It took four years, but European governments have at last agreed on new privacy rules.
EU deputy ambassadors on Wednesday signed off on the e-Privacy Regulation, which aims to protect the privacy of online communications by regulating how telecom operators, tech companies and the online advertising industry use personal data.
Despite a long road still to becoming law — the final version of the bill must be negotiated between representatives of the Council of the EU, European Commission and the European Parliament — this week’s approval is a big step forward after years of bickering between national capitals without much progress.
“The path to the Council position has not been easy, but we now have a mandate that strikes a good balance between solid protection of the private life of individuals and fostering the development of new technologies and innovation,” said Portugal’s Infrastructure Minister Pedro Nuno Santos, who led Wednesday’s meeting because Portugal currently holds the Council’s rotating presidency.
The text was first presented by the Commission in January 2017, months after Europe’s flagship data protection reform, the General Data Protection Regulation (GDPR), was finalized.
The e-Privacy rules were welcomed by the Parliament — which adopted its own version in October 2017 — and digital rights advocates, but immediately raised the alarm in European capitals and within industry.
Until Wednesday, eight countries at the helm of the EU Council tried, and failed, to find an agreement among governments. It didn’t help that the bill was subject to one of the most intense influence campaigns ever seen on digital files. Big Tech, European telecom operators and press publishers intensively lobbied against the text, arguing it would hamper innovation and limit media pluralism.
According to EU diplomats who worked on the negotiations, the bill impacted so many different things — including online advertising, media, telecoms and national security — that it was difficult to find a compromise that would work for a majority of capitals.
Every time an EU presidency tried to please some unhappy capitals by tweaking the text, they lost the support of others who felt the balance was broken.
“It’s a bit of a cursed text,” one EU official said.
The lengthy negotiations highlighted the difficulty of finding a compromise between data protection and innovation, and how so many companies — who launched a concerted battle to kill or at least weaken the bill — rely on collecting personal data. With the grueling negotiations to finalize the GDPR still fresh, at some point the Council ran out of steam.
In the spring of 2018, it became obvious that there was no willingness in powerful capitals like Paris to wrap up the talks before the end of Jean-Claude Juncker’s term as Commission president, despite having a year and a half left to run. By November that year, all hopes were dead of reaching an agreement on the file before a new Parliament and Commission would take over.
The e-Privacy Regulation is also a textbook case of how hard it is to pass legislation when France and Germany, the EU’s two heavyweights, aren’t in sync. Berlin’s privacy-friendly approach put it at odds with Paris, which wanted looser rules for press publishers and telecom operators, and surveillance powers for itself to aid its fight against crime and terrorism.
In the final vote this week, Paris backed the text after some last-minute tweaks, while Berlin abstained.
This is the story of the negotiations, based on conversations and interviews with dozens of EU officials, industry lobbyists, activists and politicians over the four years of tense talks. Many spoke to POLITICO on the condition of anonymity to discuss confidential talks more candidly.
Kicking the can
Since 2017, the bill outlasted eight EU presidencies and two Commissions and Parliaments before Wednesday’s vote, presided over by Portugal.
The e-Privacy Regulation was already on life support when it first arrived in the Council.
Even before the Commission officially presented it, industry had been lobbying to scrap its predecessor, the e-Privacy Directive. Telecom operators wanted to use location metadata more freely; publishers wanted to continue using cookies for targeted advertising purposes; Big Tech feared for its personal data-based business model.
Meanwhile in the Council, having spent years negotiating privacy rules for the GDPR, national capitals, including Warsaw and Dublin, said they didn’t understand how the Commission’s new rules would work alongside the law they had just passed. That would become one of the main arguments in the Council to delay the legislation’s adoption.
“The first years of work on the reform in Council were dedicated in demonstrating the need for this regulation,” said Estelle Massé, senior policy analyst at digital rights NGO Access Now. “For several years, there was a lack of political will in advancing this reform.”
The task was also made more difficult because some governments couldn’t decide on a position, several EU diplomats said.
In Berlin, the economy and justice ministries bickered over the proposal — even while Germany itself was trying to broker an agreement during its EU presidency last year. The economy ministry wanted more relaxed rules, which it believed would foster innovation and the development of artificial intelligence; the justice ministry insisted on a high level of data protection. (Justice won: The German presidency dropped a clause allowing metadata to be processed “further.”)
The Council also stalled because of a staggering amount of industry lobbying against the legislation.
For years, industry groups such as tech lobby DigitalEurope, telecom lobbies ETNO and GSMA, press publishing lobbies EMMA/ENPA (including Axel Springer, POLITICO Europe’s co-owner) and many, many others sent countless letters both to Brussels and to national governments to try and sway policymakers. Telecom operators and tech companies tried to get the legislation scrapped entirely.
“One of the worst lobbying campaigns I have ever seen,” is how one Parliament insider described it, quoted in a 2018 report by the Corporate Europe Observatory, a transparency NGO.
One tactic European companies used successfully was to argue the proposal could further strengthen U.S. tech giants.
The Commission’s original text would have allowed users to set privacy settings on their internet browsers. But with the dominant browsers owned by Google, Apple and Microsoft, European industries argued the text would have given American companies greater control over European users’ online experience.
