The EU’s draft ePrivacy regulation risks crippling innovative cloud computing services, writes Kim Gagné.
Kim Gagné is executive director of the European Cloud Alliance.
Regulating evolving technologies should not be difficult: laws should be based on enduring principles. Legislators should ensure that regulation is flexible enough to take into account the development of new services, while simultaneously ensuring clarity and consistency for stakeholders.
If the European Union institutions take a principles-based, technology neutral approach to updating the ePrivacy Directive, they can both regulate technology effectively and promote innovation.
Unfortunately, this is not reflected in the draft ePrivacy regulation.
Instead, the European Commission has extended obligations that currently apply to traditional telecom operators to all over-the-top communication services, machine-to-machine applications, and content services with communications capability.
This approach is convenient, but ultimately will cripple the delivery and prospects of the digital transformation in Europe. Cloud-based communication technologies, voice computing and machine learning increasingly form an integral part of the digital infrastructure that underlies modern societies – including the industrial base of advanced economies.
The principle at stake – the privacy and confidentiality of communications – is not controversial. Industry groups have urged for new provisions in the ePrivacy review to preserve privacy rights and promote the development of modern communication services. Policymakers also endorse this principle. As Vice-President Andrus Ansip stated in his most recent blog post, “privacy and protection are fundamental in the digital world”.
At the same time, this important principle cannot be legislated in the same way that it was 20 years ago. Today’s communication services, including e-mail, VoIP, instant messaging, and emerging tools such as bots and digital assistants, provide consumers and businesses with a wide array of benefits.
Where traditional communication services involved simple transmission mechanisms, such as letter delivery and telephone links, these cloud-based platforms include a much wider range of functions – such as spelling correction, automatic calendaring, grammar correction, voice transcription (language-to-text), linking, and phonetic matching – to make our lives more convenient and computing more natural.
Each of these functions is based on natural language machine learning, which relies on innovative uses of the data generated by communication services.
It is clear that longstanding principles must be applied to these new technologies. Even as we enjoy (and increasingly expect) these new features, we also expect our privacy rights to be preserved. Just as we understood that letter carriers would not read our mail and that telephone operators would not listen to our conversations, we similarly expect that those handling our web-enabled communications will ensure their confidentiality.
We need, however, to be thoughtful in how we apply the principle of communications confidentiality. Simply saying “only users can access communications” makes little sense today. Cloud-based communication services, with their value-added features, are made possible through the processing of content and metadata – including, in some cases, when messages are in transit.
Just as a doctor treats one patient, and then applies the experience they gain to help improve their treatment of the next, all without violating patient confidentiality, the quality of modern services improves through models based on machine learning techniques and data from each service – without violating the confidentiality of the communication.
In many respects the new ePrivacy regulation might be viewed as GDPR II through the backdoor. Their rules often overlap.
But the ePrivacy regulation is far less nuanced than the GDPR, and includes a number of rules which were ultimately not included in the final GDPR text. As a result, the ePrivacy regulation threatens to both significantly impede innovation and confuse stakeholders, in particular in relation to the roles and responsibilities of processors and controllers.
Europe’s innovative industries are engaging closely with European Union institutions and member states to ensure a positive outcome to the ePrivacy negotiations. The stakes are high for European businesses and consumers.
We all need legislation that is both principled and forward-thinking. The European Parliament and member states should embrace new technological models as they continue to protect the privacy rights of European citizens.