ePrivacy: An overview of Europe’s other big privacy rule change

Gather round. The EU has a plan for a big update to privacy laws that could have a major impact on current Internet business models.

Um, I thought Europe just got some new privacy rules?

They did. You’re thinking of the General Data Protection Regulation (GDPR), which updated the European Union’s 1995 Data Protection Directive — most notably by making the penalties for compliance violations much larger.

But there’s another piece of the puzzle — intended to ‘complete’ GDPR but which is still in train.

Or, well, sitting in the sidings being mobbed by lobbyists, as seems to currently be the case.

It’s called the ePrivacy Regulation.

ePrivacy Regulation, eh? So I guess that means there’s already an ePrivacy Directive then…

Indeed. Clever cookie. That’s the 2002 ePrivacy Directive to be precise, which was amended in 2009 (but is still just a directive).

Remind me what’s the difference between an EU Directive and a Regulation again… 

A regulation is a more powerful legislative instrument for EU lawmakers as it’s binding across all Member States and immediately comes into legal force on a set date, without needing to be transposed into national laws. In a word it’s self-executing.

Whereas, with a directive, Member States get a bit more flexibility because it’s up to them how they implement the substance of the thing. They could adapt an existing law or create a new one, for example.

With a regulation the deliberation happens among EU institutions and, once that discussion and negotiation process has concluded, the agreed text becomes law across the bloc — at the set time, and without necessarily requiring further steps from Member States.

So regulations are powerful.

So there’s more legal consistency with a regulation? 

In theory. Greater harmonization of data protection rules is certainly an impetus for updating the EU’s legal framework around privacy.

Although, in the case of GDPR, Member States did in fact need to update their national data protections laws to make certain choices allowed for in the framework, and identify competent national data enforcement agencies. So there’s still some variation.

Strengthening the rules around privacy and making enforcement more effective are other general aims for the ePrivacy Regulation.

Europe has had robust privacy rules for many years but enforcement has been lacking.

Another point of note: Where data protection law is concerned, national agencies need to be properly resourced to be able to enforce rules, or that could undermine the impact of regulation.

It’s up to Member States to do this, though GDPR essentially requires it (and the Commission is watching).

Europe’s data protection supervisor, Giovanni Buttarelli, sums up the current resourcing situation for national data protection agencies, as: “Not bad, not enough. But much better than before.”

But why does Europe need another digital privacy law. Why isn’t GDPR enough? 

There is some debate about that, and not everyone agrees with the current approach. But the general idea is that GDPR deals with general (personal) data.

Whereas the proposed update to ePrivacy rules is intended to supplement GDPR — addressing in detail the confidentiality of electronic communications, and the tracking of Internet users more broadly.

So the (draft) ePrivacy Regulation covers marketing, and a whole raft of tracking technologies (including but not just cookies); and is intended to combat problems like spam, as well as respond to rampant profiling and behavioral advertising by requiring transparency and affirmative consent.

One major impulse behind the reform of the rules is to expand the scope to not just cover telcos but reflect how many communications now travel ‘over the top’ of cellular networks, via Internet services.

This means ePrivacy could apply to all sorts of tech firms in future, be it Skype, Facebook, Google, and quite possibly plenty more — given how many apps and services include some ability for users to communicate with each other.

But scope remains one of the contested areas, with critics arguing the regulation could have a disproportionate impact, if — for example — every app with a chat function is going to be ruled.

On the communications front, the updated rules would not just cover message content but metadata too (to respond to how that gets tracked). Aka pieces of data that might not be personal data per se yet certainly pertain to privacy once they are wrapped up in and/or associated with people’s communications.

Although metadata tracking is also used for analytics, for wider business purposes than just profiling users, so you can see the challenge of trying to fashion rules to fit around all this granular background activity.

Simplifying problematic existing EU cookie consent rules — which have also been widely mocked for generating pretty pointless web page clutter — has also been a core part of the Commission’s intention for the update.

EU lawmakers also want the regulation to cover machine to machine comms — to regulate privacy around the still emergent IoT (Internet of Things), to keep pace with the rise of smart home technologies.

