The EU General Data Protection Regulation has been a front-and-center issue for privacy pros and businesses for some time now, but major regulatory issues appear to be just getting started. That was made clear Thursday at the IAPP Europe Data Protection Congress by German MEP Birgit Sippel during her first public speech as the European Parliament's Special Rapporteur for the proposed ePrivacy Regulation.
"Would you allow a stranger to go into your bedroom or look through your drawers without your permission?" she asked. "No, you probably wouldn't." The same concept, she added, should apply to the online world.
With former MEP and Special Rapporteur Marju Lauristin winning an election for her local council in Estonia, Sippel now takes the reins of what has already become a heated and controversial proposed regulation of the telecommunications industry. And Sippel did not mince words during today's sold-out event.
"What we are aiming at is to abolish surveillance-driven advertising," Sippel announced.
For Sippel, the ePrivacy Regulation touches upon the fundamental issues involved in human communications. In addition to personal privacy, communications touch upon other fundamental human rights, including those of religion, assembly, and expression.
"Of course, it's not enough to have a nice sentence in the Charter [of Fundamental Human Rights]. It has to be implemented in legislation," she said.
No doubt, this is not a sentiment shared by the advertising industry or by other companies potentially affected by a strong e-communications law, such as those considered in the so-called OTT (over-the-top) space. Sippel clearly wants OTT providers, including services such as messaging and dating apps, to be covered by the ePrivacy Regulation.
"Some of us may send an SMS text, while others may use a service like WhatsApp. One is covered by the current ePrivacy Directive, while the other is not. Consumers need the same protections for both," Sippel argued. But she did not stop there.
"I consider it important that machine-to-machine communications also be covered, and as the internet of things continues to gain momentum, we have to find a way to protect the communications data here, too."
Sippel argues that all ancillary services should be covered and such protections should not only include the content of communications data, but the metadata itself. For Sippel, this should all be considered sensitive information. And it's the user of the data who should decide how and why his or her data is processed.
She also addressed the two main arguments that have been leveled against such strong regulation: so-called consent fatigue and media pluralism. "A lot of businesses are telling us they are afraid of a situation where consumers simply consent to everything," Sippel said. Going back to her original question, Sippel added, "You would not want somebody to go in your house to read your letters, let alone a second, third, or fourth time."
Her proposal? Sippel says businesses are innovative and should be able to create ways of obtaining meaningful consent without causing consumer fatigue.
And her call to abolish what she calls surveillance-driven advertising? Sippel looks at cookies. Pointing to the IAPP's cookie consent banner, which collects information on IP addresses, region, browser type, and operating systems, all of which is currently legal, Sippel argues cookie banners and the collection of browsing history don't actually offer real consumer choice. She also brushed aside industry arguments that such bans on tracking would lead to worse online content.
Sippel also supports a ban on public WiFi tracking. "Legitimate interests are legal grounds for tracking under the GDPR," she pointed out, "but that cannot include sensitive data. For me, communications data is sensitive data - and not just the content, it's the metadata, too." Sippel says WiFi tracking needs the consent of the user first.
Businesses should not be the ones who define what legitimate interests are, Sippel said. "Businesses conduct intense privacy impact assessments to avoid high fines, but, funnily enough, those same businesses tell us they don't have the manpower or the womanpower to implement rules in the GDPR in a timely manner. But they want us to trust them that their processing is legitimate? I'm not convinced."
Sippel's approach is clearly citizen-centric. "We have to put the user into the very heart of the lawmaking process," she argued. "We need privacy by design and default." To do so, Sippel says that consumers should be able to have informed choice, even if they're not technologically savvy enough to understand Do Not Track or other such opt-outs.
"Everyone should be able to use services in a privacy-friendly way regardless of their knowledge of technology. And yes," she conceded, "they should be able to turn off DNT, but they need the choice." Simply informing consumers is also not enough, Sippel argues.
She also pushed back on the idea of exceptions to confidentiality, calling them "grotesque." "While public security might be a legitimate reason to restrict confidentiality," she noted, financial exceptions or methods to accomplish business objectives "are too broad and not good enough to restrict confidentiality. This is a no-go for Parliament."
Part of the solution, she points out, is with privacy pros. "It's your expertise that is needed to flag potential problems. Secondly, you will be tasked to make these a reality on the ground, so you need to know what's behind the rules so you have resources to do the job," she said.
Moving forward, Sippel hopes to start negotiations with the Commission and European Council when Bulgaria takes the presidency in 2018: "Parliament has done its job, now it's up to the Member States."
Sippel finished her talk, stunning for some, on an optimistic note with a call to action, however. "If we get this right, we can make a meaningful contribution to the European marketplace that flourishes because the fundamental right of confidentiality does not stop when we pick up the phone. By harmonizing with the [GDPR], we can achieve a level playing field for both businesses and citizens alike."
If privacy pros thought the GDPR was tough, complexities in the privacy space are clearly just getting started.