The digital tracking landscape has expanded considerably in the years since the ePrivacy regulations were shaped, as companies’ use of marketing technologies has proliferated to collate and triangulate increasing amounts of user data — providing one clear impetus for regulators to revisit and update privacy rules to try to keep pace.
Indeed, the most recent addition to the ePrivacy Directive (pertaining to cookies) is still more than five years old, having been added back in 2009.
So-called over the top (OTT) messaging apps and VoIP applications — such as WhatsApp and Skype — are also not currently bound by the directive but telecoms companies would of course prefer they were, given the widespread adoption of OTT comms services. Albeit, telcos complaining about being overly regulated vs their Internet company counterparts is a perennial refrain.
The ePrivacy directive is a supplement to Europe’s incoming general data protection rules (GDPR), finally agreed by MEPs at the back end of last year — and just today voted through the LIBE committee. A final vote on the GDPR will take place this Thursday, with the regulation set to come into force in 2018. So another impetus to update the ePrivacy Directive is to harmonize it with the new GDPR.
European politicians decided to separate the two legislative pieces in order to reduce the complexity of overhauling the general directive. Now the latter has been achieved they’re turning their attention to the ePrivacy piece — with a plan to propose a new version of that by the end of this year.
“The Commission wants to reassess the scope of the Directive to ensure citizens the same level of protection online and offline,” the EU notes in a update on its plans, adding that the aim is to fashion rules that are “up to date with the challenges of the digital era”.
It says the public consultation is aimed at gathering views on “the effectiveness, relevance and coherence of current rules as well as the options for revising the text”.
As part of that discussion process it’s running a workshop today in Brussels with various stakeholders, including national data protection authorities and mobile operators. Issues slated for discussed at this event include:
- The overall functioning of the rules on confidentiality of communications, including the consent requirement to store information or accessing information stored in users’ equipment, including its application to cookies;
- The assessment of the performance of the other provisions on security, spam, calling line identification, directories of subscribers, etc.
And judging by related chatter on Twitter, some of those stakeholders — including consumer rights groups and the French data protection authority — are arguing for browsers to have do-not-track technology pre-installed and default switched on, in order to safeguard user data in an era of ever more sophisticated tracking tech. Rather than relying on pro-active and informed users to know to opt out of being tracked.
Another area the EU is concerned to address via an updated ePrivacy directive is what it dubs “inconsistent enforcement and fragmentation at national level”.
This is perhaps most obvious in how the rules have played out across the region vis-a-vis cookies, with Internet users in Europe encountering a variety of cookie consent banners when they visit websites and apps — which arguably do little to help the cause of user data protection, and rather more to irritate consumers with annoying pop-up messages. So the risks of badly thought through rules are amply clear.
However irritating consent messages pale into insignificance beside the massive risks posed to telco users’ privacy by the spread of tracking technologies and big data processing techniques in recent years.
A recent report by digital rights group, the Open Rights Group, looked at the practices of the UK’s four major carriers and the risks to user data. Its report argued that the UK telcos are, at best, doing the bare minimum to comply with current data protection law in this area — including asserting that customers are not being given enough clear information about how their data is being used; nor are they being given clear and easy ways to opt-out of their data being used; and that telcos are not always properly anonymizing traffic and location data which means they should in fact gain consent for use of that data.
The current law “may not be fit for purpose in giving customers control over the risks associated with Big Data”, the report added in one of its conclusions.
Meanwhile, over in the US, the FCC has just this month proposed new privacy rules for ISPs that would, if adopted, require broadband providers to gain explicit consent from users for using or sharing their data, with some narrow exceptions, such as for providing and marketing the specific service. The FCC is currently consulting on its plans to set new rules.
The EU’s public consultation on the ePrivacy Directive will run until July 5.