Those are some of the high level aims but there have been multiple proposed texts and revisions at this point so goalposts have been shifting around.

So whereabouts in the process are we?

The Commission’s original reform proposal came out in January 2017. More than a year and a half later EU institutions are still stuck trying to reach a consensus. It’s not even 100% certain whether ePrivacy will pass or founder in the attempt at this point.

The underlying problem is really the scope of exploitation of consumers’ online activity going on in the areas ePrivacy seeks to regulate — which is now firmly baked into dominant digital business models — so trying to rule over all that after the fact of mainstream operational execution is a recipe for co-ordinated industry objection and frenzied lobbying. Of which there has been an awful lot.

At the same time, consumer protection groups in Europe are more clear than ever that ePrivacy should be a vehicle for further strengthening the data protection framework put in place by GDPR — pointing out, for example, that data misuse scandals like the Facebook-Cambridge Analytica debacle show that data-driven business models need closer checks to protect consumers and ensure people’s rights are respected.

Safe to say, the two sides couldn’t be further apart.

Like GDPR, the proposed ePrivacy Regulation would also apply to companies offering services in Europe not only those based in Europe. And it also includes major penalties for violations (of up to 2% or 4% of a company’s global annual turnover) — similarly intended to bolster enforcement and support more consistently applied EU privacy rules.

But given the complexity of the proposals, and disagreements over scope and approach, having big fines baked in further complicates the negotiations — because lobbyists can argue that substantial financial penalties should not be attached to ‘ambiguous’ laws and disputed regulatory mechanisms.

The high cost of getting the update wrong is not so much concentrating minds as causing alarms to be yanked and brakes applied. With the risk of no progress at all looking like an increasing possibility.

One thing is clear: The existing ePrivacy rules are outdated and it’s not helpful to have old rules undermining a state-of-the-art data protection framework.

Telcos have also rightly complained it’s not fair for tech giants to be able to operate messaging empires without the same compliance burdens they have.

Just don’t assume telcos love the proposed update either. It’s complicated.

Sounds very messy. 

Indeed.

EU lawmakers could probably have dealt with updating both privacy-related directives together, or even in one ‘super regulation’, but they decided to separate the work to try to simplify the process. In retrospect that looks like a mistake.

On the plus side, it means GDPR is now locked in place — with Buttarelli saying the new framework is intended to stand for as long as its predecessor.

Less good: One shiny worldclass data protection framework is having to work alongside a set of rules long past their sell-by-date.

So, so much for consistency.

Buttarelli tells us he thinks it was a mistake not to do both updates together, describing the blocks being thrown up to try to derail ePrivacy reform as “unacceptable”.

“I would like to say very clearly that the EU made a mistake in not updating earlier the rules for confidentiality for electronic communications at the same time as general data protection,” he told us during an interview this week, about GDPR enforcement, datas ethics and the future of EU privacy regulation.

He argues the patchwork of new and old rules “doesn’t work for data controllers” either, as they’re the ones saddled with dealing with the legal inconsistency.

As Europe’s data protection supervisor, Buttarelli is of course trying to apply pressure on key parties — to “get to the table and start immediately trilogue negotiations to identify a sustainable outcome”.

But the nature of lawmaking across a bloc of 28 Member States is often slow and painful. Certainly no one entity can force progress; it must be achieved via negotiated consensus and compromise across the various institutions and entities.

And when interest groups are so far apart, well, it’s sweating toil to put it mildly.

Entities that don’t want to play ball with a particular legal reform issue can sometimes also throw a delaying spanner in the works by impeding negotiations. Which is what looks to be going on with ePrivacy right now.

The EU parliament confirmed its negotiating mandate on the reform almost a year ago now. But MEPs were then stuck waiting for Member States to take a position and get around the discussion table.

Except Member States seemingly weren’t so keen. Some were probably a bit preoccupied with Brexit.

Currently implicated as an ePrivacy blocker: Austria, which holds the six-month rotating presidency of the EU Council — meaning it gets to set priorities, and can thus kick issues into the long grass (as its right-wing government appears to be doing with ePrivacy). And so the wait goes on.

