EU member states are divided over a proposal to change privacy rules for telecoms operators, with some countries calling for looser rules on when they can use consumers’ personal data.
Draft rules detailing when telecoms companies and digital communication services like WhatsApp can process consumer data should be softened, according to a report dated 15 May on the progress of national governments’ negotiations on the European Commission’s proposal to overhaul the ePrivacy legislation.
“A number of delegations consider the provision on permitted processing (Article 6) to be too restrictive and ask for more flexibility, also taking into account that the GDPR provides for a number of legal grounds for processing of personal data,” the report, obtained by EURACTIV.com, reads.
Several countries want the bill to give companies more ways to process and analyse data. Industry sources said that would line up with what companies have pushed for by making the rules for data processing more similar to what is already allowed under the EU data protection regulation, a separate, broader privacy law set to go into effect next year.
In January, the Commission proposed a legal change to the eight-year-old ePrivacy directive, turning it into a regulation—which requires the same rules in every country—and pulling digital services like FaceTime, WhatsApp or Skype under the telecoms rules.
Companies that break the ePrivacy law can face fines of up to 4% of global turnover or €20 million, according to the Commission’s original proposal.
Under the proposal, telecoms operators can process users’ data if it is necessary to make sure that communications are secure. They can process metadata if they need to in order to guarantee service quality, for billing reasons or if consumers give their consent.
A group of member states suggest the ePrivacy bill should be closer to the data protection regulation, which includes privacy safeguards and also allows organisations to process data if they have a “legitimate interest”, as well as when consumers give their consent.
The draft report on the ePrivacy rules also says that “a number of issues will need to be addressed in relation to machine-to-machine communications”. Some telecoms companies and manufacturers have complained that the Commission proposal could affect how firms process any personal data that is collected by data-heavy machines or devices used in the so-called internet of things. They argue that means consent could be required every time machines process personal data.
Member states served another blow to the Commission’s proposal by casting doubt on its timeline. The 25 May 2018 deadline for the rules to go into effect is unrealistic, according to the report.
The Commission wanted the law to be in place by then because that is when the new data protection regulation, or GDPR, will go into effect. That could help companies that fall under both privacy laws adjust. But sources said they doubt that will work out if talks are as long and heated as they were over the GDPR—that legislation took four years to negotiate and was only passed last year.