The battle lines for Europe’s new ePrivacy Regulation have been drawn, as the European Commission presented its formal proposals on Tuesday.
Alongside other communications on the data economy, data protection rules for the EU institutions, and a consultation (expect more on this in this week’s IAPP Europe Data Protection Digest), Commission Vice President Andrus Ansip and Commissioner Věra Jourová unveiled their plans for data protection in the realm of electronic communications.
A leak of an early draft of the regulation, reported by The Privacy Advisor in December, means that few of the proposals will come as a surprise.
Expanded scope
As expected, the new regulation (an update of the current ePrivacy Directive) will be extended to apply to any company processing data in connection with communications services, not just traditional telco providers; that means so-called over-the-top service providers (often referred to as "OTT"), even those where communication is only an ancillary feature, such as dating apps or review sites.
This has prompted concern from Computer & Communications Industry Association Vice President James Waterworth: “Today’s proposal applies to all services that have a communications element meaning dating apps, video game services, travel and ecommerce sites, dramatically enlarging the range of services covered. This proposal will need work to ensure it delivers on the promise of strong and clear protections, instead of coming at the cost of free, innovative online services. Unfortunately it risks incoherence and confusion with the General Data Protection Regulation requiring one approach to safeguarding privacy and ePrivacy another,” he said.
The type of data covered is likewise extended to include machine-to-machine communications in order to regulate the Internet of Things. The current ePrivacy Directive broadly focuses on the processing of personal data, but the new regulation will go much further. “The emphasis on consent for access to device data is going to require much creativity from everyone,” Eduardo Ustaran, CIPP/E, a partner at Hogan Lovells, told The Privacy Advisor.
“This framework has been drafted with the Internet of Things and its users’ privacy in mind. There are two sides to the regulation: one that looks at the providers of communications services and another at businesses that rely on digital means to interact with customers. So everyone under the sun, really!” Ustaran added.
The telco industry has long called for OTT and web service providers to be subject to the same rules as the telcos themselves, so you would think it would welcome the proposals. Not so.
The European Telecommunications Network Operators association and GSMA Europe said that although they “recognise the European Commission’s goal to protect the confidentiality of electronic communications and establish a harmonised framework for electronic communications data,” they fear that when combined with the GDPR, the new ePrivacy rules could result in “unfair double regulation” of their sector.
“While we embrace the need to fully protect consumers, we believe that the General Data Protection Regulation already provides a technologically-neutral and future-oriented framework to this end,” said the groups, noting in particular the permission to further process data “when compatible with the initial purpose for which the data was collected, when an impact assessment has been performed and if appropriate safeguards apply.”
“In this way we can, for example, perform big data analytics in the interest of customers or for public purposes,” they added.
Metadata
But they may have something to cheer in the proposals on the processing of metadata, which is not subject to as stringent protections as content. “The processing of electronic communications data can be useful for businesses, consumers and society as a whole. Vis-à-vis Directive 2002/58/EC [the current ePrivacy Directive] this Regulation broadens the possibilities for providers of electronic communications services to process electronic communications metadata, based on end-users’ consent,” reads the Commission draft.
“Location data that is generated other than in the context of providing electronic communications services should not be considered as metadata. Examples of commercial usages of electronic communications metadata by providers of electronic communications services may include the provision of heatmaps; a graphical representation of data using colors to indicate the presence of individuals,” continues the proposal.
Afke Schaart, vice-president Europe at GSMA, said: “Just like the Commission, we consider it is fundamental to create a privacy framework that enhances consumer trust in the context of electronic communications. However, we must ensure that the detailed requirements, such as the limited lawful grounds for processing, do not inadvertently frustrate use of metadata that is both innovative and sensitive to privacy concerns.”
Cookies
In its document the Commission also admits it got the previous law wrong on cookies. “We have tried to overcome banner-fatigue,” said a Commission representative.
“In terms of effectiveness and efficiency, the REFIT evaluation found that the Directive has not fully met its objectives. The evaluation further showed that some provisions have created an unnecessary burden on businesses and consumers. For example, the consent rule to protect the confidentiality of terminal equipment failed to reach its objectives as end-users face requests to accept tracking cookies without understanding their meaning and, in some cases, are even exposed to cookies being set without their consent.
“The consent rule is over-inclusive, as it also covers non-privacy intrusive practices, and under-inclusive, as it does not clearly cover some tracking techniques (e.g. device fingerprinting) which may not entail access/storage in the device,” reads the Commission document.
This means that fingerprinting, spyware and other tracking practices will henceforth also require explicit consent.
To get around the problem of cookie-consent fatigue, the Commission proposes that web browser settings be taken as consent.
“Web browsers mediate much of what occurs between the end-user and the website. From this perspective, they are in a privileged position to play an active role to help the end-user to control the flow of information to and from the terminal equipment. More particularly web browsers may be used as gatekeepers, thus helping end-users to prevent information from their terminal equipment (for example smart phone, tablet or computer) from being accessed or stored,” reads the Commission document.
“By centralising the consent in software such as internet browsers, a significant proportion of businesses would be able to do away with cookie banners and notices,” it added.
“It may become more difficult for online targeted advertisers to obtain consent if a large proportion of users opt for 'reject third-party cookies' settings,” reads the document, which instead proposes a range of options from “accept all” to “reject all.” Yet, despite touting the proposals as “privacy by design,” the draft would not require web browsers to have “reject all cookies” set as the default.
A Commission representative told The Privacy Advisor that a “reject all cookies” default was not the correct approach “because there can be value added services given to consumers to improve their use of the internet” via cookies.
Monique Goyens, Director-General of the European Consumer Organisation, commented: “This reform is the opportunity to confront the widespread problem of online tracking. Consumers must have an alternative to being under 24/7 commercial surveillance when using digital services. When 89 percent of respondents to a recent EU survey say they want their browser to protect their communication by default, then the EU should heed their call. Smart devices and apps should not track consumers’ behaviour by default.”
These proposals will of course have to get the thumbs up from the European Parliament. Jan Philipp Albrecht, the MEP in charge of steering through the GDPR last year, welcomed the move to include OTT providers such as Skype and WhatsApp, but said, “the rules around tracking user activity are completely back to front. Service providers should require the explicit consent of users if they want to track their activity; under these proposals, they would be able to assume consent unless the user says otherwise.
“The default service should always be the most data protection-friendly, as stipulated by the existing data protection regulation. We know that intelligence agencies are applying blanket data collection and service providers should respond by doing everything technically possible to secure the fundamental right of privacy. We expect the European Parliament and Council to bring forward the changes needed to make sure this promising package truly delivers for users.”
Former Commissioner, and now MEP, Viviane Reding agreed with Albrecht: “I welcome today’s proposal to strengthen the right to privacy in electronic communications. The choice of a regulation over a directive lowers compliance costs for businesses and increases protection for end-users in all Member States. I also salute the extension of the scope to over-the-top services. The key red line is that this legislation must be fully aligned with the General Data Protection Regulation. The use of the same definitions and the reference to the principle of ‘Privacy by Design’ are therefore steps in the right direction. Our new framework is a state-of-the-art data protection legislation that is stoking global admiration and must be complemented by this new initiative, not diluted.”
“The European Commission has resisted the most extreme demands from certain parts of industry,” said Joe McNamee, executive director of European Digital Rights. “However, to promote trust, privacy and innovation, the proposal still needs significant improvement.”
Some confusion spawned by the December leak has already been cleared up. On the question of withdrawal of consent, users must be reminded of this possibility every six months. Fines are likewise tough: up to €20 million or 4 percent of worldwide annual turnover.
But expect much debate over definitions and technicalities in the coming months.