The European Commission has revealed its proposal for updating the ePrivacy Directive. I have previously analysed a version of the ePrivacy document leaked in December.
The new regulation still provides strong guarantees of integrity and confidentiality of communication (covering also instant messengers such as Facebook Messenger, WhatsApp, Google Hangouts, etc.). That’s good. However, compared to the leaked document, there are some potentially controversial changes. Readers will notice that the ePrivacy proposal offers significantly weaker (and less precise) protection guarantees than the December leak. One may well wonder what happened in those few weeks. It is also easy to see that the proposal was released in haste: some leftover formatting changes remain clearly visible (though it is not visible who is responsible for them).
One of the positive changes is that the duration of consent for processing communication data becomes limited: consent will need to be renewed at least every 6 months.
I will start with the - definitely - most influential change.
Privacy by Design is out
Article 10 in the leaked version contained a very strict Privacy by Design framework. In the proposed version, Privacy by Design is scrapped.
The article still offers interesting measures. It requires “the option to prevent third parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipment.” This means that remote tampering with instant messengers (and similar software) is restricted.
Additionally, upon installation, software will need to offer the user options for privacy settings. This actually has strong implications:
- there MUST be privacy settings
- users will be prompted to review and configure their software
- users must provide consent
- all existing software must be updated to reflect these requirements by May 2018
ePrivacy says “no” to tracking and fingerprinting
The regulation recognizes the risks of identifying and tracking users and their devices using a variety of tools - tracking cookies, web bugs - and fingerprinting. Any use of such technologies is subject to strict, informed consent, and such technologies may only be used for a specific purpose.
This also applies to cross-device fingerprinting and linking.
Metadata processing requires consent
Providers of electronic communications will be required to obtain explicit consent for analysing communication metadata. This means that analysis based on patterns of use (sometimes amounting to a “list of visited web sites”) will be prohibited without explicit consent.
The regulation also allows users to opt in to metadata analysis for purposes such as fraud detection. Again, with strong consent requirements.
Data Protection Impact Assessment
The new ePrivacy requires a Data Protection Impact Assessment to be performed where “a type of processing of electronic communications metadata, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons”. This applies, for example, to aggregate tracking of pedestrian traffic (such as in London’s Tube, by TfL, where no Privacy Impact Assessment was made!). The requirement is quite broad and will be enforced.
That is good: Privacy Impact Assessments and Data Protection Impact Assessments are valued as the right tools to measure privacy risks and to develop adequate solutions and standards. The only question is whether the requirements are broad enough.
Cookie consent not required in one-time session tracking
Cookie consent won’t be required if a cookie is only used during a single session, for example for measuring traffic and similar purposes.
The risk with this approach is that it makes it less clear when cookie use is authorised without consent. This can have the following impacts:
- cookie consent prompts will not disappear, since site owners will prefer to keep them just to be on the safe side
- cookie consent prompts will not be used where they should be
- cookies will be used where consent has not been granted (but should have been), perhaps using technical quirks that technically allow evading the consent requirements (I sometimes call this “consent laundering” or “consent evasion”)
Browsers are gatekeepers to digital services
ePrivacy recognizes the privileged position that web browsers have. For this reason, web browser vendors will be encouraged to deploy privacy controls that are easy to understand and configure. ePrivacy gives one example: web browsers must offer clear settings for accepting cookies. Not much beyond that. Web browser privacy is significantly less present in the proposed regulation than in the December document.
In fact, here the ePrivacy regulation sanctions the status quo, since all major web browsers already offer cookie controls.
What ePrivacy isn’t addressing are current trends and the near and medium-term future. For example, the proposal does not recognize that web browsers will soon have much more powerful functionality, such as access to sensors or even the ability to pair with a user’s physical devices (for example via Bluetooth). ePrivacy also apparently does not explicitly recognize Do Not Track as a consent solution, although Article 9(2) foresees the possibility of expressing consent "by using the appropriate technical settings of a software application enabling access to the internet". This can apply to Do Not Track. But what about the requirement to honour the setting?
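To make the two provisions above concrete, here is an added example (my own illustration, not code from the article, the Commission or any browser vendor) of how a server-side consent gate could honour them: it reads the browser's DNT header as the "technical setting" that Article 9(2) allows as an expression of consent, and it lets through without a consent check only cookies that are scoped to a single session. The purpose labels (session, analytics, tracking), the cookie names and the sample request are assumptions constructed for illustration; the regulation itself defines none of them.

```javascript
// Added example (not from the article or the regulation text): a
// server-side gate that decides whether a Set-Cookie header may be sent.
// It treats the DNT request header as the consent signal that Article 9(2)
// contemplates, and exempts cookies that live only for the current
// session. The purpose categories 'session', 'analytics' and 'tracking'
// are assumed labels for illustration, not terms from the regulation.

// Split a Set-Cookie header value into its name, value and a map of
// attributes (attribute names lower-cased, values kept as written).
function parseSetCookie(headerValue) {
  const parts = headerValue.split(';').map(p => p.trim()).filter(Boolean);
  const [name, ...valueParts] = parts[0].split('=');
  const attrs = {};
  for (const part of parts.slice(1)) {
    const eq = part.indexOf('=');
    const key = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    attrs[key] = eq === -1 ? true : part.slice(eq + 1).trim();
  }
  return { name: name.trim(), value: valueParts.join('='), attrs };
}

// A cookie is session-scoped when it carries neither Expires nor Max-Age:
// the browser drops it when the browsing session ends.
function isSessionCookie(headerValue) {
  const { attrs } = parseSetCookie(headerValue);
  return !('expires' in attrs) && !('max-age' in attrs);
}

// Read the DNT request header. "1" means the user asked not to be tracked,
// "0" means the user granted permission; anything else (including no
// header at all) is "no preference" and must not be read as consent.
function dntPreference(requestHeaders) {
  const entry = Object.entries(requestHeaders)
    .find(([k]) => k.toLowerCase() === 'dnt');
  if (!entry) return 'unspecified';
  const v = String(entry[1]).trim();
  if (v === '1') return 'opt-out';
  if (v === '0') return 'consent';
  return 'unspecified';
}

// Decide whether one Set-Cookie header may be emitted. `purpose` is what
// the cookie is used for: 'session' (login state, cart), 'analytics'
// (traffic measurement) or 'tracking' (cross-site profiling).
function consentGate(requestHeaders, setCookieValue, purpose) {
  const session = isSessionCookie(setCookieValue);
  const dnt = dntPreference(requestHeaders);

  // Single-session cookies used for the session itself or for traffic
  // measurement fall under the exemption discussed in the text.
  if (session && purpose !== 'tracking') {
    return { allow: true, reason: 'single-session cookie, no consent needed' };
  }
  // Anything persistent, or anything used for tracking, needs consent;
  // DNT: 1 is an explicit refusal and is honoured as such.
  if (dnt === 'opt-out') {
    return { allow: false, reason: 'DNT: 1 received, user refused tracking' };
  }
  // DNT: 0 is the one browser setting that expresses permission.
  if (dnt === 'consent') {
    return { allow: true, reason: 'DNT: 0 received, treated as consent' };
  }
  // No signal at all is not consent: fall back to an explicit prompt.
  return { allow: false, reason: 'no consent signal, explicit prompt required' };
}

// Apply the gate to every Set-Cookie header a response wants to send and
// return only the headers that may go out.
function filterSetCookies(requestHeaders, cookies) {
  return cookies
    .filter(c => consentGate(requestHeaders, c.header, c.purpose).allow)
    .map(c => c.header);
}

// Constructed sample: a request carrying DNT: 1 and three candidate cookies.
const sampleRequest = { 'Host': 'example.test', 'DNT': '1' };
const sampleCookies = [
  { header: 'sid=abc123; Path=/; HttpOnly; Secure', purpose: 'session' },
  { header: 'visit=1; Path=/; SameSite=Lax', purpose: 'analytics' },
  { header: 'uid=9f2e; Max-Age=31536000; Domain=.example.test', purpose: 'tracking' },
];
// Only the two session-scoped cookies survive; the persistent tracking
// cookie is dropped because the browser said DNT: 1.
const sampleResult = filterSetCookies(sampleRequest, sampleCookies);
```

The design choice worth noting is that the absence of a DNT header is treated as "no consent", not as consent: the regulation's consent standard is explicit and informed, so only an affirmative browser setting (DNT: 0) is accepted as the Article 9(2) signal, and everything else falls back to a prompt. That is also why the gate keys the exemption on the cookie's actual lifetime (no Expires/Max-Age) rather than on what the site calls it, which closes the most obvious "consent evasion" route of labelling a persistent identifier a session cookie.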
WiFi tracking awareness
Places using identifier tracking, such as tracking based on WiFi MAC addresses, IMEI or IMSI, will need to be visibly marked.
Liability, up to 20 million euro
Failure to comply with the Regulation may result in fines of up to 20 million euro (or 4% of total worldwide annual turnover) being imposed on the manufacturer. This repeats the provisions of the General Data Protection Regulation.
Compared to the leaked document, the proposed ePrivacy regulation does not offer any visionary change. It is not trying to look ahead.
ePrivacy still provides a number of interesting proposals, for example the requirement to perform Data Protection Impact Assessments, the strengthening of consent, the direct reference to fingerprinting, and clearly stated definitions.