EU Shifts Focus: Drops ePrivacy, AI Liability for AI Competitiveness

EU Withdraws Long-Stalled ePrivacy Regulation

A protracted attempt to strengthen European Union regulations concerning online tracking technologies, and to align penalties with the General Data Protection Regulation (GDPR), has been officially abandoned by the Commission. This decision follows a failure among co-legislators to reach a consensus on the proposed plan.

Proposal's History and Demise

The initial proposal to modernize the ePrivacy Directive into a comprehensive Pan-EU regulation originated in 2017. However, its ultimate failure became apparent some time ago. On Wednesday, the Commission formally included the ePrivacy Regulation in a list of legislative initiatives slated for withdrawal as part of its 2025 work program, citing “no foreseeable agreement” as the reason.

The EU further stated that the proposal had become outdated in light of recent developments in both the technological and legislative spheres.

Intense Lobbying Efforts

The withdrawal of the regulation, officially titled “concerning the respect for private life and the protection of personal data in electronic communications,” is not unexpected given the years of stagnation. The proposal attracted significant lobbying from both technology companies and telecommunications providers, whose business models would have been impacted.

Unsealed documents from a U.S. antitrust case in 2021 revealed Google’s lobbying efforts, including attempts to mobilize other tech giants to delay and ultimately derail the reform. A 2020 report by Politico identified Amazon as also working to weaken support for the proposal among EU co-legislators.

Commercial Stakes and Potential Benefits

The dominance of behavioral advertising models, which rely on tracking and profiling users to generate revenue, significantly raised the stakes for any reform of EU ePrivacy rules.

The regulation potentially could have provided legal support for “do-not-track” mechanisms. It also had the potential to simplify online privacy for European consumers.

Existing ePrivacy Rules Remain in Effect

Despite the withdrawal of the proposed regulation, the EU’s current ePrivacy rules remain in force. Several tech companies have already faced sanctions for violating these existing regulations in recent years.

Google and Amazon, for instance, have been fined for breaches of cookie consent rules. France’s data protection authority, the CNIL, penalized Google with approximately $120 million in December 2020 and around $170 million in January 2022 for failing to secure proper consent for tracking cookies. Amazon received a cookie consent fine of around $42 million from the CNIL in late 2020. Meta (formerly Facebook) and TikTok have also faced penalties.

Expert Commentary on the Withdrawal

Dr. Lukasz Olejnik, an independent researcher and consultant specializing in this policy area, described the withdrawal as “a good move,” stating that the proposal’s failure was predictable. He suggested the timing was unfavorable.

Olejnik believes that concerns surrounding the GDPR led to the proposal’s demise, and the current regulatory climate is not conducive to revising data protection laws. He warned that such revisions could even weaken the GDPR.

Internal Commission Analysis

A source within the Commission echoed this sentiment, suggesting that former Commissioners Viviane Reding and Neelie Kroes should have pursued the ePrivacy and GDPR updates concurrently. The momentum was lost due to exhaustion following the GDPR negotiations.

The source also criticized the original proposal as being outdated, designed for an era when telecommunications companies were the primary concern. They highlighted the fundamental difference between telcos and large surveillance technology companies, questioning whether ePrivacy could effectively regulate entities that even the GDPR struggles to control.

Future of Online Tracking Regulation

The withdrawal of the ePrivacy Regulation is expected to create increased uncertainty and provide technologists with more flexibility to develop approaches that circumvent the existing, increasingly outdated, ePrivacy rulebook.

Olejnik predicts that new technologies will continue to operate outside the scope of current regulations. He anticipates that interpretations and guidance from the European Court of Justice (ECJ) will shape the legal landscape, potentially leading to a future revamp of the rules.

The Digital Services Act as an Alternative

When asked about alternative legislation protecting citizens’ electronic communications privacy, the European Commission, through spokesman Thomas Regnier, pointed to the Digital Services Act (DSA). He stated that the DSA provides a “strong framework to ensure a high level of privacy, especially for minors (Article 28)”.

