The draft ePrivacy Regulation was proposed in January 2017 and has remained on the agenda of the Council of the EU following two and a half years of intense discussions. Progress on the file has, however, been limited. While the Council has considered ways to improve the text, too many important questions remain unaddressed and amendments continue to create more confusion than clarity.
The arrival of the new European Commission in November and the new European Parliament represents an opportunity for a fresh start in the debate, which can only happen if the proposal is fundamentally reassessed in light of many outstanding concerns, new legislative landscape and technology development.
Members of SPIR deeply support the European way of live and European values, ensuring the privacy of internet users. However, the current ePrivacy proposal has generated great uncertainty across all of us, whose effort to comply with the General Data Protection Regulation (GDPR) risks being nullified by an incoherent ePrivacy text.
To date, many unanswered questions have remained about the essential aspects of the proposal – its scope of application, its definitions, its inflexible legal bases and its relationship with the GDPR. The Council has endeavoured to address industry’s concerns in the various iterations of the text. Unfortunately, attempts to solve the substantive issues have fallen short of a more profound reconsideration of the proposal.
We still see significant issues in the current draft regulation. The text has not properly balanced the interests of the industry and interests of data subjects, going extensively beyond the GDPR. In addition to electronic communications services, it covers other services such as Internet search engines and online publishing. The proposal has not attempted to establish a balanced and fair relationship between industry and data subjects, which, on the one hand, would ensure a high level of data protection and privacy, while on the other hand, would allow the continuation of business models that have successfully developed and proved over recent years on the Internet.
The proposal in its current iteration still does not allow to evaluate the legitimate interests of both business and data subjects on a case-by-case basis. Such consideration, of course, cannot be allowed for critical fundamental rights, such as the confidentiality of one’s communication, where clear legal framework needs to be adopted. At the same time, parts of the draft provisions, i.e. Article 8, would perform much better and in a more balanced way if there was an option of the case-by-case evaluation.
We believe that the ePrivacy proposal imposes disproportionate restrictions on service providers, including disproportionate penalties, without significantly increasing the level of users’ protection that GDPR has already established. The implementation of the ePrivacy will lead to a significant burden for users, with an enormous number of information banners. It has been proved already, how annoying and disturbing that is to users’ experience, without increasing users’ protection and privacy at the same time. This observation has already been acknowledged also by the European Commission. Such disruption of business models will also likely impose a threat to the European digital economy.
Online advertising is a key component and a key driving force of the European digital economy, allowing European’s publishers to flourish and European application developers to reinvest in further innovations. In 2018, online advertising was responsible for a gross value of € 55 billion in the EU 1. Online advertising is thus an essential source of revenue for online media publishers and app developers: 75% of their total revenue came directly from online advertising. It is obviously of uttermost importance to make all efforts to achieve a well-balanced and proportionate ePrivacy Regulation, and not to rush for a general approach at all costs.
Result of the ePrivacy might be complete suppression of the possibility to segment users for the purposes of increasing efficiency of the content delivered to users online. We believe that in everyday life, users will not take advantage of the possibilities provided by Article 4a to express their consent to profiling/segmentation. Therefore, this option will remain available only to those who acquire users’ express consent based on Article 8, which will in practice be feasible only for a few largest non-European online service providers.
Only the providers of large non-European social networks or e-mail services have a sufficient number of users, allowing them to achieve efficient segmentation/profiling in accordance with the provisions in Article 8. At the same time, such providers are able to conduct more detailed profiling because of the fact that they have access to very detailed information about the data subjects and they can combine them with information on their activities within their services, incl. their interpersonal connections.
The current state of the ePrivacy proposal includes an exception for audience measurement to the consent as required by Article 8. This exception recognizes the necessity for information society service providers (although we believe that any website provider should be able to measure traffic) to better understand how their audiences interact with their service. It specifically recognizes the very limited privacy impact, as there is a broad agreement between all audience measurement providers that no audience measurement data may be used for targeted advertising.
Unfortunately, we are convinced that the current provisions in the ePrivacy draft are not yet enough to allow all audience measurement services to operate. NetMonitor, an audience measurement system operated by a third party in the Czech Republic, under the supervisory of SPIR, would probably not fit into the exception found in Artice 8 of the ePrivacy draft. NetMonitor is a measurement system carried out by an independent third party, on behalf of SPIR as an independent national organization. Current provisions in Article 8(1)(d) would lead to unjustified limitations of this model. It is not appropriate to require a controller- processor relationship when the whole market trusts an independent operator of such measurement service.
We are also concerned about the implementation of the provisions for the purpose of detecting, deleting and reporting material constituting child pornography. While SPIR strongly supports all efforts to combat child pornography, we also strongly support combat with terrorism and illegal content, which are all part of important European policies. Article 6(d) constitutes a very special provision for communication service providers when it comes to child pornography, while at the same time, leaves untouched other important political challenges like terrorism or illegal content. Such an approach is very unfortunate, deeply unbalanced and as non-systematic should be reconsidered.
Without a major overhaul of the text, Europe’s digital transformation will be severely hampered as a result of the legal uncertainty and rigidity brought about by the ePrivacy Regulation. Europe’s artificial intelligence ambitions will also be frustrated at a time when specific AI legislation is being considered.
Ahead of a major stocktaking exercise on the application of the GDPR since its entry into force in May 2018, this is an opportune time to reset the ePrivacy discussions and ensure certainty and consistency for both industry and consumers.
We, therefore, urge the national governments to fundamentally reconsider their discussions on the text and not let ourselves wave in favour of the general approach, as the ePrivacy file is obviously not ready yet. While we support in general the worthy objectives of the proposal, only a fresh new attempt will serve the Regulation’s purpose in line with the principles of better regulation and in line with the GDPR.