On Tuesday, Access Now testified in a hearing before the LIBE Committee in the European Parliament on the proposal for an e-Privacy Regulation that was presented by the EU Commission on 10 January 2017.
This e-Privacy proposal aims to set the rules for the respect for private life and the confidentiality of electronic communications in the EU. Our testimony, published in full below, clarifies that to protect Europeans’ fundamental rights, the rules should not only uphold the level of protection afforded by the General Data Protection Regulation (GDPR), but should exceed it.
Further, there is a “playing field” that must be levelled in the e-Privacy context, but it is not the one between telcos and Over-the-Top (OTT) service providers. Users do not have sufficient access to information and control of their personal information. There is very little transparency. Telcos and OTT providers are in the dominant position, and the field must be levelled to address this information asymmetry and put users back in control as promised.
Download the complete testimony (PDF).
The e-Privacy proposal: legal consistency with other legal instruments; level playing field
Thank you, Mr Chair. My name is Fanny Hidvegi, I am the European Policy Manager of Access Now, which is a nonprofit civil society organisation based in Brussels. Our mission is to defend and to extend the digital rights of users at risk around the world. We are part of the European Digital Rights network.
I’d like to thank you for the opportunity to speak about the proposed e-Privacy regulation. The title of this session of the hearing is legal consistency and level playing field. My main point about this topic is that in order to meet the requirements of the EU Charter of Fundamental Rights and achieve legal consistency with the General Data Protection Regulation we must indeed level the playing field. Level the playing field for users in the form of racing to the top, not to the bottom.
Access Now welcomes the Commission’s effort to conduct reform of the e-Privacy rules in the form of a regulation to complement and particularise the General Data Protection Regulation. The guiding principle for the process is very clear. The rules of the e-Privacy Regulation should not only uphold the level of protection afforded by the GDPR but should exceed it to protect the fundamental right to privacy, as also stressed by the Article 29 Working Party. As the proposal currently stands, however, it does not fully deliver on either of these promises.
I was curious to hear which arguments the representatives of different industry members would decide to use today. Usually there are two contradicting ones, which speak to the same point: the repeal or watering down of e-Privacy rules. They either claim that the GDPR is the solution for every data processing question and is perfect as it is — despite all their previous efforts to undermine it, I must say — or that the GDPR is already creating a huge burden, and they couldn’t cope with additional rules.
I disagree with both arguments. First, as much as I applaud the EU’s effort to conclude the GDPR, the regulation is not ensuring the confidentiality of communications and it does not offer enough protections against online tracking. Therefore, we need the e-Privacy reform. Second, I refuse the characterisation of the GDPR as a regulatory burden. To respect the fundamental rights of privacy and data protection is not a favor, it is a legal obligation. Processing and monetising personal data should come at a price. The primary public interest is the legal and technical protection of people and not cementing semi- or fully unlawful business practices.
In order to achieve legal consistency with the GDPR, the proposal must ensure the following:
- First, privacy by design and by default: the future Regulation must include a binding and technologically neutral requirement for both hardware and software providers.
- Second, equally high level of protection for content and metadata: improve the clarity and scope of protection for metadata, which is recognised to reveal sensitive information, and avoid different standards for protection, including for the terminal equipment and location tracking.
- Third, the scope of protection is based on a conceptual framework of communications which is outdated, and information should be protected both in transit and when stored.
- Fourth, the strict interpretation of any exception to (1) the prohibition of processing and (2) requirement of consent, without reopening the discussion of the GDPR. Given the sensitivity of the information protected under the e-Privacy Regulation, legitimate interest cannot and must not be used as a basis for processing.
- Finally, the e-Privacy regulation must prescribe that member states ensure collective redress mechanisms and the possibility of NGO representation, without the possibility of derogating from this rule.
Reaching consistency with the GDPR, if it meets the above detailed requirements, will lead to a level playing field. The expression “level playing field” is so overused, however, that it is very difficult to attribute any meaning to it. In e-Privacy jargon, the traditional meaning is to level the field between telecoms and Over-the-Top service providers. To change that discourse, I’d like to offer a new approach to what we should mean by “levelling the playing field” in this context. The playing field must be levelled to protect users because the field is uneven: telcos and online service providers are both in a dominant position compared to the users due to the lack of information and transparency. A level playing field for users would address this information asymmetry.
Access Now supports that the scope of the Regulation should be extended to any communications services regardless of the infrastructure they’re running on. Users do care about their privacy, but they do not care about the definitions Brussels uses for messaging and for describing devices, apps, and software. As the agenda of this hearing says, the proposal expands its scope to cover the new forms of electronic communications and ensure the same level of protection of individuals regardless of the communication service used. The effort to fulfill that proposal is not yet fully delivered.
The definitions for the e-Privacy rules should not be dependent on a separate legal instrument, namely the European Electronic Communications Code. To keep to the definitions in the code could be harmful for two reasons. First, the pace of its adoption should not impact e-Privacy reform. Second, relying on the code reduces legal certainty and clarity for all stakeholders.
Beyond the question of which legal instrument should include rules relevant to e-Privacy reform, the definitions must be clearer and more inclusive. There is no valid reason for the current proposal to exclude some of the most popular and average forms of communications. There is a lesson to be learned in how broadband privacy rules were recently revoked in the US. Europe should listen more to user demand, namely to the 92% of citizens that demanded confidentiality of their communications through the December 2016 EU Barometer. The EU must champion the e-Privacy rules to provide high protections for online activities.
The proposed e-Privacy Regulation must therefore increase the level of protection for the confidentiality of communications and defend against tracking in order to reach a higher level of protection than the GDPR. That would create a level playing field for all actors, but most importantly for the users who were promised to be put back in control of their data. The European Union has taken the first steps to create the Digital Single Market which can only be successful if the trust of European citizens is regained.