E-privacy law stuck as EU governments ponder options, leaked paper shows

Keyboard with Lock

14 November 2017. By Magnus Franklin.

The EU’s attempts to update its privacy laws for the digital age are firmly stuck, with a leaked paper showing national governments failing to make headway on almost every aspect.

The new law, proposed by the European Commission in January, tackles questions such as telecom operators' responsibility to safeguard private online communications and the rights of companies to harvest the data of people surfing the web to target advertising at them.

Estonia, which is chairing the talks on behalf of EU governments as current holder of the EU’s rotating presidency, has acknowledged the poor progress.

In a leaked memo to EU diplomats dated Nov. 8, Estonian officials concede that despite "considerable efforts" and a "constructive approach" from other government officials, "in many cases, the analysis of the proposal at the national level is still ongoing."

Firstly, governments must agree how to make the targeted e-Privacy Regulation fit alongside the more wide-ranging General Data Protection Regulation, which is already approved and will come into effect next May. The e-privacy rules, which will apply to all data in transit, need to be consistent with the GDPR in dealing with personal data, where their scopes overlap.

Because the rules on confidentiality of communications apply not just to interpersonal discussions but also communications of companies, the legislators will also have to work out who, in the case of an organization, is authorized to "consent" to the communications data being used by a provider.

Governments have also proposed that the e-privacy rules only apply to data in transit, and not how it is dealt with by the applications that send or receive the data. But again, translating this idea into concrete legislative text remains difficult.

Advertising

On the theme of online tracking, notably for online advertising, Estonian negotiators are wondering whether "regulation is needed at all" given some of the services emerging on the market that help consumers decide how and when they may be traced.

Governments are also considering whether companies handling data in transit could be given additional legitimate grounds for processing data other than consent — a key demand of the telecom sector, which wants to use "metadata" of subscribers to underpin services like "smart city" transport or energy platforms.

Authorities are also wary of "undermining legitimate business models" as a result of overzealous policing of online tracking techniques. For example, they want to ensure that online newspapers can continue to offer free access in exchange for advertising to tracked visitors.

And when it comes to whether communications data can and should be available to law enforcement agencies to help them prevent crime and terrorism, debate is still wide open, the memo states.

Estonian officials also stressed that the note only covers a selection of topics where some progress had been achieved, and that many other areas are also still subject to open discussion, including the scope or the treatment of "ancillary" services such as chatrooms within online games.

The note is addressed to telecom ministers, who will meet on Dec. 4, and one more technical meeting among experts in Brussels is expected to take place before Estonia hands on the EU presidency to Bulgaria on Jan. 1.

The European Parliament has voted to fix its position on the bill, largely endorsing a pro-privacy stance that has angered online advertisers and technology companies, but with a weak mandate after center-right political groups voted against the proposed text.

Countdown to the GDPR