The Commission presented its proposal on new ePrivacy rules in January 2017, and Parliament took a major step forward by adopting its mandate for trialogue negotiations in October 2017. Member states now need to deliver.
Last year in this magazine, I wrote that the Commission proposal was a step in the right direction, but that more needed to be done. While the general data protection regulation (GDPR) protects our everyday data, which may be sensitive, the ePrivacy regulation and its predecessor - the 2002 directive - protect the confidentiality of our communications and personal data with more specific provisions.
Take my house as an example: under the GDPR, it can be legitimate to use my street address for direct marketing mail, as long as I can expect it and can exercise my right to object. However, what I say inside my house to my wife or child is no one’s business. The same applies to business communication, including machine-to-machine communication.
While market participants are free to send offers to companies and process addresses and other data for doing so, postal delivery services or telecom operators used by those businesses have absolutely no right to open the letters or listen in on B2B phone calls.
As with the GDPR, the European electronic communications code, the rules on net neutrality and other legislation, the ePrivacy regulation is a piece of the digital single market puzzle. Providers of electronic communications services need a single set of rules instead of the existing patchwork of 28 national variants.
Yet by harmonising these rules, we must keep in mind that we are implementing a fundamental right. It is therefore imperative that the existing level of protection from the ePrivacy directive is not weakened.
The proposed rules on tracking user activity needed important improvements. Online service providers must obtain users’ consent if they want to track them. Parliament has strengthened the possibility of expressing an automated objection to being tracked online by means of a standardised signal. It made clear that such signals, which already exist in the W3C’s Do Not Track standard, are legally binding.
If a website still wants to ask for users’ consent, it has to respect the standardised route for such ‘out of band’ consent. Users also cannot be forced to give their consent to being tracked as a condition for using an online service. Such ‘cookie walls’ will not be possible in the future, mirroring the prohibition of tying introduced with the GDPR.
In line with the principle of ‘data protection by default’ under the GDPR, Parliament also introduced obligations for software manufacturers to set the default signal in a way that prevents tracking. The proposed carve-out for ‘audience measurement’ has been limited to purely statistical counting with no individual user profiles whatsoever.
The Commission’s proposal would have legalised the emerging practice of tracking people in the physical space, such as shopping malls, based on their smartphones’ electronic signals when searching for a wifi hotspot, even without an option to object to this.
Parliament clearly rejected this. It also addressed the convergence of online and offline tracking and the fact that a growing number of smart devices now listen to our conversations at home. Such tapping into our physical surroundings by online services or communications providers will be prohibited unless actively requested by the user for a specific service.
In order to respond to mass surveillance by intelligence agencies, service providers will have to secure communications in line with the state of the art of technology. This usually means secure end-to-end encryption. Government-mandated backdoors will be banned according to Parliament, as they weaken the security of us all.
We now expect the Council to bring forward the changes needed to ensure that this promising proposal truly delivers for users. Unfortunately, member states seem stuck on discussing the proposal’s basic concepts, such as its relation to the GDPR.
While doing so, they must not forget that the real point of reference is the existing ePrivacy directive from 2002, which was last amended in 2009. The level of protection provided there must not be lowered.
When looking at the GDPR, particularly the legal grounds for processing communications data, the article on sensitive data is the proper comparison, not the one on normal everyday data. Introducing concepts such as the ‘legitimate interest’ of the communications provider as legal ground for snooping into our communications will never be acceptable for Parliament.
Member states have an opportunity to show that they care about the privacy of their citizens when using communications services. In the interest of businesses waiting for reliable and unified rules across a digital single market, they should deliver on this soon.