Security Experts:

EU ePrivacy Regulation Edges Closer to Fruition

The proposed European Union ePrivacy Regulation is on the verge of entering Trilogue. Trilogue is the series of informal discussions involving the European Parliament, the Council of Europe (that is, representatives from each member state), and the European Commission. It is Trilogue that defines the final shape of the legislation.

The all-important hurdle was the vote by 31 in favor to 24 against by the European Parliament's justice committee (LIBE) at the end of last week. LIBE is the lead committee in preparing this legislation.

The ePrivacy Regulation is intended to harmonize e-communications confidentiality laws across the member states by replacing the ePrivacy Directive passed in 2002 (and amended by the 'cookies directive' of 2009). In this way it is similar to the General Data Protection Regulation (GDPR) replacing the earlier Data Protection Directive -- and it carries the same potential sanction of up to 4% of global revenue.

Consistent enforcement will be achieved by assigning the related supervisory powers to the national independent authorities already competent to enforce the GDPR. The intention is to have the ePrivacy Regulation ready by the time GDPR becomes enforceable in May 2018.

However, the new regulation goes beyond simply harmonizing existing laws. These were put into effect before the rise of 'over-the-top' communication channels such as WhatsApp, Facebook, Messenger, and Skype -- which largely escape the confidentiality requirements imposed on mainstream telecommunications companies. The new regulation will apply to the provision of e-communications services to end-users in the EU, irrespective of whether it is a paid for or free service. Providers from outside of the EU will have to appoint a representative within the EU.

While expanding the scope to include the newer channels, the ePrivacy Regulation in its current form also increases the detail of confidentiality. For example, the new terminology is 'tracking technologies', which includes but is not limited to cookies. As with GDPR, consent must be freely and unambiguously given by the user, but can be expressed by a clear affirmative action.

Such 'affirmative action' could be at the browser settings level where technically feasible and possible -- and the wording of the proposal seems to imply that browsers will be required to include a 'no tracking' feature in all new software. Under the new proposal, service providers will not be able to prevent users from accessing a website if they refuse to accept cookies.

The regulation also specifically expands its core rules from content only to include metadata -- which is now generally accepted to include personal information.

However, it should be said that the Regulation is still in the proposal stage. It has already been weakened following extensive industry lobbying. The view of the marketing and advertising industry is that increased consumer protection will stifle innovation and reduce free services on the Internet. A new report from Corporate Europe Observatory (CEO) published October 17 notes that in 41 high-level EU Commission lobby meetings in 2016, 36 were with corporate interests. Only five were with civil society lobbyists.

Industry lobbying -- and in particular, the marketing industry -- will continue during Trilogue, and may well succeed in weakening the proposal further. “During the negotiations on the [GDPR],” notes CEO, “the industry lobby had repeatedly succeeded in having a considerable influence on the positions of the Member States. Due to the non-transparency of the Trilog method, this is particularly vulnerable to opaque manipulation attempts by lobbyists.”

Jan Philipp Albrecht, who was the EU rapporteur for the GDPR, warned about the continuing pressure from conservative MEPs and business interests. “Some conservatives have refused a compromise, despite the great concessions, the profit interests of large internet groups and the short-sighted deregulation fantasies of some industrial associations about the fundamental rights on data protection, privacy and communication secrecy and want to massively weaken the data protection in communication. Consumers want strong data protection of their communications.”

The marketing and ad industries will hope to achieve further concessions from the member states, while privacy activists will hope that the European Parliament and European Commission can hold steady.

Related: EU to Launch Cybersecurity 'Safety Labels'

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.