Paris, 8 August 2016 — In its opinion on the draft revision to the ePrivacy directive, published on 25 July 2016, the EDPS (European Data Protection Supervisor) took a stand for stronger regulation in favour of privacy. La Quadrature du Net approves the main propositions of this opinion and encourages European legislators to follow them.
European Data Protection Supervisor
While the European Supervisor’s opinion is only advisory, the European Commission must submit to it all legal proposals that could have an impact on data protection. The 25 July opinion is a preliminary version of the EDPS’s position on the revision of the “Privacy” directive (2002/58/EC) in which the Supervisor recommends a position which stands in stark contrast with the current zeitgeist in favour of mass surveillance and bypassing the tools used by European citizens to protect their privacy
Using the article 7 of the Charter of Fundamental Rights of the European Union, the EDPS suggests a set of rules to enhance and extend the protection of privacy beyond the processing of personal data, as defined in the previous ePrivacy directive, which deals with electronic communications, or in the recent regulation on data protection.
- Taking into account the fact that many modern communication tools are, in the eyes of user, nothing but means to engage in private conversations, the EDPS recommends a regulation that includes all these tools, without distinction based on a technology or another. All communication — be it based on an online game’s messaging system, a chat application, text messages or VoIP – must, for the Supervisor, have the same level of protection, even if the messages are exchanged by machines without their users’ knowledge (which is the case with the IoT, Internet of Things, for instance). And this, no matter what kind of network is used, as soon as it is accessible to the public.
- Considering, furthermore, the undeniable fact that “metadata” is often at least as revealing of one’s privacy than the actual content exchanged, the EDPS suggests that the future text gives them the same level of protection.
For the EDPS, the future directive must therefore forbid any interception and any mass surveillance, both of data and of metadata (or traffic data), extended to all tools making possible exchanges of private nature, and up to terminals enabling access to these services, which must be protected against intrusions that allow interception.
- Regarding the protection of data, the Supervisor also wishes to give users better control over the various tracking tools (cookies, localisation, etc.), to the extent of allowing access to a site even if a user explicitly refuses the site uses their data for anything else than local and non-intrusive processing, or otherwise at least imposes this rule for certain services (those in a dominant position, financed by public funds, …). For the EDPS, users must also be able to withdraw prior consent, including via a general setting in their Web browser, by installing a tool disabling tracking for instance.
- Lastly and in line with the G29 (the European data protection authorities), the EDPS recommends that the new directive explicitly authorises the use of end to end encryption for better protection of electronic communications, and forbids operations of surveillance or decryption of communications protected in this way. For the Supervisor, any intermediaries should be forbidden from aiding or authorising backdoors allowing for third parties to intercept encrypted communications.
Finally, the EDPS advises to entrust control of these new rules to the different national data protection agencies of each Member State and that the revision of the ePrivacy directive be done in the form of a Regulation, which would allow for a quicker application in the Member States with a level of protection better harmonised at the European level.
La Quadrature du Net welcomes the positive positions of the European Data Protection Supervisor and invites Member States, the European Commission, the European Parliament and the national data protection authorities to take this opinion into account: it protects users’ privacy and demands security for electronic communication, aligning with the positions fundamental rights defense groups have been defending.