The results of a European Commission consultation on the evaluation and review of the ePrivacy Directive, due to be published this week, will be of interest to a wide range of online businesses because of the rapid evolution of online and mobile networked devices and services.
If European data protection supervisors get their way, operators of online services will be seriously constrained in how they profile their users’ behaviour.
Given the rapid changes in technology, new services have been developed which fall outside the scope of the directive even though they are functionally equivalent to traditional electronic communications services. For example, there are now a multitude of messaging apps and VoIP services equivalent to traditional telephone and SMS services. These services, while subject to general data protection rules, fall outside the scope of the more specific and detailed ePrivacy regime.
In a timely example, a recent study found that mobile phone battery status could be used to identify users and their devices. In the case of the online transportation service Uber, it has been suggested that it could adjust pricing for customers with low batteries who are desperate to get a taxi before their phone dies. It is clear from academic research that industry has moved far beyond cookies as the sole way of tracking user behaviour online.
The ePrivacy Directive was conceived in 2002 as the telecommunications sector switched from analogue to digital and from state monopoly to regulated market operation. Voice still dominated over data and the distinction between content and metadata was clear.
The directive forms part of the legislative basis for two long-standing aims of European integration: the internal market (through the free movement of personal data) and a high degree of protection of fundamental rights and freedoms of individuals.
In advance of the publication of the consultation results, European data protection regulators, acting through the Article 29 Working Party (A29WP), issued an opinion on the revision calling for an updated directive that offers the same level playing field and high degree of individual protection no matter what technology is used to deliver functionally equivalent telecommunications services.
To achieve this result, the Article 29 Working Party recommends significant clarification of fundamental definitions and essential terms to, in effect, make ePrivacy rules technology neutral, focusing on functionality and outcome.
The A29WP recommends a broad definition of “interception and surveillance” so that surveillance by any means falls within the scope of the ePrivacy directive. It also warns that the review should not be used to increase data retention powers. Anticipating new ways of profiling and monitoring users, the A29WP calls for strict controls on the non-core use of metadata:
“The confidentiality of communication is a core right for a democratic society. Therefore, the confidentiality of communications and related metadata require stricter rules, especially because modern communication technologies enable massive collection of intrusive data with covert techniques, or at least techniques people are not fully aware of. The collection, processing and use of these data for other purposes than providing the communication must be exceptional and must only be allowed after users have been adequately informed and have provided consent. In order to better protect the secrecy of electronic communications, the Working Party therefore advises the EC to create a harmonized consent requirement for the processing of metadata such as traffic and location data. This consent requirement should apply to all traffic and location data, also when they are generated through sensors in a user device. The new rule should apply to all parties collecting and processing these data.”
If the A29WP recommendation is adopted, Skype, Facebook and WhatsApp will be regulated under a revised directive in the same way as traditional telcos. Crucially, operators of electronic communications services (including online and mobile services) will not be able to profile and monitor users' behaviour without their knowledge or consent.