Legal boffins poke holes in EU lawmaker's ePrivacy proposals
Recommend amendments on privacy, tracking and encryption
The European Commission's proposed ePrivacy law needs significant amendments, particularly on location tracking and keeping people's communications confidential, according to an in-depth study.
The report (PDF), written by five experts from the Institute for Information Law at the University of Amsterdam, says that in some cases the proposals would reduce the protection offered by the incoming General Data Protection Regulation, which the ePrivacy reg is meant to complement.
The European Parliament's civil liberties committee (LIBE) is considering the Commission's proposals, which will update the ePrivacy directive – last amended in 2009 – and extend its scope to new communications methods like the Internet of Things and Over-The-Top services.
LIBE's rapporteur for the work, Socialists and Democrats MEP Marju Lauristin, filed a draft report last month, and MEPs tabled their own amendments to the proposal last week, which are now awaiting a committee decision.
The group also commissioned the detailed study through the parliament's policy department for citizens' rights, and the report – published July 20 – sets out a number of weaknesses in the Commission's proposals.
Four areas need urgent work – location tracking, browsers and default settings, tracking walls, and the confidentiality of communications – because they don't ensure "sufficient protection" for rights and confidentiality.
It also warned that the location tracking proposal, in which information emitted by users' devices could be collected, risks undermining the protections established by the GDPR.
These provisions, set out in Article 8(2), could be interpreted in such a way that they would allow cities to inform people their Wi-Fi and Bluetooth signals are being used for tracking, it said, meaning the only way to opt out would be by "limiting the functionalities" of their devices.
This article should be "significantly amended", the group said.
We recommend that collecting Wi-Fi or Bluetooth signals should only be allowed after the individual's informed consent.
There should be exceptions to that consent requirement, but only as far as strictly necessary to enable the device to connect to another device. The lawmaker could consider introducing an exception for anonymous people counting. Data collection for people counting should only be allowed if there are sufficient safeguards, which should include immediate anonymisation.
The Commission also needs to address take-it-or-leave-it barriers that can only be passed if a person agrees to being tracked, the study said, arguing that such barriers encourage people to consent even if they don't want to give up their data.
"A complete ban [on tracking walls] would provide most legal clarity," they wrote. A partial ban would have to involve a black list of sites, such as those regarding health or with monopoly-like positions, as well as a grey list for circumstances when a wall would be illegal.
The group also took issue with articles about communications content and metadata, calling for greater protection of people's right to privacy.
Companies should only be allowed to analyse people's communications – like emails or phone chats – or metadata "when all end-users give meaningful informed consent", the group said.
We recommend that the EU lawmaker only allows the analysis of communications content and metadata in limited circumstances, and only as far as strictly necessary. If no exception applies, the law should ensure that all end-users (for instance the sender and receiver of an email) should give meaningful consent before companies can analyse their communications content or metadata.
Furthermore, a phone provider or an internet provider should not be allowed to offer a take-it-or-leave-it choice, where people can only subscribe if they allow the provider to analyse their communications content or metadata for marketing purposes. In addition, the definition of metadata should be amended to ensure that metadata generated by 'over the top' service providers are within the scope of the definition.
The study also called on the Commission to set browsers to privacy by design and default, and make it easier for people to refuse consent for online tracking.
For instance, it could make compliance with Do Not Track, or a similar standard, a requirement, and apply it to all tracking technologies, including cookies and device fingerprinting.
And, although the group does not put encryption on its number-one priority list, it adds another voice to those calling for governments to end the anti-encryption rhetoric – and recommends "prohibiting such backdoors".
"The ePrivacy regulation should recognise the value of encryption for the protection of privacy and confidentiality of communications," the group said.
Other recommendations include requiring providers of electronic communications services to publish stats about the number of requests they get from authorities; that the Commission reconsiders the weighting of the fines for breaking the regs; and making it explicit that withdrawing consent for spam is "at least as easy as giving consent".