EU states reach an agreement on ePrivacy reform. Here’s what worries privacy advocates
After four years of talks, EU member states agreed on the ePrivacy reform, and the Portuguese presidency can now start negotiating with the European Parliament on the final text of the bill. ePrivacy rules outline cases when private data can be processed without the user’s consent.
On Wednesday, member states agreed on a negotiating mandate for revised rules on the protection of privacy and confidentiality in the use of electronic communications services.
The updated ePrivacy rules will define cases in which service providers are allowed to process electronic communications data or have access to data stored on end-users’ devices.
An update to the existing ePrivacy directive of 2002 is needed to cater for new technological and market developments, such as the current widespread use of Voice over IP, web-based email and messaging services, and the emergence of new techniques for tracking users’ online behavior, The European Council stated in a press release.
“Robust privacy rules are vital for creating and maintaining trust in a digital world. The path to the Council position has not been easy, but we now have a mandate that strikes a good balance between solid protection of the private life of individuals and fostering the development of new technologies and innovation. The Portuguese presidency is very pleased to launch talks now with the European Parliament on this key proposal,” the president of the Council Pedro Nuno Santos said.
The new regulation will cover electronic communications content transmitted using publicly available services and networks, and metadata, such as location, related to the communication. The rules will also cover machine-to-machine data transmitted via a public network.
The rules will apply when end-users are in the EU. As a rule of thumb, electronic communications data will be confidential. Any interference, including listening to, monitoring and processing of data by anyone other than the end-user will be prohibited, except when permitted by the ePrivacy regulation.
‘Content hugely misses the mark’
Privacy advocates have been closely monitoring the negotiations on new ePrivacy rules.
Access Now, a non-profit that defends people’s digital rights, ‘applauds the agreement’ but does not endorse the content of the text as it ‘hugely misses the mark’.
"After four years of negotiations, it was time for the Council to move forward with this important reform of the ePrivacy Regulation," said Estelle Massé, Senior Policy Analyst at Access Now.
She stressed that several surveillance measures were added.
"The reform is supposed to strengthen privacy rights in the EU but the text approved by the Council hugely misses the mark," added Estelle Massé. "States poked so many holes into the proposal that it now looks like French Gruyère. The text adopted today is below par when compared to the Parliament’s text and previous versions of government positions. We lost forward-looking provisions for the protection of privacy while several surveillance measures have been added."
The regulation would enter into force 20 days after its publication in the EU Official Journal, and would start to apply two years later.
What’s in the rules?
Permitted processing of electronic communications data without the consent of the user includes, for example, ensuring the integrity of communications services, checking for the presence of malware or viruses, or cases where the service provider is bound by EU or member states’ law for the prosecution of criminal offences or prevention of threats to public security.
Metadata may be processed for instance for billing, or for detecting or stopping fraudulent use. With the user’s consent, service providers could, for example, use metadata to display traffic movements to help public authorities and transport operators to develop new infrastructure where it is most needed. Metadata may also be processed to protect users’ vital interests, including for monitoring epidemics and their spread or in humanitarian emergencies, in particular natural and man-made disasters.
In certain cases, providers of electronic communications networks and services may process metadata for a purpose other than that for which it was collected, even when this is not based on the user’s consent or certain provisions on legislative measures under EU or member state law. This processing for another purpose must be compatible with the initial purpose, and strong specific safeguards apply to it.
As the user’s terminal equipment, including both hardware and software, may store highly personal information, such as photos and contact lists, the use of processing and storage capabilities and the collection of information from the device will only be allowed with the user’s consent or for other specific transparent purposes laid down in the regulation.
To avoid cookie consent fatigue, an end-user will be able to give consent to the use of certain types of cookies by whitelisting one or several providers in their browser settings. Software providers will be encouraged to make it easy for users to set up and amend whitelists on their browsers and withdraw consent at any moment.
More great CyberNews stories:
Subscribe to our monthly newsletter