January 12, 2017
As our dependency on and use of technology grow, so does the digital footprint we leave behind, ranging from trivial content – such as one’s browser language preference – to sensitive content, such as one’s bank account details. Such data is all-encompassing; the more data that is developed, the more useful and valuable it becomes.
Harvesting and refining this valuable commodity – described as the ‘new oil’ of the 21st century – is a tantalizing prospect. Not only does industry stand to gain, but also government and citizens, who create the majority of data. Privacy is arguably the most prevalent and sensitive issue of them all, and one which will determine how data is considered in tomorrow’s Europe. How to balance all these interests and issues has been at the heart of the European Commission’s thinking.
Most of the modalities governing privacy in data creation and usage within the EU are covered by the General Data Protection Regulation (GDPR) which enters into force in 2018. Supplementing this regulation is the E-Privacy Regulation, announced on 10 January – the main purpose of which is to address specifically the privacy of data and metadata used by electronic communication providers. Whereas the Regulation’s predecessor – the E-Privacy Directive – addressed the issue to a degree, the European Commission felt it needed modernising and strengthening, primarily to address the issue of fragmented implementation in Member States. The new legislation creates a stronger implementation regime, putting forward the principle of confidentiality horizontally rather than sector-specifically – changing the approach to online cookies, and bringing within its scope Over-the-Top (OTT) service providers (OTTs today provide similar communication services to telecoms providers – e.g. Skype and WhatsApp).
‘Getting it right’ as regards the level of privacy associated with our electronic communications is crucial. According to a study carried out by the Warsaw Institute for Economic Studies, utilizing data analytics has the potential to increase Europe’s GDP by 1.9% between 2014 and 2020. All stakeholders stand to gain from increased employment, services, and technological innovation.
Privacy is impacting levels of trust in the use of electronic communication and in turn the availability of valuable data. It also moderates the degree to which such data becomes available for future use. Put simply – without trust in privacy, Europe’s ability to harness the full potential of the digital economy will evaporate.
Following the Snowden revelations, the issue of privacy of electronic communications became increasingly prominent in the EU. Citizens and governments alike have become increasingly wary about the security of online communications; most respondents to the Commission’s public consultation on E-Privacy noted that their level of trust is not adequately secured by existing EU privacy legislation covering electronic communications regarding the protection of their data.
In parallel, a recent Eurobarometer survey shows that the vast majority of EU citizen respondents expect privacy in their online communications.
In response to this and political pressure by Member States – and despite insistence by impacted industry that the implementation of GDPR rules is sufficient – the European Commission came forward with this revised E-Privacy proposal.
The overarching principle adopted by the Commission in devising the E-Privacy Regulation can be characterised as being very privacy-oriented from an end-user perspective – which, critics argue, is burdensome in terms of compliance from an industry perspective.
In a nutshell, the key points are:
Only under very limited circumstances will an end-user’s consent not be required. For example, service providers are permitted to scan communications in transit (i.e. email) for removing pre-determined content (i.e. spam) as long as the end-user is aware of such activities taking place. However, when scanning such sensitive material, the service provider needs to seek first the consent of the relevant supervisory authority. When it comes to recording data for identifying commercial transactions (i.e. billing) or to ensure adequate security/maintenance of service, consent is not required, but again, end-users need to be informed in advance. Only in instances of national security can governments be allowed access to end-user data without their consent.
The Regulation’s predecessor had established the ‘cookie law’ which tracks end-users’ online activities. The European Commission estimates that the compliance cost to industry amounted to approximately 1.8 billion Euros. To reduce such costs as well as the nuisance that popups and banners cause to end-users, the Commission has targeted internet browsers, obliging them to integrate cookie preference functionalities that would apply to all websites a user visits, thus relieving web publishers of the costs associated with cookie popups. Furthermore, browsers would have to encourage end-users to set their privacy settings during the installation phase of their browsers.
The Commission also seeks to protect end-users from unsolicited marketing. Unsolicited electronic communications for marketing (commercial or political purposes) are prohibited in this proposal unless an end-user explicitly opts for them. Voice-to-voice marketers would be required to use specific identifiable phone number prefixes, so that a recipient can identify the caller’s intentions in advance. Member States are however permitted to make exceptions for voice-to-voice marketing as long as an end-user has not explicitly objected to it.
