EU Council considers undermining ePrivacy
On 19 October 2017, the European Parliament’s LIBE Committee adopted its report on the ePrivacy Regulation.
The amendments improve the original proposal by strengthening confidentiality requirements for electronic communication services, a ban on tracking walls, legally binding signals for giving or refusing consent to online tracking, and privacy by design requirements for web browsers and apps.
Before trialogue negotiations can start, the Council of the European Union (the Member States’ governments) must adopt its general approach. This process is still ongoing with no immediate end in sight. An analysis of the proposed amendments in Council documents so far shows that the Council is planning to significantly weaken the ePrivacy text compared to the Commission proposal and, especially, the LIBE report.
Metadata for electronic communications should be regarded as sensitive personal data, similar to the categories listed in Article 9 of the General Data Protection Regulation (GDPR). Under the ePrivacy Directive (current legal framework), necessary metadata may be processed for purposes of subscriber billing and interconnection payments, and, with consent of the user, for value added services. Apart from data retention requirements in national law, no other processing is allowed. In the ePrivacy Regulation, the Commission proposal and the LIBE text both uphold the principle of only allowing processing of electronic communications metadata for specific purposes laid down in law or with consent of the end-user. As a new specific purpose, processing for monitoring quality of service requirements and maintaining the availability of electronic communications networks can be done without consent.
The Council proposals significantly expand the permitted processing of metadata without consent by the electronic communications service (ECS) provider. The billing/interconnection purpose is extended to include processing when it is necessary “for the performance of a contract to which the end-user is party”. This will allow the ECS provider to process metadata not directly related to billing through provisions in the contract with the end-user. Service offerings by ECS providers are generally moving towards simpler products with increased reliance on flat rate tariffs, which should reduce the processing and storage of metadata necessary for billing purposes. These privacy benefits will be lost with the Council text.
In December 2017, the Council proposed further processing of metadata without consent for scientific research or statistical purposes based on Union or Member State law. Despite the mandatory safeguards, which include encryption and pseudonymisation, this is a very problematic amendment since a potentially large amount of metadata, which would otherwise be deleted or anonymised, will be retained and stored in identifiable form. Data breaches and law enforcement access are two very specific data protection risks created by this amendment.
The latest text from the Austrian Presidency (Council document 10975/18) goes even further than this by proposing a new general provision for further processing of metadata for compatible purposes inspired by Article 6(4) of the GDPR. This comes very close to introducing “legitimate interest” as a legal basis for processing metadata by the ECS provider, something that has previously been ruled out because metadata for electronic communications is comparable to sensitive personal data under the case law of the Court of Justice of the European Union (CJEU). GDPR Article 9 does not permit the processing of sensitive personal data with legitimate interest as the legal basis. In March 2018, the former Bulgarian Presidency specifically noted that it is highly doubtful whether a non-specific provision for permitted processing would, given the sensitive nature of the data involved, be in line with the case-law of the CJEU.
The LIBE Committee adopted amendments to ensure that electronic communications content was protected under the ePrivacy Regulation during transmission and if the content is subsequently stored by the ECS provider. This is important because storage of electronic communications content is an integral part of many modern electronic communications services, such as webmail and messenger services. However, the Council amendments limit the protection under the ePrivacy Regulation to the transmission of the communication, a period which may be a fraction of a second. After the receipt of the message, the processing falls under the GDPR which could allow processing of personal data in electronic communications content (such as scanning email messages) based on legitimate interest rather than consent of the end-user. As suggested by the Council recital, the end-user can avoid this by deleting the message after receipt, but this would entirely defeat the purpose of many modern electronic communications services.
In Article 8 of the draft ePrivacy Regulation, the LIBE Committee adopted a general ban on tracking walls. This refers to the practice of making access to a website dependent on end-user consent to processing of personal data through tracking cookies (or device fingerprinting) that is not necessary for the provision of the website service requested by the end-user. This practice is currently widespread since many websites display cookie consent banners where it is only possible to click ‘accept’ or ‘OK’.
The Council text goes in the opposite direction with proposed wording in a recital which authorises tracking walls, in particular if a payment option is available that does not involve access to the terminal equipment (e.g. tracking cookies). This amounts to a monetisation of fundamental rights, as EU citizens will be forced to decide whether to pay for access to websites with money or by being profiled, tracked and abandoning their fundamental right to protection of personal data. This inherently contradicts the GDPR since consent to processing of personal data can become the counter-performance for access to a website, contrary to the aim of Article 7(4) of the GDPR.
Finally, the latest text from the Austrian Presidency proposes to completely delete Article 10 on privacy settings. Article 10 requires web browsers and other software permitting electronic communications to offer privacy settings which prevent third parties from accessing and storing information in the terminal equipment, and to inform the end-user of these privacy settings when installing the software. An example of this could be an option to block third party cookies in web browsers. Such privacy settings are absolutely critical for preventing leakage of personal data to unwanted third parties and for protecting end-user privacy when consent to tracking is coerced through tracking walls. The recent Cambridge Analytica scandal should remind everyone, including EU Member States’ governments, of the often highly undesirable consequences of data disclosures to unknown third parties.
If Article 10 is deleted, it will be possible to offer software products that are set to track and
invade individuals’ confidential communications by design and by default, with no possibilities for the individual to change this by selecting a privacy-friendly option that blocks data access by third parties. This goes in the complete opposite direction of the LIBE report, which contains amendments to strengthen the principle of privacy by design by requiring that access by third parties is prevented by default, and upon installation to ask the end-user to either confirm this or select another, possibly less privacy-friendly, option.
The rationale for deleting Article 10 given by the Austrian Presidency is the burden on software vendors and consent fatigue for end-users. The latter is somewhat ironic since technical solutions, such as genuine privacy by design requirements and innovative ways to give or refuse consent, like a mandatory Do Not Track (DNT) standard, are needed to reduce the number of consent requests in the online environment. The Council amendments for articles 8 and 10 would aggravate the current situation, where end-users on countless websites are forced to give essentially meaningless consent to tracking because the cookie banner only provides the option of clicking ‘accept’.
If the ePrivacy amendments in 10975/18 and earlier Council documents are adopted as the general approach, Council will enter trialogue negotiations with a position that completely undermines the ePrivacy Regulation by watering down all provisions which provide stronger protection than the GDPR. This would put a lot of pressure on the European Parliament negotiators to defend the privacy rights of European citizens. For telecommunications services, which presently enjoy the strong protection of the ePrivacy Directive, the lower level of protection will be particularly severe, even before considering the dark horse of mandatory data retention that EU Member States are trying to uphold, in part through amendments to the ePrivacy Regulation.
EDRi, along with EDRi members Access Now, Privacy International and IT-Pol Denmark, have communicated their concerns about the proposed Council amendments though letters to WP TELE, as well as a civil society meeting with Council representatives on 31 May 2018 organised by the Dutch Permanent Representation and the Bulgarian Council Presidency.
e-Privacy: What happened and what happens next (29.11.2017)
EU Member States fight to retain data retention in place despite CJEU rulings (02.05.2018)
ePrivacy: Civil society letter calls to ensure privacy and reject data retention (24.04.2018)
Civil society calls for protection of communications confidentiality (13.06.2018)
Civil society letter to WP TELE on the ePrivacy amendments in Council document 10975/18 (13.07.2018)
(Contribution by Jesper Lund, EDRi-member IT-Pol)