Google, Facebook Face Proposed EU E-Privacy Overhaul

By Stephen Gardner

European Union rules on the privacy of electronic communications would be extended to cover internet communications services offered by Facebook Inc., Microsoft Corp., Alphabet Inc.'s Google and other multinationals under proposals published by the European Commission Jan. 10.

The rules contained in the present EU e-Privacy Directive cover only traditional telecommunications operators, but the European Commission, the EU’s executive arm, said the emergence of new services necessitates a widening of the scope of regulatory oversight to include over-the-top (OTT) services, such as voice over internet protocol services and messaging applications.

Jorg Hladjk, cybersecurity, privacy and data protection of counsel at Jones Day in Brussels, told Bloomberg BNA that “the new rules are a game changer for all OTT players in the market as they will now be in scope—it puts these types of companies in the same box as traditional telcos.”

Gold Standard or Unnecessary?

European Commission Vice President for the Digital Single Market Andrus Ansip said at a Jan. 10 briefing that the proposed e-privacy revision “builds on the gold standard” of the EU General Data Protection Regulation (GDPR) in which “consent of the user is paramount.”

The e-privacy reform is intended to modernize EU rules on confidentiality of electronic communications and to bring them into line with the GDPR, which takes effect May 25, 2018.

“Companies will clearly benefit from the type of instrument used by the European Commission—it’s a regulation and thus companies will have to comply with only one single set of rules across the EU,” Hladjk said.

The DIGITALEUROPE association, which represents information technology and consumer electronics companies, was skeptical that the e-privacy reform would bring benefits.

The association said in a Jan. 10 statement that the commission’s proposal was “disproportionate” and “over delivers where not necessary.” The e-privacy revision would “hamper European companies’ ability to benefit from data-driven innovation,” it said.

DIGITALEUROPE Director John Higgins said that the scope of the e-privacy rules had been extended too far and would cover communications between devices in the internet of things. The new rules would “overlap unnecessarily with the GDPR and cause countless problems for those companies seeking to digitize their industry,” Higgins said.

A spokeswoman for Facebook Inc., who asked not to be named, told Bloomberg BNA that the company was still assessing the commission’s proposal.

Confidential Data

The e-Privacy reform would also seek to clarify that the content of electronic communications and associated data, such as times of messages or locations from which messages are sent, are confidential and can’t be processed without consent of data users. The proposed reform also requires websites to respect visitors’ browser privacy settings and prohibits them from tracking online users without consent.

The commission urged the European Parliament and governments of the 28 EU countries, which must discuss the e-privacy proposals, to agree on the reform so it can take effect at the same time as the GDPR. It would align e-privacy rules with GDPR sanctions, which can be as much as 20 million euros or 4 percent of a company’s global revenues.

“The fines for non-compliance follow the GDPR—so we can expect increased enforcement regarding OTT players and telcos,” Hladjk said.

Reinforcing Consent

Under the new rules, companies would be required to allow users of internet browsers to consent to privacy settings, or to modify them if desired, when a browser is first installed or used.

E-mail services such as Gmail would also have to obtain specific consent from users for the scanning of the content of messages, which is done to identify keywords for advertising purposes.

The e-privacy rules cover the content of communications and related metadata, such as when and to whom messages were sent. The commission said in a statement Jan. 10 that the e-privacy revision would confirm a general principle that all communications data in the EU “will need to be anonymized or deleted if users have not given their consent, unless the data is required for instance for billing purposes.”

The commission added that the e-privacy reform was needed as a complement to the GDPR because, while the GDPR covers personal data, the revised e-privacy law would cover all forms of electronic communications, including business-to-business communications and communications that don't contain personal data.

The reform would replace the e-Privacy Directive with an e-Privacy Regulation. While an EU directive requires EU countries to adopt national laws in line with the requirements of the directive, a regulation is an EU-level law that has direct effect across the bloc.

A commission official who asked not to be named, speaking at a briefing Jan. 10, said that the switch to a regulation would mean that consent requirements for processing of electronic communications data would be harmonized, with the overall effect of making them stricter.

For example, for services such as Gmail that scan the content of e-mails, “we make it absolutely clear” that users must give “effective consent; this cannot be buried in the terms and conditions,” the official said.

Browser Settings

The requirement to ensure the confidentiality of communications data under the e-Privacy Regulation would prohibit without consent “any interference with electronic communications data, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing,” according to the text of the draft regulation.

The commission said that as an exception to this, EU countries would be able to impose requirements for the retention of communications data for law enforcement purposes as long as they are in line with a Dec. 21 ruling of the EU Court of Justice, which said that companies cannot be compelled to retain data unless retention orders are targeted, necessary and limited to combating serious crime and terrorism.

On cookies, the e-Privacy Regulation would put the emphasis on browser privacy settings to determine user permissions for cookies, and would do away with the existing requirement for websites to obtain permission for placement of cookies using pop-up banners.

The commission official said this change would resolve “banner fatigue” among internet users, and would enable users via their browsers to “give clear consent to the kind of privacy setting” they wanted.

GDPR Coherence

The e-Privacy Regulation must be discussed, possibly amended and agreed by the European Parliament and EU countries represented in the Council of the EU before it can be adopted.

The commission urged the parliament and council to agree on the reform so it can be put in place by the time the GDPR takes full effect in 2018.

Jan Philipp Albrecht, the German Green lawmaker who was the European Parliament’s lead lawmaker on the GDPR, said in a Jan. 10 statement that the parliament and council should “bring forward the changes needed to make sure this promising package truly delivers.”

“Including modern communication methods such as Skype and WhatsApp under data protection rules for electronic communication is a long overdue reform,” and online companies should do “everything technically possible to secure the fundamental right of privacy,” Albrecht said.

Johannes Kleis of advocacy group the European Consumer Organization told Bloomberg BNA Jan. 10 that the commission should have specified that internet browsers be set by default to reject cookies, requiring users to change the setting if they want to accept cookies.

“However, provided that the proposed rules are easy to understand for users and that they can easily set up and eventually modify their user preferences, it could nevertheless be an improvement over what we have right now,” Kleis said.

To contact the reporter on this story: Stephen Gardner in Brussels at correspondents@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
