News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Tracker | European Commission proposes formal ePrivacy Regulation Related reading: EPrivacy leaked draft: The 'good,' the 'bad' and the 'missing'

rss_feed

""

The battle lines for Europe’s new ePrivacy Regulation have been drawn, as the European Commission presented its formal proposals on Tuesday.

Alongside other communications on the data economy, data protection rules for the EU institutions, and a consultation (expect more on this in this week’s IAPP Europe Data Protection Digest), Commission Vice President Andrus Ansip and Commissioner Věra Jourová unveiled their plans for data protection in the realm of electronic communications.

A leak of an early draft of the regulation, reported by The Privacy Advisor in December, means that few of the proposals will come as a surprise.

Expanded scope

As expected, the new regulation (an update of the current ePrivacy Directive) will be extended to apply to any company processing data in connection with communications services, not just traditional telco providers; that means so called over-the-top service providers (often referred to as "OTT"), even those where communications is an ancillary feature, such as dating apps or review sites.

This has prompted concern from Computer & Communications Industry Association Vice President James Waterworth: “Today’s proposal applies to all services that have a communications element meaning dating apps, video game services, travel and ecommerce sites, dramatically enlarging the range of services covered. This proposal will need work to ensure it delivers on the promise of strong and clear protections, instead of coming at the cost of free, innovative online services. Unfortunately it risks incoherence and confusion with the General Data Protection Regulation requiring one approach to safeguarding privacy and ePrivacy another,” he said.

The type of data covered is likewise extended to include machine-to-machine communications in order to regulate the Internet of Things. The current ePrivacy Directive broadly focuses on the processing of personal data, but the new regulation will go much further. “The emphasis on consent for access to device data is going to require much creativity from everyone,” Eduardo Ustaran, CIPP/E, a partner at Hogan Lovells, told The Privacy Advisor.

"This framework has been drafted with the Internet of Things and its users’ privacy in mind." - Eduardo Ustaran

“This framework has been drafted with the Internet of Things and its users’ privacy in mind. There are two sides to the regulation: one that looks at the providers of communications services and another at businesses that rely on digital means to interact with customers. So everyone under the sun, really!” Ustaran added.

The telco industry has long called for OTT and web service providers to be subject to the same rules as it, so you would think it would welcome the proposals. Not so.

The European Telecommunications Network Operators association and GSMA Europe said that although they “recognise the European Commission’s goal to protect the confidentiality of electronic communications and establish a harmonised framework for electronic communications data,” they fear that when combined with the GDPR, the new ePrivacy rules could result in “unfair double regulation” of their sector.

“While we embrace the need to fully protect consumers, we believe that the General Data Protection Regulation already provides a technologically-neutral and future-oriented framework to this end,” said the groups, noting in particular the permission to further process data “when compatible with the initial purpose for which the data was collected, when an impact assessment has been performed and if appropriate safeguards apply.”

“In this way we can, for example, perform big data analytics in the interest of customers or for public purposes,” they added.

Metadata

But they may have something to cheer in the proposals on the processing of metadata, which is not subject to as stringent protections as content. “The processing of electronic communications data can be useful for businesses, consumers and society as a whole. Vis-à-vis Directive 2002/58/EC [the current ePrivacy Directive] this Regulation broadens the possibilities for providers of electronic communications services to process electronic communications metadata, based on end-users’ consent,” reads the Commission draft. 

“Location data that is generated other than in the context of providing electronic communications services should not be considered as metadata. Examples of commercial usages of electronic communications metadata by providers of electronic communications services may include the provision of heatmaps; a graphical representation of data using colors to indicate the presence of individuals,” continues the proposal.

Afke Schaart, vice-president Europe at GSMA, said: “Just like the Commission, we consider it is fundamental to create a privacy framework that enhances consumer trust in the context of electronic communications. However, we must ensure that the detailed requirements, such as the limited lawful grounds for processing, do not inadvertently frustrate use of metadata that is both innovative and sensitive to privacy concerns.”

Cookies

In its document the Commission also admits it got the previous law wrong on cookies. “We have tried to overcome banner-fatigue,” said a Commission representative.

“In terms of effectiveness and efficiency, the REFIT evaluation found that the Directive has not fully met its objectives. The evaluation further showed that some provisions have created an unnecessary burden on businesses and consumers. For example, the consent rule to protect the confidentiality of terminal equipment failed to reach its objectives as end-users face requests to accept tracking cookies without understanding their meaning and, in some cases, are even exposed to cookies being set without their consent.

“The consent rule is over-inclusive, as it also covers non-privacy intrusive practices, and under-inclusive, as it does not clearly cover some tracking techniques (e.g. device fingerprinting) which may not entail access/storage in the device,” reads the Commission document.

This means that fingerprinting, spyware and other tracking practices will henceforth also require explicit consent. 

To get around the problem of cookie-consent fatigue, the Commission proposes that web browser settings be taken as consent.

