Who’s afraid of… e-Privacy?
This piece was written by PI Head of Advocacy and Policy Tomaso Falchetta and Legal Officer Ailidh Callander.
On 11 October, the LIBE Committee of the European Parliament votes on the draft e-privacy regulation. As the landscape of generation, collection, and other processing of data in the digital sphere evolves, the proposal seeks to update the rules on confidentiality and security of electronic communications and online activities.
Unsurprisingly, companies whose business models rely on tracking individuals online have been busy lobbying against the new regulation. The companies see the proposal as an attempt to undermine their capacity to collect information, and monitor online behaviour. Some companies argue that the new proposal would impact on the users’ expectation (and perception) of free services on the internet.
A number of MEPs have even introduced amendments that, if adopted, risk to further weaken the protection contained in the current draft .
Instead, the debate around this proposed regulation should be a welcome opportunity to discuss and set rules that see innovation, security, and protection of privacy as mutually reinforcing.
For example, look at the booming of internet connected devices, from so-called ‘smart’ toys and ‘smart’ home appliances to connected cars.
At the start of the last decade, virtually the only devices collecting information about us were home computers and smartphones. There are now a myriad of ways in which technology deployed by private parties and state agencies are collecting personal information. The massive increase in the capacity of devices to generate, transmit, and process information has been accompanied with the development of analysis techniques such as algorithms, to process such data.
There is a growing concern about the threat to privacy of these devices. And there are also concerns about the security vulnerabilities of many of these connected products. Have the manufactures of these devices adequately considered the risks of unauthorized access? Are these devices designed in a way that would permit the transfer of information securely, including for example by using encryption? Can security updates been developed and distributed when vulnerabilities are detected? Almost invariably the answers to these questions is no.
The draft E-privacy regulation seeks to extend its rules on confidentiality, privacy, and security to apply to internet connected devices and machine-to-machine communications. This is welcomed. Given the attention on device and cyber security in Europe and elsewhere, particularly in light of recent cyber attacks which exploited the weakness of internet connected devices, the proposal should be further strengthened by requiring privacy by design and by default, instead of demanding that privacy settings being optional.
The e-PR aims to protect confidentiality of communications and personal data in the electronic communication sector by complementing matters covered in a general way by the General Data Protection Regulation (GDPR).
The proposal by the Commission, unveiled early this year, does not go far enough. Privacy International and other European digital rights organisations proposed some amendments to the European Commission’s proposal.
- Regarding Article 5, we stress that confidentiality of communications needs to be protected both in transit and when it is stored.
- Regarding Article 6, it is important to keep consent as the legal ground to process communications data, and that neither “legitimate interest” nor “further processing” are allowed to weaken the Parliament’s position.
- Articles 7 and 10 need to be strengthened and improved, and certainly not watered down or deleted. Specifically, we believe that Article 10 needs to ensure “privacy by design and by default” and not, as in the Commission proposal, “privacy by option”.
- Regarding the restrictions in Article 11, we suggest keeping and strengthening the safeguards established by the CJEU in related cases and not expanding the scope of the restrictions.