e-Privacy Regulation: Good intentions but a lot of work to do

By EDRi · January 25, 2017

On 10 January 2017, the European Commission published its long-awaited proposal for an e-Privacy Regulation (Regulation on Privacy and Electronic Communications, ePR) to replace the 2002 e-Privacy Directive (Directive 2002/58/EC, ePD).

EU legislation on data protection is divided between general legislation (the 1995 Directive, soon to be replaced by the General Data Protection Regulation) and legislation specifically covering privacy in the communications sector, the e-Privacy Directive.

----------------------------------------------------------------- Support our work - make a recurrent donation! -----------------------------------------------------------------

The ePD has two functions. Firstly, it provides additional clarity and predictability to allow the principles in the general legislation to be implemented in the complex environment of communications. Secondly, it serves as the EU legislative instrument to give meaning to the fundamental right to freedom of communications.

The proposed draft Regulation contains a number of provisions which, if adopted and effectively implemented, should address some of the current gaps or lack of clarity in protection of the confidentiality of electronic communications and information stored on users devices. The process of consultation and polls have shown that citizens are concerned about their privacy and about how companies make use of their personal information online. Although the Commission has rightly identified and addressed most of the key issues and objectives in the proposal, strong forces seem to have watered down the text considerably, compared to the earlier version that was leaked in December 2016. For example, the reference to “privacy by design and by default” that was changed in Article 10 will need to be put back in order not to lower down the protections to the current “privacy by option”, options on the degree of online privacy that the browser would offer to the user.

Among the improvements needed, the European Parliament will need to make sure that the definitions of the text (cross-referenced to the European Electronic Communications Code, EECC, which is still being discussed) do not lead to a reduced scope of the e-Privacy Regulation. Furthermore, the scope of these definitions in the ePR relates to electronic communication networks, while in the leaked version it also referred to electronic communication services. This is a significant reduction in the scope of the proposed ePR.

Regarding the substance of the proposal, one of the key issues, the processing of content (“what we talk about”) and metadata (“when and with whom we communicate”), raise some concerns: both the content and the metadata, which can sometimes be more sensitive than content of our online interactions, could be used for additional purposes by, for example, our email providers, if the user has “consented” to this. The way this consent is obtained in practice will need to be carefully addressed. If the legislator cannot avoid that, in practice, the consent is considered valid if done for example under over-broad Terms and Conditions, or through pre-ticked boxes, the e-Privacy Regulation would be going below the standards needed to effectively protect our communications.

The section on access to devices is probably the one that has drawn the most attention to the proposal, since it regulates the use of tracking technologies such as tracking cookies. The text establishes that terminal equipment of end-users (smartphones, laptops but also, arguably, an e-fitness device or any other device that is part of what we call the “Internet of Things”) are part of the individual’s private sphere. Access to these devices and to any information stored in or emitted by such equipment would be under the scope of the ePR. However, here too, “consent” is the key that could give access to our personal devices, with the same risks commented above. Finally, the exceptions for Member States to restrict the same protections that the Regulation is trying to provide is one of the most worrying parts of the text, along with the unexpected absence of reference to collective redress in the article on remedies (Article 21).

Citizens have expressed repeatedly the need for strong protections for privacy and confidentiality of communications. However, there seems to be a lot of work ahead to complement and particularise the text presented by the Commission.

EDRi: e-Privacy document pool

Proposal for a Regulation on Privacy and Electronic Communications (10.01.2017)

Eurobarometer on ePrivacy (19.12.2016)

(Contribution by Diego Naranjo, EDRi)