Connect with us

Hi, what are you looking for?



EU ePrivacy Regulation Edges Closer to Fruition

The proposed European Union ePrivacy Regulation is on the verge of entering Trilogue. Trilogue is the series of informal discussions involving the European Parliament, the Council of Europe (that is, representatives from each member state), and the European Commission. It is Trilogue that defines the final shape of the legislation.

The proposed European Union ePrivacy Regulation is on the verge of entering Trilogue. Trilogue is the series of informal discussions involving the European Parliament, the Council of Europe (that is, representatives from each member state), and the European Commission. It is Trilogue that defines the final shape of the legislation.

The all-important hurdle was the vote by 31 in favor to 24 against by the European Parliament’s justice committee (LIBE) at the end of last week. LIBE is the lead committee in preparing this legislation.

The ePrivacy Regulation is intended to harmonize e-communications confidentiality laws across the member states by replacing the ePrivacy Directive passed in 2002 (and amended by the ‘cookies directive’ of 2009). In this way it is similar to the General Data Protection Regulation (GDPR) replacing the earlier Data Protection Directive — and it carries the same potential sanction of up to 4% of global revenue.

Consistent enforcement will be achieved by assigning the related supervisory powers to the national independent authorities already competent to enforce the GDPR. The intention is to have the ePrivacy Regulation ready by the time GDPR becomes enforceable in May 2018.

However, the new regulation goes beyond simply harmonizing existing laws. These were put into effect before the rise of ‘over-the-top’ communication channels such as WhatsApp, Facebook, Messenger, and Skype — which largely escape the confidentiality requirements imposed on mainstream telecommunications companies. The new regulation will apply to the provision of e-communications services to end-users in the EU, irrespective of whether it is a paid for or free service. Providers from outside of the EU will have to appoint a representative within the EU.

While expanding the scope to include the newer channels, the ePrivacy Regulation in its current form also increases the detail of confidentiality. For example, the new terminology is ‘tracking technologies’, which includes but is not limited to cookies. As with GDPR, consent must be freely and unambiguously given by the user, but can be expressed by a clear affirmative action.

Such ‘affirmative action’ could be at the browser settings level where technically feasible and possible — and the wording of the proposal seems to imply that browsers will be required to include a ‘no tracking’ feature in all new software. Under the new proposal, service providers will not be able to prevent users from accessing a website if they refuse to accept cookies.

The regulation also specifically expands its core rules from content only to include metadata — which is now generally accepted to include personal information.

Advertisement. Scroll to continue reading.

However, it should be said that the Regulation is still in the proposal stage. It has already been weakened following extensive industry lobbying. The view of the marketing and advertising industry is that increased consumer protection will stifle innovation and reduce free services on the Internet. A new report from Corporate Europe Observatory (CEO) published October 17 notes that in 41 high-level EU Commission lobby meetings in 2016, 36 were with corporate interests. Only five were with civil society lobbyists.

Industry lobbying — and in particular, the marketing industry — will continue during Trilogue, and may well succeed in weakening the proposal further. “During the negotiations on the [GDPR],” notes CEO, “the industry lobby had repeatedly succeeded in having a considerable influence on the positions of the Member States. Due to the non-transparency of the Trilog method, this is particularly vulnerable to opaque manipulation attempts by lobbyists.”

Jan Philipp Albrecht, who was the EU rapporteur for the GDPR, warned about the continuing pressure from conservative MEPs and business interests. “Some conservatives have refused a compromise, despite the great concessions, the profit interests of large internet groups and the short-sighted deregulation fantasies of some industrial associations about the fundamental rights on data protection, privacy and communication secrecy and want to massively weaken the data protection in communication. Consumers want strong data protection of their communications.”

The marketing and ad industries will hope to achieve further concessions from the member states, while privacy activists will hope that the European Parliament and European Commission can hold steady.

Related: EU to Launch Cybersecurity ‘Safety Labels’

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...