While the work of privacy can sometimes get caught up in the details of privacy impact assessments and subject access requests, at the IAPP's Global Privacy Summit Wednesday, keynote speaker German MEP Birgit Sippel made it clear the stakes are high indeed. Privacy is vital, she said, for the preservation of human rights and dignity and protecting democracy in the 21st century.

It is her goal as EU Parliament rapporteur for the ePrivacy Regulation, she emphasized, to create the highest standard of data protection, one that sees both human dignity and innovation flourish. 

"It should be self-evident that you are in control of your digital life, but sad news, you’re not," Sippel said to a crowd of 3,500 privacy pros in Washington, D.C. Tech has advanced faster than laws “to the very benefit of businesses but to detriment of citizens whose rights are much too often considered as an obstacle," she argued, citing the recent Facebook-Cambridge Analytica news as evidence. 

In fact, Sippel said, the ePrivacy Regulation, which reforms a set of communication privacy rules most recently refreshed in 2009, is really about freedom. 

One regulatory vacuum ePrivacy aims to address is that involving so-called ancillary services. Sippel used Tinder as an example, the dating app boasting 50 million users. It's that kind of service in which "huge privacy risks" exist, Sippel said. The conversations on such an app "will be very sensitive, and users will not understand their communications should not be protected simply because of a differentiation between 'first' and 'secondary' purpose." Rather, electronic communications should be treated just like a paper letter would be, kept confidential and protected against any form of interference, she said. 

Using the same Tinder example, Sippel illustrated the way ePrivacy makes rules around consent, which has been sort of a "legal gray zone" to date, more explicit as a legal basis for data processing. 

"For me, it should be very clear that it’s the user, using a service, who should be the one deciding, if how and for what purpose his data are processed," Sippel said. Online behavioral tracking will become completely illegal should the Parliament draft of the ePrivacy Regulation become law, she added, because consent has to be freely given, specific and informed. "Can we really consider simply online browsing as freely given, specific and informed consent? I don't think so. ... Access to a service should not depend on agreeing to surveillance measures." 

Online behavioral tracking will become completely illegal should the Parliament draft of the ePrivacy Regulation become law, she added, because consent has to be freely given, specific and informed. 

An additional challenge will be figuring out how to notify consumers that their data is being collected without contributing to "consent fatigue." And she was quick to mention that giving more importance to consent "doesn't mean we leave it up to the user to prevent against unwanted tracking." Rather, the ePrivacy Regulation, in coordination with the GDPR, calls for privacy by design and default. 

"What happens if you want to go online? Most of us will either access browsers or an app," she said. "Already today you can tell your browser you don’t want to be tracked. But many citizens do not really know about it, and it’s not done by default. It needs some work and knowledge to organize that."

Also in need of some work is clarity around the "legitimate interest" provision as a grounds for data processing under the GDPR, Sippel said. It cannot be used for sensitive data, and for Sippel, she said, communications data is highly sensitive. The GDPR offers little guidance on how to determine which interests are legitimate; so who is it that should determine how it's defined?

"Businesses are telling me there is a strict internal assessment before using legitimate interest to avoid high fines," she said. "Sounds good. Funny enough, sometimes these are the very same businesses telling me, oh, we don’t have the manpower to implement both GDPR and ePrivacy rules in a timely manner." 

Sippel appealed to privacy pros in the room to play an active role in helping ePrivacy come to fruition, which she's impatient to have pass soon, given the EU plan was to have the ePrivacy Regulation and the GDPR come into force simultaneously. 

"We need to offer practical solutions for today and to protect people online," she said. "So if we get this reform of ePrivacy right, I’m sure we can make a meaningful contribution to a digital market where innovation flourishes. Not despite but because we understood human dignity shall be inviolable, including when you pick up your phone or start your computer. There are already serious concerns that so-called smart living will be the end of self-determination. Let’s not let this happen. I will too do my part, but together ... we can contribute to setting a high global standard for respect of fundamental rights online, and that’s respect for every single individual for freedom and democracy. I hope for your support."