It now looks like a bit of a divide and conquer situation for anti-privacy lobbyists, who — having failed to derail GDPR — are throwing all their energies at blocking and even derailing/diluting the ePrivacy reform.

Some Member States appear to be trying to attack ePrivacy to weaken the overarching framework of GDPR too. So yes, it’s got very messy indeed.

There’s an added complication around timing because the EU parliament is up for re-election next Spring, and a few months after that the executive Commission will itself turn over, as the current president does not intend to seek reappointment. So it will be all change for the EU, politically speaking, in 2019.

A reconfigured political landscape could then change the entire conversation around ePrivacy. So the current delay could prove fatal unless agreement can be reached in early 2019.

Some EU lawmakers had hoped the reform could be done and dusted in in time to come into force at the same time as GDPR, this May.

That was certainly a major miscalculation.

But what’s all the disagreement about?

That depends on who you ask. There are many contested issues, depending on the interests of the group you’re talking to.

Media and publishing industry associations are terrified about what they say ePrivacy could do to their ad-supported business models, given their reliance on cookies and tracking technologies to try to monetize free content via targeted ads — and so claim it could destroy journalism as we know it if consumers need to opt-in to being tracked.

The ad industry is also of course screaming about ePrivacy as if its hair’s on fire. Big tech included, though it has generally preferred to lobby via proxies on this issue.

Anything that could impede adtech’s ability to track and thus behaviourally target ads at web users is clearly enemy number one, given the current modus operandi. So ePrivacy is a major lobbying target for the likes of the IAB who don’t want it to upend their existing business models.

Even telcos aren’t happy, despite the potential of the regulation to even the playing field somewhat with tech giants — suggesting they will end up with double the regulatory burden, as well as moaning it will make it harder for them to make the necessary investments to roll out 5G networks.

Plus, as I say, there also seems to be some efforts to try to use ePrivacy as a vector to attack and weaken GDPR itself.

Buttarelli had comments to make on this front too, describing some data controllers as being in post-GDPR “revenge mode”.

“They want to move in sort of a vendetta, vendetta — and get back what they lose with the GDPR. But while I respect honest lobbying about which pieces of ePrivacy are not necessary I think ePrivacy will help first small businesses, and not necessarily the big tech startups. And where done properly ePrivacy may give more power to individuals. It may make harder for big tech to snoop on private conversations without meaningful consent,” he told us, appealing to Europe’s publishing industry to get behind the reform process, rather than applying pressure at the Member State level to try to derail it — given the media hardly feels well done by by big tech.

He even makes this appeal to local adtech players — which aren’t exactly enamoured with the dominance of big tech either.

“I see space for market incentives,” he added. “For advertisers and publishers to, let’s say, re-establish direct relations with their readers and customers. And not have to accept the terms dictated by the major platform intermediaries. So I don’t see any other argument to discourage that we have a deal before the elections in May next year of the European legislators.”

There’s no doubt this is a challenging sell though, given how embedded all these players are with the big platforms. So it remains to be seen whether ePrivacy can be talked back on track.

Major progress is certainly very unlikely before 2019.

I’m still not sure why it’s so important though.  

The privacy of personal communications is a fundamental right in Europe. So there’s a need for the legal framework to defend against technological erosion of citizens’ rights.

Add to that, a big part of the problem with the modern adtech industry — aside from the core lack of genuine consent — is its opacity. Who’s doing what; for what specific purposes; and with what exact outcomes.

Existing European privacy rules like GDPR mean there’s more transparency than there’s ever been about what’s going on — if you know and/or can be bothered to dig down into privacy policies and purposes.

If you do, you might, for example, discover a very long list of companies that your data is being shared with (and even be able to switch off that sharing) — entities with weird sounding names like Outbrain and OpenX.

A privacy policy might even state a per company purpose like ‘Advertising exchange’ and ‘Advertising’. Or ‘Customer interaction’, whatever that means.

Thing is, it’s often still very difficult for a consumer to understand what a lot of these companies are really doing with their data.

Thanks to current EU laws, we now have the greatest level of transparency there has ever been about the mechanisms underpinning Internet business models. But yet so much remains murky.

The average Internet user is very likely none the wiser. Can profiling them without proper consent really be fair?

