ePrivacy law protects the confidentiality, security and privacy of electronic communications. Just think about the calls you’ve made today and the emails you’ve sent. Now, imagine how you would feel if the content of your communication was intercepted and exposed. At a minimum, this would cause you distress, and you would probably consider having more face-to-face conversations in the future. But no one wants to give up the convenience of electronic communication. Clear and rigorous rules are therefore essential to ensure the privacy and security of our everyday communications.
Earlier this January the European Commission published a proposal for a new ePrivacy regulation. This act will replace the 2002 directive and bring (sometimes clashing) national laws closer to each other. Of course, the text first needs to survive the legislative procedure, but some of the positive and the negative points can already be assessed.
In a recent post, EU journalist Jennifer Baker pointed out “the good”, “the bad” and “the missing” parts of a draft regulation that went viral in December last year. Following her example, the goal of this contribution is to point out the pros and cons of the draft’s successor: the official proposal for an ePrivacy regulation.
Traditionally, ePrivacy law pertained to electronic communication providers such as telecommunication companies and internet service providers (e.g. the Dutch provider Ziggo). In recent years, more and more communication has been carried out via OTTs. OTT stands for over-the-top and refers to messaging apps such as WhatsApp and Skype. Although they offer various communication services, these apps do not have their own networks and instead make use of other companies’ infrastructures. Is this sufficient cause to treat them differently and keep them outside the scope of ePrivacy law? The EC doesn’t think so and has expanded the scope of the regulation, which now also includes OTTs.
Consent and end-user control rights sit at the heart of the new proposal. For example, consent remains the key enabler to allow the processing of data (either content or metadata), to place tracking tools (such as cookies), or to send unsolicited communication (e.g. marketing emails or political messages). An interesting solution was proposed in Article 9(b): not only should end-users be given the possibility to withdraw their consent, they should also be reminded of this possibility at periodic intervals of 6 months. A similar user-friendly (or, some would say, paternalistic) approach appears in some other points, e.g., in Article 8(4) where standardised icons are proposed as a replacement for lengthy and complex textual information.
The first downside concerns the provision in Article 8(2)(b) that seeks to regulate the increasingly popular practice of in-store Wi-Fi tracking. Today, many retail stores are either experimenting with or actively using technology that uses your phone’s Wi-Fi to track your movements around the store. Based on the information they collect, visitors might receive an email with a personalised offer. To protect personal privacy, the ePrivacy regulation proposal requires that providers engaged in such services display prominent notices to inform visitors about the tracking. How could this rule be implemented? For example, a store could hang up a big sign with the following text: “Tracking going on! Switch off your phone if you do not agree with it.” (Note: Simply disabling the Wi-Fi connection does not prevent tracking.) If we disregard the fact that this approach is somewhat unsophisticated, we still run into a couple of troubling questions: Should Wi-Fi tracking be made that easy? Should stores be allowed to get away with simply hanging up a poster? How about individual consent for personal data processing (as the Dutch DPA suggested)?
The second negative point of the proposal is the rule about privacy settings that should be offered by software permitting electronic communication. The draft proposal that was leaked in December required that any setting of terminal equipment (e.g. personal computer, mobile phone) be configured in a way that prevents third parties from storing information in this equipment, or from using information that has been stored there. In essence, the requirement demanded that third-party cookies, which are the backbone of the targeted advertising industry, be blocked by default. The later, official proposal abolished this requirement and is somewhat watered down. Rather than requiring that the software be set to “do not track” mode, the official proposal only requires that it offer an option to do so.
Given the bad and the good sides of the proposal, we are now eagerly awaiting what the legislative process will bring. Hopefully the balance will tilt towards “the good”.