Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
By George Lynch
A proposed European Union electronic privacy law reboot raises concerns that it doesn’t sync with the bloc’s new general privacy regime, a group of privacy regulators said in a recent opinion.
A simpler approach to consent rules for placing cookies on the computers of users in the EU would be a boon to online companies that do business there. But creating an ePrivacy Regulation that is potentially at odds with the new EU General Data Protection Regulation (GDPR) would create a privacy compliance nightmare for companies already facing daunting implementation challenges, the regulators said. Cookies are small packets of data that websites place on computers to facilitate tracking and ease of use, such as faster downloading.
And cookies aren’t the only thing in the proposed ePrivacy Regulation that may be in conflict with the GDPR. The Article 29 Working Party of EU privacy leaders from the 28 EU countries, in its April 7 opinion, expressed “grave concerns” about the proposed ePrivacy Regulation’s low legal standards for user consent to cellphone Wi-Fi tracking, use of embedded meta data and allowing tracking by other websites affiliated with the one actually visited.
If the ePrivacy Regulation is amended to address the privacy regulators’ concerns, the result would be a much stricter approach to consent, Peter Van Dyck, an information technology and data protection senior associate at Allen & Overy LLP in Brussels, told Bloomberg BNA. “Some companies are therefore, understandably, slightly wary of what the changes will mean for them,” he said. They want legal certainty, he added.
On April 11, the European Parliament held its first hearing on the proposed regulation and heard from a variety of representatives from industry, consumer groups and government.
The opinion sends a “warning shot over the bow,” serving notice from the privacy regulators to their allies in Parliament to step up and improve the ePrivacy Regulation’s privacy provisions, Tim Toohey, the head of the Cyber Security Practice at Greenberg Glusker LLP in Los Angeles, told Bloomberg BNA. It appears those parliamentary allies are “willing ready and able to accept the invitation,” he said.
The GDPR will take effect in May 2018. The EU is trying to approve the ePrivacy Regulation so it can take effect at the same time.
The EU privacy chiefs had some praise for the draft ePrivacy Regulation, saying that it seeks to create a harmonized approach across the 28 EU countries and is consistent with the GDPR’s approach of setting a primary privacy regulator to handle oversight and enforcement.
The group also welcomed the expansion of ePrivacy rules to include over-the-top providers (OTT), such as Facebook Inc.'s WhatsApp and Messenger services, and Skype Inc. communications services. Including OTT services as well as traditional telecoms, such as Deutsche Telekom AG and cable providers, helps create “a level playing field,” Van Dyck said.
None of the concerns raised by the privacy regulators “come as any real surprise,” Elle Todd, partner and head of digital and data at Olswang LLP in London, told Bloomberg BNA. The consent issues they raise will interest app providers and content publishers but are “unlikely to be hugely controversial,” she said.
Van Dyck said that, to address fears of continuous monitoring through Wi-Fi tracking, the privacy regulators suggested that the European Commission, the EU’s executive arm, develop a mobile phone automatic anti-tracking signal that users could enable.
In regards to allowing websites to pass on tracking permission to other websites, the Working Party called for an “explicit prohibition” on “take it or leave it choices” presented to website visitors.
The privacy regulators were also critical of the lack of privacy by design in products and services lacking privacy by default settings for internet tracking. They said users must be able to provide specific consent through their browser settings and recommended making do-not-track settings mandatory.
Lukasz Olejnik, an independent cybersecurity and privacy consultant and researcher in London, told Bloomberg BNA the Privacy Regulation text should be revised “in-line with principles of privacy by design on the technology level.”
The EU Parliamentary Committee on Civil Liberties, Justice and Home Affairs (LIBE) heard opinions on the proposed ePrivacy Regulation from privacy professionals, online industry and non-government organization representatives, academics and government officials.
“European Parliament stakeholders represent a broad spectrum of opinions,” from strict privacy protection advocates to industry-centered views, that were represented at the hearing, Olejnik said.
Giovanni Buttarelli, the European Data Protection Supervisor (EDPS), told the committee that he shared the concerns raised by the privacy regulators. However, without an ePrivacy Regulation, the overall EU privacy legal regime “would be incomplete,” he said.
To contact the reporter on this story: George Lynch in Washington at gLynch@bna.com
To contact the editor responsible for this story: Donald Aplin at firstname.lastname@example.org
Full text of the Article 29 Working Party opinion on the proposed ePrivacy Regulation is available at http://src.bna.com/nSf.
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to email@example.com.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to firstname.lastname@example.org.
Put me on standing order
Notify me when new releases are available (no standing order will be created)