Three years ago, the media and advertising industry was awaiting the imminent introduction of the EU’s General Data Protection Regulation (GDPR) with bated breath. While many still weren’t clear on exactly what was expected of media and ad tech companies under the new privacy regulation, and how harshly the laws would be enforced, it was fairly universally accepted that the impact would be significant.
Some spotted even greater disruption lurking behind GDPR. The EU’s ePrivacy Regulation, a separate but related regulation covering digital privacy which was first proposed in January 2017, looked set to come into effect at the same time as GDPR. While GDPR is mostly concerned with personal data, the ePrivacy Regulation was designed to more broadly govern online confidentiality, and the tools and practices which track users across the web.
But now, three years down the line, the ePrivacy Regulation still hasn’t been passed, with no clear finish line in sight.
Internal Politics and Lobbying Efforts
The ePrivacy Regulation has been held up by internal politics within the European Council. For the regulation to come into effect, the European Council first has to agree on a draft version of the law, before negotiating on the final text of the regulation with the European Parliament. But for years, the Council has been unable to agree on its own position, let alone work through negotiations with Parliament.
The regulation has proven contentious among Council members, given its far-reaching consequences for digital media companies, online advertising, and telcos.
One common point of contention has been deciding how closely ePrivacy should align with GDPR. A progress report released by the European Council last year said there was something of a split between Council representatives. Some (notably Germany and Belgium) wanted ePrivacy to provide stronger consumer protections at the expense of being less aligned with GDPR. Others preferred weaker protections which would sit more comfortably alongside GDPR.
This logjam has, in part, been facilitated by the nature of the European Council. The presidency of the Council, which has the power to chair meetings and set the agenda for the Council, rotates to a new member state every six months. This can lead to a lot of back-and-forth on legislation, where items are submitted and subsequently deleted by consecutive presidents.
One example of this is the inclusion of ‘legitimate interest’ as legal grounds for processing and storing data under ePrivacy.
If the term ‘legitimate interest’ sounds familiar, that’s because it’s an important part of GDPR. Within GDPR, legitimate interest allows companies to process user data without collecting consent in cases where data collection and processing might reasonably be expected by consumers, and the risk to privacy is minimal.
In late 2019, the Croatian presidency which was in charge at the time rewrote the draft text to include a clause covering legitimate interest, arguing this was necessary to align ePrivacy with GDPR. But less than a year later, when Germany held the presidency, this clause was removed and replaced with a specific list of cases where businesses would be able to freely process data.
Legitimate interest is just one of the areas which have proven controversial, alongside regulation of smart home devices, and the ability to process data where necessary for detecting and reporting child abuse imagery.
And these internal negotiations have been fuelled by intense lobbying from tech companies, telcos, and pressure groups.
The Corporate Europe Observatory, an NGO devoted to unveiling lobbying influence within the EU, released a report on ePrivacy back in 2018. One experienced insider told the group that ePrivacy had been beset by “one of the worst lobbying campaigns I have ever seen”. Another said “I cannot recall another legislative proposal that has attracted this much lobbying.”
Publishers and digital advertisers have been the most active lobbyists, according to the report, with the vast majority seeking to weaken privacy protections included in the draft text. Lobbying consultancy Fleishman-Hillard, for example, ran a campaign targeted at MEPs describing ePrivacy as ‘like a bad movie’, outlining industry concerns that the regulation would make ad-supported journalism unsustainable.
ePrivacy’s Impact Blunted by Google’s Cookie Changes
After years of stalling, there has finally been some progress. Earlier this month, the current Portuguese presidency announced that the Council has finally agreed on a draft version of the regulation. Now, the Council must negotiate with the European Parliament on the final version of the regulation. Once a final version of the law has been published, it will come into effect 20 days later, and will then be enforced two years later.
Pedro Nuno Santos, the Portuguese Minister for Infrastructure and Housing and current President of the Council, acknowledged the rocky path the regulation has had so far.
“Robust privacy rules are vital for creating and maintaining trust in a digital world,” he said. “The path to the Council position has not been easy, but we now have a mandate that strikes a good balance between solid protection of the private life of individuals and fostering the development of new technologies and innovation. The Portuguese presidency is very pleased to launch talks now with the European Parliament on this key proposal.”
It’s not yet clear how long this next set of negotiations will take – it could still be quite some time until a final regulation is passed.
And somewhat ironically given the intense negotiations which have gone into the debate, the size of the regulation’s impact on digital advertising when it finally does pass has been somewhat blunted by wider industry changes which have taken place over the past few years. Concerns about cookie consent being set at the browser level are now somewhat moot, given that third-party cookies’ days are numbered anyway.