Beyond the GDPR: here comes the EU’s ePrivacy regulation – but not yet

Posted on Aug 25, 2018 by Glyn Moody

The General Data Protection Regulation (GDPR) is the most important – and controversial – privacy law passed in recent years. Despite its origin in the EU, its reach is truly global, since it affects anyone storing the personal data of EU citizens, no matter where the organization is located. In part because of a flurry of annoying pop-ups asking visitors to sites to agree to new terms and conditions, most people know about the GDPR by now. But few have heard of its sibling, the EU’s proposed ePrivacy Regulation, which in many respects will be even more far-reaching than the GDPR.

Where the GDPR protects personal data when it is gathered and stored, the ePrivacy Regulation protects personal data when it is transmitted. Traditional telecoms companies are already subject to laws in this area; the ePrivacy Regulation aims to extend that to the new generation of online services that transmit personal data over the Internet. In particular, the proposed law seeks to regulate how metadata is gathered and used, and to limit how people are tracked online, for example using cookies.

The European Commission published its draft ePrivacy Regulation text, designed to update the old 2002 regulations governing this area, in January 2017. As is customary with the EU legislative process, the European Parliament then set to work to produce its own version of the text, amending the European Commission’s original proposal. The German site Netzpolitik, which has followed the legislation closely, summarized the six main points of the European Parliament’s draft as follows (original in German).

No data processing without consent

The rich metadata that online activity routinely generates may only be analyzed and exploited by Internet companies if they obtain explicit permission from users. This contrasts with the current situation, where metadata is collected and used for analyzing the interests of visitors, and targeting them with advertising. Naturally, the Internet companies that make their profits from this kind of metadata use are fighting hard against this provision. Instead, they want companies to be allowed to use this data as long as they have a “legitimate interest” in it, where “legitimate” is so vague as to allow more or less anything.

Simple protection against online tracking

Currently, everyone is tracked everywhere they go online unless they take often quite extreme measures to avoid this. Most people don’t bother, which means that online tracking is routine. The European Parliament wants the ePrivacy Regulation to make it easy to opt out of tracking – for example, by using settings in a browser or smartphone operating system. In addition, so-called “tracking walls”, which block access to sites unless visitors agree to be tracked, would be forbidden.

Privacy by default

As with the GDPR, it must be easy for users to avoid being tracked when they use online services. This means that privacy must be the default, not something buried deep within confusing menus of options.

Limits for physical world tracking

The increasingly common practice of tracking people as they move around physical spaces – for example, shopping areas – using Wi-Fi or Bluetooth signals, will be regulated. Offline tracking will only be permitted if users have given their explicit consent, or if data gathering is limited in time and space, and used for purely statistical purposes.

A right to encryption

The European Parliament’s text requires service providers to protect users’ communications with “state of the art” technology, and explicitly mentions cryptographic methods, such as end-to-end encryption. It also includes the following strong statement against the use of crypto backdoors by governments:

member States shall not impose any obligations on electronic communications service providers or software manufacturers that would result in the weakening of the confidentiality and integrity of their networks and services or the terminal equipment, including the encryption methods used.

Greater transparency for government access to communications

As you might expect, the draft text contains exceptions to the right to confidential communications, for reasons of law enforcement or national security. However, the ePrivacy Regulation would also introduce comprehensive reporting requirements for both communication providers and national governments, which would detail when and how data access to personal information was requested.

Given the far-reaching and often quite radical nature of the ePrivacy Regulation’s measures, it is hardly surprising that the lobbying against it has been intense, as a report from Corporate Europe Observatory explores. Jan Philipp Albrecht, the German MEP largely responsible for steering the GDPR through the European Parliament, told The Privacy Advisor how opponents of the new law made some outlandish claims:

It’s the death of the press, it’s the death of all apps and free services online, it will be shutting down the internet, it is the end of the telcos, we will lose everything. This is really very radical lobbying with regard to the tone, and in my view it is completely over-exaggerated.

Despite that opposition, the European Parliament approved the amendments to the original European Commission text in October 2017, by 318 votes to 280, with 20 abstentions. The lead MEP for the ePrivacy Regulation, Marju Lauristin, created a document with a side-by-side comparison of the two versions, which shows how the European Parliament strengthened many measures.

However, that does not mean that the ePrivacy battle is over. Because of the complex interaction of the various parts of the EU political machine, the presidency of the Council of the EU – the third body alongside the European Parliament and European Commission – must now draw up its own version of the proposed text. Once that happens, the three bodies get together for so-called “trilogue” negotiations to come up with a final, compromise text, which can then become law.

In a further complication arising from the EU’s political structure, the presidency of the Council of the EU rotates among all the member states. It is currently held by Austria, which unexpectedly proposed weakening two key sections of the ePrivacy text – one that forbids “tracking walls”, and the other requiring “Privacy By Design and By Default”.

A few days later, in an agenda document for a meeting in December this year, the Austrian Presidency announced that it would be providing a “status report” for the ePrivacy Regulation. That was a coded way of saying that it would not be making it one of the priorities for its six-month Presidency, and that no further progress would be made with the law. Since there are important elections for the European Parliament in May 2019, the practical effect of the Austrian Presidency’s decision is that the earliest the ePrivacy Regulation could enter into force would be 2020.

The surprise move by Austria to halt work on the new privacy law is almost certainly down to yet more lobbying, notably by the German publishing industry. It’s part of a continuing attempt to derail this important legislation, which would greatly strengthen privacy protections for EU citizens. Moreover, as with the GDPR, if passed in anything like its current version, the ePrivacy Regulation is also likely to have important knock-on effects for Internet users around the world.

Featured image by European Commission.