Interesting points in leak of new ePrivacy Directive
We've received an interesting opportunity to study further transitions of the privacy and data protection landscape in Europe. Just in time for the Holiday Season, a draft proposal of the European Parliament (and Council) concerning the respect for private life and personal data in electronic communications and repealing Directive 2002/58/EC (Privacy and Electronic Communications Regulation) has leaked. And I'm very happy to quickly highlight a few interesting points!
[Update 10/01/2017: my analysis of the official proposal can be found here. The proposed version contains changes]
The directive provides freedoms and privacy protection guarantees (with respect to personal data processing). The reason to update it now is that the technology landscape is constantly evolving. The update of the directive was preceded by a public consultation (citizens, civil society/consumer organisations, etc. - but also industry bodies), where 86.7% of polled citizens expressed the need for further protection of data against processing without people's awareness or consent. EU citizens support privacy protections by default and a requirement for good security and privacy design in products.
Some more insight:
- 89% of respondents agree with the proposal that default Web browser settings should stop their information from being shared.
- 90% of EU citizens support end-to-end encryption - a communication mode where only participants of communication can access its details.
Updated directive directly mentions Web browsers
The draft proposal discusses in detail the operation of Web browsers. Web browser privacy, transparency and browser operation (and mechanisms) are used as one of the motivations behind the update of the ePrivacy directive. This should be a major signal for browser vendors and standardisation bodies such as W3C.
The new directive says that Web browsers should require affirmative action from the user to signify his/her agreement to the storage of, access to or use of the equipment's computing facilities.
This effectively means that Web browsers should:
- Ask the user for consent when storing/accessing cookies
- Offer permissions to access sensitive data, for example provided by sensors or advanced communication facilities
Web browser vendors are encouraged to provide easy-to-use privacy and transparency management mechanisms. This means cookie protections and Web Permissions. The cited text can be understood as applying directly to advanced communication methods such as Web Bluetooth (my Web Bluetooth privacy assessment) or sensors such as Ambient Light (my Ambient Light privacy assessment). Web browsers (and standardisation bodies) must think about how best to deliver sensitive and powerful features.
Some additional interesting stuff below.
Cookie information boxes relaxed
In the European Union, when browser cookies are used for tracking purposes, this fact must be clearly communicated to users. In practice, this means that most sites inform users about their use of cookies. This has caused a good deal of irritation among users: the need to constantly see cookie information messages, click "OK", etc.
The Regulation relaxes this need.
- When cookies are used just for configuration purposes, there is no need to inform users about their use.
- When the site uses cookies for tracking purposes (perhaps to behaviorally profile users), cookie information boxes need not be used if a Web browser setting signifying consent (or lack of it) is used. This means that the ePrivacy Regulation endorses Do Not Track (DNT): Do Not Track effectively becomes very relevant and finally gains strong support.
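One way a site could act on such a browser signal, as an added example (not taken from the draft or from any browser or site code). The cookie names and purpose labels are hypothetical; the `DNT` header values follow the W3C Tracking Preference Expression (`1` = do not track, `0` = consent), and falling back to a cookie notice when no signal is sent is an assumption of this sketch.

```javascript
// Added example: cookie policy driven by the DNT request header.
// Cookie names and purposes below are hypothetical.
const COOKIES = [
  { name: "lang", purpose: "configuration" },
  { name: "theme", purpose: "configuration" },
  { name: "ad_id", purpose: "tracking" },
];

// Map the raw DNT header to a consent state.
// "1" = user refuses tracking, "0" = user consents, anything else = no signal.
function trackingPreference(headers) {
  // Header names are case-insensitive; normalise so plain objects work too.
  const entry = Object.entries(headers).find(([k]) => k.toLowerCase() === "dnt");
  const value = entry ? String(entry[1]).trim() : "";
  if (value === "1") return "refused";
  if (value === "0") return "consented";
  return "unset"; // absent or malformed: treated as no consent given
}

function cookiePolicy(headers) {
  const preference = trackingPreference(headers);
  const allowedCookies = COOKIES
    // Configuration cookies are always allowed; tracking needs explicit consent.
    .filter((c) => c.purpose === "configuration" || preference === "consented")
    .map((c) => c.name);
  return {
    preference,
    allowedCookies,
    // The information box is only needed when the browser expressed nothing.
    showCookieNotice: preference === "unset",
  };
}

// Constructed sample requests.
for (const h of [{ DNT: "1" }, { dnt: "0" }, {}]) {
  console.log(JSON.stringify(h), "=>", JSON.stringify(cookiePolicy(h)));
}
```

Malformed values fail closed: they are handled like a missing header, so no tracking cookie is set until the user answers the notice.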
No more data storage beyond retention periods
Article 7 (point 1) of the directive requires the removal (or anonymization; by the way - good luck with that!) of electronic communication metadata when it is no longer needed. Unless the user has provided explicit consent, that is. This point is important as it's known that certain service operators (e.g. ISPs) sometimes tend to store metadata longer than is necessary even under (e.g.) data retention requirements for law enforcement purposes.
Privacy by Design
The updated directive endorses the Privacy by Design process (Article 10). This is great for privacy and data protection.
This provision will apply to hardware and software. We can (for example) interpret it as a Privacy by Design requirement for the Internet of Things.
Liability, up to 20 million euro
Failure to comply with this Regulation might result in fines of up to 20 million euro (or 4% of total worldwide annual turnover) being imposed on the manufacturer. This repeats the provisions mandated by the General Data Protection Regulation.
Liability applies to hardware and software manufacturers, service providers and others.
Summary
The proposed Regulation is in many respects very interesting. It provides additional privacy and data protection, offers guidelines, but also fines. Organisations will need to make sure that the way their assets (such as user data) are protected and processed is adequate. New EU regulations provide opportunities for organisations to reassess and evaluate their risks while conducting Privacy Impact Assessments and Data Protection Impact Assessments - crucially important for data-related project management.
Additionally, I like how the Regulation directly recognizes the important role of Web browsers. Web browser vendors are encouraged to focus on good privacy and transparency designs.