“Go back to Baltic Avenue!” – this command doesn’t create a good mood in the Monopoly game. The same applies to the EU Member States’ telecommunications and transport ministers who gathered in Brussels on December 3, 2019 for a Council meeting when the new Internal Market Commissioner, Thierry Breton, noted the temporary failure of the governments’ almost three-year efforts to reach a consensus on the draft e-privacy regulation presented by the Commission at the beginning of 2017: „We’ll have to put a new proposal on the table because I definitely think that everybody wants to do something, but obviously you are not in agreement“. He added, however, that the Commission wanted to take up the work done so far and that the process would not have to start entirely „from scratch“.
The European Parliament already positioned on the E-Privacy proposal at an early stage with its opinion adopted in October 2017. The governments are once again proving to be slowing down a project that is extremely important for the future of the European Union, its citizens and the European economy. The failure was foreseeable, in particular because the original Commission draft was to be „enriched“ by governments with all kinds of wishes, from an opening clause for national regulations on data retention to deep packet inspection to combat child pornography. At the same time, data protection requirements have been further weakened by the governments representatives.
In Sunday speeches the governments conjure up the “digital sovereignty of Europe”. Nevertheless, the patchwork of inconsistent data protection laws for electronic services remains for the time being. The E-Privacy Directive (2002/58/EC) has been implemented very differently in the Member States. In Germany, the various federal governments have even completely refused to implement central data protection rules that are legally binding in Europe, especially with regard to the permissibility requirements for the use of „cookies“. The German data protection authorities have therefore quite rightly clarified that the corresponding provisions of the German Telemedia Act are no longer applicable and have been superseded by the General Data Protection Regulation (GDPR) since 2018. The European Court of Justice (ECJ) also recently underlined the invalidity of those provisions of the Telemedia Act, which conflict with the Directive (ECJ, Case C-673/17, judgment of 1 October 2019, “Planet49”). However, the European Commission is partly to blame for this unsustainable situation, as it has so far, contrary to better knowledge, refrained from initiating infringement proceedings against those member states which have not implemented the E-Privacy Directive at all, or have done so incompletely or incorrectly.
Since the adoption of the GDPR in May 2016 it is clear that the general provisions fixed there must be flanked and concretized area-specifically data protection regulations. This applies in particular to electronic services, which are offered normally also outside the providers’ territory. The fact that there are still considerable legal differences between the Member States, particularly with regard to digital services, has a massively detrimental effect on the European internal market. This situation is being exploited – not least by global, non-European players. On the other hand, the different national regulations make life difficult for smaller European companies, for example if a start-up wants to offer its service in more than one Member State. Unlike these small and medium-sized businesses, Microsoft, Google, Facebook, Amazon & Co have large legal departments and can afford expensive specialist lawyers who can handle the 28 different national requirements.
The situation is also very annoying for users: In view of the lack of legal clarity, the market power of Internet giants far too often decides whether and to what extent personal data is protected. This is also due to the fact that the requirements of the (still) valid E-Privacy Directive are less and less state of the art. For example, Google & Co need no longer to use cookies if they want to track the behaviour of users and create meaningful profiles. The new tracking mechanisms, especially „browser fingerprinting“, were still unknown when the E-Privacy directive was formulated many years ago.
Furthermore, it cannot be denied that the repeated requests for consent in the use of cookies does not strengthen data protection, but has led to a „consent fatigue“. A new regulation on E-Privacy, directly applicable to all Member States, is therefore essential.
I believe it is urgently necessary to resume work on the E-Privacy Regulation as soon as possible. A good basis for this is the draft approved by the European Parliament. It will be of central importance to effectively protect users from the increasingly excessive recording of their behaviour, irrespective of whether cookies or other mechanisms are used. In view of the ever-increasing complexity of processing options, users must be given an explicit right to define their data protection preferences by electronic means of appropriate programmes and settings – not just in the browser. And providers must be obliged to follow these user preferences and not – as has often been the case in the past – to avoid adhering to them by means of inappropriate clauses in their terms of use.