Should a service provider breach the above-mentioned principles, an end-user is given the right to lodge a legal complaint through their own national authorities or in a Member State where a service provider has an establishment (the same rights provided under the GDPR). The fines that a provider can incur can reach up to 20 million Euros, or 4 per cent of their total global annual turnover.
The proposed Regulation applies to all parties providing electronic communication services within the EU, but also those who facilitate communication from outside the EU into the EU. To prevent the regulation becoming obsolete via future technological developments, it seeks to be technologically neutral and does not restrict itself to defining particular technologies that fall within its scope. Instead, it identifies industries that facilitate exchanges of information through publicly available electronic communication services. Industries that will be specifically impacted include:
Regarding costs, the Commission admitted in its proposal that most of the above-mentioned industries would incur considerable compliance costs ranging from minor (website publishers) to significant (browsers, online targeted advertisers). However, the Commission’s assessment is an estimate that is not all-encompassing and thus a much higher financial impact could result. It does not take into consideration the real costs incurred for technical compliance and does not factor in the lost opportunity costs many of these industries face because of the rigorous restrictions put in place for data use.
Take, for example, IoT devices; the proposed restrictions on machine-to-machine communications will burden developers. Setting boundaries for a growing business sector that is still in its infancy risks hindering innovation – which goes against the goals of the EU’s Digital Single Market strategy.
The approach towards consent is a direct challenge to the advertisement-funded business model that a multitude of free online services depend on. Online advertisers will struggle to secure explicit tracking consent from users; this will impact website publishers who rely on advertisements to offer free online services. The less targeted and relevant the advertisement, the more frustrating and less appealing it will be for end-users.
There are diverging views on how best to ensure e-privacy and the role consent should play. The E-Privacy Regulation provides us with the Commission’s answer; one that is sure to be as contested in the legislative cycle as the GDPR was (amendments to the GDPR were record-breaking in the Parliament). So how will stakeholders react to the Commission’s proposal?
The European Parliament has supported in the past the principle of ‘privacy by design’ and will likely take the same approach when reviewing this proposal. In other words, they are likely to be supportive of the stringent consent obligation set forth in the Commission’s proposal.
The Council will likely seek out a more sombre approach – one that balances the desires of some Member States for fewer restrictions to protect and develop their industries and others who emphasise security and access to data for surveillance purposes. In the former camp, the ‘likeminded group’ of Member States, the ‘Visegrad group’, and the ‘Digital 9’ could take the lead, given their reluctance to over-regulate OTTs. These Member States are up against the largest and most influential Member States – France and Germany, both of whom are apprehensive of US OTTs dominating the EU market. They also want to strengthen their access to online communications due to the increased terrorist threat they currently face.
Industry is not taking the Commission’s proposal lightly, arguing its approach is too restrictive, hampering their ability to innovate and develop future services and products for consumers. They also argue that the GDPR sufficiently covers matters pertaining to privacy and that this proposed Regulation creates unnecessary overlap.
Finally, the unknown element at play is the US, home of the majority of dominant service providers impacted by the proposal. Many in the EU are curious to see how President-elect Trump’s administration will react to the EU’s approach that impacts US industries. Known for his protectionist rhetoric and ambivalence towards privacy matters, Trump is unlikely to provide a helping hand for proponents of the Commission’s proposal.
Andrus Ansip, the Commission’s Vice-President in charge of the Digital Single Market portfolio, pitched the proposal by stating that it will “deliver the trust in the Digital Single Market that people expect…[and] strikes the right balance: it provides a high level of protection for consumers, while allowing businesses to innovate.”
Many in industry will find it hard to see how the proposal fosters innovation. While it sets out clear and harmonised rules for accessing and using data from electronic communications, it is a far cry from doing so in a business-friendly manner. Balancing user privacy rights in a digital era is tricky to say the least. The Commission has succeeded in putting together a proposal that puts the end-user at its heart but falls short of fostering trust in the future growth of Europe’s Digital Single Market.
1 Belgium, Bulgaria, Czech Republic, Denmark, Estonia, Finland, Ireland, Lithuania, Luxembourg, the Netherlands, Poland, Slovenia, Sweden, UK
2 Poland, Czech Republic, Hungary and Slovakia
3 Benelux and Baltic nations