EC's Proposed E-Privacy Revamp Gets Mixed Reviews From Lawmakers, Stakeholders
EU electronic communications privacy rules would be extended to over-the-top players, machine-to-machine and IoT communications under a controversial European Commission proposal. The proposed ePrivacy Regulation (ePR) to replace the current law (Directive 2002/58/EC) is needed because of increasing consumer and business reliance on newer internet-based communications services such as VoIP, instant messaging and web-based email, which aren't subject to current rules, the EC said. The draft raised concerns during a Wednesday debate in the European Parliament Civil Liberties, Justice and Home Affairs (LIBE) Committee. It got industry criticism.
The proposal complements the general data protection regulation (GDPR) with regard to electronic communications data that qualify as personal data, the EC said. It said the measure will: (1) cover traditional telcos and new players such as WhatsApp, Skype, Facebook Messenger and Gmail; (2) guarantee privacy for content and metadata arising from electronic communications; and (3) streamline rules for "cookies" to allow users to take more control of their settings and clarify that no consent is needed for cookies that aren't privacy-intrusive.
The proposed ePR "should not lower the level of protection" afforded by the GDPR, but it would, wrote Member of the European Parliament Marju Lauristin, of the Group of the Progressive Alliance of Socialists and Democrats and Estonia, in her LIBE response. She proposed broadening ePR coverage to use of e-communications services and information related to and processed by end-users' terminal equipment, and to software that permits users to communicate. Because technology has moved on since the e-privacy directive was adopted, e-communications remain stored with service providers even after receipt, so user data confidentiality also must be safeguarded when data is stored or processed by terminal equipment or other equipment such as cloud storage, or processed in the IoT or M2M environment, she said. Lauristin criticized the EC proposal for not paying enough attention to privacy-by-default and privacy-by-design principles.
Most LIBE members praised the report, while some disagreed about whether it goes far enough. Michal Boni, of the European People's Party (EPP) and Poland, said e-privacy rules need updating, but the free flow of data and the need for innovation also must be considered. Lawmakers worried it's unclear how the proposed regulation meshes with the GDPR. Daniel Dalton, of the European Conservatives and Reformist Group and the U.K., said changes should wait until policymakers assess how the GDPR is working. He said browsers shouldn't have to demand consent from users every six months, because that will lead to "consent fatigue" and cause the internet to break as companies move away from free advertisements. The EC started with noble objectives such as building a digital single market and kick-starting Europe's economy but threw them out because of concerns about jeopardizing human rights, said Axel Voss, of the EPP and Germany. Lauristin's report goes far beyond what's needed to protect users' privacy, he said. LIBE votes in October.
"The draft legislation is controversial," with industry claiming the GDPR is sufficient to cover the majority of the issues and doesn't need to be enhanced through a second regulation, and parliamentary committees arguing the measure doesn't contain sufficiently strong consumer protections, emailed Ann LaFrance, Squire Patton (London) data privacy and cybersecurity lawyer. Akin to the GDPR, the ePR "will have extraterritorial reach," so companies with no operations in the EU will be caught by it if they provide communications services to end-users in the EU, use communications services there or process information related to the terminal equipment of European end-users, she said. Violations risk penalties of 10 million euros (around $11 million) or 2 percent of total revenue, whichever is higher, LaFrance said.
Telcos and mobile operators are concerned the telecom sector would suffer "in the context of an overly restricting approach." Industry supports continued protection of the confidentiality of communications, but Lauristin's draft would prevent e-communications services providers from using metadata to benefit consumers to the same extent that other technology or service providers can under the GDPR, said the GSM Association and European Telecommunications Network Operators' Association. Lack of alignment between the ePR and GDPR will cause lack of consistency in EU data and privacy protection laws, they said.
The American Chamber of Commerce to the European Union noted some of the same concerns about the EC ePR proposal in a May 18 paper, saying it could "severely limit the potential of a data-driven digital economy." AmCham recommended the regulation not include M2M services. Processing of electronic communication data should be allowed under the same conditions as personal data under the GDPR, and shouldn't redefine basic concepts of consent already included in the GDPR, it said. "The rules on terminal equipment, consent and privacy settings are in direct conflict with the GDPR."
As a cross-sectoral body representing all big U.S. companies, AmCham looks to reconcile members' positions and different approaches on either side of the Atlantic, said Tanguy Van Overstraeten, Linklaters privacy and data protection lawyer, in an interview. It also tries to achieve results that will benefit consumers, he said. Many stakeholders have serious concerns about the ePR, but if it became more business-friendly, it could become a global standard, he added.