I have been tracking everything related to the ePrivacy Regulation, and have taken an active part in the related work, for a while now.
What is ePrivacy?
In a nutshell, ePrivacy is a regulation aiming to further protect privacy in electronic communication. Think of it as a specialized GDPR. Indeed, ePrivacy is to take precedence over GDPR in some respects. Read more on the topic in my previous posts: the official ePrivacy proposal, my input during the Roundtables in the EU Parliament, and the description of the final report (adopted).
The European Commission's draft ePrivacy proposal was published over a year ago. In October, the European Parliament passed its version, which notably contained some ground-breaking recommendations: end-to-end encryption, a ban on backdoors, signals such as Do Not Track being binding, and more. Now the EU Council is struggling to reach its own. Some countries already have specific positions. Keep in mind that in the European Parliament, ePrivacy was a question of rights and freedoms (to simplify: privacy). In the EU Council, however, ePrivacy is in the hands of a group devoted to telecommunications (so not quite privacy or data protection). The focus is different, and so are the people working on it.
Positions of European countries
In the course of the ePrivacy work, I have created both public and non-public analyses and reports. I have seen internal documents as well as public ones, from the industry, NGOs, and other organizations. I have also seen some documents produced within countries, such as the recent (controversial) analysis for the German government, with seemingly no particular focus on technologies or privacy at all.
But I must say that I am positively impressed with the analysis made by the French Conseil Général de l'Économie (High Council of Economy, an advisory and audit body), commissioned by the French government. I am not referring to its position, but rather to the methodology used. Namely:
- The study followed actual research of available software solutions (browsers, etc.) and sometimes of things to come (standards such as DNT)
- The study is aware of the “new cool stuff” such as differential privacy and privacy by design, although it also omitted some issues addressed at the level of the European Parliament
I do not exactly agree with all the conclusions of the document, specifically that ePrivacy mainly strengthens the existing big platforms (i.e. GAFA). But the conclusion that ePrivacy gives a privileged position to web browsers and operating systems may be viewed as correct. However, this should not necessarily be viewed as a weakness of ePrivacy, but as an asset, based on facts. Technically, browsers and operating systems are the layers where protection fits best, and they are here to stay in this or another form. This is not only about security, privacy, and consent processing, but also about how the internet works architecturally, and ePrivacy should be about technology. So let it speak in technical language.
The French report recommends some negotiating positions:
- ePrivacy must be technologically neutral.
I agree in full, and this is already strengthened in the EU Parliament proposal, which speaks about technology-neutral architectural solutions, referencing technical methods for consent and permissions, or about end-to-end encryption. These could be applied to smartphones, browsers, cars, and beyond.
- The report calls for further development of privacy technologies and solutions but suggests that the approach pursued by actors with “dominating position” should be put to scrutiny for consumer protection.
Interesting; could that point be about Chrome ad blockers?
- The position says that there should be different ways of funding publishers, and that users need a way of negotiating how they compensate service providers (if this is the case). There is a need to communicate this kind of agreement, i.e. “consent”. In other words, software must be configurable, and websites should be able to ask users to change the software configuration.
I could view this as a desire to allow websites to ask viewers to disable adblockers. But it can also be seen as a call to further develop web browsers' consent processing mechanisms, such as Do Not Track, which would take care of mediating between the user and the site.
- That ePrivacy should not be about publishers and adblockers (in short), and that it is the advertisers' problem to earn a better reputation among internet users.
A call for self-regulation.
Technical methodology
What is rather remarkable is that the report is quite thorough for a document of this kind. The tests focused on Chrome, Firefox, Safari, and the privacy solutions they offer. For example, in the last case, the report mentions Intelligent Tracking Prevention (iOS 11), released last year. The report also mentions browser extensions such as Ghostery or uBlock Origin.
Overall, this report is well informed. The quality of the technology policy advice used in creating this report is high. Don’t forget we are speaking about a public institution. Yet the report's quality is much better than that of some industry reports, even those backed with big funding. This again reminds me of the recent French cybersecurity document, whose level was also high.
Recommendations
Finally, the document issues 7 recommendations. I include them here and provide my critical comments. To be clear, I am not speaking here about endorsing these recommendations, but providing an assessment of them.
(1) ePrivacy should be technologically neutral, the entire text including the recitals
This point is already well supported by the version passed by the EU Parliament. Literally naming solutions like “Do Not Track” or “end-to-end encryption” should not be considered “non-neutral”. But the point is important given the competition in the field of privacy and the diverse solutions that are offered. Likewise, mentioning operating systems and browsers explicitly should not be regarded as non-neutral. The term “end-user terminal” is too often blurred and vague. Keep ePrivacy written in accessible language.
(2) No software should have privileged position, and privacy settings should exist
The problem with this point is that it might miss an opportunity to acknowledge the obvious: operating systems and web browsers are the main means of using internet services and content. Like it or not, they are privileged. They should be responsible for protection. They also need to be named in the text, one way or another. When I browse the web, the gatekeeper of my security and privacy is my web browser, not the owner of the websites I visit.
(3) default settings offered by the dominant publishers and service providers should be scrutinized to protect competition
It is not difficult to see what and who this is about. Then again, is ePrivacy about the protection of competition (beyond competition on privacy)? Depending on your view, this point might even stand against Chrome with its built-in adblocker, or even Safari with its tracking protection.
Also, this recommendation seemingly contradicts point (2), because the authors knowingly admit that privileged players and layers exist (software such as browsers, which are responsible for tracking preferences).
(4) Software for accessing or controlling access to electronic communications needs to have privacy settings that are easy to use
This recommendation is about changing tracking and consent settings. Again, depending on your view, this may mean that users should be able to easily set high privacy settings. Or, alternatively, that when a website requires changing settings to disable an adblocker or allow tracking, this should be easy as well. Try to guess which reading will be taken more seriously, and by whom.
But the point here is also about a communication channel between the website and the user. The website should be able to ask for consent, and the user should be able to grant it, or even change their mind after a choice has been made in the past. What should mediate this communication? In my view, the natural choice would be the web browser. The report mentions the failure of the P3P mechanism (which was perhaps a bit ahead of its time?) and the slow standardization effort of DNT within the W3C. Those points are sadly justified.
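As an added illustration of such browser-mediated consent (example code written for this post, not part of the French report or of any project), here is how a site could read the browser's DNT signal and answer with the W3C Tracking Preference Expression status header; the `siteHasConsent` record is an assumed placeholder for whatever the site keeps.

```javascript
// Added example, not from the post or the French report: a server-side helper
// that treats the browser's DNT header as the consent channel described above
// and answers with the W3C Tracking Preference Expression (TPE) "Tk" status
// value, so the browser can show the user what the site claims to do.
// Assumptions: `headers` maps lowercase HTTP header names to values, and
// `siteHasConsent` is whatever consent record the site keeps (hypothetical).

function dntDecision(headers, siteHasConsent = false) {
  const raw = headers['dnt'];
  // TPE defines the DNT field value as a single character:
  // "1" = do not track, "0" = the user granted consent; anything else is malformed.
  let preference = 'unset';
  if (raw !== undefined) {
    const v = String(raw).trim();
    preference = v === '1' ? 'opt-out' : v === '0' ? 'opt-in' : 'malformed';
  }

  let trackingAllowed, tk;
  if (preference === 'opt-in') {
    trackingAllowed = true;            // consent expressed through the browser
    tk = 'T';                          // TPE: tracking
  } else if (preference === 'unset') {
    trackingAllowed = siteHasConsent;  // no signal: only an explicit record counts
    tk = siteHasConsent ? 'C' : 'N';   // TPE: tracking with consent / not tracking
  } else {
    // "1" (or garbage, failing safe) is treated as binding, as in the
    // European Parliament text: no out-of-band record overrides it.
    trackingAllowed = false;
    tk = 'N';
  }
  return { preference, trackingAllowed, tk };
}

// Turn the decision into response headers: always announce the status, and
// only set the (constructed) tracking cookie when tracking is allowed.
function trackingResponseHeaders(headers, siteHasConsent = false) {
  const d = dntDecision(headers, siteHasConsent);
  const out = { Tk: d.tk };
  if (d.trackingAllowed) out['Set-Cookie'] = 'uid=example; Secure; HttpOnly; SameSite=Lax';
  return out;
}
```

A user who changes their mind simply flips the browser setting, and the next request carries the new signal, which is exactly the mediation role described above.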
(5) Service providers must be able to offer the user a number of options for accessing the service, depending on the consent.
This point refers to business models such as subscription (paid), premium, freemium, ad-financed, and so on. This position means that tracking walls should be acceptable if users wish to provide compensation in a different manner. It stands in contradiction to the proposal passed by the European Parliament.
(6) Grace period for implementing ePrivacy
This is by far one of the most controversial points. It is also where the policy advice may no longer be so well informed with respect to the latest data. Here, the French report wants to grant time for adaptation to the new rules required by ePrivacy: a period during which ePrivacy would not be enforced.
In the case of GDPR, this grace period was two years, so GDPR has been enforced since 25.05.18.
I have some mixed feelings here, because GDPR might actually not be taken seriously enough due to this grace period. The lack of preparedness is evident, not only among companies but also among the actual EU Member States.
So what if it turns out that the two-year grace period for GDPR was too long? If so, what is the point of giving a two-year grace period if even the Member States are simply behind? A litmus test could be as simple as considering how many Member States allocated additional preparatory budget resources to Data Protection Authorities in 2016, 2017, and even 2018. This suggests that long grace periods might be going in the wrong direction.
(6) Self-regulation initiatives of advertising industry should be encouraged, (7) transparency aspects of these guarantees
An interesting recommendation, following the apparent failure of self-regulation. There are continuous attempts to reach industry-wide self-regulation, but so far these are far from industry-wide. In principle, I could imagine a GDPR Code of Conduct in the industry. But is this the same?
Additionally, it is not clear who could provide an independent oversight here.
The whole report can be found here
Summary
ePrivacy won’t be adopted in May 2018. This means a significant dose of instability, with GDPR and the old ePrivacy Directive operating at the same time. It is currently unclear when the new ePrivacy framework will enter into force. But one thing already emerges: the experience of GDPR preparation indicates that long grace periods are inefficient.
Did you like the analysis? Feel free to reach me at me@lukaszolejnik.com