LIBE Hearing on ePrivacy

On April 11, the LIBE Committee held a hearing on the Commission’s proposal for an ePrivacy regulation. 

By Astrid Van Hecke

13 Apr 2017

Claude Moraes (S&D, UK) explained that the Commission proposal was published in January 2017. The regulation repeals the current ePrivacy directive which provides for the rules guaranteeing the rights of privacy in the electronic communications sector. The regulation updates the current rules to align them with the new General Data Protection Regulation (GDPR) and takes into account recent case law of the ECJ. The rules of the ePrivacy regulation should not lower the level of protection of the GDPR.

Institutional aspects – The proposed regulation on the ePrivacy

Despina Spanou, Director, DG CNECT, started off by explaining that she used to have the consumer portfolio in the Commission. A part of that portfolio was taken over by data protection issues. She referred to the G20 meeting where it was agreed to take consumer protection issues into account. This happened at a summit where data protection figured among the top 10 of important issues. At the summit, Europe was seen as the leading example. Traffic data can provide an intrusive picture of persons’ whereabouts, she said. She explained that the proposal also wants to protect legal entities, and not only natural persons. This should be the key enabler for freedom of speech and the free flow of information. There is an important link with the GDPR. The scope of the ePrivacy directive is different from the GDPR, which is referring to article 8 of the Charter of Fundamental Rights, while the directive refers to article 7 of the Charter of Fundamental Rights.

We need a high level of protection when it comes to confidentialities, she said. The purpose is to consider technological developments. The consent rules to communication data should also apply to third parties. It also reflects the work that has already been done in terms of the cookies. Consent needs to be given in full awareness. The Commission proposed two remedies: first, an obligation for internet browsers to offer the option to prevent third parties from storing and using the information. Second, a requirement for internet browsers to allow people to easily select the privacy settings they are offered. In addition, the Commission wants to create a level playing field while supporting innovation. There has to be a legal framework for new models that come onto the market. They also want to ensure consistency with the GDPR and the European Electronic Communications Code and align the way in which the rules are enforced. She explained that they have had discussions at the level of the Council Working Group and she hopes the first reading will be finished under the Maltese Presidency and advance fast under the Estonian Presidency. She mentioned the adoption of the Article 29 Working Party opinion and said that the European Data Protection Supervisor will deliver an opinion after the Easter holidays.

Giovanni Buttarelli, European Data Protection Supervisor, started off by stating that the GDPR is one of the greatest achievements in the current legislative term. Confidentiality of communications is essential. He welcomes the proposal and supports the choice of a regulation. He also welcomes the ambition of the proposal to provide a higher protection level in terms of content and metadata. The EDPS considers that the proposal to grant enforcement powers to data protection authorities, especially the availability of the mechanism in the future data protection board, will contribute to a more consistent and effective enforcement. There are concerns whether the proposal can deliver on its promise to ensure a high level of protection. The complexity of the rules is daunting. This complexity may bring about gaps in protection. Most of the definitions on which the proposal relies will be negotiated and decided in a different context: the European electronic communications code. He argued that the communications and market-focused definitions for the code are not fit for purpose in the fundamental rights context. They need to pay attention to the questions of further electronic processing other than by the e-communications provider. He stated that they will not achieve the ambition without strong requirements for privacy by design and by default. They should at least match those of the GDPR. They will provide coherent suggestions on how to solve the most pressing issues by focusing on areas where there are serious concerns. It is essential to apply the rules to all EU bodies. The result will be transferred to that framework.

Frederik Zuiderveen Borgesius, Institute for Information Law, University of Amsterdam, presented the preliminary findings of the study on “An assessment of the Commission’s proposal on privacy and Electronic Communications”, commissioned by the Policy Department for Citizens’ Rights and Constitutional Affairs. He referred to Wi-Fi tracking and article 8. This article could be interpreted as follows: it is permissible to follow people without consent if they walk in a street as long as a sign is put up that says: if you walk here you will be tracked. He suggested a two-part rule instead: Wi-Fi and Bluetooth should be allowed after consent has been given. Article 10 says that browsers should give people the choice regarding tracking cookies. He preferred the earlier version, which he believes is better, according to which the browser should have privacy-friendly default settings. A more technologically neutral option should require tracking companies to comply with the Do Not Track standard. Browsers should have privacy-friendly default settings. In terms of cookies, he said that the easy solution would be to ban tracking walls. However, one could be more nuanced and define certain circumstances where these walls are not allowed, such as tax-funded websites, hospital websites and websites with a monopoly position. That makes it more unclear, however. As for communications confidentiality, articles 5 and 6 say that there is a prohibition on surveillance unless there is an exception or unless the user consents to it. He added that there might be some tweaks needed to the exceptions. It could be explored whether through delegated acts or a recast system it is possible to create or add exceptions. If there is a possibility to add an exception then one could solve the problem. He welcomed the fact that OTTs that offer communication services must protect communications’ privacy. However, maybe internet access providers should change. Access providers should not do deep packet inspection. It is maybe necessary to have a separate ePrivacy rule.

