Tech lobbyists have started their attacks against the European Union’s other new privacy regulation, called ePrivacy. Unlike GDPR, which mainly covers how your data is protected by its handlers, the ePrivacy Regulation focuses primarily on the privacy of your online communications.
An Upgrade To The ePrivacy Directive
The ePrivacy Regulation is the successor to the ePrivacy Directive. In the EU, a “directive” is called a piece of legislation that requires common rules for all the member states, but which each member state can implement the directive in their own way. A “regulation” is a piece of legislation that applies equally to all the member states.
The ePrivacy Directive, also called the “Cookie Law,” was made (in)famous by the fact that it required websites operating in the EU to prompt users with a cookie agreement. This ended up educating users to just click agree (most websites didn’t implement any other option, anyway), so it has largely been considered pointless.
The GDPR improves on this somewhat by only requiring websites to prompt users with a cookie agreement if they use cookies that are not strictly necessary for the website's function (advertising cookies, etc).
The new ePrivacy Regulation was supposed to pass this month, but got held up by negotiations at the European Council (a group of EU member states prime-ministers and presidents).
Privacy By Design
Besides mandating a unique set of rules for all the EU member states, one of the main changes in the ePrivacy Regulation compared to the ePrivacy Directive is that digital telecommunications providers (Gmail, WhatsApp, Skype, etc) will fall under the same privacy regulations as other types of companies handling communications (post office, internet service providers, etc).
For instance, metadata will need to be anonymized, unless consent is given by the user or the data is necessary for billing. Providers of electronic communications will also need to secure the users’ communications to the best available technique.
It’s not clear whether or not this essentially calls for all messengers to implement end-to-end encryption, but we do know that some EU Parliamentary committee’s have suggested that this would be the path to go. This could also mean that WhatsApp may keep its end-to-end encryption, even after both of its founders left Facebook.
The ePrivacy Regulation will also control how companies can send marketing messages. For example, those companies that send direct marketing calls will have to use a phone number prefix that reveals them to be calling for marketing purposes.
Lobbyists Attack ePrivacy Regulation
According to a New York Times report, companies have already started to heavily lobby EU officials and show them “doomsday financial forecasts,” as well as creating worst-case scenario videos with the drawbacks of the ePrivacy Regulation.
A lobbying database created by a nonprofit research group in Brussels, called the Transparency International EU, shows that Cisco, Facebook, Google, IBM, Microsoft, SAP, the American Chamber of Commerce, DigitalEurope, and the Interactive Advertising Bureau Europe, a digital advertising industry group, have all lobbied European Commission (EC) officials about ePrivacy.
Birgit Sippel, a Member of the European Parliament (MEP), hit back against the lobbyists, saying the following, referring to the Cambridge Analytica privacy scandal:
With one click you can manipulate hundreds of thousands or millions of people, whether you know their names or not. That is why protecting privacy is becoming more important, especially in the digital environment.
Sippel is arguing against the “surveillance capitalism” that has brought riches to many companies, but we’re now just starting to see that it can also threaten not just user privacy and data protection, but also the stability of democracies.
Industry associations such as the Computer and Communications Industry Association, which represents Amazon, Google, Netflix and others, seem to have been successful in convincing the EU Council to stall the legislation. The group's representatives recently visiting Bulgaria recently, the country that will get to run the European Council for the next six month. The draft law can only be put up for a vote in the European Parliament after the Council has reached consensus.
Sippel also commented on the stalling of the ePrivacy Regulation in Bulgaria:
In my view, we have some weak governments on the Council that are not willing to get into trouble with industry. So, for the time being, they haven’t found a common position.
Now that technology companies have seen that the EU is quite serious about its privacy laws, they suddenly seem much more interested in talking to officials about them through their lobbying efforts. It now remains to be seen what the results of those talks will be when the European Council finally reaches consensus on the issue, which could be many months from now.
