Interview European Union nations are holding up discussions on the hotly debated new ePrivacy law, risking unnecessary regulatory confusion, the MEP leading the wrangling through the European Parliament has said.
Initially, the EU intended to implement the ePrivacy Regulation – which sets out privacy rules for electronic communications – at the same time as the General Data Protection Regulation, which covers protection of personal data.
Those hopes have long since disappeared, as GDPR will come into force on May 25, while the ePR proposals were only recently approved by European Parliament and member states are yet to offer their formal group position.
Without that, trilogue negotiations – where the three EU institutions, Commission, Parliament and Council, agree on the final text – cannot begin. However, a November progress report from the presidency was full of references to the need for "further discussions", which disappointed many observers.
Although it took the Parliament around nine months to come to a final agreement, Birgit Sippel, the German Social Democrat rapporteur for the file in Parliament, told The Register that the Council should have started its own discussions already.
"It's not fair that all three institutions need to have a reform on the ePrivacy Directive [last updated in 2009], but... we're now stuck because the Council doesn't yet have a position," she said. "It's not fair and it might even become dangerous, as the GDPR has to be implemented in May next year."
Sippel argued that the ePR and GDPR are meant to work together – the former will clarify the precise rules on communications data not classed as personal, like metadata related to the locations, timing, duration and type of communication.
Another intention was to have laws implemented more coherently across all 28 member states, as the current Privacy Directive is implemented very differently in each of the member states.
EU law bods closer to baking new 'cookie law' after battleREAD MORE
"The idea was to have common rules, but if the Council is not going to find a position, there will be some uncertainty in business continuing with different rules," Sippel said.
Asked whether the distraction of other major national and EU-level political events were a legitimate reason for delay, Sippel was unsympathetic.
"Politics is never easy, but whether there's Brexit or not, we have to find a solution. You can't stop your work simply because some members want to leave," she said.
"When it comes to ePrivacy, the member states believe they have other priorities, like closing borders – but if we don't find routes to protect privacy or the fundamental freedoms of citizens, we will have difficulties in the long run."
There is also unease over the priorities of the Bulgarian presidency, which takes the lead of the Council on January 1, taking over from the much more digitally minded Estonia.
"We are not very convinced that ePrivacy will be very high on the agenda of the Bulgarian presidency," Sippel said, but added that policymakers with an interest in updating the rules plan to keep the pressure on the new team.
However, she emphasised that it was not a case of pushing the Council to come to the same position as the Parliament, acknowledging that it was a close-run thing within her own institution, when a vote in October's plenary meeting returned 318 votes for, 280 against and 20 abstentions.
'If this is your business model, create a new one'
Proponents praise the text's strong pro-privacy stance, arguing that it is a citizen-centric piece of legislation, but opponents say it will stifle innovation and make it impossible for business to offer free online services.
Sippel, though, counters that businesses need to find other ways to work.
"Everybody has the right [to run a business], but if that model means interfering in my privacy, or taking away my freedom of expression, then that's not allowed," she said.
"I do agree that it's a tricky thing – for instance for the media who have to find new ways to finance their work – but simply to say 'that's my business model and that's why I have to track you' – that's not OK."
Sippel said that businesses need to create new models, and see this as an opportunity, not a problem, and that this could be a chance for the EU to take the lead on US companies.
"Some industries are already working on different solutions that are more precise, offer users more opportunities to consent – and we have to do more work in that direction," she said. "Maybe we are the ones to offer new business within the digital world in a way that better protects the interest of users."
Nonetheless, member states will have to deal with strong lobbying efforts from industry – and the November progress report said delegations had "stressed the need to find a balance between ensuring proper privacy protection without undermining legitimate business models".
This balance is set for discussion at a meeting of the Council's working party today. The group will also consider – as part of amendments on three articles – whether grounds for permitted processing need to be extended, and "exchange views" on software privacy settings so it can redraft the text on that article.
'Users need a real choice'
For Sippel, there are some areas that must not be weakened during this process, which centre around the need for users to be given a "real choice" about what happens to their information when they browse, which is not the case for the current legislation and the much-maligned cookie banners.
"One of the most important things is the question of privacy and the tracking wall. We need clear rules that this shouldn't be allowed, or at least users have a real choice to agree or deny. And if I deny, I should still have access to services."
Despite pitching the reforms as being citizen-centric, Sippel herself acknowledged that even if users were given a clear picture of just how widespread tracking is, many just wouldn't care. However, she said, it's partly up to policymakers to challenge the "nothing to hide" argument.
"Many people aren't aware of what's happening; many say: 'What does it matter? I'm not doing anything illegal'," she said.
"But we have to raise awareness. It's the interference in my privacy and my rights. The interpretation of of that information can lead to positive effects, but an also have very negative consequences for the single user." ®
Sponsored: Ransomware has gone nuclear