What would life be like without smartphones? Hard to imagine in 2017. The European ePrivacy Regulation being debated in the European Parliament might make a difference. A study I prepared for the Centre for Information Policy Leadership shows the flaws of the ePrivacy draft.
When I write short emails, I mostly use my phone. Because my phone is smart, it memorizes the addresses of my contacts. If I want to send a mail to my favorite client, I do not have to type in her address, only a couple of letters. My phone shows me a selection of addresses that match these two letters. I just need to click on my client’s address and press the “send” button.
My phone remembers addresses because it is more than just a typewriter. The information I type in is processed, and addresses are stored and linked to my list of contacts. A simple example of smart technology that makes our lives a bit easier.
Where I see progress, the ePrivacy draft sees high risks. In the ePrivacy draft, the processing of addresses (“electronic communications data”) constitutes an “interference” with communication, comparable to wiretapping or interception. According to the current Parliament draft, the memorizing of addresses will require the consent of “all end-users concerned.”
As we all know, repetitive consent requests can be irritating. Who enjoys being asked time and time again whether he agrees to the use of cookies when visiting a website? If I were asked for consent in the “processing” of my “communications data,” my answer would certainly be “yes, please, and get on with it.”
Unfortunately, the memorizing of addresses would not only require my consent, as I am not the only “end-user concerned.” Undoubtedly, the address that I want to be stored belongs to my client. As she is also “concerned,” she needs to be asked before my phone is allowed to remember her address.
While it is unclear how each and every one of my contacts can be asked for consent and by whom (Do I have to ask? Does my or her provider?), there is also the more fundamental question of whether the consent requirements make any sense. I am afraid the answer is no.
As I have pointed out previously, there are many good reasons not to trust consent when it comes to the protection of privacy:
- Consent is easy. A tick in the box, that is all.
- Consent is uninformed. Who seriously reads the fine print?
- Consent is black and white. Take it or leave it.
- Consent is lazy. Yes or no. It is left to the individual to protect his or her own privacy.
The recently adopted EU General Data Protection Regulation does, therefore, not rely on consent. Instead, there are alternative tests for the lawfulness of data processing: Is the processing necessary for the performance of a contract? Does the controller have “legitimate interests” that require data processing?
While companies worldwide are putting a lot of work and resources into GDPR compliance, ePrivacy is moving the goal post. Under the GDPR, memorizing my contacts would be part of the deal I have with my phone provider. Memorizing is necessary for the provider to fulfill his contractual duties. Therefore, it is lawful under the GDPR. Neither I nor my contacts need to be asked for consent. By requiring consent, the ePrivacy is changing the recently adopted rules of the GDPR.
In my study, I analyze the consequences that the ePrivacy draft would have for technologies ranging from wearables, mobile apps, Wi-Fi hot spots, spam filters, and connected and autonomous cars to browser fingerprinting, Wi-Fi, and Bluetooth tracking and to analytics tools. I am demonstrating that the ePrivacy draft would create a variety of new obstacles for data-driven technologies in Europe. As a result, the development of the digital economy in Europe would be slowed down significantly.
It is not too late: The European Parliament and the EU member states should take a deep breath, revisit the draft, and bring it into line with the GDPR. There is still hope that European phones will be permitted to stay smart.
Photo: From Liu Bolin's "Hiding in the City" series, used with permission.