Although described as a sectorial law, the proposed ePrivacy Regulation has profound implications for European industry as a whole. That’s why lawmakers need to make it fit for the entire digital economy, writes Cecilia Bonefeld-Dahl.
Cecilia Bonefeld-Dahl is the director general of DIGITALEUROPE.
For almost a year and a half now, Europe has been debating a revamp of the rules governing privacy in electronic communications. But many of the basic points underpinning the legislative proposal for an ePrivacy Regulation, as it’s called, are either incomplete or just plain wrong – and we need sensible co-legislators to fix that.
If we believe that consent is the only solution to prevent possible dangerous uses of data, citizens will simply be bombarded by consent requests and they won’t bother to understand them. That’s exactly what has happened with consent banners so far, where we are asked to consent and almost automatically do.
If anyone thinks the new Regulation would solve that, I’m afraid they are wrong. Also, consent is simply impossible or very impractical in many other circumstances; think about real-time uses such as smart traffic lighting or asking malicious actors such as a burglar in a home security setup.
As new industries such as healthcare, finance and manufacturing become connected, as director general of DIGITALEUROPE I am particularly sensitive to the fact that businesses big and small operating across the EU member states will have to comply with the new Regulation. That’s why our members need the co-legislators to make ePrivacy rules fit for everybody.
The risks for Europe of getting ePrivacy wrong are just too big. The European Commission’s strategy for building a European data economy aims to bring the value of data economy to 4% of EU GDP, or €739 billion, by 2020. But as the strategy notes, that won’t happen unless there are favourable policy and legislative conditions.
EU lawmakers are taking very good steps in the right direction, for example on the free flow of non-personal data, but there is a real risk that ePrivacy will not work for citizens, on the one hand, and will block the development of beneficial services and technologies in Europe on the other.
Legislators do not have an easy task with this extremely technical and complicated file, which is inextricably linked to the General Data Protection Regulation (GDPR), the horizontal EU law governing personal data processing.
To make sense of this complexity, two basic things need to be clarified before we can seriously discuss the reform and the overall results we want it to produce.
Firstly, the overlap with the GDPR is much more substantial than proponents of the law like to describe it. While ePrivacy is supposed to be a sectorial law governing personal data in electronic communications, as opposed to the GDPR which governs personal data in general, the reality is that electronic communications are so commonplace today, and used by all industries beyond ICT players, that it is hard to see who and what wouldn’t be covered by ePrivacy.
Most people assume ePrivacy is just about advertising, but it isn’t. Not only would the new Regulation expand the definition of “electronic communication service”, covering telecoms operators as well as other “equivalent” online services with stricter rules, but it would expand the rules to cover any data “processed by” devices – computers, smartphones and tablets, of course, but also M2M and IoT devices or indeed any existing and future connected piece of electronic equipment.
Think digital factories, smart transport and many more. Any company that wants those devices connected, including for very understandable purposes such as ensuring their security, will have to comply.
Secondly, because the overlap between ePrivacy and the GDPR is so profound, we need a real alignment of these two laws. This is particularly the case for the “legal bases”, which define the grounds on which companies can process personal data.
While the GDPR allows for different legal grounds that are suitable for various circumstances and levels of risk, ePrivacy prefers consent as the main legal basis and only allows for very narrow exceptions.
This is being justified by the fact that ePrivacy is supposed to cover types of data that are always sensitive, such as the content of communications. However, as shown above, ePrivacy covers a great variety of data processing activities (in some cases even involving non-personal data, such as when two machines exchange data in M2M communications) and the context in which data processing happens should be taken into account when deciding if asking for users’ consent actually makes sense.
ePrivacy is so much more than just cookies. It is about how all present and future digital technologies and devices function. The aim of the legislation should be to protect the secrecy of communications, not to undermine Europe’s digital future.