EU Commission withdraws ePrivacy Regulation and AI Liability Directive

Contents

It is a special feature of the EU legislative process: only the EU Commission can propose new laws - and withdraw them at any time as long as they have not been adopted. This is exactly what is now happening with two relevant pieces of digital legislation: the proposal for a special regulation on liability law for artificial intelligence and the so-called e-privacy regulation, which is intended to regulate the protection of communications data. The withdrawal of both projects has now been officially announced in the new EU Commission's published work program.

E-Privacy Regulation: Commission gives up

It was supposed to be the complementary regulation to the General Data Protection Regulation: Eight years after negotiations on the ePrivacy Regulation began, the EU Commission now wants to officially scrap it. This would mean that years of negotiations between the member states and in the Parliament would be invalid -- and the old ePrivacy Directive from 2002 would remain in force. This has very concrete repercussions: Because the cookie plague will remain with citizens. This is because they are only covered to a small extent by the General Data Protection Regulation, but fall largely under the e-privacy regulations. However, the legal framework for data retention should also be revised. The EU Commission cites two reasons for the withdrawal: Firstly, that the two co-legislators – the Council of Member States and the Parliament – would not reach an agreement. But also that the proposal was no longer up to date, "both in terms of the technological and legislative landscape".

Birgit Sippel, the European Parliament's chief negotiator, regrets the end: "By withdrawing the ePrivacy Regulation, the Commission has missed a great opportunity to create clear rules to protect the confidentiality of our communications." The General Data Protection Regulation alone could not prevent the misuse of communication data, and there was also legal uncertainty due to the different implementation of the old directive in the member states. Sippel is calling on the EU Commission to present an alternative to restrict the cookie banner system and better protect users from being screened.

Bitkom welcomes the end of the ePrivacy Regulation in principle: the IT industry association saw problems in the regulation: "The unclear definitions, the regulatory overlaps with the GDPR and the strict requirements for Machine2Machine communication, which would have significantly hindered innovations in areas such as Industry 4.0 and IoT, were particularly problematic," says Susanne Dehmel. However, a new regulation is still needed that is leaner than the previously planned regime and counteracts a drifting apart of the law in the member states.

Data protection activist Max Schrems sees the end of the ePrivacy Regulation as a logical step: "After a good 10 years of debate, a new start makes sense," he told heise online. "It is foreseeable that parts will now come as individual regulations." He advocates, for example, making it possible to collect data for truly anonymous statistics without consent - the previous regime was too harsh in this respect. "In return, it would make sense to finally stipulate the automatic exchange of consent", for example through the do-not-track signals that browsers and mobile operating systems can send. This could effectively limit the annoying flood of banners.

AI liability law: Voss sees withdrawal as a disaster

The second regulation to be dropped is the AI Liability Directive, a planned special regulation for liability in the use and development of artificial intelligence. This should have been introduced in the last legislative period and clarified the civil liability issues that arise when using AI: When is who liable for potential damage? Is it the model operators, the developers, the agencies using the technology? After it was foreseeable that the proposal would be difficult, the negotiators of an update to the general product liability directive at the end of 2023 included further regulations, for example on software liability. Since October 2024, Article 12 of the directive has already included new liability rules on when, for example, a software manufacturer is responsible for third-party components that it has integrated into its products.

CDU MEP Axel Voss, who negotiated key parts of the EU's AI legislation, is extremely critical of the withdrawal: "This decision is a disaster for European companies and citizens alike," he says. "By scrapping this important framework, the Commission is actively opting for legal uncertainty, a power imbalance between companies and a Wild West approach to AI liability that only benefits Big Tech." In his view, the fragmentation into national responsibilities instead of uniform European rules is a massive problem for all parties involved -- for companies, because there is a lack of legal certainty and the use of AI in the EU internal market is thus weakened, but also for consumers: "The damage associated with AI is already increasing, from discriminatory algorithms to deepfake fraud. Without a harmonized liability framework, it is extremely difficult to claim damages." Voss sees the rejection as a strategic mistake that makes him doubt "that we will ever be able to create a future-oriented digital single market."

Bitkom, on the other hand, is satisfied: the AI Act and the product liability regulations have already created sufficient legal certainty, says Susanne Dehmel, member of the management board: "Excessive double regulation would be a burden for SMEs in particular." Bitkom would have feared "potentially excessive requirements" with a special AI liability directive.

Digital policy projects now with timetables

With the EU Commission's new work program, a number of other projects have also been announced or their presentation has been specified in more detail. For example, the Digital Networks Act (DNA), which is intended to regulate the future of the telecommunications market in Europe, is scheduled for the end of 2025. The project is highly controversial among experts -- critics fear that the EU Commission could use the creation of an overall European telecommunications market to undermine regional competition among telecommunications providers in order to create viable "champions" in international competition. The German Broadband Association (Breko), for example, warns against a "one size fits all" approach. "Scaling back regulation would have serious negative consequences in Germany, where the incumbent's competitors are responsible for over 60% of fiber optic expansion," warns Breko's Head of Policy Lisia Mix. In addition, there are repeated discussions in connection with the DNA as to whether the existing regulations on net neutrality could be changed. The DNA should also include regulations for better protection of undersea cables –. Here, the EU wants to bring about more transparency from operators and stronger resilience obligations, among other things, but is also considering its own fleet of repair ships.

An "AI Continent Action Plan" is also due to be published in the first quarter of 2025, with which Europe intends to consolidate its position in the AI race and which should primarily focus on computing capacities and AI funding – However, the project is not yet included in the concrete plan for the Commission meetings. The EU's quantum computing strategy is due to follow in the second quarter. In contrast to these two projects, the "EU Space Act" is a concrete regulatory proposal with which the EU Commission wants to create the conditions for Europe to play a greater role in space travel and satellite constellations again. Two projects have been announced for the fourth quarter of 2025: firstly, a "digital package", which is primarily intended to simplify the European legal framework and whose content is currently still open. The second is a proposal for a "European Business Wallet", a digital company account that is intended to facilitate digital identification in business transactions, similar to the EIDAS Regulation.

(dmk)