On June 21, MEP Marju Lauristin, rapporteur of the new European ePrivacy Regulation, presented her draft report and sought feedback from fellow MEPs on how to update communications rules for 500 million Europeans. The current laws date back to 2002, predating most of the messaging tools now commonly used, so a revamp is long overdue. 

During the debate, major sticking points seemed to be the draft's provisions on consent, allowances for security exemptions and whether the draft aligns with the European Charter of Human Rights. 

One of the core tenets of the new proposal is that so-called over-the-top services, such as Skype and WhatsApp, should be subject to the same rules as traditional telephony. The plan would also outlaw backdoors into encrypted messaging, putting it on a collision course with many national security agencies.

“The starting point given by the European Commission was very good,” Lauristin said. “But in our discus, ions we also tried to look at the issues that are still controversial, in particular the relationship between ePrivacy and GDPR.”

In an effort to clarify the difference between the ePrivacy Regulation and the GDPR, Lauristin said, “It is important to remember that GDPR is really based on Article 8 of the Charter of Fundamental Rights — the protection of the data. While ePrivacy is based on Article 7 — the confidentiality of private life.

“When we look at private life, there cannot be general legitimate interest for intrusion in private life,” she continued.

“It is clear that the need to have this regulation is created by technological changes. The [current] directive doesn’t cover new communications, media convergence, social media or machine-to-machine communication. That’s really a great challenge. Our work on GDPR has created a very strong frame, and ePrivacy is, in its own area, completing and complementing GDPR,” she said.

But it’s machine-to-machine communication and the definition of “ancillary services” that deserve attention now, Lauristin said. 

She proposes to include machine-to-machine communication “only when it relates to a person.” The question of “when is a communication service not a communication service?” remains open. Services like Facebook Messenger may be more clear cut than online gaming, for example, which allows messages between players, or dating app Tinder, which also has a communications element. 

“Dutch MEP Sophie In’t Veld was not impressed with Dalton’s arguments: 'Everything he said, but the opposite.'”

Shadow rapporteur for the EPP group Michal Boni agreed with Lauristin that the proposal “is to enhance communications and that it pertains more to private life than data,” but said he “will be looking to strengthen exemption for security.” Article 11 of the proposed ePrivacy Regulation includes a carve out for national authorities to demand access to private communications in the interest of national security. However, the European Court of Justice struck down blanket data retention laws on the grounds that they were indiscriminate.  

Boni highlighted the need for definitions to be aligned not just with the GDPR but also with the Electronic Communications Code. “We have to strive for consistency so we do not create any contradictions. I have many concerns related to machine-to-machine. There is no synergy with the Commission proposal.”

On the role of browsers and cookies, Boni said not all third-party cookies are malicious.

“I believe we should focus on their use. Users must be informed so they can make an informed choice. At the same time, we must create incentives and a balance between informed, aware users and engaged companies. I am certain that we can allow innovation while providing safeguards,” he concluded.

“The idea of a new protective wall in the form or a means of granting consent, I don’t think that is the right way to go.” — MEP Axel Voss

British MEP Daniel Dalton, however, was much less supportive.

“I have real concerns with this, initially with the Commission proposal, and with the draft report I am even more concerned. For businesses, consumers and citizens. First of all, the time frame: We just agreed on the GDPR, but I think we should wait and see what the problems are with its implementation,” he said.

Dalton took issue with consent as a grounds for data protection. He said Article 8 of the Charter of Fundamental Rights offers an alternative to consent, namely any “other legitimate basis laid down by law.” “I think browser as gatekeeper is the wrong choice. Demanding consent every six months will just lead to ‘consent fatigue,’ and people will simply agree to everything,” he continued.

The British MEP also said that machine-to-machine communications should not be within the scope of the regulation.

Responding to Dalton’s claim that consent in browser settings was the wrong approach, MEP Jan Phillip Albrecht countered: “Is there a better one? I think that it is certainly better than the cookies banners, but if someone has a better idea, I would be happy to discuss it.”

Like Dalton, MEP Axel Voss, from the JURI (legal affairs committee in the European Parliament), is also opposed to relying on consent.

“The idea of a new protective wall in the form or a means of granting consent, I don’t think that is the right way to go. This focus on consent is perhaps the opposite of what we are trying to achieve. I think that it is misguided to rely on consent,” he said. “I also fail to understand Article 13; consent is required, and then further processing requires further consent. People are not going to make the distinctions. They will get fed up asking for consent over and over again and will just open their whole lives to everything. You can have a right of revision, a right of redress, you don’t always have to go for consent.”

In response, Lauristin said, “When it comes to concrete problems, I only have to stress to Mr. Dalton that we have political differences, [and to Mr. Voss] in this committee we don’t say business first and fundamental rights second.”

Dalton warned that the proposal as it stands will “break the internet” because it will no longer be funded by adverts.

Dutch MEP Sophie In’t Veld was not impressed with Dalton’s arguments: “Everything he said, but the opposite.” 

She continued, “We are talking about people. People who need to be protected. Dalton’s argument is stale and like a broken record. The internet is alive and well and kicking. Most of our citizens are concerned because they like to use the internet and services and communicate. When we did the previous version of the regulation, the iPhone wasn’t even invented,” she pointed out.

In’t Veld backed up Boni’s comments about Article 11 security exemptions.

“I don’t see why there is a change. I see no reason why we should further widen the already wide ability for member states to conduct mass surveillance. It is outside the scope of the reform, which is technological,” she said.

German MEP Cornelia Ernst was also unenthusiastic about Article 11: “We have always resisted this sort of data retention,” she said.

Albrecht, the man behind the GDPR, was keen to clarify the line between the two laws: “It is very important to understand that this is lex specialis to the GDPR. The GDPR applies to all cases, and only in ePrivacy if there is a specialist case. Nonetheless I think it would be good to get a bit more clarification about when the GDPR applies. Everyone seems to be struggling to understand what the exact relationship is, and perhaps we should ask the legal services even now to look into this.

“Politically, it has to be clear to the outside communications that we are not diminishing the existing rights of EU citizens online. We see more and more that people are subject to tracking — and not just online, but when they use apps and phones. In the future, with machine-to-machine, their cars will be tracking them. Maybe even their jackets will be tracking them. When they go through the doors of a shop, they are tracking them. So how can we protect their rights?” he asked.

Finally, Voss asked, “What is it we want? We want to create a digital single market, kick-start the economy, and support SMEs.

“At the same time, we have fundamental rights Articles 7 and 8. So we start with this great objective and then throw it all out because everything is so dangerous to fundamental rights,” he said, before comparing his fellow legislators to Iran's religious leaders “who make rules despite ignorance of the world outside!”

Lauristin reminded MEPs that as they are working on a very tight timeline; the deadline for amendments is July 10. She also agreed with Albrecht to ask the Parliament’s legal service for an assessment on lex specialis.

photo credit: European Parliament EU budget: MEPs want more flexibility and policy debate via photopin (license)