A long stalled bid to beef up European Union rules around online tracking technologies — and put penalties on a similar footing to the bloc’s data protection framework, GDPR, which allows for fines of up to 4% of annual turnover for breaches — has been withdrawn by the Commission after co-legislators failed to reach agreement over the plan.
The original proposal to update the ePrivacy Directive, and turn it into a fully fledged Pan-EU regulation, dates back to 2017 so the writing has been on the wall for considerable time. But on Wednesday the effort is officially dead as the Commission has included the ePrivacy Regulation in a list of legislative initiatives that are being withdrawn, via its 2025 work program — giving as a reason: “No foreseeable agreement.”
The EU also writes that: “The proposal is outdated in view of some recent legislation in both the technological and the legislative landscape.”
The move to withdraw the “proposal for a regulation… concerning the respect for private life and the protection of personal data in electronic communications”, as the document’s official title reads, is hardly surprising given how many years the effort has been stalled. The file attracted intense lobbying from both tech giants and telcos whose businesses would fall in scope.
Back in 2021 documents unsealed via a U.S. antitrust lawsuit suggested that Google’s attempts to lobby against the file had included attempts to mobilize other tech giants to join in efforts to delay and, ultimately — as has happened now — derail the reform. While a Politico report from 2020 named ecommerce giant Amazon as also involved in efforts to weaken support among EU co-legislators for the proposal.
The dominance of behavioral advertising business models that rely on tracking and profiling web users to monetize people’s attention raised the commercial stakes for any reform of EU ePrivacy rules — especially a proposal to underscore the need for entities to obtain affirmative consent from consumers to snoop on them.
And which could even, potentially, have given legal teeth to do-not-track — if parliamentarians’ efforts in this direction had prevailed. Had that come to pass the ePrivacy Regulation could have flipped the script and made online privacy convenient for European consumers, instead of the current dysfunctional web reality where commercial actors with tracking-based business models do their utmost to make it really difficult for consumers to protect their information when they use the internet.
While the Commission’s proposal to replace the ePrivacy Directive with a modernized Regulation has now been withdrawn the bloc’s existing e-Privacy rules remain in force. And it’s worth noting that several tech giants have faced sanctions for breaches of this regime in recent years.
Both Google and Amazon, for example, faced fines for breaching cookie consent rules — with France’s data protection authority, the CNIL, hitting Google with a penalty of around $120 million in December 2020 and another of around $170 million in January 2022 for failing to obtain proper consent for dropping tracking cookies. Amazon was also stung with a cookie consent fine of around $42 million from the CNIL at the end of 2020. Others facing penalties have included Facebook (aka Meta) and TikTok.
Discussing the demise of the ePrivacy Regulation proposal, Dr Lukasz Olejnik, an independent researcher and consultant who has tracked the policy area for a number of years, told TechCrunch: “Ending this trainwreck is a good move. The writing was on the wall long ago; this was a funeral in slow motion.”
As well as being the target of intense industry lobbying, Olejnik believes the proposal’s chances of reaching a compromise between legislators in the European Parliament and the Council was scuppered by bad timing — in the wake of the bloc passing its flagship update to data protection rules, the GDPR, he suggests there was a surge in scaremongering about expanding privacy rule-making.
“The unwarranted GDPR scare killed it, and the current climate for hostility towards regulations is not a good time to edit any data protection related files, which could severely backfire, even significantly weaken the GDPR.”
A source inside the Commission, who we’ve granted anonymity to as they were not authorized to speak to the press on the topic, had a similar analysis. “[Commissioners Viviane] Reding and [Neelie] Kroes should have done ePrivacy and GDPR together… The momentum was lost when everyone was exhausted at the end of the GDPR negotiations,” they told us.
At the same time our source suggested that the original proposal was not well conceived — dubbing it “a relic of the days when there were just telcos”. “The flaw is that telcos and big surveillance tech are completely different beasts,” they said, adding: “If GDPR can’t tame the billionaires why would ePrivacy? The issue is business models, market power and police efforts to kill E2EE [end-to-end encryption].”
So what happens next when it comes to regulating online tracking in the EU? There’s likely to be increased uncertainty and more wiggle room for technologists to evolve their approaches to claim they sit outside an increasingly dated ePrivacy rulebook.
“As new technologies are developed and put to use, they will stay out of the radar,” Olejnik suggests. “The GDPR is unable to cover it all, and the need to reinterpret the old ePrivacy Directive has it’s limits too. So we should expect interpretations and guidance from the ECJ [European Court of Justice], which will build the legal acquis… and perhaps sooner or later someone will come up with a revamp.”
Tech priorities in EU’s 2025 work plan
Meanwhile the Commission has plenty of other tech-focused legislative work to keep it busy this year after its leadership reboot — and a switch of gears that foregrounds competitiveness, with an explicit goal of fostering economic growth through support for tech innovations like AI that looks set to more closely align with private sector interests.
And — notably — also on the list of legislative proposals being withdrawn is the AI Liability Directive, which aimed to update EU product safety rules to cover AI and automation. (On this the EU writes: “No foreseeable agreement — the Commission will assess whether another proposal should be tabled or another type of approach should be chosen.)
Its 2025 work program, meanwhile, includes a plan for an Innovation Act, slated as coming “later in the mandate”, that will aim to support startups, scale-ups and “innovative companies” to invest and operate in the single market through a process of simplifying applicable rules and working towards “a 28th legal regime” [i.e. rather than 27 different ones apiece for each EU Member State].
The Commission says it wants this reform “to simplify applicable rules and reduce the cost of failure, including any relevant aspects of corporate law, insolvency, labour and tax law”.
Also planned is a Cloud and AI Development Act, which the Commission wants to boost access to data in a bid to accelerate homegrown AI.
There will also be an AI Continent Action Plan, dealing with efforts to marshal resources and skills under the EU’s existing AI Factories scheme that aims to fire up “competitive AI ecosystems in Europe”; as well as an Apply AI strategy, as the bloc seeks to push forward adoption of AI by industries and organizations of all stripes.
Another focus is on boosting biotech — with the EU writing that it wants to “use European life sciences to drive innovation in biotechnology, pool resources, break regulatory barriers, tap into the full potential of data and
artificial intelligence, and boost deployment.
Support for high capacity digital infrastructure is also part of the plan, with a Digital Networks Act planned that the EU says will “create opportunities for crossborder network operation and service provision, enhance industry competitiveness and improve spectrum coordination.
The work program also lists an EU Quantum Strategy that’s set to be followed by a Quantum Act — targeting what the EU dubs a “critical” and strategic sector. “The strategy will contribute to building our own capacities to research and develop quantum technologies, and produce devices and systems based on them,” it notes.
A Space Act is also slated as incoming, along with efforts to better protecting undersea comms infrastructure at a time when accidents — or sabotage — appear to be an increasing risk for the region’s undersea cables.
When it comes to consumer protection the EU 2025 work plan offers thinner pickings.
The Commission mentioned that its next Consumer Agenda 2025-2030 will “include a new action plan on consumers in the single market ensuring a balanced approach that protects consumers without overburdening companies with red tape” — but the phrasing suggests its priorities have skewed towards business interests, in the drive to fire up economic growth, with consumers interests having to be “balanced” against that overarching imperative.
On the hot button topic of online disinformation/misinformation the EU workplan reiterates that it will be coming with a “Democracy Shield”. This initiative will “aim to tackle the evolving nature of threats to our democracy and electoral processes” — including by stepping up engagement with civil society organisations.
#abandons #ePrivacy #liability #reforms #bloc #shifts #focus #competitiveness #data #access