In January, the European Commission presented its draft of the new ePrivacy Regulation. The regulation will replace the e-Privacy Directive, adopted in 2002 and revised in 2009. The regulation has been met with resistance from industry lobbyists who argue that the General Data Protection Regulation should be sufficient. However, the commission points out that although the GDPR covers many issues related to data protection, it does not specifically cover the right to confidentiality of communications and the right to freedom of expression, Articles 7 and 8 of the European Charter of Fundamental Rights, respectively.
On April 11, the European Parliament’s civil liberties committee held its first major hearing on the topic, bringing together representatives from the commission, industry, civil society, data protection authorities and academia.
Despina Spanou, Director of DG CONNECT at the European Commission explained, “There is of course a very obvious link with the GDPR, but the scope of the ePrivacy regulation is different. We want to protect not just natural persons, but also legal entities, and we are also trying to take into account new technologies.”
She added that there must be sufficient safeguards so that data can flow. Another commission objective is the creation of a level playing field. “Technology has evolved so that people no longer use traditional means of communication," she continued. “There are people who only use the internet, and these services are comparable to traditional telecommunications but are not subject to the current rules.”
The method proposed by the commission to ensure user consent is to rely on browser settings. Spanou said the commission considered this to be the fairest way of ascertaining user preferences. Referring to enforcement, she explained it would be carried out by the same authorities that enforce the GDPR.
One of those enforcers, European Data Protection Supervisor Giovanni Buttarelli, welcomed this idea, saying the plan to grant the enforcement powers to data protection authorities (including the soon-to-be-formed European Data Protection Board) will contribute to “more consistent and effective enforcement.
“We need a specific tool to protect the right to a private life guaranteed by Article 7 of the charter. I welcome and support the commission proposal that aims to do just that. I also welcome the choice to use the instrument of a regulation that will guarantee a greater level of consistency and to make it apply to a broader range of services and providers, including so-called OTT (over the top) providers,” said Buttarelli.
However, he continued: “Most of the definitions on which these laws rely will be set out in the Electronic Communications Code, and most of these definitions are not suitable in the fundamental rights context of the ePrivacy Regulation.” Buttarelli also raised concerns about further processing and cookie walls, and he conceded, “the complexity of the proposals is daunting,” He questioned whether metadata should be subject to a different level of protection, but did not elaborate. The formal EDPS opinion is due after the Easter holiday.
Frederik Borgesius, from the Institute for Information Law at the University of Amsterdam, presented the results of a study commissioned by the Policy Department for Citizens’ Rights and Constitutional Affairs. For Borgesius, the biggest problem with the current proposals is Article 8, which would allow WiFi and Bluetooth tracking so long as companies put up a sign notifying people they can be tracked in a particular space. “Wifi and Bluetooth tracking should only be allowed by proper informed consent,” he said. Or, if necessary for crowd management, data should be immediately anonymized and aggregated. Referring to Article 10 of the draft, he said that with regard to “browser privacy settings, a more technology-neutral idea that should be explored is whether tracking companies should be required to comply with similar standards.” He added that ISPs should have stricter privacy constraints than WhatsApp or Gmail “because they can see everything you do” and that additional protection is needed for IoT devices that listen or film in consumers' homes.
He also addressed the commission’s proposal that browsers should require users to choose their preferred privacy settings before running, but said that “privacy by default is stronger protection than choice by default.”
Antonio Muñoz Marcos, Senior Advisor Consumer Big Data at Telefónica, argued that the biggest problem with the ePrivacy proposal for business is that the same data could fall under different ePrivacy or GDPR rules depending on where it is in the value chain, and added that “some metadata processing activities will have little or no impact on privacy,” at all.
Raoul Grünthal, CEO of Swedish publisher Schibsted Sverige, claimed the ePrivacy Regulation threatens the free press in Europe. “Only 20 percent of our revenue is generated from user payment, the rest is from ads,” he explained. “Today a major part of advertising revenue goes to the global players. Their strong position is linked to their access to data. Publishers, unlike the big players, must work with third parties. The global players can do everything in house. What will happen in practice is that this proposal will favor the big global players."
He also argued that “browsers should not be the gatekeepers to the internet.”
Representing civil society, Fanny Hidvégi, from digital rights NGO Access Now, agreed with Buttarelli’s point that the Electronic Communications Code should not provide the definitions for ePrivacy. “Users care about privacy, but they do not care about the different labels and rules that Brussels gives out,” she said. Fundamentally, the regulation should address the asymmetry between users and providers, said Hidvégi. She also warned the Commission not to follow U.S. President Donald Trump's administration on FCC broadband privacy rules.
Ilias Chantzos, senior director of Symantec’s Government Affairs program for Europe, focussed on the internet of things and machine-to-machine communication, pointing out that “internet access has become more and more independent of browsers.” He warned against any moves to weaken encryption and said that machine-to-machine confidentiality is absolutely necessary.
Guillermo Beltrà, of consumer organization BEUC, said the data on your phone, however, probably reveals more about you than what is in your home. WiFi tracking notwithstanding, he was broadly positive about the proposal saying it could serve as “a world-class trust enhancing mechanism.” He said the outcome should avoid bombarding users for consent, but that should not act as a “loophole” against gaining that consent.
By contrast, Benjamin Strahs, software engineer at Facebook, argued that the draft threatens big data and artificial intelligence development with an over-reliance on consent. He highlighted a Facebook product that reads descriptions of images for blind people and claimed that such a tool would be hampered by the ePrivacy Regulation because it requires data processing.
Closing the hearing, Lauristin pointed out that no one had mentioned children. Interestingly, there was likewise no mention that the the provisions on collective legal action (the equivalent of U.S. class actions) in an early draft were deleted from the current text.
photo credit: Brussels-20 via photopin (license)