EC Proposes Tough New Online Privacy Rules

Douglas Crawford

January 11, 2017

Under the EU’s 2009 ePrivacy Directive, traditional telecoms companies are prevented from listening to or otherwise tapping into customers’ communications, storing them, or sharing any metadata information collected with third parties (unless necessary for billing purposes). Unfortunately, these privacy rules do not currently apply to online providers of “over-the-top” services.

Under a new proposal by the European Commission, this might soon change. Over-the-top services are communications services transmitted via the internet, and the EC wants to introduce new legislation that will bring such services into line with existing legislation. This includes services such as those provided by Facebook, Google, and WhatsApp, most of which are primarily based in the US.

Under the proposal, companies would be required to ask users for explicit consent before using their data for advertising purposes. This is likely to be a big blow to all providers of free services. Companies such as Google and Facebook scan emails, posts and other communications, and use advanced online tracking techniques. They do this in order to sell highly targeted and personalized advertising to their users.

The commission explained the need to extend the EU’s privacy law to cover online communications:

“Important technological and economic developments took place in the market since the last revision of the ePrivacy Directive in 2009. Consumers and businesses increasingly rely on new Internet-based services enabling inter-personal communications such as Voice over IP, instant messaging, and Web-based e-mail services, instead of traditional communications services… Accordingly, the Directive has not kept pace with technological developments, resulting in a void of protection of communications conveyed through new services.”

On the flip side, the proposed changes will allow telecoms companies to profit from the metadata they collect, for example by using it to provide additional services that can be charged for. This is something they are not currently allowed to do, which puts them at a disadvantage to their online competition.

Cookie Reforms

The ePrivacy Directive is also popularly known as the “cookie law.” It is the law responsible for that annoying pop-up EU citizens see every time they visit a website, asking for permission to set cookies (or indicate your acceptance of cookies by proceeding to use the site).

Given that most websites will refuse to work if you refuse to accept their cookies, this is not just irritating, but is in practice largely ineffective at protecting our privacy. The new proposals for updating the ePrivacy Directive represent something of a climb-down in the face of this reality and strong industry pressure for the law to be scrapped.

Under the new proposal,

“No consent is needed for non-privacy intrusive cookies improving Internet experience (e.g. to remember shopping cart history). Cookies set by a visited website counting the number of visitors to that website will no longer require consent.”

This change will likely be welcomed by tech firms, but is something of a double-edged sword. By separating out cookies that are necessary to, or improve, the web experience from those that are simply there for tracking and advertising purposes, it makes it much easier for visitors to reject third-party cookies. This is likely to damage websites’ income.

Moving Forward with the Privacy Rules

The proposals also ban “unsolicited and nonconsensual electronic communication.” This should include spam and nuisance calls. Telemarketing companies would also be required to display their phone number or use a special prefix reserved for such calls only.

If made into law, the new proposals will apply to all of the EU’s 500 million citizens. According to a public consultation carried out by the commission, an overwhelming majority of these (81.2%) favored requiring “manufacturers of terminal equipment to market products with privacy-by-default settings activated.”

Companies not complying with the new regulations would face fines of up to 4% of their global turnover. This is in line with the General Data Protection Regulation (GDPR), which is due to come into force in 2018.

The proposed new privacy rules cannot become law until approved by the European Parliament and all 28 EU member states. If passed, however, this will be a major victory for privacy. Although we can expect to see strong pushback from the tech industry…
