e-Privacy: What happened and what happens next
With the vote on the mandate for trilogues in the European Parliament Plenary session of 26 October 2017, the European Parliament confirmed its strong position on e-Privacy for the following inter-institutional negotiations, also called trilogues.
The e-Privacy Regulation aims at reforming the existing e-Privacy Directive to complement the General Data Protection Regulation (GDPR) regarding communication data and metadata, as well as device security. In order for the text to efficiently protect European citizens’ privacy, some key issues needed to be addressed in the Commission’s proposal.
In October 2017, we encouraged citizens to contact Members of the European Parliament (MEPs) to make sure the entire e-Privacy proposal will not be watered down. We (very exceptionally) asked them to support the mandate being granted to continue the negotiations on the proposal text in the trilogues. Here is the outcome of our campaign:
Protection of communications in transit and at rest (Art. 5)
Communications data is always sensitive. This is why, for instance, there is no point in protecting your email while it is being sent if any company hosting your email can read it once it arrives to your inbox, for example to target you with advertising. Therefore EDRi supports the protection of communication data both when it is in transit and at rest. The proposed Article 5 in the European Parliament (EP) version of the e-Privacy Regulation proposal protects “any interference with electronic communications”, including “data related to or processed by terminal equipment”. This is an important step in the right direction.
Consent as the only legal basis for processing (Art. 6)
Informed and free consent should be the sole legal basis for non-necessary processing of such data. Because of the intricate way online tracking works, only users who are fully informed (and free to make the choice) could allow that by consenting to that feature, if it is in their interest.
Privacy and devices protected by design and by default (Art. 10)
As happens with any other device that may create risks for the user, safety and security need to be part of the design and not an after-thought.This is why we need privacy by design and by default. Article 10 of the proposal states that all software allowing electronic communication should, “by default, have privacy protective settings activated to prevent other parties from transmitting to or storing information on the terminal equipment of a user and from processing information already stored on or collected from that equipment”.
The security of devices are also covered by Article 8 that restricts the use of end-users’ terminal equipment to what is strictly necessary, subject to consent.
Restrictions of users’ rights (Art. 11)
Article 11 limits restrictions to vague general public interests such as national security, defence and public security, but the EP has done a better job at being specific in the three sub-articles. Furthermore, Article 11 also contains provisions to ask for mandatory documentation on the requests to access communications by Member States.
Protection of encryption (Art. 17)
In order to protect citizens’ privacy and the safety of their electronic communications, it is fundamental to ban any attempts to undermine encryption. Article 17, on security risks, states that Member States cannot weaken encryption, for example by forcing companies to include ”back-doors” in their products.
The European Parliament has done a good job with its improvements to the text. Thanks to the strong position of the Committee on Civil Liberties, Justice and Home Affairs (LIBE) and citizens’ mobilisation, the European Parliament voted for a strong text that will protect citizens’ privacy and communication. However the fight is not over yet: the Commission, the Council and the Parliament have yet to reach an agreement during the obscure process called trilogues. The final text will be passed in the Plenary of the European Parliament in 2018, tentatively after the summer.
Tell the European Parliament to stand up for e-Privacy! (25.10.2017)
Report on the proposal for a regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) (23.10.2017)
EDRi’s position on the proposal of an e-Privacy regulation (09.03.2017)
Trilogues: the system that undermines EU democracy and transparency (20.04.2017)
(Contribution by Anne-Morgane Devriendt, EDRi intern)