The DSA includes measures to regulate the use of data for advertising, prohibiting the use of minors’ data for targeted ads and restricting the use of sensitive personal data. It also mandates consent for data usage in advertising, prompting Meta to adopt a “pay or consent” model in the region.

Regulatory Scrutiny of Meta’s Model

Meta’s “pay or consent” approach has faced scrutiny under the DSA’s sister regulation, the Digital Markets Act. This led the company to offer users the option of viewing “less personalized ads” in exchange for either consenting to tracking or paying for an ad-free experience on Facebook and Instagram.

Commission’s Commitment to Privacy

The Commission emphasized that respect for private life, including communications, is guaranteed by the EU Charter of Fundamental Rights. They affirmed that trust and security in the digital economy are essential for Europe to realize the full potential of the digital age.

The EU reiterated its commitment to maintaining a high level of privacy protection while fostering innovation.

EU’s 2025 Work Plan: Key Priorities

Following a recent leadership shift, the European Commission has a substantial agenda of technology-related legislation to address this year. A key focus is now on enhancing competitiveness, with the explicit intention of stimulating economic expansion through support for innovations such as artificial intelligence.

This shift appears to be geared towards a closer alignment with the needs and interests of the private sector.

Legislative Proposals Withdrawn

Among the withdrawn legislative proposals is the AI Liability Directive. This directive sought to modernize EU product safety regulations to encompass AI and automation technologies. The EU has indicated that it will evaluate whether to present a revised proposal or explore alternative strategies.

The Innovation Act

The 2025 work program includes plans for an Innovation Act, scheduled for later in the Commission’s term. This act aims to facilitate investment and operations for startups, scale-ups, and other innovative companies.

The goal is to streamline regulations and work towards establishing a unified legal framework across all EU Member States – a “28th legal regime” – instead of the current 27 separate systems.

Simplifying Regulations and Reducing Risk

The Commission intends for this reform to simplify applicable rules and lessen the consequences of business failure. This includes reviewing relevant aspects of corporate law, insolvency law, labor law, and tax law.

Boosting AI Development

A Cloud and AI Development Act is also planned, designed to improve access to data and accelerate the development of domestically-grown AI technologies.

Furthermore, an AI Continent Action Plan will focus on coordinating resources and expertise through the existing EU AI Factories scheme, alongside an Apply AI strategy.

Focus on Biotechnology

Another significant area of focus is the advancement of biotechnology. The EU aims to leverage European life sciences to foster innovation, pool resources, remove regulatory obstacles, and fully utilize the potential of data and artificial intelligence in this sector.

Digital Infrastructure and Quantum Technology

The plan also includes support for high-capacity digital infrastructure, with a Digital Networks Act intended to create opportunities for cross-border network operations and service provision.

This act will also aim to enhance industry competitiveness and improve spectrum coordination.

The EU Quantum Strategy will be followed by a Quantum Act, targeting what the EU considers a “critical” and strategic sector. The strategy will contribute to building internal capabilities for researching, developing, and producing quantum technologies.

Protecting Critical Infrastructure

A Space Act is also on the agenda, alongside efforts to enhance the protection of undersea communications infrastructure, given the increasing risks of accidents or sabotage to the region’s undersea cables.

Consumer Protection and Disinformation

The EU’s 2025 work plan offers fewer details regarding consumer protection. The upcoming Consumer Agenda 2025-2030 will include a new action plan focused on consumers in the single market.

However, the emphasis appears to be on achieving a balance between protecting consumers and avoiding excessive regulatory burdens on businesses.

Regarding online disinformation, the EU reaffirms its commitment to a “Democracy Shield” initiative. This will address evolving threats to democratic processes and electoral systems, including increased collaboration with civil society organizations.

Note: This article has been updated to reflect responses received from the Commission.