On Feb. 21, the Croatian presidency published its proposals to break the ePrivacy Regulation deadlock.
Seven previous EU presidencies (the holder rotates every six months) have tried and failed to find a compromise between member states.
In a radical departure from previous drafts, the presidency has suggested changes to Articles 6 and 8 that would see “legitimate interest” as a legal basis to process metadata and collect information from the terminal equipment — potentially replacing user consent. “Legitimate interest” is mentioned 25 times in the 32-page document.
According to the presidency, “This legal ground is accompanied, in line with the GDPR, by a number of conditions and safeguards provided in a new Article 6b(2).”
Most privacy watchers have focused on the implications for the advertising technology industry. Here’s the kicker — Recital 21(b): “A legitimate interest could also be relied upon by a service provider whose website content or services are accessible without direct monetary payment and wholly or mainly financed by advertising, provided that these services safeguard the freedom of expression and information including for journalistic purposes, such as online newspaper or other press publications or audiovisual media services and the end-user has been provided with clear, precise and user-friendly information about the purposes of the cookies or similar techniques used and has accepted such use.”
How that “has accepted such use” might be interpreted is still cause for discussion.
Although the new proposals sound very broad and vague, the presidency appears to have given some thought to how and when the interests of the end-user outweigh the interests of the service provider: for example, if the end-user is a child, when the information contains special categories of personal data — in accordance with Article 9 of the EU General Data Protection Regulation — or when the service provider processes, stores or collects data to build an individual profile of the end-user.
But Global Data Protection Lead at Access Now Estelle Masse said the safeguards don’t go nearly far enough: “At this stage, the Council has turned the ePrivacy reform into a surveillance tool. The text is also now contradicting the GDPR by lowering the level of protection on the processing of metadata. This blatant disregard for fundamental rights is simply unacceptable.”
The proposals also seem to fly in the face of advice from the European Data Protection Board. In a statement May 25, 2018, it explicitly said “there should be no possibility under the ePrivacy Regulation to process electronic communications content and metadata based on open-ended grounds, such as ‘legitimate interests,’ that go beyond what is necessary for the provision of an electronic communications service.”
But many pointed out that the Croatian proposals are potentially contradictory.
Johnny Ryan, chief policy officer at Brave, said, “It’s an odd text. A paragraph in Recital 21b has strong adtech-friendly language, but Article 8(1)g has the opposite as it rules legitimate interest for profiling out.”
According to Article 8(1)g, “a provider should not be able to rely upon legitimate interests if the storage or processing of information in the end-user’s terminal equipment or the information collected from it were to be used to determine the nature or characteristics on an end-user or to build an individual profile of an end-user.”
“In such cases, the end user’s interests and fundamental rights and freedoms override the interest of the service provider, as such processing operations can seriously interfere with one’s private life, for instance when used for segmentation purposes, to monitor the behavior of a specific end-user or to draw conclusions concerning his or her private life,” continues the text.
Ryan added, “The tracking industry has misused legitimate interest for years.”
Ray Walsh, data privacy expert at ProPrivacy, said, “Service providers have argued that they require metadata to provide necessary services to consumers, including security within their services that protect consumers against spam and malware. The good news is that the proposed legislation does now clearly specify that metadata should not be used to determine the nature or characteristics of an end-user or to build an individual profile of an end-user. This clarification appears to ensure that metadata can not be exploited for purposes that would run contrary to the interests of consumers.
“We’re also pleased to see that these proposals state that consumer data can not be shared with third parties unless it has been sufficiently anonymized and that even then the consumer must be informed of this process and may object to this use of their data,” he added.
But Hogan Lovells Privacy and Cybersecurity Practice Global Co-Head Eduardo Ustaran, CIPP/E, said, “I personally think that after so many years of flawed cookie consent, it is a productive thing to do to introduce another approach into the legislative debate. My view is that ‘legitimate interests’ is misunderstood and underrated as a regulatory mechanism to protect our privacy.”
Pirate Party MEP Patrick Breyer argued, “The whole point of having a specific ePrivacy regulation is that the privacy and security of our electronic communications and internet use need stronger protection than GDPR because telecommunications are so prone to interception and surveillance. Watering down electronic privacy to what applies to any odd business would make the proposed ePrivacy regulation pointless and be similar to abolishing ePrivacy rules altogether.
“Corporations have no 'legitimate interest' in intercepting and exploiting information on our private communications and tracking our Internet use. This is none of their business. If a business model relies on tracking and invading users’ privacy, it is wrong and needs to be changed. Council can be sure that lawmakers will fight any attack on the current level of protection afforded by the ePrivacy directive. We will rather let this reform die than the privacy and security of everybody’s communications. Governments are trying to hijack this regulation to legalize mandatory and voluntary data retention, tracking and upload filters. Their version of the regulation does not deserve the name ‘ePrivacy’ — ‘dePrivacy’ would be more accurate,” Breyer concluded.
Simon Assion, CIPP/E, senior associate at Bird & Bird, pointed out, “The fact that the Croatian presidency made another ePrivacy proposal is not really surprising, it is the regular course of events. The real (and yet unanswered) question is whether the proposal will get enough support from the member states. I doubt it.”
And this is where all the discussion about the text falls afoul of realpolitik.
The ePrivacy Regulation was proposed by the European Commission more than three years ago, in January 2017, and the European Parliament adopted its position in October the same year, but no amount of wrangling seems able to break the stalemate in the council. Germany has been the traditional hold-out and despite several attempts to push for a common position — most notably by the Austrian Presidency — little progress has been made. With four different ministries involved, Germany does not have a lot of flexibility or room for maneuver internally.
Insiders believe that the Croatians are trying one last-ditch, provocative attempt to force delegations’ hands. If a crisis point is reached, then member states will either have to accept a text or abandon the reform altogether and ask the commission to withdraw the proposal.
Assion believes “the Commission should provide a revised proposal together with (hopefully) a proposal for the revision of the GDPR. Both initiatives are so closely connected that they should not be handled separately. I still think that the initial approach was so flawed that attempts to 'repair' it will either fail completely, or result in a Regulation that will make things incredibly complex,” he added.
Another potential scenario is that Germany will finally agree to a text as it will hold the next rotating presidency. That would put it in a position to drive the trilogue negotiations with the European Parliament, without whom no new law can be passed anyway. Therein lies yet another stumbling block: Each iteration of the text at council level seems further and further away from the European Parliament position, so reaching an agreement remains a distant prospect.
Jesper Lund, chairman of the IT-Political Association of Denmark, summed up the maneuvering, saying, “After three years of discussion in Council, this could open the door for a new batch of amendments to water down the data protection safeguards in the ePrivacy text. Besides delaying the adoption of the Council general approach, this strategy also moves the text further away from the position of the European Parliament, which will make the subsequent trilogue discussions more difficult. In the meantime, fragmented transpositions of the current ePrivacy Directive create problems and legal uncertainty for European citizens as well as the digital single market.”
In the short term, the council’s Working Party on Telecommunications and Information Society will discuss the proposals March 5 and 12.