E-Privacy Regulation Next Battleground in EU Privacy Protection Push

Debate over a European Commission proposal for a new e-privacy law is heating up as telcos and digital companies race to comply with the EU general data protection regulation. The e-privacy regulation (ePR), which would modify existing electronic privacy rules enacted as part of telecom liberalization, is an exception to Europe's general reluctance to impose sector-specific privacy regulations and a political move aimed at leveling the playing field between traditional providers and over-the-top players that offer telco-like services, Hogan Lovells (Paris) telecom and privacy lawyer Winston Maxwell told a Tuesday webinar. Communications providers said the current version of the draft is inflexible, while digital rights activists criticized EU governments' failure to move forward on the regulation.

Personal data and privacy are treated separately under the European Charter of Fundamental Rights, with Article 7 covering privacy of one's home and communications and Article 8 data protection, Maxwell said. The right to privacy is sometimes broader than that for data protection, justifying the need for an additional law, he said. The EC wants to update the e-privacy directive ostensibly to align it with the GDPR, but the political drive is to put services such as Skype and WhatsApp on the same footing as traditional telecom services, he said. Because the current measure is a directive, governments could tweak its provisions when they adopt it into national law, while a regulation must be adopted without changes, he said.

The GDPR is flexible, technologically neutral and adaptable, but the ePR would divide communications data into content data and metadata data, Maxwell said. It would ban processing of e-communications metadata without the consent of the end-user except in limited circumstances such as for network security, billing and fraud prevention, he said. Content data (such as email correspondence) couldn't be used without the consent of all end-users concerned, raising the "impossible question" of what "all end-users" means and how to obtain their consent, he said.

Telco data protection and privacy executives are "working full speed ahead" to bring their companies into GDPR compliance by May 25, 15 said in a Thursday "plea" to policymakers. The GDPR is an "opportunity to further enhance the privacy of our customers and users in an increasingly digitised society," but the regulation "will need to cohabit with an obsolete e-Privacy Directive from 2002 that specifically governs the handling of telecommunications data with more restraining conditions than for any other sector." The proposed ePR, which sets stricter rules for metadata, would push telcos "into a dumb pipe scenario" that assumes their role is simply to deliver telecom and internet traffic and not to tap into the potential of data analytics, they said.

"Metadata are inherently no more or less sensitive" than other data, the letter said. The ePR should take the same risk-based approach to privacy in metadata as the GDPR takes to other personal data, and should involve the same principles of purpose limitation, data minimization, storage limitation, and confidentiality, they said. Consent isn't the best solution for analytics operations that need large datasets to work and don't have to rely on fully identifiable data to perform those analytics, they said. Signatories included BT, Deutsche Telekom, Telefónica and Vodafone.

The ePR complements the GDPR by "providing clear and specific rules" on such issues as the tracking of individuals online and offline and the use of communications metadata, European Digital Rights Executive Director Joe McNamee wrote in a newsletter. The EC proposal, launched in January 2107, received a "barrage of negative lobbying," he said. The European Parliament took a strong position in defense of electronic privacy rights in October but "the Council appears no closer" to setting clear rules on privacy of communications, he said. McNamee criticized governments for showing "little real progress" in arriving at a negotiating position.

A Council working party met March 13 to discuss revised text proposed by the EU Bulgarian Presidency, an EU source said. The March 7 document (6726/18, here) suggested broadening the existing permissions for use of metadata to, for example, network management or optimization, or creating a legal basis for expanding the use of the data even further. The EC said the ePR proposal covers the content of a communications while it's being transmitted, but the GDPR covers the content once received, the source said. Now the definition of what "in transmission" means is being clarified, and the working party is also considering how sensitive metadata is in light of European Court of Justice case law, she said. A new document (7207/18) with further compromise language will be discussed at a March 28 working party meeting, the source said.

The ePR and GDPR will affect mostly social networks, Barclays Capital wrote investors Wednesday. Its research suggested most companies that use cookies and tags for digital marketing should be relatively unchanged since most publishers have been using GDPR-compliant notifications for months. However, the ePR could be more problematic for social networks, handing more control to Google and Apple at the expense of advertising intermediaries and publishers, Barclays said.

Editor's note: A related series of stories continues on how stakeholders are grappling with GDPR. Part I looked at domain-name stakeholder compliance: 1801290027. Part II detailed corporate efforts in Europe: 1802070001. Part III was on U.S. companies' preparation: 1803080001.