GDPR sets out an expectation of privacy by design and default. So, following that principle, you could argue that cookie consent, for example, should be default opt-out — and that any website must be required to gain affirmative opt in from a visitor for any tracking cookies. The adtech industry would certainly disagree though.

The original ePrivacy proposal even had a bit of a mixed approach to consent which was accused of being too overbearing for some technologies and not strong enough for others.

It’s not just creepy tech giants implicated here either. Publishers and the media (TechCrunch included) are very much caught up in the unpleasant tracking mess, complicit in darting users with cookies and trackers to try to increase what remain fantastically low conversation rates for digital ads.

Most of the time, most Internet users ignore most ads. So — with horribly wonky logic — the behavioral advertising industry, which has been able to grow like a weed because EU privacy rights have not previously been actively enforced, has made it its mission to suck up (and indeed buy up) more and more user data to try to move the ad conversion needle a fraction.

The media is especially desperate because the web has also decimated traditional business models. And European lawmakers can be very sensitive to publishing industry concerns (for e.g., see their backing of controversial copyright reforms which publishers have been pushing for).

Meanwhile Google and Facebook are gobbling up the majority of online ad spending, leaving publishers fighting for crumbs and stuck having to do businesses with the platforms that have so sorely disrupted them.

Platforms they can’t at all control but which are now so popular and powerful they can (and do) algorithmically control the visibility of publishers’ content.

It’s not a happy combination. Well, unless you’re Facebook or Google.

Meanwhile, for web users just wanting to go about their business and do all the stuff people can (and sometimes need to do) online, things have got very bad indeed.

Unless you ignore the fact you’re being creeped on almost all the time, by snoopy entities that double as intelligence traders, selling info on what you like or don’t, so that an unseen adtech collective can create highly detailed profiles of you to try and manipulate your online transactions and purchasing decisions. With what can sometimes be discriminatory impacts.

The rise in popularity of ad blockers illustrates quite how little consumers enjoy being ad-stalked around the Internet.

More recently tracker blockers have been springing up to try to beat back the adtech vampire octopus which also lards the average webpage with myriad data-sucking tentacles, impeding page load times and gobbling bandwidth in the process, in addition to abusing people’s privacy.

There’s also out-and-out malicious stuff to be found already here too as the increasing complexity, opacity and sprawl of the adtech industry’s surveillance apparatus (combined with its general lack of interest in and/or focus on security) offers rich and varied vectors of cyber attack.

And so ads and gnarly page elements sometimes come bundled or injected with actual malware as hackers exploit all this stuff for their own ends and launch man in the middle attacks to grab user data as it’s being routinely siphoned off for tracking purposes.

It’s truly a layer cake of suck.

Ouch. 

The ePrivacy Regulation could, in theory, help to change this, by helping to support alternative business models that don’t use people-tracking as their fuel by putting the emphasis back where it should be: Respect for privacy.

The (seemingly) radical idea underlying all these updates to European privacy legislation is that if you increase consumers’ trust in online services by respecting people’s privacy you can actually grease the wheel of ecommerce and innovation because web users will be more comfortable doing stuff online because they won’t feel like they’re under creepy surveillance.

More than that — you can lay down a solid foundation of trust for the next generation of disruptive technologies to build on.

Technologies like IoT and driverless cars.

Because, well, if consumers hate to feel like websites are spying on them, imagine how disgusted they’ll be to realize their fridge, toaster, kettle and TV are all complicit in snitching. Ditto their connected car.

‘I see you’re driving past McDonald’s. Great news! They have a special on those chocolate donuts you scoffed a whole box of last week…’

Ugh. 

Yeah…

So what are ePrivacy’s chances at this point? 

It’s hard to say but things aren’t looking great right now.

Buttarelli describes himself as “relatively optimistic” about getting an agreement by May, i.e. before the EU parliament elections, but that may well be wishful thinking.

Even if he’s right there would likely still need to be an implementation period before it comes into force — so new rules aren’t likely up and running before 2020.

Yet he also describes the ePrivacy Regulation as “an essential missing piece of the jigsaw”.

Getting that piece in place is not going to be easy though.