Telecoms providers will face fines of up to €20 million or 4% of global turnover if they’re caught breaking new EU privacy rules that will also hit firms processing vast amounts of machine data in the internet of things.
The new ePrivacy regulation, which is an updated version of a 2009 directive that allowed for some differences in national law, has caused an upset among internet companies for drawing services like WhatsApp, Facetime, Skype or chats in online games under telecoms law.
Andrus Ansip, the European Commission vice-president in charge of EU telecoms policies, said he uses Apple’s Facetime to call his family in Estonia. Their calls over the internet-based service should be protected by the same privacy safeguards as regular voice calls, Ansip argues.
Users of any service pulled under the rules will need to give companies permission to gather their data – and companies will have to remind them every six months that they’re still using it, according to the proposal that Ansip presented today (10 January).
“I don’t think it’s too complicated to ask for people’s consent,” Ansip told reporters.
Ninety-two percent of people who responded to a European Commission survey said they wanted tougher rules to safeguard the privacy of information collected by telecoms firms, including content, time and location data or metadata.
Privacy advocates say the new ePrivacy regulation complements a broad data protection overhaul that was rubberstamped last year and will go into effect in 2018.
“We’re on the cusp of the big data economy and the question is: ‘Do we want clear trust-inspiring legislation that will inspire legal certainty?’”, asked Joe McNamee, executive director of the NGO European Digital Rights.
“Or do we say, ‘Let’s stumble forward the next five or six years’?” he said.
Industry lobbyists warned that the new consent restrictions will make it harder for companies to cash in on data using analytics tools, and will put a damper on developments in internet-connected machines that use huge amounts of data.
One telecoms lobbyist argued the sector is being held to unfairly high privacy standards that could make it hard for firms to collect their users’ location data and provide products like mapping services – while internet firms like Google Maps might not fall under the same rules.
Ansip, a former Estonian prime minister, insists the draft law’s requirement for user consent will give companies more certainty and help them use data to create targeted products that can boost their business.
“Today telecoms cannot commercialise this data they have. We would like to create a level playing field and allow telecoms to commercialise the data and metadata they have, but only on the basis of consent,” Ansip said.
He told reporters that at one point, when a group of Latvians came to neighbouring Estonia for a Madonna concert, location data from their phones could have been analysed and used to improve public transport for the large group of travellers.
Some privacy experts in Brussels were quick to voice their concern that the ePrivacy bill could face the same fate as the EU data protection regulation, which was approved in 2016 after rocky negotiations that dragged on for four years. During that time, the regulation drew a record high number of amendments, reflecting its importance to lobby groups. If talks with MEPs and national governments take that long with the ePrivacy proposal, technologies behind the fast developing internet of things could look very different by the time the law goes into effect.
“If it takes as long as the GDPR [general data protection regulation] took in Parliament, a lot of services might already be on the market,” said Laurent De Muyter, a lawyer working on privacy at Jones Day.
“It’s not a market that’s going to freeze but of course this proposal can affect the way it develops,” De Muyter said.
Internet companies are stung by the Commission’s proposal to include their services under telecoms rules, signalling a clear failure of their lobbying bid to argue that online services are somehow different than traditional voice calls and text messaging.
“This is a classic example of an immature market that is premature to regulate,” said James Waterworth, vice president of the Brussels office of the Computer and Communications Industry Association, a lobby group that represents tech firms including Google and Facebook.
The ePrivacy bill also includes new rules that require internet browsers to ask users for permission to track their online behaviour, as well as offer different options that collect varying amounts of data and remind users every six months that it is still being gathered. That means internet users who don’t allow their data to be trackers can’t be targeted with personalised ads, which advertisers warned could cut into their online business.
Townsend Feehan, CEO of the Interactive Advertising Bureau Europe, said the proposal would “undeniably damage the advertising business model – without achieving any real benefits for users from a privacy and data protection point of view”.
Monique Goyens, director general of The European Consumer Organisation (BEUC): "Online communication services such as Skype and WhatsApp are replacing SMS and regular phone calls at lightning speed. Consumers’ privacy should not be less protected when using these services. They should be able to rest assured that their phone calls, e-mails or messages are for their eyes and ears only, irrespective of the service they use. This reform is the opportunity to confront the widespread problem of online tracking. Consumers must have an alternative to being under 24/7 commercial surveillance when using digital services."
Lise Fuhr, director general of the European Telecommunications Network Operators' Association (ETNO): “There is no European data economy without an innovation-oriented Regulation. Telcos should be able to innovate and provide more choice to European customers”.
German Green MEP Jan Philipp Albrecht (rapporteur on the general data protection regulation): "Including modern communication methods such as Skype and WhatsApp under data protection rules for electronic communication is a long overdue reform that reflects the way many people communicate today. However, the rules around tracking user activity are completely back to front. Service providers should require the explicit consent of users if they want to track their activity; under these proposals, they would be able to assume consent unless the user says otherwise."