online confidentiality and security.
• No undermining of online anonymity through forcing companies to identify people, or to collect or hold on to identifying data, which would threaten the work and security of human rights defenders, investigative journalists and all individuals exercising their freedom of expression in the EU.
• End to mass surveillance practices, including those offering quick technical fixes to complex societal issues, such as the proposed continuous scanning of private communications in the name of child sexual abuse material detection.
• Robust oversight mechanisms to prevent the abuse of surveillance powers by governments and ensure people’s rights are always upheld.

A Call to Action

At EDRi, we are unwavering in our commitment to fundamental rights. The withdrawal of the ePrivacy Regulation proposal is a setback, but it is also a reminder of the critical importance of privacy protections. We will continue to fight for legislation that ensures a safer, more secure digital space for everyone – free from the dangers of unchecked surveillance, whether from corporations or the state.

The upcoming legislative proposals are a pivotal moment in this fight, and we will remain at the forefront, advocating for a rights-centred approach to digital policy. Privacy is not a commodity or a luxury for the few – it’s a fundamental human right, and we will continue to stand firm in our belief that robust protections are essential to maintaining a better internet for people and the planet.

So, while we may be facing a setback, rest assured – we’re just getting started. We will keep pushing for the protections we all deserve.