“Web browsers mediate much of what occurs between the end-user and the website. From this perspective, they are in a privileged position to play an active role to help the end-user to control the flow of information to and from the terminal equipment. More particularly web browsers may be used as gatekeepers, thus helping end-users to prevent information from their terminal equipment (for example smart phone, tablet or computer) from being accessed or stored,” reads the Commission document.

“By centralising the consent in software such as internet browsers, a significant proportion of businesses would be able to do away with cookie banners and notices,” it added.

“It may become more difficult for online targeted advertisers to obtain consent if a large proportion of users opt for 'reject third-party cookies' settings,” reads the document, and instead proposes a range of options from “accept all” to “reject all.” Yet, despite touting the proposals as “privacy by design,” the draft would not require web browsers to have “reject all cookies” set as default.

A Commission representative told The Privacy Advisor that a “reject all cookies” default was not the correct approach “because there can be value added services given to consumers to improve their use of the internet” via cookies.

A Commission representative told The Privacy Advisor that a “reject all cookies” default was not the correct approach “because there can be value added services given to consumers to improve their use of the internet” via cookies.

Monique Goyens, Director-General of the European Consumer Organisation, commented: “This reform is the opportunity to confront the widespread problem of online tracking. Consumers must have an alternative to being under 24/7 commercial surveillance when using digital services. When 89 percent of respondents to a recent EU survey say they want their browser to protect their communication by default, then the EU should heed their call. Smart devices and apps should not track consumers’ behaviour by default.” 

These proposals will of course have to get the thumbs up from the European Parliament. Jan Philipp Albrecht, the MEP in charge of steering through the GDPR last year, welcomed the move to include OTT providers such as Skype and WhatsApp, but said, “the rules around tracking user activity are completely back to front. Service providers should require the explicit consent of users if they want to track their activity; under these proposals, they would be able to assume consent unless the user says otherwise.

“The default service should always be the most data protection-friendly, as stipulated by the existing data protection regulation. We know that intelligence agencies are applying blanket data collection and service providers should respond by doing everything technically possible to secure the fundamental right of privacy. We expect the European Parliament and Council to bring forward the changes needed to make sure this promising package truly delivers for users.” 

Former Commissioner, and now MEP, Viviane Reding agreed with Albrecht: “I welcome today’s proposal to strengthen the right to privacy in electronic communications. The choice of a regulation over a directive lowers compliance costs for businesses and increases protection for end-users in all Member States. I also salute the extension of the scope to over-the-top services. The key red line is that this legislation must be fully aligned with the General Data Protection Regulation. The use of the same definitions and the reference to the principle of ‘Privacy by Design’ are therefore steps in the right direction. Our new framework is a state-of-the-art data protection legislation that is stoking global admiration and must be complemented by this new initiative, not diluted.” 

“The European Commission has resisted the most extreme demands from certain parts of industry,” said Joe McNamee, executive director of European Digital Rights. “However, to promote trust, privacy and innovation, the proposal still needs significant improvement.”

Some confusion spawned by the December leak has already been cleared up. On the question of withdrawal of consent, users must be reminded of this possibility every six months. Fines are likewise tough: up to €20 million or 4 percent of worldwide annual turnover.

But expect much debate over definitions and technicalities in the coming months.

Author
Headshot Jennifer Baker Nonmember Contributor
Tags
Marketing/Retail
Telecommunications
Europe
Big Data
Internet of Things
Privacy Law
Comments

If you want to comment on this post, you need to login.

Related Stories
Next on the EU agenda? The ePrivacy Directive
Now that the General Data Protection Regulation has passed, the EU privacy regime will be uniform once it comes into force, right? Well, not unless the ePrivacy Directive gets a refresh. Otherwise, reported panelists at the IAPP Data Protection Intensive here in London, privacy law in the EU will b...
Read More queue Save This
Catching up with Max Schrems
2
Max Schrems, the man infamous for taking down Safe Harbor, says he’s also confident he’ll win his case against Facebook on standard contractual clauses. Jennifer Baker catches up with Schrems to discuss the case, as well as what he thinks about the GDPR and the Privacy Shield, and why he thinks data...
Read More queue Save This
EU Commission aims to ban forced data localization
After a year of turmoil following the abolition of Safe Harbor, and the controversial birthing of its replacement, Privacy Shield, the European Commission now looks more determined than ever to keep EU-U.S. data flows going at any cost. Commission Vice President Andrus Ansip is due to present a dra...
Read More queue Save This
For data transfers, uncertainty is the only certainty
2
Great uncertainty has followed the judgment of the EU’s Court of Justice in Schrems, in which the CJEU held that the EU Commission’s Safe Harbor Decision was invalid. That decision had enabled the easy transfer of personal data from the EU to the U.S.; its invalidity has thrown all such transfer mec...
Read More queue Save This
Related Stories
Tags
Marketing/Retail
Telecommunications
Europe
Big Data
Internet of Things
Privacy Law
Recent Comments