Consequently, EU governments scrapped the privacy settings provisions from the text, despite an outcry from digital rights advocates.
The other tactic was to divide and conquer.
According to a 2017 document seen by POLITICO, e-commerce giant Amazon boasted of having weakened support among European lawmakers for the proposal. By dividing MEPs, Amazon hoped it would “weaken the Parliament’s negotiation position with the Council, which is more sympathetic to industry concerns,” the document read.
“Our campaign has ensured that the e-Privacy proposal will not get broad support in the European Parliament,” the document read.
Besides the advertising industry and Big Tech, Corporate Europe Observatory noted significant interest in the rules from such diverse sectors as online fashion retailers, hotel booking websites and toy manufacturers.
Along the way, new issues complicated the talks in Council even more.
From 2018 on, capitals including London and Dublin — egged on by the tech industry, including Facebook — argued that the privacy rules would hamper the fight against child sexual abuse online, which pushed back Council discussions further, two EU officials said.
The Commission said that wouldn’t be the case, but eventually had to come up with a derogation to the rules in September last year to allow tech companies to detect and remove child sexual abuse material without requiring consent.
The Commission designed the derogation partly to take out what had become one of the e-Privacy Regulation’s thorniest issues, and to open a path to the bill’s approval, a Commission official said.
“Child sexual abuse material online was one of the most difficult issues during the Finnish presidency,” said one EU official. “[The Commission’s proposal] solved it and swiped it off the table.”
The question of how long companies should keep citizens’ information for government and police access, known as data retention, remained a sticking point until the very end.
In February 2019, security-minded states including Belgium, Estonia, Denmark, France and the U.K. wrote a nonbinding paper arguing that the e-Privacy Regulation should allow for “the possibility for existing and future data retention regimes.” They argued that a provision on data retention was necessary for the “prevention, investigation, detection or prosecution of criminal offences.”
When the Court of Justice of the EU ruled in October last year that the data retention schemes in France and Belgium fell foul of existing EU law, that increased the pressure on the e-Privacy talks.
On Wednesday, France withheld its support of the text until the Portuguese presidency made some last-minute changes that would open the door for EU countries to retain data. The final Council proposal reflects Paris’ wishes, according to an internal note by the French authorities, obtained by digital rights NGO Access Now via an access to document request and shared with POLITICO.
The Finnish compromise
Late last year, it became clear that the only way to get a majority on board was to revert back to the text proposed by the Finnish presidency in the fall of 2019.
Helsinki also failed to reach an agreement — although it did get closer than anyone else.
In November 2019, Finland had hoped its compromise text would gather enough support, but more than a dozen countries, including France and Germany, rejected the proposal — some because they felt the text was going to stymie companies, others because they feared privacy would not be sufficiently protected.
But there were other factors at play, one EU official who took part in the negotiations explained. EU delegations were still hoping the newly installed von der Leyen Commission would come up with a new proposal, and they were waiting for the Court of Justice of the EU to rule on the data retention case. The discussions around child sexual abuse online — before the Commission came up with the derogation — also made it more complicated.
And “a very big lobbying push” by the industry encouraged capitals to reject the text, the official added.
Croatia, which took over the presidency in January 2020, decided to make the text more industry-friendly. In a short-lived win for publishing, tech and telecom industries, Zagreb put forward new proposals that would have allowed companies to process metadata and collect information from users’ electronic devices without their consent, “if it is necessary for the purpose of the legitimate interest.” That provision tanked in the Council.
Germany, which assumed the Council’s presidency in July 2020, went in the opposite direction and presented a more privacy-friendly text. Berlin removed the Croatian legitimate interest clause, and also dropped a provision that allowed companies to process users’ metadata without their consent if the objective is compatible with what the users originally consented to. But the Council didn’t like that either.
“So it turned out that the Finnish compromise was the best one,” said the EU official.
The Portuguese presidency’s proposal effectively repackaged the Finnish compromise, with additional tweaks they believed were necessary to get the bill’s approval.
Despite being framed as middle-of-the-road, digital rights NGOs and the European Parliament’s lead negotiator believe the Council’s text does not protect privacy enough. Privacy settings on browsers is still out, companies can still refuse access to their website to users who don’t accept cookies, and the provision on processing metadata that the Germans had dropped made its way back into the text.
“Clearly still the Parliament’s position is that we need to protect privacy and confidentiality of communications. From what we hear from Council, I’m not convinced that their position will go into that direction,” said MEP Birgit Sippel earlier this week, before Wednesday’s agreement.
Germany’s federal data protection regulator said the Council’s bill was “a serious blow to data protection.”
The bill’s approval only marks the end of the beginning for a text that will now be subject to more negotiations, lobbying and plot twists as the European lawmakers and national capitals gear up for final talks that may extend into next year.
“I couldn’t tell you if we can have a final text already within this year because we have to look more into the details to find out where, with all the different positions, we might nevertheless find common understanding — negotiations will not be easy,” Sippel said.
“But there is always a chance for a compromise.”
Want more analysis from POLITICO? POLITICO Pro is our premium intelligence service for professionals. From financial services to trade, technology, cybersecurity and more, Pro delivers real time intelligence, deep insight and breaking scoops you need to keep one step ahead. Email [email protected] to request a complimentary trial.