Caterina Conti
Legal Analyst
Project Counsel Media
25 July 2019 (Brussels, Belgium) – Yes, the EU institutions are slowly reducing to skeleton staff as they close down for the summer siesta, but lots of things are still going on. The Finnish presidency of the EU Council (in the hot seat until the end of the year) has circulated new proposals on the e-Privacy regulation (“ePR”) to national delegations today, according to a document passed to us. You can read it (all glorious 88 pages) by clicking here. In a Tweet earlier today a Finnish official said:
“The proposed changes include dividing Article 6 into 4 articles to simplify the text and a temporary solution regarding the child imagery issue”
Article 6 lays out the rules for processing electronic communications data. Different sections have been drafted for the processing of content and metadata. Finland decided to keep compatible further processing. Earlier this week, Germany sent a position paper (click here) arguing for more protection for the confidentiality of communications and urging against Article 6 in its current form. End result? The presidency compromise proposal will be discussed on 9 September at the Council Telecom working party.
The ePR is an update of older telecom rules meant to protect communication from wiretapping, surveillance or privacy violations. It aims to ensure communications data are not used by companies without the user’s consent. It was meant to issue on the same day last year as the GDPR, but negotiations on the legislation have dragged on in the Council of the EU for two-and-a-half years. And that’s because its provisions are far more important, will have a far greater impact on Big Tech than the GDPR so it has been a battle with all manner of lobbyists.
For example, it will (it is hoped) explicitly state that all communications data are covered by the text while they are in transit, as well as once they are stored, and it will ensure (it is hoped) that companies gain users’ consent a second time if they use their data for other “compatible” purposes – also known as “compatible further processing”. It has Article 10 (which was removed pursuant to pressure from Big Tech lobbyists but will now be reinstated) which requires internet browsers to include privacy settings and states browsers must “inform the users about this and offer the possibility to select these settings”. As one of the Counsel negotiators told us:
We really screwed up consent in the GDPR so we now have a chance to get things right.
Germany also wants to tackle the problem of what to do with someone’s messages and communications data after they die. In their position paper they state: “It must be ensured that heirs are granted access to the content of the communication of the deceased end-user”.
The e-discovery community and legal technology community have not focused much on the Regulation because … well, there are no “compliance solutions” to sell. So if you cannot make any money, why bother talking about it?
The background
We all know this: the objective of the GDPR is to protect fundamental rights and freedoms of natural persons with regard to the processing of personal data and the free movement of personal data within the EU.
By contrast, the ePR seeks to safeguard the right to privacy and confidentiality in the electronic communications sector, as well as the free movement of personal data and of electronic communications equipment and services in the EU.
You see the problem: there are many types of processing activities that may fall within the scope of both legal instruments. We received an off-the-record briefing from a long-time source who told us there are many elements of the ePR that conflict with the GDPR, there is a general failure of the ePR to deal with new technologies (in particular in the context of Machine-to-Machine communication, the Internet of Things and Artificial Intelligence in general), and just a general cat fight over issues of the competences, tasks and powers of data protection authorities over processing issues of personal data, and what belongs as a “national” competence and not an “EU” competence.
And the real biggie, more important to the tech companies than anything in the GDPR … how consent for cookies is obtained, the life blood of the advertising/digital media industry. If you read the German position paper (noted above) you’ll get a feel for those issues.
We’ll have a more extensive piece on the ePR in September after the Telecom working party meeting so here are just a few of the conflict/contention points:
- Ireland’s recently announced probe of Google is having an affect on negotiations because that probe shows you the complexity of applying the GDPR to “behaviorally” targeted advertising, the systems that select what advertising to show you, and the way adtech broadcasts personal data to hundreds or thousands of companies – what the GDPR (and ePR) are ostensibly meant to protect against. Our boss is engaged in an extensive project on behalf of an advertising/digital media industry trade association vis-a-vis the Ireland/Google case so we’ll tap into his knowledge base to work out the nuts and bolts and incorporate that into our September piece.
- As noted, the discussions over conditioning access to website content on a user consenting to advertising cookies are … a mess. The current ePR draft states this would not be “disproportionate” unless the site is provided by public authorities. Notably, this position contradicts those taken in Article 29 Working Party Guidance from April 2018, and used by the GDPR negotiators, so we have an obvious conflict in enforcement actions.
- To what extent metadata can be processed by end users after receipt, or by a third party entrusted by them, without consent. One practical implication of this was to regulate aggregated and anonymized data that some companies rely on for analytics. Otherwise, this type of data may fall outside the scope of regulation (i.e., GDPR) since it may not be considered personal data. But based on the flood of recent technical position papers on how easily anonymized data can be broken (yes, the negotiators read the press) this is now under a “rethink”.
- There may be an expansion of the definition of “direct marketing communications”. The proposed definition would cover communications using new technologies (including voice over IP calls and electronic message applications), bringing these and other popular mobile applications within the scope of the ePrivacy Regulation.
- Very contentious: how the ePrivacy Regulation will interact with new technologies, in particular in the machine-to-machine, “internet of things” and artificial intelligence contexts.
- And perhaps more important, enforcement by supervisory authorities: just how is cooperation with other supervisory authorities going to work under the GDPR when you have so many processing activities that may fall within the scope of both legal instruments.
And then there is the politics, with many of these committees and working groups getting new blood … meaning a lot more Euroskeptics were elected to the EU Parliament and are now also on EU member country staffs at the Council.
First, reality check: technology is not the primary focus of most Euroskeptic parties. Whether or not Europe will restore its position as a technological force to be reckoned with on the world stage is far less important to them than, say, migration or the EU’s perceived intrusions into national affairs. As many told us “listen, we are going to be squashed by the Americans and the Chinese. That’s reality”. As Johan Bjerkem, a policy analyst at the European Policy Centre, said tech and digital policy “are not something that workers would advocate for, and that’s, really, these parties’ core electorate”.
BUT … when you get into the weeds and chat with them (beers at a Brussels pub work wonders) technology does appear on the Euroskeptics’ agenda insofar as it touches on other priorities. One is nationalism, which is shared by nearly all anti-EU groups and is piqued by the power and dominance of U.S. technology firms. Another is an attachment to free speech — or the ability to be able to communicate cheaply, freely and on a massive scale thanks to social media platforms like Facebook or YouTube.
It can lead to a weird combination: calling for Silicon Valley to pay more tax and respect EU cultures and languages, while fiercely defending American platforms’ role as passive hosts for content. In any case, a big change: they want to set the policy on the national, not the EU, level. To many, “the GDPR, the ePR — crocks! Nations are better able to better anticipate the development of new technologies when they are not constrained by the EU framework”.
It’s going to be a fun few months. Or years.
