They’re hip, they’re slick and they follow you everywhere. They know you like new shoes, playing tennis and tweeting at odd hours of the morning. Do you know what that says about your health, your relationships and your spending power? No? Well, the online companies do. They follow you everywhere you go online, they have a perfect memory, they know the sites you visited last year even if you’ve forgotten… Look who’s stalking.
European legislation protecting your personal data was updated in 2016, but the battle to keep it safe is not over yet. The European Union is revising its e-Privacy rules. We welcomed the European Commission (EC) proposal as a good starting point, but with room for improvement. The online tracking industry is lobbying fiercely against it. Online tracking and profiling gave us filter bubbles and echo chambers. Yet the lobbyists lobby for it under the pretext of “saving the internet”, “protecting quality journalism” – even “saving democracy”.
The European Parliament is currently debating its position on the EC proposal. Some Members of the European Parliament (MEPs) support “tracking business, as usual” while others support a strong future-proof norm to protect the privacy, innovation and security of future generations of EU citizens and businesses.
Priorities for defending privacy and security:
1) Protect confidentiality of our communications – both in transit and at rest!
Confidentiality of communications needs to be protected both in transit and when it is stored. Lobbyists have been campaigning for a technicality that would allow them to read and exploit your emails stored in the cloud. (Art. 5)
2) Protect our privacy: Do not add loopholes to security measures!
A “legitimate interest” exception was not included in any version of the previous e-Privacy Directives. This would be a major weakening of the legislation compared with existing rules. Our member Bits of Freedom wrote about the problems with “legitimate interest” here. (several Articles and Recitals)
3) Do not let anyone use our data without asking for our consent!
It is crucial to keep consent as the legal ground to process communications data. Neither “legitimate interest” nor “further processing” should be allowed to weaken the security and privacy of European citizens and businesses (Art.6)
4) Privacy should not be an option – what we need is privacy by default!
Provisions about default privacy settings need to be strengthened and improved, certainly not watered down or deleted. e-Privacy must ensure “privacy by design and by default” and not, as in the EC proposal, “privacy by option”. You can find our specific proposals here. The European Parliament previously adopted a Directive that criminalises unauthorised access to computer systems. It would be completely incoherent if it were to adopt legislation that foresees default settings that do not protect against unauthorised access to devices. (Art. 10)
5) No new exceptions to undermine our privacy!
Exceptions for Member States cannot become a carte blanche rendering e-Privacy useless. Therefore, the safeguards established by the Court of Justice of the European Union on cases regarding the exceptions in the relevant sections of the e-Privacy Regulation should be diligently respected – the scope of the exception should not be expanded. (Art. 11)
6) Do not undermine encryption!
Imposing a ban on undermining or attacking encryption should be a priority.
7) Protect our devices (hardware+software) by design and by default!
Hardware and software security need to be protected by design and by default.
MEPs, protect our #ePrivacy – Support amendments that follow the principles listed above!
e-Privacy revision: Document pool
e-Privacy: Consent (pdf)
e-Privacy: Legitimate interest (pdf)
e-Privacy: Privacy by design and by default (pdf)
e-Privacy: Offline tracking (pdf)
Your privacy, security and freedom online are in danger (14.09.2016)
Five things the online tracking industry gets wrong (13.09.2017)
ePrivacy Regulation: Call a representative and make your voice heard!
Who’s afraid of… e-Privacy? (04.10.2017)