
Privacy Perspectives | ePrivacy: Why 'prohibition by default' cannot be an option


Until 1989, Germany was a divided country. East Germany was under communist rule. The power base of the communist government was its secret service — the infamous “Staatssicherheit,” also known as the Stasi.

As a West German, I knew that the Stasi was likely to open the envelope when I sent a letter to my friends in the east part of Berlin. I also knew that the Stasi was likely to listen in when I called, so we were careful not to talk politics (or the music tapes I would smuggle across the border on my next visit) on the phone.

Today, 30 years later, communication is mainly electronic. When communicating, we all rely on our smartphones, tablets and laptops.

As the days of the Stasi are long gone, we all trust communication to be safe. We expect our service providers not to read our emails. We expect our telco providers not to intercept our messages. We expect our government not to listen in on our calls.

Trust in the confidentiality and security of communication is essential for the freedom of communication. People will only speak frankly and openly when they can communicate without the fear of surveillance and interception.

In the German constitution, the “secrecy of telecommunication” — “Telekommunikationsgeheimnis” — is defined as a fundamental right, akin to, but separate from, the fundamental right to privacy and “informational self-determination.”

Since the 1990s, the confidentiality of communication has also been protected by the ePrivacy Directive. Article 5 ePD prohibits, as a rule, “listening, tapping, storage or other kinds of interception or surveillance of communications.”

The prohibition of interception and surveillance does not only protect privacy and the right to protection of personal data but also the freedom of communication, as recently stressed by the Court of Justice of the European Union in its Tele2 decision on data retention:

“Accordingly, the importance both of the right to privacy, guaranteed in Article 7 of the Charter, and of the right to protection of personal data, guaranteed in Article 8 of the Charter, as derived from the Court’s case-law …, must be taken into consideration in interpreting Article 15(1) of Directive 2002/58. The same is true of the right to freedom of expression in the light of the particular importance accorded to that freedom in any democratic society. That fundamental right, guaranteed in Article 11 of the Charter, constitutes one of the essential foundations of a pluralist, democratic society, and is one of the values on which, under Article 2 TEU, the Union is founded.”

The new, proposed ePrivacy Regulation that is presently being debated needs to meet the high standards set by the CJEU. According to these standards, protecting privacy is not enough. The freedom of communication also needs to be protected.

The European approach to privacy is “prohibition by default.” Any processing of personal data is prohibited unless such processing is covered by one of the grounds for lawful processing spelled out in Article 6 of the General Data Protection Regulation: consent, contract, legal obligation, vital, public or legitimate interests. The European Commission and the European Parliament intend to extend this approach to the new ePR: The existing prohibition of interception and surveillance is to be extended to any “processing” of electronic communications (Article 5 of the ePR). For the lawfulness of such processing, consent will normally be required (Article 6 of the ePR).

From a privacy point of view, the prohibition is consistent as it sets a standard of protection that is equivalent to the GDPR. However, as the CJEU has pointed out in the Tele2 case, the ePD and the ePR are not merely about privacy but also about the freedom of communication.

“Prohibition by default” cannot be the right answer when protecting the freedom of communication. I want my mails, messages and calls to remain confidential and protected against interception. At the same time, I want to communicate without restrictions, checkboxes and red tape.

“Prohibition by default” has side effects that become obvious in Article 6 of the ePR. Communication always involves, at least, two persons – sender and recipient. As it is the aim of the ePR to protect privacy, it will normally not be enough to ask the sender or the recipient for consent. In many cases, “all users concerned” need to give consent, and it is hard to find a good reason why a spammer does not need to be asked before his mail is filtered out.

As the CJEU rightly pointed out, the freedom of communication is not just an individual right but also essential for an open, democratic and pluralistic society. Therefore, it is communication and not abstention from communication that needs to be encouraged. Communication must neither be prohibited nor burdened with overabundant consent requirements.

In order to meet the standards of Article 11 of the EU Charter of Fundamental Rights, Article 5 of the ePR needs to be revised. While it is vital to protect communication against interception and surveillance, communication is also a fundamental right that needs to be fostered and encouraged. When we're talking about communication, “prohibition by default” cannot be a regulatory option in a free and democratic society.

photo credit: Wguayana Antena via photopin (license)

3 Comments

  • comment Karima Saini • Nov 7, 2017
    Couple of thoughts come to mind that could offset the concerns expressed in this article.  First, personal data processed by natural persons for purely personal or household activities is out-of-scope - GDPR Art 2(2)(c). Because ePR will be  Lex Specialis to GDPR, as an example, personal emails sent to family members should be exempt. Second, although ‘consent’ is one of the lawful bases in GDPR Art 6(1), there are good reasons why ‘legitimate interests’ is the better choice where balancing the interests of data subjects is respected.
  • comment Alexander Hanff • Nov 17, 2017
    I find this article to be quite misleading.  First of all sending spam is illegal and as such consent of the law breaker is not required and falls under qualified exemptions on providing a requested service, security and basic common sense.  To suggest that consent to filter spam from the spammer is required is quite simply false and deliberately alarmist.
    
    Furthermore, communication is not burdened by the Regulation, quite the opposite in fact - by prohibiting any processing which is not strictly necessary for the delivery of the communication - there is no need for the parties to be concerned about their communications at all.
    
    You also state:
    
    "As the days of the Stasi are long gone, we all trust communication to be safe. We expect our service providers not to read our emails. We expect our telco providers not to intercept our messages. We expect our government not to listen in on our calls."
    
    I cannot see how this can be considered as anything other than deliberately dismissive - especially in recent years.  After the Snowden revelations and multiple academic research papers on consumer trust, to suggest people think their communications are private is quite simply living in denial.  Emergence and popularity of End to End Encrypted Communication Services such as iMessage, WhatsApp, Signal, HTTPS, PGP, SMIME, VPNs, TOR and countless others clearly illustrates the opposite is true.
    
    Also, with regards to Art. 11 of the EU Charter - prohibition of interference with communications has the opposite effect to the one you are suggesting - it prevents censorship, it prevents surveillance and interception and to argue otherwise completely contradicts your fifth paragraph where you state:
    
    "Trust in the confidentiality and security of communication is essential for the freedom of communication. People will only speak frankly and openly when they can communicate without the fear of surveillance and interception."
    
    I will say finally (and I use the word finally merely to indicate it is the last thing I will write on this "opinion" as opposed to it being the final thing wrong with the article) you state that prohibition of interference with communications will in some way restrict your ability to communicate... I fail to see how you draw this conclusion and you offer zero evidence to support it.  If you are assuming that service providers will refuse to provide communications services to people who refuse to consent to further processing of their communications data - that too would be illegal under the same Regulation, so becomes a moot point.
  • comment Alexander Hanff • Nov 17, 2017
    Karima Saini, further legal bases under Art. 6 of GDPR are expressly prohibited in the draft ePR - in most cases the only legal basis is consent (with a few exemptions based on necessity to provide the service) and legitimate interest is not currently (and is unlikely to ever be) included in the ePR.  Furthermore, ePR is not about personal data (although often involves personal data) - GDPR addresses personal data, ePR is about Privacy of Communications as per Article 7 of the EU Charter (GDPR deals with Article 8).