Paris, 6 November 2017 — On 26 October, the European Parliament as a whole decided to end its debate about the future ePrivacy Regulation. Its position already adopted on 19 October by the leading Civil Liberties committee was thus confirmed. Now, governments of the Member States and representatives of the European Parliament will negotiate in order to find a compromise in form of a final text. Let’s review the first step of legislation which has come to an end.
An alarming start
The protection of our electronic communications is currently guaranteed by the ePrivacy directive , adopted in 2002. It requires our consent to analyse of our communications but, however, exclusively applies to telephone and Internet operators.
Last year, the European Commission announced its wish to reform this directive. The idea was to extend the scope of the ePrivacy directive to any type of electronic communications provider : not only telecommunications operators, but also email providers (Gmail, for example) and instant messaging services (such as WhatsApp). This exciting ambition naturally triggered opposition from the newly affected businesses (see the recommendations we’ve published).
Nevertheless, the ePrivacy draft regulation proposed by the Commission last January also intended to erase numerous protections provided by the current law (see our detailed analysis of the proposal) :
- our cell phones could be tracked by shops or municipalities without our consent, for any purpose ;
- our online activities on websites could be tracked without our consent for the purpose of « audience measurement » ;
- websites could block access to users refusing to be tracked
This alarming draft regulation has been handed to the European Parliament, free to modify it for better or for worse (read the recommandations which we addressed to MEPs).
The lobby war
The ePrivacy regulation will affect a various numerous powerful actors (see their positions on our wiki). Each one of them finds interest in weakening our fundamental rights :
- the telecommunications operators see in the ePrivacy reform a chance to authorise the analysis of our communications without our consent, which would give them a considerable new economic windfall ;
- the other communications providers (email and others) want to escape from the consent requirement (currently solely imposed to operators) because it would fundamentally challenge their economic model based on the surveillance of their users for the advertising purposes ;
- the online advertising companies see in the ePrivacy reform the chance to authorise the tracking of all internet-users without their consent, which would open up new opportunities for a generalised, commercial surveillance ;
- the big newspaper publishers, having entirely renounced to their traditional economic model (the only model able to ensure quality journalism), are today entirely depending on their clients (the advertising companies) and forced to promote the interests of the latter (against the press’s interest, as we already have tried to explain (fr) ) ;
- the European governments have every interest that companies (willingly or not) keep track of the whole population, in order to put in place the most authoritarian surveillance measures, whose violence they no longer even hide./li>
The shared willingness among these actors to harm our fundamental rights has been perfectly mirrored by some MEPs, mostly from the right : see our analysis of the amendments tabled in the lead committee and our denouncement of one of the disastrous opinions adopted in the last months.
Thus, the situation appeared to be critical and we adapted our position by publishing new recommendations (fr) ).
The decisive role of the LIBE committee
The draft regulation was examined by different committees of the European Parliament, but it is the LIBE committee (« Civil Liberties ») which had the final say and was ought to adopt the Parliament’s position. The MEP Marju Lauristin (S&D, the political group comprising European socio-democratic parties) was appointed to lead the debate within this committee.
At the outset, Lauristins overall vision did not seem fare away from La Quadrature du Net’s. But ideological visions die hard in political institutions. Rather than defending intransigently her positions, Lauristin demonstrated a strong willingness to reach a compromise with the conservatives groups at all costs. The reason for this disastrous aim is to find the Parliament’s rules of procedure.
The trilogues perverted rule
In principle, the EU can adopt new legal norms only if the Member States governments (represented within the Council of the EU) and the Parliament agree on an identical text. This can take time as several preparatory readings in both institutions are foreseen.
To counter heavy time delays, the Parliament’s rules of procedure foresee the following : a lead committee (consisting of about 60 MEPs) adopts, alone, the Parliaments position. Also, this lead committee is given the mandate for negotiations with the Member States. Therefore, it is ought to agree, in the name of the whole Parliament, on a common text with Council of the EU.
This negotiation is called « trilogue » and famously known for it’s total lack of transparency by radically depriving the whole populations of the possibility to participate in the debate. Once the trilogue has resulted in a mutual agreement, the Parliament and the Council only have to adopt the compromise text by a formal vote.
This is the conventional process. However, in the Parliament’s rules of procedure it is foreseen, that the mandate to negotiate with the Council is automatically given to the lead committee. But a political group of the Parliament can veto this mandate. This prevents the Parliament from starting the trilogue, as the mandate has to be confirmed by the Parliament as a whole. If the mandate is rejected, the text adopted in the lead committee is no longer considered as the Parliaments position. In the latter case, the entire text is again open to amendments, but this time in plenary (see Rule 69c of the Rules of Procedure of the European Parliament).
The impossible compromise
This « risky » situation is what Lauristin wanted to avoid at all costs: if the conservative groups would not accept the text adopted in LIBE, they would oppose her mandate. All in all, Lauristin was convinced of two things: first, an examination in plenary could only be a sloppy examination, as most MEPs would not have (or would not be willing to take) the time to work out the details and second, that this would simply lead to amendments in favor of the ongoing fierce lobbying.