Marju Lauristin (S&D, EE) asked for more data from Mr Zuiderveen’s study and said that according to informal knowledge she has, there was a stricter version regarding the possibility to have privacy by default for the browser settings. She asked why this is no longer the case.

Michal Boni (EPP, PL) said that they need connections with the electronic communications code. It is useful to formulate some kind of balanced situation when they are looking at the future and know what kind of new possibilities they will have. The delegated act focusing on exceptions will make it easier. He also said that the remark on article 8.2 regarding Wi-Fi walls is important for future consideration. As for third parties, what kind of unintended consequences will the proposed solution have on local newspapers disseminated electronically? Users should know and be informed.

Daniel Dalton (ECR, UK) wondered why the timetable on this file needs to be so quick. He asked the Commission what problem they are trying to solve. He asked whether citizens are saying: I want to use WhatsApp but I do not because of the data? He also pointed out that the internet is all about advertising revenue and cookies are vital for this. If people opt out en masse, then there is no free model anymore and then people will have to pay. He also asked how they are going to deal with ancillary services. Communications is an important part of the gaming sector. Are they going to be included in this?

Jan Philipp Albrecht (Greens/EFA, DE) said that if one looks at the current legal framework and the necessity they are regulating, does one think that one could afford to have a less protective standard for communications in the future regulation than in the current directive? Where does the proposal uphold the standard of the directive and where does work need to be done to get that standard, in particular regarding issues such as web audience measuring and data collection? When talking about free services and the model of free services, then of course some business models are based on remuneration by data tracking and usage. If the new proposal is endangering that, then that reminds him of the following question: what does that mean for the current legal framework?

Cornelia Ernst (GUE/NGL, DE) stated that there is no such thing as a free service. Either one pays with money or with one’s privacy. She said that she prefers to pay with money. She pointed out that there is a cookie banner at the bottom of the Europol website. When she clicked on “more information”, she did not get very useful information. She asked if in the end, the cookies were placed on her computer despite her asking for more information instead of clicking “ok”?

Despina Spanou, Director, DG CNECT, stated that there is an increasing awareness in terms of data usage among consumers. They are trying to give consumers ownership of the data and leave them the choice of what to do with it. 92 percent of citizens are concerned about the confidentiality of their data. People want to have ownership of what happens with their data. We want to give citizens a choice, she said. There is a red line in the Digital Single Market Strategy that requires the Commission to do something to give people better choices and control over what they do. The system is still offering privacy by design. The proposal does not prohibit advertising. The business models on data collection already exist. They also want to guarantee consumer rights when data is given as a counter-performance. This was our philosophy. Business models based on data exchange are an ever-evolving model. There are businesses that develop a system that rewards consumers who decide to give their data. The Commission tries to create a system that would allow evolving models to be catered for.

Giovanni Buttarelli, European Data Protection Supervisor, said that he is not sure that all definitions fit in the aim of protecting fundamental rights. He welcomes the extension of the scope to OTT. He stressed the importance of May 25 2018 as the current ePrivacy directive will otherwise continue to exist and is fully inconsistent with the GDPR. He referred to the four areas of most serious concerns which are summarised in the executive summary of the Article 29 WP’s opinion. If there is an area where design needs to be by default, then this is really ePrivacy. As for Europol, he reassured Ms Ernst that they will enforce existing rules regarding all EU institutions. Cookies are used by all. More respect and clarity for users is needed.

Despina Spanou, Director, DG CNECT, pointed out three very visible differences between the current directive and the proposed regulation: one system everywhere, OTTs are covered and a reference is made to the GDPR and having the same data protection authorities. Under the current system, some Member States have several authorities that are responsible for enforcement.

Frederik Zuiderveen Borgesius, Institute for Information Law, University of Amsterdam, said that one can make many services online without explicitly paying with money. However, one should not forget that advertising is possible without surveillance. Some may say that some people prefer behavioural targeting, etc. Limiting tracking and surveillance does not say much about ad-funded services. Tracking and showing ads are different things. As for web audience measuring, he mentioned a consent requirement for cookies on similar techniques. He agreed that for certain privacy-friendly analytics cookies there should be an exception to consent. However, that could be phrased in a more technologically neutral way. As for offline data collection, it is not regulated in the proposal. The regulation should protect confidentiality and private life. It would make sense to have an Internet of Things rule.
