ePrivacy Regulation, one year later: Needs focus on communications confidentiality and information security
One year after the publication of the European Commission’s proposal for an ePrivacy Regulation (ePR), the debate about how the ePR should ‘particularise and complement’ the General Data Protection Regulation (GDPR) has been contentious. This post looks at the progress made so far, and highlights the multiple issues to be resolved in the legislative process that lies ahead.
When CDT published its initial analysis of the proposed ePR in May 2017, we made the following points. First, we agreed with the Commission’s goal of replacing the ePrivacy Directive of 2002 (and its 2009 update on the use of cookies on websites) with a Regulation that was in line with the GDPR. Second, we agreed that providing legal protection of the confidentiality of communications for not only traditional telecommunications services, but also new and emerging communications applications, was justified. Third, we called for the new regulation to recognise affirmatively the possibility for communications providers and users to deploy encryption tools. In addition, we stressed the importance of putting in place strong safeguards on public sector access to electronic communications.
However, we cautioned that extending decades-old rules on telecommunications providers to a vast array of new services and applications could create serious unintended consequences, particularly where provisions overlapped or conflicted with the GDPR. We argued that the broad and ambitious scope of the draft Regulation could make it hard to create effective and meaningful rules for the many types of very different electronic communications data and services the ePR sets out to cover. This point was reiterated in a study by the University of Amsterdam.
Finally, we suggested the draft ePR was too prescriptive in its attempt to specify detailed rules for treatment of cookies, emphasizing browser controls and focusing disproportionately on user interactions with traditional desktop websites. We also called into question what we consider to be the draft’s excessive reliance on user consent to the exclusion of other legal bases for processing communications data.
Data controllers and processors are currently working on implementing the GDPR’s requirements that consent be freely given, specific, and based on meaningful information, clearly presented. The Article 29 Working Party’s draft ‘Guidelines on consent under Regulation 2016/679’ explains the obligations that the GDPR places upon data controllers to tackle this issue but concedes that no perfect solution has yet emerged. Absent an easily accessible and centralized mechanism for recording consent, our concern is that the ePR’s approach would not meet the objective of ensuring online user privacy, but could instead exacerbate the problems of the well-intentioned, but largely ineffective ‘cookie banners’, creating ‘consent fatigue’ or ‘consent desensitization’.
Further, detailed consent requirements may not be a useful mechanism for enabling communications providers to push security updates and patch vulnerabilities, and would possibly create new security risks. Communications providers and other cybersecurity services need to process data to maintain pace with the threat of malware, spam, and compromised websites or services.
The core issues of confidentiality, integrity, and security of communications have been lost to some extent in debates on this legislation. Discussions have had a disproportionate focus on online behavioural advertising and the data processing associated with these practices, especially in user interaction with traditional websites. Some advocates have labelled the ad tech business ‘surveillance advertising’, with all the connotations that conjures up. Online advertisers have countered that the draft ePR (and GDPR) would jeopardise the future of news media by depriving them of badly needed advertising revenues. The robust ongoing public debate about the future of news in the online environment suggests that news organisations should probably not rely on click-driven online advertising revenues as a sustainable business model. The discussion about future funding models for news organisations is a crucial one, but refighting the cookie-banner wars along these lines will not contribute to meeting the objectives of the ePR.
As we said in our initial analysis, there is wide consensus that online tracking in the ad tech ecosystem is woefully opaque, almost impossible to understand, and can undermine trust in online services and applications. There is a clear need for better transparency, accountability, and user control in this ecosystem. But it is doubtful whether the ePR’s focus on consent requests can enhance public understanding of ad tech, and it may even permit advertisers and marketers to further obfuscate their practices. More problematic, the draft regulation attempts to mandate how types of software should behave when browsers and mobile operating systems already are leading the way in offering easy-to-use privacy features and settings.
The advertising-centric debate was central in the European Parliament’s deliberations, concluded in October 2017. The Parliament further strengthened the role of consent. It also expanded the categories of data covered by the ePR by specifying that it covers communications data, whether ‘in transit’ or ‘at rest’. On the other hand, Parliament did strengthen the protection against access to communications data by public authorities, and introduced a welcome article that protects encrypted communications from attempts to weaken encryption or force providers to include backdoors in their services and products.
Member States are making progress in their discussions, but are still far from achieving consensus. For instance, the most recent discussion draft from the Bulgarian presidency of the Council of the European Union continues to grapple with the interaction between the GDPR and ePR; what role, if any, legitimate interest should play in processing of electronic communications metadata; and the role of tracking technologies on users’ terminal equipment.
Member States have difficult discussions ahead. CDT believes solutions must be found in the following areas:
- The final Regulation should ensure alignment of definitions and categories of services with ongoing work on the European Electronic Communications Code (EECC). The definitions should take account of the very different types of services the ePR covers, their technical characteristics, and the different privacy expectations users have, for example, with regard to web-based messaging services and traditional telecommunications.
- As a general matter, the ePR should align the legal bases for processing data under the ePR more closely with those of the GDPR. They should be flexible enough that they enable service providers and regulators to develop best practices, codes of conduct, and regulatory guidance for ways to enable informed consent in the different scenarios covered by the ePR (including desktop browsing and mobile apps, but also wider applications in the Internet of Things including connected cars, digital personal assistants, and smart infrastructure). The key animating issue in ePR discussions is tracking. Tracking is rightly considered a serious privacy concern. Tracking can take place both online and offline, with techniques that involve and do not involve electronic communications (such as surveillance cameras with facial recognition software). Tracking practices and their potential privacy harms and risks should be evaluated by regulators under a consistent and technology-neutral regulatory regime. Personal data should be subject to robust protection, whether processed in connection with electronic communications or not.
- It has been argued that deference to GDPR consent provisions could weaken privacy protections. However, the Article 29 Working Party’s recent draft guidelines on consent do not substantiate this view. The document from the Article 29 Working Party suggests that regulators are likely to interpret the GDPR’s consent provisions strictly, including in the areas that would be covered by the ePR. It is not clear that the detailed and prescriptive language on browser and software settings in the ePR contributes to enabling users’ transparency and control of data collection and use. As discussed, consent is a fundamental concept in the GDPR as in any data protection and privacy legislation, but it has limitations as a privacy-protective measure. Excessive reliance on consent could, as we have argued, lead to less privacy-protective outcomes for users.
- The legal bases should enable providers to provide effective and reliable technical protection against intrusion. This is a fundamental element in protecting the confidentiality of communications. It is unlikely that relying on users to provide granular consent declarations for deploying time-sensitive software updates and processing of data for managing security threats will be effective. Instead, it will likely cause unnecessary inconvenience for users and lead to less secure communications services. This is an especially important concern considering longstanding and systemic cybersecurity challenges in connected devices and technologies.
- In order to protect the confidentiality of communications, the ePR should have strong affirmative guarantees of the freedom of providers and users to use the strongest available security measures, including end-to-end encryption. The Parliament’s text on this issue is real progress, but will no doubt meet opposition from Member States.
- The Regulation should ensure that strong safeguards are set for access to data by public authorities. We consider that the Commission’s draft of the ePR potentially enables overly broad access to information. The European Parliament report provides welcome clarification of the purposes for which public authorities can seek access.