ePrivacy: Commission's weak proposal forecasts harsh debates

Paris, 11 January 2017 — On Tuesday 10 January, the European Commission put forward a series of new texts on personal data protection in the EU. It includes the upcoming ePrivacy Regulation which will frame the confidendiality and security of our electronic communications, as well as the famous internet cookies, among other things. Before the legislative process had even started, lobbies from the digital industry and telecom operators collaborated closely to water down as much as possible the reform that was supposed to not only provide better security and confidentiality to electronic communications, but also to give users control of their data back. Nonetheless, civil society has not had its last word just yet. In the coming months, we are set to engage in a harsh legislative battle to make the ePrivacy a really ambitious Regulation that protects our rights and freedoms.

When the first version of ePrivacy regulation was leaked in last December1, few of us welcomed the relatively courageous direction taken by the European Commission. When telecoms and the digital industry were simply requesting the removal of the text, the Commission took, as we recommended it, the opportunity of this revision to make of ePrivacy a modern and protective text, finally in phase with EU citizens' expectations on privacy. Those expectations were revealed one by one through a consultation of the stakeholders on ePrivacy in Spring 2016 and a Eurobarometer (EU wide survey) which results were published not long ago, in December. 2

In the old version, there were still some of the recommendations made by La Quadrature and other civil liberties organisations during the last months:

  • Reaffirmation of the confidentiality principle as key to electronic communications, meaning that the content and data used to transmit our communication through email, texts or chats should not be listened to, tapped, stored, or monitored (article 5)3;
  • Regulation of new tracking methods, such as collecting the data that is automatically issued by our computers or cellphones when connecting to other devices or networks, e.g. device fingerprints (article 8.2)4 ;
  • The end-user has to give consent to the use of metadata (i.e. traffic data and location data) for purposes other than the provision of specific services (article 6.2)5;
  • Reaffirmation of the importance of encryption tools for the protection of security and confidentiality of communications. La Quadrature du Net considers that the ePrivacy Regulation is a perfect opportunity to put forward encryption tools and technologies as key to ensuring the Regulation's stated objective: confidentiality. Although the actual Commission proposal was modest, it deserves credit for being there at all (recital 37)6

This document was leaked in November and has in all likelihood provoked the anger of telecom operator and actors of the digital industry who have intensified their lobbying campaigns until the very end of December, in other words, during the last days of the redaction of the proposal by the European Commission. The latter did end up yielding on a central point and deleted from its draft the default configuration of our tools preventing third parties to store or to access data stored in our devices7. This measure, as La Quadrature was advocating for months, would mean that in practice, third-party cookies that are tracking us to sell our data to advertising companies would be deactivated by default on our devices (article 10). In the current version, it is not the case anymore, so only informed users may opt-out.

But other unfortunate surprises appeared in the regulation proposal, including some very negative points that were kept, and will be the subject of our forecoming battles:

  • the provisions on collective legal action were deleted. Collective legal action (the equivalent of US class actions) allows an individual to mandate an association or a non-profit organisation so it can file a complaint on his or her behalf (article 21);
  • localisation data generated outside the context of electronic communications are not, in the version of the proposal of the Commission, considered as metadata and thus can be used without the user's consent (recital 17);
  • the Commission didn't dare to go further and facing pressure from the adverstising industry, maintained the possibility for a website to refuse the access to a service or to the website if the user doesn't give its consent to be tracked. La Quadrature will keep reaching in the coming months to MEPs and Member States so users are not forced to accept to be tracked to access services, and more generally for the development of other economic models that don't force users to sell off their personal data.

These few points are merely the biggest loopholes that we found after a first reading, but we will complete this list if necessary following a deeper analysis of the text. This regulation proposal does have some interesting elements but it doesn't challenge the economic model of the digital industry based on the exploitation of personal data. So, last minute concessions given to advertisers and telecoms are already too big considering there are still months left of negotiations where lobbies of the industry will have all the time to undermine the text. At this time, the proposal doesn't address the concern of EU citizens on the protection of their electronic communications.

Nonetheless, civil society - including La Quadrature du Net - is not ready to give up, and will continue to reach to the EU institutions and the general public in order to make ePrivacy an ambitious text, that properly addresses security and privacy challenges raised by the development of electronic communications.

This Regulation proposal will be discussed and amended in the coming months at the European Parliament and by member states at the EU Council. To be continued...

  • 1. See the leaked version of December 2016: https://www.laquadrature.net/files/Leak-projet-r%C3%A8glement-ePrivacy%28d%C3%A9cembre%29.pdf
  • 2. "More than nine in ten respondents say it is important that personal information (such as their pictures, contact lists, etc.) on their computer, smartphone or tablet can only be accessed with their permission, and that it is important that the confidentiality of their e-mails and online instant messaging is guaranteed (both 92%). In fact, more than seven in ten think both of these aspects are very important. More than eight in ten (82%) also say it is important that tools for monitoring their activities online (such as cookies) can only be used with their permission (82%), with 56% of the opinion this is very important." See the results of the Eurobarometer: https://www.laquadrature.net/files/eurobarometer-privacy-2016-EN.pdf
  • 3. Article 5: "Electronic communications data shall be confidential. Any interference with electronic communications data, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing of electronic communications data, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation"
  • 4. Article 8.2 : "The collection of information emitted by terminal equipment to enable it to connect to another device and, or to network equipment shall be prohibited, except if: (a) it is done exclusively in order to, for the time necessary for, and for the purpose of establishing a connection; or (b) a clear and prominent notice is displayed informing of, at least, the modalities of the collection, its purpose, the person responsible for it and the other information required under Article 13 of Regulation (EU) 2016/679 where personal data are collected, as well as any measure the end-user of the terminal equipment can take to stop or minimise the collection"
  • 5. Article 6.2 : "Providers of electronic communications services may process electronic communications metadata if: [...] (c) the end-user concerned has given his or her consent to the processing of his or her communications metadata for one or more specified purposes, including for the provision of specific services to such end-users, provided that the purpose or purposes concerned could not be fulfilled by processing information that is made anonymous"
  • 6. Recital 37 : "Service providers who offer electronic communications services should inform end-users of measures they can take to protect the security of their communications for instance by using specific types of software or encryption technologies [...]."
  • 7. See the final version of the proposal of the European Commission: https://www.laquadrature.net/files/Leak-projet-r%C3%A8glement-ePrivacy%28d%C3%A9cembre%29.pdf