At the Chaos Communications Congress, experts come together to discuss the hottest topics concerning security, privacy, and human rights in the digital age. Naturally, the new European ePrivacy Regulation was on the agenda this year.
Ingo Dachwitz, editor of German digital rights and Internet privacy portal Netzpolitik.org, talked about the regulation — what it’s about, how it can change the Internet, and why most representatives of the Internet industry think that its consequences may be disastrous.
A brief history of personal data protection regulation in Europe
You may already know about ePrivacy Regulation, or at least have heard of it. Public consultation was conducted in the EU, and it’s already been discussed in many of the European media. Here we summarise how the story of ePrivacy in Europe began.
The Internet started growing rapidly in the 1990’s, and with it, the volume of user data has grown as well. Companies developed new ways to acquire and process that data, which became a valuable commodity. The more user data a company has, and the more effectively it analyses the data, the more accurately that company can target consumers, selling products by showing users ads based on the data the users generate.
The European Commission began to pay special attention to everything concerning this sphere and how and by whom the data was used. The situation clearly required legal regulation on a higher level than had existed before. The first act on personal data protection was the Data Protection Directive. Its definition of personal data was somewhat vague, so 21 years later, in April 2017, it was replaced by General Data Protection Regulation (GDPR).
The regulation aims to strictly define and categorise personal data, as well as to unify and strengthen the rules of protection of EU citizens’ data — be it genetic, intellectual, cultural, economic, or social information. Examples include IP addresses, customer names, phones, supplier records, staff records, and much more.
Defining the new ePrivacy Regulation
And then came ePrivacy Regulation, which takes effect in May 2018 and adds regulation to the GDPR. Its precepts are largely similar to those of the GDPR; the main difference is that the ePrivacy Regulation divides personal data into two huge parts: content data (text messages, pictures, languages used, etc.) and metadata — “data about the data,” the information about the content files. For example, for Web pages, metadata include keywords, cookies, fingerprint files, and so forth. Metadata is hugely important for anyone who wants to define somebody on the Net, track them, and analyse their behaviour.
ePrivacy Regulation’s guiding principle regarding all types of user data on the Net is: “Privacy by default.” That means:
- Data may be collected only with a user’s active consent, and it must be be erased or anonymised when no longer needed for a communication (Article 6).
- All forms of online tracking must be strictly controlled, beginning with users being asked directly if they want to be tracked. Tracking by default (without asking the user’s permission) and tracking walls (which block access to website content unless users agree to being tracked) are forbidden (Articles 7,8,9).
- Offline tracking (over Bluetooth or Wi-Fi) may be used only for statistical purposes — or after obtaining explicit consent from a user (Article 8).
- Providers of communication services shall secure users’ data by using end-to-end encryption, and a user’s data can be deciphered only by that user (Article 17).
- Communication service providers may not prohibit the use of any means of user protection from tracking or targeting (e.g., ad-blockers) (Article 17).
Since the Regulation’s proposal in January 2017, European society has engaged in great debates about it. Europe’s largest media as well as representatives of Internet businesses have expressed the common point of view that the Regulation is not only not helpful for users, but also user-unfriendly and nonproductive.
Industry lobbyists on ePrivacy in the EU, such as the Interactive Advertising Bureau (IAB), DigitalEurope, the European Association of Communications Agencies (EACA), the European Magazine Media Association (EMMA), and more (members of these organisations include such companies as Amazon, Facebook, Google, Apple, Microsoft; the largest European digital, advertising, and PR agencies; and media companies), started an Internet campaign against the regulation. It is called “Like a Bad Movie,” and it imagines a world with ePrivacy Regulation in effect. They claim that the regulation’s approval will hurt users and the Internet as a whole. Its claims:
- Limiting data-driven ad revenue will reduce the amount of high-quality journalism, leading to fewer quality information sources and less diversity of opinion on the Internet;
- The business models of useful apps that live on data-driven ad revenue will fall apart;
- The Regulation will confuse consumers more than help them, forcing them to manage privacy settings on every single device, in every browser, and on every website;
- Much less free content will be available because sites won’t be able to make money from data-driven ads.
The lobbyists’ overarching point is that the Regulation threatens data-driven business models, and so the lobby is fighting it hard. Of the 41 lobby meetings on ePrivacy held with EU Commissioners in 2016, 36 were with corporate interests. As a result, the final proposal of the regulation — what we have now — is already missing some things that were in the draft. For example, its definition of metadata is vague, and the proposal to ensure default e-privacy settings on computer equipment was excluded.
The battle continues. Amendments to the regulation made by the European Parliament on October 23, 2017, tighten the rules constraining industry representatives. The lobbyists haven’t surrendered, though; there’s still time for new amendments to change the document completely.
This is all we know so far, and we’ll keep our eye on how the whole thing goes. We highly recommend you do the same. The regulation’s global impact is going to be enormous, as the Internet finds it may have to move away from being funded by user data. That makes the regulation, if it’s adopted, one of the most important upcoming events of the year — it will definitely mean more to the global economy than the FIFA World Cup.