In January 2018, the Bulgarian Presidency of the Council of the European Union (EU) picked up where the Estonian Presidency left off on the ePrivacy Regulation. It issued two examinations of the last Estonian “compromise” proposal and asked national delegations for guidance on some issues. Together, the documents cover most of the key points of the text. While the Bulgarian Presidency brings clarity on some points, its questions pave the way to undermine the text – and therefore threaten the protection of citizens’ privacy, confidentiality of communications of both citizens and businesses, as well as the positions of innovative EU companies and trust in the online economy.
One of the main lobbying devices used against the ePrivacy proposal is its alleged redundancy, due to the General Data Protection Regulation (GDPR) coming into force in May 2018. The processing of personal data is already covered by the GDPR, so why would we need an additional text? The Bulgarian Presidency addresses this question by clarifying the ePrivacy Regulation’s role as lex specialis of the GDPR. Effectively, the ePrivacy Regulation complements the GDPR, and if the two texts overlap, then ePrivacy applies, as it provides for a higher level of protection of communications data, which are sensitive data.
On privacy settings, covered by Article 10, the Bulgarian Presidency proposes to keep the choices presented by the Estonian Presidency, providing for privacy by default and an easy way to change the settings, or to require more granularity in the settings by blocking the storage or the processing of data by third parties. This offers users a degree of control over third-party activities on their devices.
After this welcome clarification on this (rather simple) issue and this relatively privacy-friendly proposal, the Bulgarian Presidency then follows up on the undermining of the text already initiated by the Estonian Presidency in December 2017.
In the second document, which deals with the third Chapter of the proposal on the “rights to control electronic communications”, the Bulgarian Presidency mostly follows the Estonian proposal, except for publicly available directories. There, it proposes either to put obligations both on the providers of number-based communication services and on publicly available directories, or to harmonise the rules with opt-in or right to object. As for direct marketing, the Bulgarian Presidency asks the national delegations to give their opinion on the need for uniform rules on voice-to-voice calls.
The Bulgarian Presidency also asks the national delegations to choose between two proposals concerning permitted processing of communications data (provided in Article 6): a middle ground that would be to allow further processing if it has no impact on privacy; or the inclusion of a “legitimate interest” ground for further processing of metadata. It is hard to understand what kind of further processing of communication data – or metadata – would not impact privacy (not least following the latest revelations of security breaches due to “non-personal” data), or how there could be a “legitimate interest” for the further processing of communication metadata, not least due to contrary positions already taken by the Court of Justice of the European Union in the Tele 2 case.
On storage and erasure of electronic communications data, regarding data that is no longer needed to provide a service, the Bulgarian Presidency proposes to either delete the provisions on the deletion of data, or to keep them while deleting the provisions authorising recording or storage of the data by the end-user or a third-party entrusted by them. The first possibility would remove the protection of communication data at rest – ironically creating, at the request of industry lobbyists, the kind of incoherence between ePrivacy and the GDPR of which industry lobbyists have been warning. The second would keep the level of protection agreed upon by the European Parliament.
The worst attack of the Bulgarian Presidency on the text concerns the protection of terminal equipment (Article 8). In addition to the proposals put on the table by the Estonian Presidency, the Bulgarian Presidency proposes different exemptions to the need for consent for the processing of data from an individual device: for “non-privacy intrusive purposes”; based on a “harm based approach” that would consider the levels of impact of different techniques on privacy. It also proposes to couple together the addition of a “legitimate interest to deliver targeted advertisement” and the right to object; and even asks whether the text should cover the “access to services in the absence of consent to process information”. Again, it is hard to see how there could be a “legitimate interest to deliver targeted advertisement”, and how this would contribute to the protection of privacy. Such a convoluted legal construction would, in any event, be only usable by the largest targeted (or “surveillance”) advertising companies. If this approach is followed, the EU would end up with legislation (ePrivacy) that would make it easier to access data on a computer system, as well as legislation (attacks against computer systems – Directive 2013/40/EU) criminalising access to a computer system.
Although the Bulgarian Presidency did take a progressive stance on the links between the GDPR and ePrivacy, the rest of its proposals systematically undermine the text by lowering the level of protection of communications and privacy.
ePrivacy Regulation proposal – Examination (1) of the Presidency discussion paper (11.01.2018)
ePrivacy Regulation proposal – Examination of Articles 12 to 16 (25.01.2018)
Latest proposal by the Estonian Presidency (05.12.2017)
ePrivacy proposal undermined by EU Member States (10.01.2018)
(Contribution by Anne-Morgane Devriendt, EDRi intern)