Protecting the privacy of electronic communications: getting the next steps right

Video and audio recording

Note that due to technical difficulty the sound of the video and audio recordings only begins at 6:10.

summary

The European Union enacted the far-reaching General Data Protection Regulation (GDPR) back in 2016; however, privacy of electronic communications continues to be governed by the e-Privacy Directive, a 2002 instrument that is widely felt to have failed to keep up with technological and regulatory evolution.

In its Digital Single Market (DSM) Strategy of May 2015, the European Commission promised to “review the e-Privacy Directive with a focus on ensuring a high level of protection for data subjects and a level playing field for all market players”. The Commission unveiled a new proposal for an e-Privacy Regulation to this end on January 10 2017.

Alexander Whalen presented some of the concerns of Digital Europe members about the proposal. In particular, he highlighted potential inconsistencies with the approach followed by the Commission itself in GDPR and the Telco review. He raised two issues in which more clarification is probably needed: whether communication is considered an ancillary service or not; to what extent the e-Privacy regulation will be applied to machine to machine communications and IoT connections (in which both end-users consent model may create several problems). He expressed some scepticism also about the timeline for compliance, given the overlapping with an already dense piece of legislation, such as GDPR.

For these reasons, he advocated in favour of a targeted revision in the forthcoming legislative process to address these issues.

 Nicholas Blades brought the view of Telefónica, a telecom operators already subject to e-Privacy Directive and GDPR and among those calling for a review of legislation to level the playing field with OTT. In an industry increasingly driven by data, Telefonica chose to independently set a high bar in terms of privacy and consent as part of its competitive positioning. In a context in which companies have started processing even metadata of customer communication, changes in regulation often risks to be not very customer-friendly (e.g. cookies legislation). Wondering whether we are learning from past regulatory failures, he pointed out two issues that should be addressed in the adoption of this new piece of legislation: the misalignment in the concept of consent between the proposal and GDPR, the general lack of trust into data controller in case of data security issues (also in case of legitimate interest for customers).

Jeremy Rollison presented the view of Microsoft, whose services will fall under the scope of the new legislation. He shared previous concerns about possible misinterpretations in the proposed text. However, he is confident that some of these issues will be addressed in the course of the legislative process. He presented an emblematic case of the interpretative problems of the provision on both end-users consents: an automatic spam filter would theoretically require the consent of the spammer in case of access to the content of an email. He noted that similar problems could negatively affect way the functionalities of many personal assistance software. Then Mr. Rollison argued that GDPR will affect services based on very different business models with very diversified impacts and consequent changes of business strategies. According to him, also e-Privacy will affect the ways in which companies will comply with GDPR and the uncertainties about its scope will make this regulatory transition even more complex.

Prof. Lynskey agreed with many concerns raised by the other panellists, in particular about the lack of clarity about the scope of the new legislative proposal, whether it relates to data in transit or data held at the terminal equipment. She contextualised the current debate between e-Privacy directive and GDPR in a more general (and dated) tension in EU data protection regulation between the “aspirational” individual-centric control of personal data (e.g. right to data portability) and the complex reality that personal data can relate to various individual at the same time. The opting model of cookies is a clear reflection of this. While it is common opinion that the opt-in model has not been successful, she highlighted that art. 10 of the Regulation may rectify this failure by recognising the role of web browser as data-protection enhancing mechanisms (once individuals have made a granular choice of type of cookies to be stored). However, this provision would be very technology-specific and not very helpful with data processing of machine-to-machine communications. Describing the enforcement mechanisms put in place with GDPR, she highlighted as a notable feature from a civil society perspective the right to collective actions. Relative to cross-country harmonization issues, she welcomed the Commission’s proposal to replace the current directive with a regulation, which means that there will less discretion for rules on privacy in online communications across the member states and companies would not have to comply with different national implementations. Moreover, the e-Privacy regulation would embrace the enforcement architecture of GDPR, most notably with the creation of the European data protection board the will be able to take binding decisions. Prof. Lynskey concluded the panel discussion with a series of considerations about the impact of Brexit on international data transfer between the EU and UK.

Questions from the audiences related to the cultural differences between continental and anglo-saxon member states regarding data privacy (and how Brexit will affect the balance among them) and the societal trade-offs we are facing in order to achieve the fundamental right to privacy.

Event notes by Filippo Biondi, Research Assistant.