EU E-Communications Draft Law Doesn’t Protect Privacy: European Parliament Study


europeanunionflag

Two major pieces of European Union privacy legislation are slated to be enacted in May 2018, but a study commissioned by the EU Parliament says the privacy protections in the electronic communications legislation don’t rise to the level of the larger privacy framework—known as the EU General Data Protection Regulation (GDPR).

The study, An Assessment of the Commission’s Proposal on Privacy and Electronic Communications, highlights four areas of the draft ePrivacy Regulation that don’t ensure “sufficient protection of the right to privacy and confidentiality of communications” for provisions related to tracking peoples’ location with Wi-Fi or Bluetooth signals from their phones or devices, the default setting on web browsers for internet tracking, requiring consent to tracking in order to use websites, and the confidentiality of communications.

The location tracking provisions prohibit the collection of information from user devices unless two broad exception apply. One is that information about the collection be displayed in “a clear and prominent notice. The study said that the provision “allows location tracking without consent and without an opt-out option.” Under the current draft, “people might never feel free from surveillance when they walk or drive around” and would need to constantly look around for signs telling them they are being tracked, the study said. Instead, it recommends that informed consent should be required before Wi-Fi or Bluetooth signals are collected.

The provision on tracking through internet browsers states that browsers should allow users to allow or reject internet-wide tracking. It doesn’t provide enough privacy protection and “is hard to reconcile” with the new GDPR, the reports said. The study recommends reintroducing a “privacy by design” approach that was in an earlier draft, which would include privacy-friendly default setting in browsers and considering a Do Not Track-like standard.

“Take-it-or-leave-it” choices that force internet users to consent to being tracked in exchange for visiting websites, and people generally consent in order to use the service. The study recommends that the EU ban tracking walls, because they would provide the most legal clarity, but recommends that they are at least prohibited under certain circumstances.

The right to confidentiality of communications and its exceptions should be revised so that analysis of the content and metadata of communication is only allowed under strict circumstances, and only as strictly necessary, the study said. If there are no valid exceptions, it recommends that the law should ensure that end users give “meaningful consent” before the content or metadata of communications is analyzed by companies.

The study was performed by academics at IViR Institute for Information Law, University of Amsterdam. It follows up on and frequently cites highly critical opinions issued by the European Data Protection Supervisor and the Article 29 Working Party of privacy regulators from the 28 EU countries.

The commission aims to enact the ePrivacy Regulation on May 25, 2018, the same enactment date as the GDPR, but criticism of the legislation has called that date into question.

To keep up with the constantly evolving world of privacy and security sign up for the Bloomberg BNA Privacy and Security Update.