The ePrivacy Regulation: striking the right balance?
by Neil Brady
On 25th May 2018, the ePrivacy Regulation (ePR) is due to become enforceable across the European Union, replacing the ePrivacy Directive of 2002 (Directive 2002/58/EC). Together with the General Data Protection Regulation (Regulation (EU) 2016/679, GDPR), which the ePR has been designed to complement, these two pieces of legislation will significantly enhance the level of protection applied to the personal data of EU citizens.
The regulation seeks to extend the scope of existing privacy and confidentiality standards to newer, ‘over-the-top’ (OTT) communications services such as Skype and WhatsApp, as well as simplify the consent process by creating a one-off, mandatory requirement of ‘freely given, specific, informed and unambiguous’ opt-in consent to tracking cookies. So instead of being asked to consent to tracking multiple times by each website visited as is presently the case, users will be asked to do so only once, at the point of browser or device activation. Users will also have to be notified of their entitlement to withdraw consent at any time, and be reminded of this every six months.
The regulation similarly extends existing legal requirements for telecoms companies in relation to securing data storage and meta-data to OTT technologies. In addition, unsolicited electronic marketing communications sent by email, short-message-service or automated telephone systems are to be banned. And, as with the GDPR, companies that fail to comply with these new rules can be fined up to €20 million, or 4% of global turnover.
In a September blog post, Vice President for the Digital Single Market, Andrus Ansip, noted that both Regulations have been designed in order to reinforce trust and security in the Digital Single Market (DSM), without which “people will not use digital services” in the EU.
Since the introduction of the legislation last January, it has been scrutinised by the Article 29 Group Working Party (Art. 29 WP), the European Data Protection Supervisor (EDPS), the European Council and the European Parliament’s lead committee on the matter, the Committee on Civil Liberties, Justice and Home Affairs (LIBE).
The findings of the LIBE Committee’s draft report, published in June 2017, were broadly supportive of the Commission’s proposal but also argued for the strengthening of a number of measures. Most notably, these included a requirement that the withholding of consent to tracking by third parties shall not be a legitimate ground for depriving users of access to a service (the prevention of so-called ‘tracking walls’, which are also banned under Article 7 of the GDPR) and that end-to-end encryption shall not be weakened under any circumstances (i.e. no encryption ‘backdoors’). In July, members of the committee submitted a further 800 proposed amendments.
The reports of the EDPS and the Art. 29 WP, while also broadly supportive, have similarly recommended the strengthening of several provisions to bring the ePR fully into line with the GDPR.
In particular, four recommendations were made on the basis that the ePR “undermine[s] the level of protection accorded by the GDPR”:
· that tracking walls be banned
· that location tracking rules be clarified and tightened
· that the conditions under which content and metadata can be analysed be clarified and the importance of consent of all end-users reiterated
· that the legislation ensures a requirement for ‘privacy by default’ settings in terminal equipment (i.e. a requirement of ‘affirmative consent / opt-in’ to tracking cookies), including a legally binding option to select the ‘Do Not Track’ standard
In its opinion issued in April, the EDPS described “the complexity of the rules” of the ePR as currently framed as “daunting”. However, most of the recommendations made were in line with the observations of the LIBE Committee and the Art. 29 WP, including the abolition of tracking walls, requirements for privacy by design, the strengthening of end-user consent requirements and the narrowing of exceptions regarding the tracking of terminal equipment.
On September 8th, the European Council published its (first) draft revisions of the ePR. These too were broadly supportive of the Commission’s proposal, though the Council also made it clear that this was only a first draft, largely the result of consultation with the Working Party on Telecommunications and Information Society alone, and that its main purpose was to “[clarify] certain elements and…specific issues to be examined”.
On October 19th, the LIBE Committee voted in favour of its draft report on the ePR, with 31 members for, 24 against and one abstention. A week later, the European Parliament voted on the report in plenary, with 318 for, 280 against and 20 abstentions. It is now anticipated that, once a final position is taken by the Council, inter-institutional negotiations will begin shortly thereafter.
Issues for publishers
Publishers, digital marketers, advertisers and digital platform providers alike are concerned that the ePR will curtail their ability to use personal data to sell advertising, and severely disrupt their industries as a result.
Publishers in particular are fearful that the one-off, opt-in requirement of consent to tracking being ‘centralised’ within browsers will prevent them from securing that consent, that this will reduce their digital advertising revenues and cement the already dominant position of platform providers like Google and Facebook.
They are also concerned that the abolition of tracking walls will compound this and, in effect, compel them to give away content for free. A group of publishers, including the Financial Times, Guardian, Le Monde, Spiegel, Telegraph, Daily Mail and Les Echos, made representations to the Parliament in May in this context, asking it to reconsider much of the ePR.
