Privacy is a fundamental right and people clearly care about it, as the EU barometer survey results demonstrate. A full 92% of the respondents say that it is either important or very important that the confidentiality of their e-mails and instant messaging is guaranteed. The good news is that the European Commission is initiating reform of the e-Privacy Directive, the only piece of EU legislation that protects the rights to online privacy and confidentiality of communications. Reforming the law, which was passed in 2002, would protect the integrity of your communications whether you make a phone call, send an email, or exchange instant messages using WhatsApp. It would also protect you when you send data between two connected devices, like when your Fitbit sends data to your smartphone.
When the first leaked draft of the ePrivacy reform was published in December, the EU Commission seemed to be heading in the right direction. This draft proposed rules enhancing mandatory protections to safeguard user rights. Unfortunately, it turns out that Brussels is where lobbying dreams often come true. After all the different departments within the EU Commission — from Home Affairs to Research — reviewed and modified the proposal, a final version was published on January 10th. It significantly weakens privacy protections for users, to the benefit of private industry.
Privacy as an option
First on the list of watered-down provisions is Article 10, where legislators have revised the requirements for privacy by design and by default. The Commission initially drafted rules that would have required companies to consider privacy and data protection from the beginning of the software or hardware development process, to guarantee that users would by default get a product or service configured with the strictest-possible privacy settings.
In a complete U-turn from this privacy-friendly approach, legislators are now proposing, per the rules published on January 10th, that requirements apply only to software development, and that companies are merely invited to offer different privacy settings. This is not only extremely disappointing but will also harm users and the digital economy, as it fails to address the current market failure which has resulted in the security and integrity of our products and communications being compromised.
Less protection for metadata
Between the December leak and the January 10th proposal, the rules for protecting metadata have been significantly weakened. First, legislators have cut down the list of what information constitutes metadata. It no longer refers to data that identifies your devices (like your phone, tablet, Wi-Fi router, smart devices, etc.), nor where they are located (see the difference between former recital 17 and final recital 14). Furthermore, the conditions for using both communications content and metadata are broad, and they do not adequately empower users to understand what personal information could be accessed or used, how it might be used, or for what reasons.
Fewer avenues for remedy
The December leak included an extensive article on access to remedy, which is a crucial pillar for guaranteeing users’ rights and preventing industry abuse. Now there are only two small provisions on remedy, and it’s no longer possible for consumer organisations and NGOs to represent a user or a group of users in court or before an authority tasked with enforcing the e-Privacy rules (see the changes between former article 23 and final article 21).
Next steps: Keep fighting for ePrivacy that protects users
Private industry has a disproportionate presence and power in crafting legislation, a constant challenge for civil society’s work in Europe, and in Brussels in particular. This rough start for the e-Privacy reform process is a reminder — if anyone needed one — that there is intense industry lobbying to water down or even repeal the ePrivacy law altogether. It is crucial to ensure that the next stages of the negotiations are conducted in an open and transparent manner, to allow for adequate input from outside of industry.
Access Now is a long-time advocate for an update and upgrade of the e-Privacy Directive to better protect users’ rights, so we are disappointed by the content of the proposal released on January 10th. We nevertheless continue to support the Commission’s decision to reform the directive and turn it into a regulation, to ensure harmonisation in the law and guarantee that users across the EU enjoy the same level of protection for privacy. We will continue working with legislators to modify the proposal to ensure that it safeguards your fundamental rights and protects the integrity and security of your communications.
For more information, see our position paper on the e-Privacy reform here.