Greetings from Brussels!
It doesn’t look like it's going to get easier for privacy pros just yet. There's been much discussion this week about the ePrivacy Directive as Europe looks to tighten the regulatory grip on online services companies, with the aim of safeguarding users’ privacy. A major overhaul of EU rules on telecoms is expected, with draft proposals to be presented sometime in September.
The European Commission, through its review, is stating that so-called "over-the-top" (often shortened to OTT) service providers — such as Skype, FaceTime and WhatsApp — that use existing telecom and internet infrastructure to provide their services should be regulated in a similar fashion to those more traditional services that they are rapidly replacing; think SMS text and traditional voice calling. In the future, these providers will likely be expected to abide by the current regime of security and confidentiality provisions in place for traditional communications providers, if the reported commission recommendations come into effect. This would mean in practice that OTTs would be made subject to obligations around interception and the processing of data traffic.
The existing EU rules also allow national governments to restrict the right to confidentiality for national security and law-enforcement purposes. Many tech companies, such as Facebook and Google, already offer end-to-end encryption on their messaging and email services. They argue there is no need to extend the telecoms rules to web services and that the EU should not dictate how they protect their users’ communications. In response to the EC’s public consultation on the ePrivacy reform, Facebook, which uses full-scale encryption on WhatsApp, argues an interesting point. By extending the rules to online messaging, in effect the company holds that it would no longer be able to guarantee the security and confidentiality of communication through encryption, as governments would have the option of restriction in the interests of national security or for law enforcement needs. The question is: Would extending the Directive in this sense not have the opposite effect of undermining the user privacy it proposes to protect? It is still early days regarding the overhaul, however, and the European Commission has yet to determine what confidentiality obligations will be proposed for web firms.
Jan Philipp Albrecht MEP, and relentless campaigner for data privacy, said: “It was obvious that there needs to be an adjustment to the reality of today. We see telecoms providers being replaced and those companies who seek to replace them need to be treated in the same way.” Albrecht went on to say that one of his priorities is tough new rules on encryption. The Edward Snowden revelations have made it clear that “every communication needs to be end-to-end encrypted.” The EDPS position is similar, as I highlighted in my Notes of 29 July.
In many respects, this latest debate only goes further to highlight the clear case of opposing culture in what concerns regulating the internet; there is a divergence between the U.S. and Europe on this matter. Simply put, in the U.S., the fundamental right to freedom of speech matters most, governing a more liberal approach to legislation; whereas Europe seems to be increasingly embracing and protecting the right to privacy. Ironically, while Europe tightens its privacy legislation, the impact is largely felt by a predominance of U.S. companies. The messaging technology sector, generally seen as a saturated market, is dominated by U.S. entities, with little chance of a European entrant disrupting any of the big players. Of the 10 biggest messaging services by number of users, just one brand, Skype, was founded in Europe, and now it is owned by Microsoft. One could reasonably argue that while Europe might have failed to penetrate this sector, the EU seems determined to claim a stake in its regulatory arena.
A final draft of proposals for the new ePrivacy Directive is expected by the end of the year before it goes to the European Parliament. In the meantime, you can expect extensive debate among the Member States, as well as a concerted lobbying effort on the part of both the telecoms and OTT players, both in Brussels and capital cities across Europe. Where the line will be drawn at the end of the day is anyone’s guess.