Others have suggested that, due to the existence of a direct relationship between publishers and the public, they will in fact be able to secure consent with relative ease. Furthermore the argument is made that, as a result of this new data trading architecture and the absence of such a direct relationship between third party ad tech companies and the public, the business model of this sector is unlikely to last, thereby potentially opening up new revenue streams for publishers in the process.
Issues for platforms
Views on the likely extent of the impact on platform providers such as Google and Facebook are mixed. Some have suggested that it will be limited due to platform providers’ similarly direct relationship with their users, and consequent ability to secure consent. As the owners of a multitude of ad networks, these companies are also far less reliant on third party cookies.
Others argue that the depth and scale of the ePR’s requirements around consent will compel large data gathering companies like Google and Facebook to heavily amend their terms and conditions in order to obtain more granular levels of, and clearly demonstrable consent for processing of any data, for behavioural and targeted advertising purposes.
Consent, legitimate interest and exceptions
There is also substantial support for the view that the ePR in its current form is unworkable and too burdensome. A particularly vocal opponent of the legislation has been LIBE Committee member Michał Boni. He has argued that it is impracticable, could unintentionally worsen the issue of ‘consent fatigue’ that it is intended to address and that it could undermine the ability of the EU’s digital economy to realise its full potential.
Boni has consequently argued in support of the idea of ‘legitimate interest’ (included in Article 6 (f) of the GDPR) as an alternative to consent. This would allow data processing to occur where necessary, and when a data protection impact assessment has been carried out.
Several industry players have made similar observations. Mozilla, maker of the privacy-oriented web browser Firefox, has expressed concern that, in its current form, the ePR “does not allow sufficient flexibility to allow product features to function”. Mozilla does not support the inclusion of the principle of legitimate interest as an alternative to consent, but it has suggested the broadening of the permitted exceptions to consent in line with past advice from the Art. 29 WP.
By any measure, the ePR has proved a highly divisive and complex legislative exercise thus far, and it seems unlikely it will be in place by May 25th 2018 as planned. All stakeholders agree on the importance of both fundamental rights and innovation friendly policies, but views diverge greatly on what is meant by this in practice, and the balance to be struck between these competing priorities.
This is further complicated by uncertainty over the ePR’s relationship to the GDPR. Recital five of the ePR describes it as ‘lex specialis’ to the GDPR, and states that it is intended to ‘particularise and complement it as regards electronic communications data that qualify as personal data’. This suggests that, where there is doubt, the ePR will take precedence, but how exactly this will play out in practice remains to be seen. This was noted by the European Council in its draft revisions of September 8th, when it called for ‘further clarification’ here.
This potential for various unintended consequences, including the perpetuation of ‘cookie consent fatigue’ and consolidation of Facebook and Google’s dominance of the digital advertising market, should be considered in any assessment of the regulation.
In particular, confusion abounds due to the ePR’s apparent conflation of tracking or ‘persistent cookies’ with cookies that are not necessary for the provision of a service.
The ePR generally raises substantive issues in relation to the development of e-commerce, digital services and the slow pace of change within the European Union. Again, this was noted by the European Council in its Presidency conclusions published on October 19th, when calls were made for a ‘future oriented regulatory framework’ for digital, and ‘a sense of urgency to address emerging trends’.
In this context, the GDPR and the ePR’s exclusion of tracking walls, clearly expressed under Article 8(1a) of the latter and Recital 43 of the former, indicates a widely held belief that the exchange of personal data for services amounts to a violation of the right to privacy, and no choice at all.
At a time when digital tracking and targeting mechanisms have, as European Data Protection Supervisor Giovanni Buttarelli recently put it, gone “beyond commercial advertising, as we see in today’s urgent concerns about micro-targeted political campaigns”, this is understandable.
However, given the plethora of privacy reinforcing provisions contained within the GDPR and the ePR, as well as the existing freedom of EU citizens to access non-privacy intrusive internet platforms (e.g. DuckDuckGo), the question arises, to what extent is it appropriate to curtail the freedom to trade personal data for services, and vice versa?
Speaking to the International Association of Privacy Advisors in October on the question of possible ramifications for publishers, for example, Greens MEP Jan Philipp Albrecht made clear his view on the role of policymakers here: “[If] publishers want to protect their content, they can do so with a paywall, not a data wall.”
A compromise approach to this issue, however, could involve a partial ban on tracking, for sites in important fields (e.g. health) or with a “monopoly-like position”, as has been suggested by the Directorate-General for Internal Policies (DG IPOL).
Finding the optimum balance of the rights involved here will not be easy. Additional ongoing efforts to address tech firms’ disproportionate power and influence, notably by way of copyright and tax reform, must also be acknowledged, and policymakers ought to consider the totality of legal, economic and political priorities involved in this important piece of legislation, as they reflect how best to optimise it.