ePrivacy : no time for weakness
Paris, 13 June 2017 — June will be a decisive month for the future of our privacy and the confidentiality of our electronic communications. The future "ePrivacy" Regulation now being debated in the European Parliament is divisive, brings back unpleasant memories from when the General Data Protection Regulation was negotiated. Since the publication for opinion of two utterly opposing reports, all eyes are now turned toward the main rapporteur, Marju Lauristin, who is supposed to present her text on June 21. Will we see courage or weakness in the face of the lobbies? Civil liberty and innovative models, or exploitation and surveillance capitalism? La Quadrature du Net has made its choice, and will certainly continue to defend it over the long months of negotiation ahead.
For the past year, the question of privacy and confidentiality of electronic communications has been on the agenda of European institutions.
By means of a revision an old 2002 "ePrivacy" directive, the EU wants to review the rules surrounding the confidenciality of our communications and devices (phones, computers, etc.). This is a very sensitive topic, because it aims to protect our personal privacy at a time when it's being seriously endangered by state surveillance and the constant tracking by private actors, mostly for commercial purposes.
After the European Commission presented its draft proposal in January, the file was sent to Parliament, which is now working on it. La Quadrature du Net -- along with other fundamental rights organizations -- has worked within the Parliament since the beginning of the year to assert the importance of strong, ambitious rules to break from the status quo and provide real protection for European citizens. Unfortunately is comes up against industry's furious lobbying and the ever-present argument over the "balance" we're supposed to find between fundamental rights and business.
This rhetoric of "balance" is intolerable, because it seeks to make us believe that today's "balance" currently leans in favor of protecting our rights and liberties, and that we have to re-balance things in favor of industry and business. That's a lie. Individuals have no power compared to service providers. Their personal information is wrenched from them without their free, informed consent, when it isn't simply ignored. This creation of wealth, created in the ignorance of users, also feeds the enormous databases that governments love to use for surveillance, and companies for social control, profiling, and advertising.
MEPs have a grave responsibility, because with the ePrivacy rule they have the chance to create a framework that truly protects our rights and liberties, which will lead European digital actors to invest in better models, and in that way to stand out from their competitors.
The rapporteur designated by Parliament to write the draft regulation is the Estonian Social Democrate Marju Lauristin. Her report, which should be presented to the Commission on Civil Liberties (LIBE) on June 21, is eagerly awaited. Familiar with these subjects, the rapporteur has a good understanding of the issues around ePrivacy, but she must remain firm and resist the power of industry lobbies, which will be many and diverse (telecoms operators, American net giants, the online advertising industry, the press, etc.).
Within ITRE, the liberal Kaja Kallas has issued a half-hearted advisory. She actually improves the Commission's initial proposal on certain points:
- Consent should be given freely and thus should not be a required compensation to access a service -- in other words, you can't be denied access to a service whose economic model is based exclusively on targeted advertising, only because you refuse to let your personal data be exploited;
- Offline tracking of our devices should be subject to consent;
- Member states derogations should be limited;;
- End-to-end encryption should be encouraged and back doors forbidden.
Unfortunately Ms Kallas's report fails to limit the blank check given to service providers to exploit the data of electronic communications. Contrary to what La Quadrature recommended, consent from only one participant in a communication would be enough, according to her, to permit communications data (metadata or content) to be exploited. Moreover, Kaja Kallas didn't want to include in her report the possibility of really effective class actions for users, and hasn't increased the sanctions for enterprises which violate the rules on confidentiality for end devices.
Within IMCO, Eva Maydell (PPE) makes her business orientation quite clear, and nothing is worth keeping from her report. We won't bother listing here all the points that would have to be amended, but to sum up, Ms Maydell's report:
- refuses to consider that the electronic communications sector requires specific reinforced protection, and instead adds exceptions to turn user consent on its head, framed as 'further purposes';
- opposes requiring all users in a communication to consent to metadata or content collection;
- shamelessly suppresses the entirety of Article 7, which requires service providers to delete or render anonymous the content of communications they handle, as well as metadata no longer needed to assure the communication and its billing.
Just these few examples -- if they were adopted by the IMCO committee, or worse, later picked up by the LIBE committee -- would considerably weaken the already-unambitious European commission proposal. La Quadrature calls on the European deputies of the IMCO committee to reject massively Eva Maydell's unacceptable and dangerous report.
Following on these two reports for opinion, rapporteur Marju Lauristin's proposal will be decisive, because it will be the one to guide how future debates and amendments will be organized. Should we continue to defend the few gains from the 2016 General Regulation on Data Protection (such as that consenting to the processing of personal data cannot be required for access to a service) and fight to not lower the standards set in the former 2002 ePrivacy directive (e.g., saying that consent is the sole legal basis for processing personal data)? Or should we finally abandon this defensive posture, turn to the future, and become a force in putting forward a truly innovative ePrivacy regulation? Right now the lobbying offensive, the positions of some member states, and IMCO's advisory report would tend to make us lean towards the former, but rapporteur Lauristin's proposal might -- with a bit of courage -- reverse that balance.