Entre Nous rules, ok?

Entre Nous rules, ok?

16 February 2021

Rules that guarantee privacy in electronic communications, which are referred to as ePrivacy rules, have been finally passed.

A European Union (EU) official summed up the problems revolving around the document’s adoption by calling it “[…] a bit of a cursed text.”

Among many others, American tech giants Amazon and Facebook led efforts to amend the rules to their benefit. Facebook even successfully courted Dublin to present its talking points during diplomatic meetings. More about the intense lobbying battle later on.

The Backstory

In the spring of 2016, after years of negotiations, discussions and to-and-fros, both the EU Council and the European Parliament adopted the EU’s General Data Protection Regulation (GDPR).

Not wanting to lose any momentum in its battle for data privacy, the European Commission soon presented its proposal for a new ePrivacy Regulation (ePR). Published in January 2017, the proposed ePR was to repeal and replace the current ePrivacy Directive whilst complementing the GDPR – bound to enter into force in 2018.

The ePrivacy Directive – formally the Privacy and Electronic Communications Directive – has become outdated since its adoption in 2002. People no longer rely on SMS or emails to communicate, most under-twenties can not tell you what an MMS is, and new social media platforms with their own integrated messaging services are plenty.

Many thought it would be an easy win for digital rights advocates with lawmakers even ambitiously aiming to have a final text by May 2018 – the same month the GDPR would come into force.

The Parliament’s adoption of its version of the ePR in October 2017 seemed to bode well for this deadline. The Council had to do the same.

This was not to be. Laura Kayali and Vincent Manancourt from Politico, a newspaper, noted that “the bill outlasted eight EU presidencies and two Commissions and Parliaments before Wednesday’s vote.”

So why did this happen?

Along with the Commission, the Council of the European Union and the European Parliament are the EU’s legislative bodies. The Council is where national ministers of Member States convene to adopt laws and coordinate policies. One seat per Member State is allowed to ensure equal representation between states – unlike the Parliament which distributes seats in a (somewhat) proportionate manner based on population. Ministers lobby for the direct political interests of their government and country in the Council. 

The Parliament had proven impossible to dissuade for lobbyists, and once they lost that battle, they shifted their focus onto the Council – with much more success.

Big Tech’s Even Bigger Battle

The intense ePrivacy lobbying battle that ensued was described as “one of the worst lobbying campaigns I have ever seen” by a seasoned Parliament insider – as quoted by the Corporate Europe Observatory, a transparency NGO.

Tech giants weren’t the only ones who lobbied against the ePR. Telecom lobbies, publishing lobbies, and countless others relentlessly petitioned Brussels and national governments alike.

High stakes all around

Most of these industries’ business model is data-driven. From location metadata for the telecom industry to cookie-based targeted advertising for the publishing industry – this is their (very profitable) modus operandi. 

Some European companies argued that the ePR would give unprecedented advantages and control to U.S. tech giants. This argument led to considerable changes in the text.

E-Commerce industry leader Amazon took a different approach – to divide and conquer. A leaked internal document published by Politico revealed that in 2017 Amazon was planning, “[to] weaken the Parliament’s negotiation position with the Council, which is more sympathetic to industry concerns”. The same document boasted that the campaign was a success and that “the ePrivacy proposal will not get broad support in the European Parliament.”

On the other hand, Facebook petitioned directly to Dublin – where its European headquarters are. This was not the first time that Facebook asked the Irish government to intercede on its behalf, with the company lobbying Ireland to water down the GDPR during its legislative process.

During discussions, an Irish representative claimed that the ePR would hinder efforts to combat child pornography – which also happened to be Facebook’s main argument against the bill. Both the Commission and lawmakers outright negated this notion. 

Estelle Masse, a senior policy official at Access Now said that

“Unfortunately, all too often [the fight against child pornography] is used as a distracting tactic to blur tech policy debates in an attempt to influence or even derail negotiations.”

Birgit Sippel, the Socialist Member of the European Parliament (MEP) in charge of ePrivacy legislation reiterated this sentiment. She commented: 

“When stakeholders want to increase the pressure, they simply mention terrorism or child pornography as a reason why we have to allow more surveillance and less privacy-friendly rules.” 

Ireland was not the only country lobbying for corporate interests, with France echoing arguments from the publishing industry.

So, who won?

Any EU negotiations in which the two heavyweights – Germany and France – are not aligned are bound to be a long, arduous process. A fatigued Council after years of GDPR negotiations only made matters worse. Masse even wrote that “there was a lack of political will in advancing this reform”.

After years of negotiations, amendments, retractions, and unprecedented lobbying, the Council finally agreed to adopt the text. The problematic nature of the text persisted till the eleventh hour. France only agreed to back the text after last-minute amendments, and Germany and Austria abstained from the final vote. 

Portugal’s presidency of the Council was finally the one that put an end to discussions. Berlin and Helsinki had failed to do so during their respective presidencies.

Portuguese Minister Pedro Nuno Santos said that:

“The path to the Council position has not been easy, but we now have a mandate that strikes a good balance between solid protection of the private life of individuals and fostering the development of new technologies and innovation.”

Regardless of the progress, the bill is still a long way away from becoming law. Representatives of the legislative bodies will now engage with the Commission in a ‘trilogue’. Together, they will work on a final version of the bill. The Council and the Parliament must then approve the final bill for it to become law.

This doesn’t mean that the digital rights activists won.

Ulrich Kelber, the German data protection chief had no problem to publicly bash the adopted text, saying that, “If the regulation stays as it is, it would be a harsh blow to data protection.” Dissatisfied with several points – such as the ones concerning data retention – he petitions the Council and Parliament to “demand a rise in data protection standards during trilogue negotiations.”

Masse also publicly stated her dissent of the text. She wrote that the EU “lost forward-looking provisions for the protection of privacy while several surveillance measures have been added.”

Regardless, after more than four years from its original presentation, the cursed text – or a heavily amended version of it – is now well under way to become EU legislation. It’s now up to the Commission, the Council and the Parliament to finalise the bill while ensuring the protection of EU citizen’s privacy.