ePrivacy regulation is a good first step

Data protection rules must apply to all means of electronic communication, writes Jan Philipp Albrecht.

By Jan Philipp Albrecht

17 Mar 2017

With the general data protection regulation (GDPR), the EU delivered strong rules for privacy and data protection for its citizens. It's now time to also update the rules on privacy and confidentiality in electronic communication, as laid out in the 2002 ePrivacy directive. Back then, we did not use Skype or WhatsApp, so it is high time to catch up. We must also address the cookie notification fatigue that has resulted from the implementation of the 2009 revision.

The proposal for an ePrivacy regulation, which the European Commission presented on 10 January, is a good first step. Including modern communication methods in data protection rules for electronic communication is a long overdue reform. Data protection and privacy rules must apply to all means of electronic communication, especially in a time when SMS and internet messengers are just different apps on our smartphones.

Therefore, it is essential to include all electronic communication methods in the scope of the new ePrivacy regulation. They do not have to have obligations fully identical to those of the telecommunications incumbents, but they must ensure the confidentiality of communications.


After all, the ePrivacy regulation does not only further specify the right to the protection of personal data, but it also implements the right to privacy of communications. Therefore, despite the GDPR being applicable to all data processing, generally there is still the need to deviate from some of these rules in order to provide for a higher level of protection.

However, the proposed rules around tracking user activity need important improvements. Service providers should require the consent of users if they want to track their activity. The carve-out for 'web audience measurement' would maintain the current situation where every citizen's online behaviour is constantly being tracked and monitored. 

In order to overcome the current practice of annoying cookie notification banners, it is good that the proposal follows the GDPR approach to allow consent or objection by automated means. It is also good that for the first time, software manufacturers will have an obligation to ensure that this option is available for all electronic communications. But the default setting should always be the most data protection-friendly, as stipulated by the existing data protection regulation.

The Commission's proposal would legalise the emerging practice of tracking persons in the physical space, such as shopping malls, based on their smartphones' electronic signals when searching for a wifi hotspot, even without an option to object to this. 

This is clearly not acceptable if it leads to individualised profiles. We will also have to address the convergence of online and offline tracking and the fact that a growing number of smart devices now listen to our conversations at home.

We also know that intelligence agencies are applying blanket data collection, thereby infringing the essence of the right to confidential communication. Service providers should respond by doing everything technically possible to secure our right to communications privacy.

End-to-end encryption without any backdoors must become the rule. We also need specific rules for manufacturers of smartphones and other end-user devices to make sure safety standards and security updates are being applied to offer users the highest standards of confidentiality of communication.

We expect the European Parliament and Council to bring forward the changes needed to make sure this promising proposal truly delivers for users. This is an opportunity to show that they care about European citizens' fundamental rights.
