The European Commission's proposed e-Privacy Regulations have leaked. We take a first look at what's in there.
The leaked e-Privacy Regulation (ePR) brings many improved protections to our communications data, which are now extended to communications devices and internet services, not just traditional telecom providers. At the same time this modernisation has brought other fundamental changes that could have less welcome consequences.
Here we focus on the basic changes to electronic communications. Most other analyses of the leaked ePR will probably focus on cookies and the impact on online advertising, and rightly so as this is really important. We don’t have the space here for a proper take on both, but in the coming months we will also engage with those other areas: cookies, marketing, nuisance calls, as well as the enforcement aspects.
One point we have to stress is that the new ePR explicitly allows national legislation for the interception of communications as long as this is compliant with human rights.
It is important to remember that this is a leak of a European Commission version of the Regulation, which will then have to be amended and fought over by the European Parliament and the Council of Member States, so the final legislation could be different in many areas. There will also be a concerted lobbying campaign from industry to change the parts of this leak that they don’t like.
Whatever happens with Brexit, this Regulation will have an impact in the UK given the current commitment to keep UK data laws compatible with the EU in order to facilitate data flows, e-commerce and services.
Confidentiality of electronic communications
The leaked Regulation is concerned with the confidentiality of 'electronic communications data' meaning both the content and metadata of electronic communications.
The ePR establishes a general principle that nobody can interfere with or monitor electronic communications and that metadata shall be “erased or made anonymous as soon as the communication has taken place”.
The ePR also sets out several cases where metadata can be retained and used for lawful processing by providers, mainly around typical needs to provide security, quality of service, billing and access to emergency services. This is similar to the provisions in the previous Regulation.
There are some differences when it comes to other uses, such as analysing users’ data for commercial purposes. The ePR allows these activities on the basis of consent for specified purposes, provided these could not be achieved with anonymous data.
It also establishes that where there is a “high risk to rights and freedoms” the provider must perform a data protection impact assessment and consult with the ICO, in reference to part of the General Data Protection Regulation (GDPR) that was recently passed by the EU.
Consent in general is strengthened and brought in line with the GDPR. It is also explicit that consent for the use of electronic metadata must be user friendly and separate from general T&Cs, and there is a ban on making services conditional on giving data access.
This is good but it may not be enough. Communications data in the mobile phone age gives insights into our most intimate personal details and we believe that impact assessment should be compulsory in all cases, as even the best consent system can be bent.
One very important change is that location data has disappeared as a separate category in the new ePR and it is now explicitly described as communications data. In the current Regulation, there are stricter conditions for consent to reuse location data when compared with other types of metadata, and it restricts its use to value-added services and not marketing. That was at the time when mobiles were coming into the mainstream and policymakers saw a high risk involved in knowing where you are at any time.
In the new version, location is just another piece of metadata. Location analytics has become mainstream and restricting the use of such data for mobile phone providers while Google and Apple get it from the handset didn’t really work. At the same time the potential value of collecting location data from mobile phones - whoever gets it, how and to what level of detail - is huge and continues to have high privacy risks.
Removing the different regimes for location and what used to be called “traffic data” is more consistent and will avoid complex debates on what is traffic and what is location. But it is still unclear whether this will be sufficient protection given the high interest in location analytics among industry.
The leaked ePR contains stronger provisions on the protection of data stored in devices and the extraction of data which should bring some real changes to the way the whole tech industry operates. There are even restrictions on using the processing power of end-users’ devices that could see blockchain technologies requiring some clear consent. There could be some issues with the implementation in some computer environments as it appears to be conceptualised around mobile devices run by corporates.
There are also detailed provisions on the tracking of devices, for example in public wifi in shopping malls or transport networks, where large notices must be displayed. In its guidance for Wifi Location Analytics, the UK ICO does go further in asking for the hashing of personal identifiers though, which makes it more difficult to identify individuals in a dataset.
It is very good that the recitals clarify that machine to machine communications of the kind involved in the internet of things and the coming 5G wave of hyper-connectivity are explicitly covered.
The new rules give companies more leeway in how they use our data while simultaneously tightening the rules on how consent is used in alignment with broader data protection. The new ePR seems particularly good for traditional telcos, which not only see their internet nemesis communications providers now included in the rules - WhatsApp, FaceTime, etc. - but also are the main beneficiaries of these changes on electronic communications data.
The Commission is unapologetic about wanting to create a data market around the reuse of communications data with consent, in recital 23. Interestingly this is exactly the big pitch from Telefonica around reinventing itself as a data company and giving their customers more control, also followed to a lesser extent by Vodafone.
One area that we will be looking into is the use of anonymisation to process communications data, so far the preferred modus operandi of telcos, who are only now starting to move towards a consent model. The new Regulation appears clearer than the previous formulation to delete or anonymise data “when no longer needed”, but we will see in practice if this stops companies building pseudonymous profiles of their users.