It’s time to engage the private sector to let the ePrivacy Regulation happen
Published on April 25, 2019
Anastasiya Kazakova, Public Affairs Manger
The 2017 proposal, which applies both to natural and legal persons, advocates strengthening the security and confidentiality of communications (including content and metadata), as well as providing the Digital Single Market (DSM) with clear rules on tracking technologies (cookies) and spam.
However, after two years of dialogue and debate within the respective European Parliament committees and the Council under five different presidencies, the draft has reached an impasse and will not likely be adopted by the end of this legislature.
We support adoption of the ePrivacy Regulation in the near future since:
- In light of today's key demands from customers for greater transparency, accountability and data privacy, it’s crucial to protect fundamental rights to privacy and the protection of personal data, including those in electronic communications data. In this regard, the ePrivacy Regulation would promote and enforce trust in the digital environment between businesses and consumers;
- There’s a need for legal clarity and harmonization of the EU’s framework for data protection and confidentiality of communications: the existing ePrivacy Directive was transposed into divergent national laws and is now not able to fully address issues of today’s digital world, (whereas the GDPR is a directly applicable law). This unbalanced and fragmented situation creates an economic and administrative burden for companies, and from this perspective, the ePrivacy Regulation would imply a uniform application of EU law in this field.
We also call for greater engagement with private stakeholders to make the Regulation flexible in the rapidly developing technological environment.
In this blogpost, we outline the most contested areas of the ePrivacy Regulation and provide our recommendations on them.
1. Lawful basis for processing
Article 5 of the proposed ePrivacy Regulation, as a general rule, prohibits the processing of electronic communications data (both content and metadata). Few exceptions to this rule are provided in article 6 but are limited to electronic communications services (ECSs) and electronic network providers (ECNs), which are the only types of entities permitted to conduct data processing under the draft regulation.
For reference, recital 11 defines ECSs as ‘not only internet access services and services consisting wholly or partly in the conveyance of signals but also interpersonal communications services, which may or may not be number-based, such as for example, Voice over IP, messaging services and web-based email services’. It also states that the definition encompasses ‘interpersonal communications services that are ancillary to another service’ as well as machine-to-machine (M2M) and Internet of Things (IoT) communications.
From our point of view, these exceptions are very narrow, and the legal position of other players in the DSM, which may not qualify as either ECSs or ECNs, remains ambiguous and problematic – especially for cybersecurity vendors, which have a legitimate need to process content and metadata since this is essential for scanning and analysing malware and malicious files. Being excluded, cybersecurity vendors would have substantially less functionality to provide data security for users.
We, therefore, recommend amending article 6 and expanding the scope to include other parties (not only ECSs and ECNs) in the list of lawful processors.
Together with the GDPR, the ePrivacy Regulation proposal includes consent as a legal basis for processing (Article 6). However, unlike the GDPR, consent under the draft ePrivacy Regulation is the sole ground upon which data is permitted to be processed. Not only does this make the ePrivacy Regulation more restrictive than the GDPR, but it creates inconsistencies with the GDPR, where other grounds for data processing exist. For instance, Article 6 (1) (f) GDPR provides ‘legitimate interest’ as a lawful ground that allows personal data processing without consent if such an interest is not found to override the data subjects’ fundamental right to privacy and the protection of personal data. What’s more, it seems illogical to permit processing of content data and metadata only with end-users’ consent, while the GDPR provides more flexible and less restrictive grounds for personal data processing.
Another point relates to the exclusive reliance on consent under the ePrivacy Regulation proposal, which could lead to possible negative consequences for innovation in technology. The proposed Article 6 (3) (a) notes that ‘the processing of electronic communications content and the provision of a specific service to an end-user is possible with…consent only’. Such a provision might create challenges to software development and software improvement as the processing of electronic communications content might be essential for both processes.
For example, if a provider wants to develop new software features and does not have a means of receiving end-user consent, since the features are still in a ‘draft form’ and have not been introduced yet, and the provider has no relationship with this end-user. In such a situation, it seems impossible to get the consent of all end-users concerned under para (3) (b).
Therefore, we recommend broadening the legal basis for processing and aligning it with the GDPR, e.g. by including the ‘legitimate interest’ ground with additional technical safeguards – requirements to implement privacy by design/default, such as strong encryption and pseudonymization of data processed.
3. Law enforcement access to data
Article 11 (2) of the draft ePrivacy Regulation requires ECSs to establish internal procedures for responding to requests for access to end-users’ electronic communications data from Law Enforcement Agencies (LEAs). We believe that this provision; (1) lacks clarity on the acceptable form of those internal procedures, and (2) could potentially overlap with the currently discussed and developed e-evidence legal regime in the EU.
Therefore, we recommend aligning the provision with the e-evidence proposal to avoid a conflict of law, and clarify thresholds for providing access to LEAs to electronic communications data. It is necessary, for instance, to clarify how a provider should react in case of multiple LEAs requests from several Member States and under which circumstances the company would have rights to challenge such a request.
4. Data ‘in transmission’
Recital 15 of the ePrivacy Regulation proposal prohibits the processing of electronic communications data without consent at the moment of data being ‘in transmission’. We read this as data ‘in transit’ – a widely accepted notion in the industry along with ‘data in use’ and ‘data at rest’.
From Recital 15, it is clearly prohibited to intercept or conduct surveillance of communications data during its ‘conveyance’, or transmission/transit. While we firmly support a provision to prohibit such actions, we see a risk of legal loopholes to conduct the interception or surveillance of communications data at rest or in use, as the text is silent on this regard.
Therefore, we recommend amending the text by explicitly clarifying that the prohibition under Recital 15 applies to data at rest and data in use. Hence, for the latter case, Article 7 seems redundant and we suggest deleting it.
5. Security updates
In Council, Member States amended Article 8 of the proposed ePrivacy Regulation to allow software updates in para (e) when ‘the end-user is given the possibility to postpone or turn off the automatic installation of these updates’.
While we welcome and highly support the amendment for the distribution and installation of software updates, we see the legal basis for doing so as narrowed and restrictive. It seems reasonable to introduce other legitimate purposes – especially for providers of security solutions – to have legal possibilities to provide end-users with automatic security updates. If not, and if users are allowed to turn off these crucial elements for their security, it would create higher security risks due to possible fragmentation of software deployment and increased risks of system vulnerabilities for the users themselves.
Therefore, we recommend introducing additional legitimate grounds for companies to deploy software updates as well as to delete or modify the provision allowing end-users to opt out of automatic security updates’ installation to avoid a weakening of cybersecurity amongst consumers.