Tech lobbyists have started their attacks against the European Union’s other new privacy regulation, called ePrivacy. Unlike GDPR, which mainly covers how your data is protected by its handlers, the ePrivacy Regulation focuses primarily on the privacy of your online communications.
An Upgrade To The ePrivacy Directive
The ePrivacy Regulation is the successor to the ePrivacy Directive. In the EU, a “directive” is a piece of legislation that requires common rules for all the member states, but which each member state can implement in its own way. A “regulation” is a piece of legislation that applies equally to all the member states.
The ePrivacy Directive, also called the “Cookie Law,” was made (in)famous by the fact that it required websites operating in the EU to prompt users with a cookie agreement. This ended up educating users to just click agree (most websites didn’t implement any other option, anyway), so it has largely been considered pointless.
The new ePrivacy Regulation was supposed to pass this month, but got held up by negotiations at the European Council (a group of the EU member states' prime ministers and presidents).
Privacy By Design
Besides mandating a single set of rules for all the EU member states, one of the main changes in the ePrivacy Regulation compared to the ePrivacy Directive is that digital telecommunications providers (Gmail, WhatsApp, Skype, etc.) will fall under the same privacy regulations as other types of companies handling communications (post office, internet service providers, etc.).
For instance, metadata will need to be anonymized, unless consent is given by the user or the data is necessary for billing. Providers of electronic communications will also need to secure the users’ communications using the best available techniques.
It’s not clear whether or not this essentially calls for all messengers to implement end-to-end encryption, but we do know that some EU Parliamentary committees have suggested that this would be the way to go. This could also mean that WhatsApp may keep its end-to-end encryption, even after both of its founders left Facebook.
The ePrivacy Regulation will also control how companies can send marketing messages. For example, those companies that send direct marketing calls will have to use a phone number prefix that reveals them to be calling for marketing purposes.
Lobbyists Attack ePrivacy Regulation
According to a New York Times report, companies have already started to heavily lobby EU officials and show them “doomsday financial forecasts,” as well as creating worst-case scenario videos with the drawbacks of the ePrivacy Regulation.
A lobbying database created by Transparency International EU, a nonprofit research group in Brussels, shows that Cisco, Facebook, Google, IBM, Microsoft, SAP, the American Chamber of Commerce, DigitalEurope, and the Interactive Advertising Bureau Europe, a digital advertising industry group, have all lobbied European Commission (EC) officials about ePrivacy.
Birgit Sippel, a Member of the European Parliament (MEP), hit back against the lobbyists, saying the following, referring to the Cambridge Analytica privacy scandal:
With one click you can manipulate hundreds of thousands or millions of people, whether you know their names or not. That is why protecting privacy is becoming more important, especially in the digital environment.
Sippel is arguing against the “surveillance capitalism” that has brought riches to many companies, but we’re now just starting to see that it can also threaten not just user privacy and data protection, but also the stability of democracies.
Industry associations such as the Computer and Communications Industry Association, which represents Amazon, Google, Netflix and others, seem to have been successful in convincing the EU Council to stall the legislation. The group's representatives recently visited Bulgaria, the country that will get to run the European Council for the next six months. The draft law can only be put up for a vote in the European Parliament after the Council has reached consensus.
Sippel also commented on the stalling of the ePrivacy Regulation in Bulgaria:
In my view, we have some weak governments on the Council that are not willing to get into trouble with industry. So, for the time being, they haven’t found a common position.
Now that technology companies have seen that the EU is quite serious about its privacy laws, they suddenly seem much more interested in talking to officials about them through their lobbying efforts. It now remains to be seen what the results of those talks will be when the European Council finally reaches consensus on the issue, which could be many months from now.
You've had a quarter of a century to prove that you're able to self-regulate and it's literally all going to hell. This is just the beginning to get Internet services on regulation par with all other media.
I'm thinking GDPR is not necessarily for the good of EU citizens, only. It might also be a way to limit US/China invigilation and abuse of data gathered on EU citizens.
If the data is collected, it will leak.
You know that's not true. Your bank is regulated by rules. The way your car is built is regulated by rules. The way you use that car is regulated by rules. A functional society is built on rules. Common rules and civil rules. Without them, you'd be going to the Thunderdome every Friday evening for the weekly entertainment and "legislation".
Funny you should mention "bank"
I have a letter I got just yesterday from my bank, whom I've been a customer with for over 20 years...
"FooBank cares deeply about the privacy and security of the information you share with us. We have become aware of potential theft by a former employee of information of some of our clients. Although blah blah blah de blah..."
Yes, that former employee will probably, maybe go to jail.
My data is still out there. For the umpteenth time.
Rules can't prevent, only punish after the fact.
Over the last few years, we've all heard about the UK "Data Protection Act"
"The Data Protection Act controls how your personal information is used by organisations, businesses or the government. Everyone responsible for using data has to follow strict rules called 'data protection principles'. They must make sure the information is: used fairly and lawfully."
I've had more than a few Brits state categorically that their data is safe, because of that.
I'm even related to some...:)
It's great, in theory.
Until some schmoe contractor leaves his laptop on the train.
That is the eternal struggle. To find the balance where law functions the best while still letting people live a normal life. Which is why I mentioned common and private law. Those are the foundations of a modern society. We see problems with current law and adapt them as we hopefully get smarter. This does not mean law cures crime. That's not the intention of law or regulation, even the choice of word, regulation, implies that.
That's why the companies don't like EPR. Many companies have their business model based on doing exactly what EPR will forbid them from doing.
I'm a strong proponent of personal integrity, but even I think EPR in some ways goes too far.
I'm all for: a) Full disclosure of what data is being collected, and an easy way for the data providers to get a copy of all data collected about them.
b) (applicable mostly to the "free" services living on collected data) An option for users to decline providing data, but still use the service by paying money instead. (As done by for example Spotify.)