Data Protection Reform – Next stop: e-Privacy Directive
Did you think the data protection reform was finished? Think again. Once the agreement on the texts of the General Data Protection Regulation (GDPR) and the Data Protection Directive for Law Enforcement Agencies (LEDP) was reached, the e-Privacy Directive took its place as the next piece of European Union (EU) law that will be reviewed. The e-Privacy Directive (Directive 2002/58/EC on privacy and electronic communications) contains specific rules on data protection in the area of telecommunication in public electronic networks.
The Directive was first launched as part of the 1999 Communications Review and aimed to provide specific data protection rules for the e-communications sector, following the entry into force of the 1995 Data Protection Directive the previous year. The Directive dropped out of the Review package quite early in the legislative process and was not finally adopted until 2002.
The new instrument needs to cover all online processing of personal data, insofar as not already covered by the GDPR. Not least because of this, the new instrument needs to be enforced by Data Protection Authorities and not telecoms regulators, as is the case in some EU Member States. It also needs to be updated in relation to the treatment of traffic and location data, as well as other geographical information, and how consent is provided in these cases. Location data – even “anonymous” location data – can raise serious security and privacy concerns.
Another element of the Directive that requires considerable re-thinking is the issue of “cookies”. A more consistent and thorough analysis needs to be done on the different types of cookies that exist (tracking cookies, non-tracking cookies, session cookies…) and how to treat them accordingly. The bad joke that consent for cookies has become has given anti-privacy/Big Data lobbies arguments that (meaningless) consent is the new spam. New, clearer rules should focus on improving the quality of the (very frequently profoundly misleading) information given to individuals and on reducing the number of cookie consent requests. Generally, we advise following the recommendations set by the Article 29 Working Party on this point.
The revised instrument should state that the deliberate installation of any piece of software or hardware on any device without the knowledge or consent of the owner of the device is an unauthorised access and/or data/system interference, as defined in the Council of Europe Cybercrime Convention. Another of the topics that cannot be avoided is related to the use of encryption in devices. In the new legislation, legislators should consider whether attempts to remove encryption, including the installation of “backdoors”, should be explicitly forbidden. Attention to how consent is provided (and revoked) for value-added services and the harmonisation and enforcement of the “national security/public order/crime prevention” exemptions is also needed.
The agreed text of the GDPR was the best possible outcome in the current political scenario, bearing in mind also the heavy lobbying it was subject to. The revision of the e-Privacy Directive must not undermine the good parts of the GDPR, while at the same time trying to fix the loopholes it has created. Some lobbies call for “levelling the playing field” in this area, which is not objectionable, as long as the playing field is levelled upwards, to the level set by the GDPR and the case law of the courts in Luxembourg and Strasbourg. That is the playing field, and any policy development in this area needs to live up to those levels of protection.
Directive 2002/58/EC on privacy and electronic communications
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:en:HTML
Article 29 Working Party: Opinion 04/2012 on Cookie Consent Exemption (07.06.2012)
http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf
Data Protection Regulation Update: precise implementation depends on exceptions and Recitals (19.01.2016)
http://amberhawk.typepad.com/amberhawk/2016/01/data-protection-regulation-update-precise-implementation-depends-on-exceptions-and-recitals.html
EU Data Protection Package – Lacking ambition but saving the basics (17.12.2015)
https://edri.org/eu-data-protection-package-lacking-ambition-but-saving-the-basics/
Recommendation No. R (95) 4 on the protection of personal data in the area of telecommunication services
https://wcd.coe.int/com.instranet.InstraServlet?command=com.instranet.CmdBlobGet&InstranetImage=535549&SecMode=1&DocId=518682&Usage=2
(Contribution by Diego Naranjo, EDRi)