The wounds inflicted by the General Data Protection Regulation (GDPR) are still so fresh for many marketing and in-house compliance departments that the thought of going another round with a new European privacy law is almost too much to bear. And yet, more is coming.

The next step will be adoption of the EU’s ePrivacy Regulation, due towards the end of 2018 or early 2019. Implementation will have impacts on current business operations and future innovation. European tech is already lagging behind Chinese and North American competitors and this will just create one more obstacle.

The substance of the regulation has avoided extensive public scrutiny, overshadowed by the coming into force of GDPR. This is unfortunate, because the law addresses essential issues of data privacy and introduces important paradigm shifts. And like GDPR, the law will apply to companies outside Europe, with heavy fines for infringers. But the proposed text contains serious ambiguities that, unless they are resolved, will only make it harder for Europe to get back in the race.

Once adopted, the ePrivacy Regulation will replace an outdated ePrivacy Directive from 2002. That directive regulates the treatment of traffic and location data by telecommunications companies and internet service providers, restricts direct marketing by email and other channels, and limits the use of online tracking devices, such as cookies. The new regulation will cover much of the same ground, but with expanded scope and stricter application. At its core is an outright prohibition on the processing of “electronic communications data” by providers of electronic communications services, subject to very narrow exceptions.

Electronic communications data includes the content of the messages we send each other using communications services, and also the metadata generated by a message. Industry stakeholders all agree that this data contains very sensitive information about users and that its processing should be controlled. Many players also welcome proposals in the regulation that will simplify the rules governing the use of online tracking devices.

But matters get more complicated when it comes to the question of who will be subject to the new law and who it protects. Indeed, this is where the compliance nightmare begins, along with the uncertainty that can put a chill on new product development.

The ePrivacy Regulation extends the scope of the directive to cover so-called “over the top” (OTT) service providers, which offer communications services via the internet that are “functionally equivalent” to those that traditional voice telephony and text messages provided. Intuitively this makes sense: WhatsApp and Skype provide services that are the same, from a user perspective, as those offered by Vodafone, and they process the same communications data, so they should be subject to the same rules regarding that data.

Except that the regulation will also cover OTT services where the person-to-person communication element is only an “ancillary” feature linked to another service. At this point, what “ancillary” means in practice is still anyone’s guess. But in theory any website or app that offers a communication component is covered. Unsurprisingly, the issue is being heavily lobbied.

Added to the question mark over the law’s scope is ambiguity regarding implementation in relation to different users. In a marked change from the existing directive, legal entities are now squarely covered by the definition of “end-user”, in addition to individuals, and both benefit from the prohibition against the processing of their communications data.

Legal entities, the regulation provides, have a fundamental right to the protection of their privacy, guaranteed by Article 7 of the EU Charter of Fundamental Rights. The regulation even states that one of its objectives is “to ensure an equivalent level of protection of natural and legal persons”.

Granting corporations the same privacy interests as individuals risks real implementation problems. The type of consent required to process communications data will be the strict GDPR standard for both. But GDPR was not drafted to cover companies, because they don’t have personal data. The drafters of the regulation have sought to address this issue by stating that GDPR will apply to legal entities mutatis mutandis — adapted as necessary — which doesn’t clarify matters at all.

Ambiguous laws, especially when backed by big fines, are bad for business and innovation. Established companies and start-ups may avoid launching new products if compliance costs outweigh the unknown benefit. Other companies will just get it wrong. The implementation of GDPR illustrates the point. This can’t be a winning strategy for Europe.

The writer is Twitter UK’s former lead counsel and works for law firm Bredin Prat