EC Seeks to Impose Telco Privacy Rules on Internet Communications Providers

WhatsApp, Skype and their kin would have to abide by the same privacy rules as telcos under a proposal unveiled Tuesday by the European Commission. If approved by the European Parliament and Council, the measure also would simplify rules for cookies, guarantee privacy for the content and metadata derived from e-communications, create a single rule across Europe, and open up opportunities for traditional telcos to take advantage of data, the EC said. User consent to use of the data is "paramount," said Digital Single Market Vice-President Andrus Ansip at a news briefing. The e-privacy proposals got mixed stakeholder reviews.

On the related topic of Privacy Shield, which allows trans-Atlantic personal data flows, Justice Commissioner Vera Jourová said her partners in the U.S. have briefed the incoming Trump administration on the importance of the agreement and the necessity to keep the commitments made under the Obama presidency. She said she will travel to the U.S. as soon as the new administration has settled in to discuss what still needs to be done. "I am in the mood of slight positive feeling" about Privacy Shield, she said.

The regulation on privacy and electronic communications, part of the digital single market strategy, is intended to boost individuals' privacy protections while enabling free data flows, the EC said. That data localization laws are increasing in Europe and globally isn't good, Ansip said. Big companies are capable of setting up data centers in all 28 EU members, but small businesses and startups can't, he said. Europe's data economy is expected to generate 643 billion euros (about $680 billion) by 2020. The EC initiatives include a communication on building Europe's data economy, and various documents (here) on e-privacy and data protection proposals.

The general data protection regulation (GDPR) adopted last year deals only with personal data, not machine-to-machine or business-to-business communications, Ansip said. There's an existing e-privacy directive but its implementation in national laws varies, he said. The new measure would provide a single set of rules that extend beyond telecom providers to internet communications services, he said. It also would allow telcos to commercialize the data they hold, which they can't do now, he said. It will have to be subject to the consent of data owners, he said.

The EC proposed to give users more control over their settings by providing an easy way to accept or refuse tracking of cookies and other identifiers. No consent would be needed for non-privacy-intrusive cookies that improve the internet experience, such as remembering a user's shopping card history, it said in a news release. The proposal also bans spam by any means. The communication lays out a strategy for international personal data transfers, including discussions on "adequacy" decisions with key trading partners in East and South-East Asia and Latin America.

Making modern communication methods such as Skype comply with data protection rules for electronic communications "is a long overdue reform," said Member of the European Parliament Jan Philipp Albrecht, of the Greens/European Free Alliance and Germany. He panned the rules on user activity tracking, saying service providers would be able to assume consent unless the user says otherwise.

“This reform is the opportunity to confront the widespread problem of online tracking," said European Consumer Organisation Director-General Monique Goyens. "Consumers must have an alternative to being under 24/7 commercial surveillance when using digital services." With 89 percent of respondents to a recent EU survey saying they want their browsers to protect their communication by default, the EU should heed their call, she said.

The EC "has resisted the most extreme demands from certain parts of industry," said European Digital Rights Executive Director Joe McNamee. To promote trust, privacy and innovation, the proposal needs "significant improvement," he said. There are big differences between people and businesses in priorities for the big data society, he said: What they both need is "clear rules that inspire trust."

The proposal "risks incoherence and confusion" with the GDPR, said the Computer & Communications Industry Association. Since it applies to all services with a communications element, such as dating apps, videogame services, travel and e-commerce sites, it dramatically enlarges the range of services covered, which makes it more important that e-privacy is truly compatible with the GDPR, said CCIA Vice President James Waterworth. Achieving a true digital single market and keeping European industry competitive makes it "essential that there is coherence amongst the various EU legal instruments," said EuroISPA President Oliver Süme.

Telecom groups urged the European Parliament and Council to "correct the new e-Privacy regulation and make sure it allows a customer-friendly ad innovation-ready approach." The European Telecommunications Network Operators' Association and GSM Association urged legislators not to burden communications services with tougher requirements than those imposed on other service providers that process similar data such as date, time and location of data or a device.

The privacy proposal drew sharp words from online advertisers and publishers. It "risks harming the livelihood of millions of websites and apps that rely on digital advertising to fund content and tools for consumers" in the U.S. and Europe, said Interactive Advertising Bureau Executive Vice President Public Policy Dave Grimaldi. The proposal's prescriptive rules would hamper online advertisers' ability to innovate, he said. The proposed new rules on cookies "will significantly affect the business model of the digital press" by, among other things, preventing many European companies, including press publishers, from working with third parties for audience measurements, said The European Magazine Media Association and the European Newspaper Publishers Association.