Therefore, Lauristin was willing to accept many compromises with the conservatives, which she kept estimating as « not as bad » as the outcome of plenary amendments in the case her mandate would be withdrawn.
La Quadrature du Net radically opposed this approach. First and principally, you won’t defend fundamental freedoms by restricting parliamentary debates. Further, in this precise case, Lauristins compromises contested our rights so significantly, that accepting them in order to avoid « the worst » became completely obsolete for us.
Lauristin did no longer try to adjust the various infringements of our rights which proposed the European Commission back in January. Even worse, she was willing to allow the processing of our communications metadata without our consent (in perfect contradiction with current law, but in perfectly compliant with the Internet giants and operators aspirations, represented by the conservatives).
The glorious wake-up
It was at this point of the negotiations, when the intervening population has really made a difference for the defence of our rights by « augmenting pressure » on MEPs through mails, phone calls or public interventions from all over Europe, especially as a part of our ePrivacy campaign). La Quadrature du Net, joined by Acces Now and EDRi undertook to break down the absurd attempt to compromise with conservatives at all costs.
These three NGOs made very clear to the MEPs in LIBE that they would oppose the regulation as a whole, given the case that a compromise would imply surveillance measures as severe as the ones then discussed. They would enforce that the text would be rejected, so that the current law would stay intact.
This intervention (like a kick in the anthill) actually has set right the situation and MEPs like Jan Phillip Albrecht (Greens) picked up the courage they have been lacking so far. Lauristin was forced to ban the worst compromises from negotiations (essentially those concerning the analysis of metadata).
Some of the conservative MEPs were willing to follow Lauristin, causing a significant opposition of the majority of conservative MEPs willing to defend business interest without any concession. As the debate was finally repolarised, a cross-party compromise became impossible and the overall negotiations came to an end (our reaction reaction).
The missed opportunity
Finally, as the slight majority of LIBE was willing to follow Lauristin, she was free to improve the text. But her fear of loosing the majority prevailed. Also, the pro-business groups, by calling her mandate into plenary vote, achieved what Lauristin always wanted to avoid. She feared to go « too far » by defending our rights against the insanely dangerous economic interests.
Haunted by the idea that she could loose the mandate and that the text would be amended in plenary, Lauristin only removed the very last compromises proposed by the conservatives. Particularly, the two worst provisions of the Commissions proposal (offline tracking of our cellphones and online tracking for audience measurement) were barely regulated, whereas they should have been entirely prohibited.1By Article 8, paragraph 1, point d and paragraph 2a of the LIBE report, the European Parliament decided to allow the tracking of our phones as well as of our online activities exclusively for statistical purposes. Thereby, only exclusively anonymous information should be aggregated, so that the tracked individuals could not be identified in the resulting statistics. This limitation is alarmingly insufficient: the identification data required would be kept for as long as it takes to put up the statistic (for example, to find out how often and when you visited the same shop over the last two years, one has to identify every single customer during this period). Besides, anonymising sensitive data like our daily movements is hardly offering any protection regarding the constant development of re-identification technologies. What today seems to be anonymous is likely to give insight about our individual behaviour tomorrow. As such statistics would not be publicly available, but at the same time are likely to cover up the entire population and it’s activities, this would provide extremely detailed information to anyone who has access. This creates a significant imbalance of knowledge, is extremely conducive to population monitoring policies and totally in opposition to democratic values. Then again, the simple publication of such statistics would not at all prevent from surveillance practices opposed to common interest. At last, presumed that such statistics would be legitimate, there should be no reason to fear that the population would not consent to it. Bypassing the consent of individuals is favorable for illegitimate purposes – purposes which the population, if consulted, would refuse.
Eventually, this version of the text was adopted in LIBE on 19 October (by 31 votes against 25). We sorely criticize that the presupposed pro-privacy MEPs did not meet the expectations imposed by their image.
The important progress
In the last few months, regardless this missed opportunity, numerous progressive conditions were added to the text by civil rights NGOs, certain institutions and some MEPs seriously aware of our rights and freedoms. The finally adopted text provides for six key measures :
- blocking access to a website on the sole ground that a specific user refuses that his/her activities on this website would be tracked is prohibited2See article 8, paragraph 1a of the LIBE report. (contrary to what the Commissions proposal suggested) ;
- electronic communication providers (telephone, ISP, email, instant messaging) have to guarantee communications confidentiality by technical measures according to the state of the art, such as cryptographic methods and especially end-to-end encryption. Further, Member States legislation shall not impose any obligations that would oblige these providers to use weaker methods (such as point-to-point) or introduce backdoors3See article 17 of the LIBE report. ;
- electronic communication providers shall only collaborate with States for the purpose of fighting serious crime and public security breaches (these purposes are still way too broad, but at least excludes other unacceptable purposes enabling today’s state surveillance, such as the defence of a State’s economic interest or particular rights such as copyright)4See articles 11a and 11b of the LIBE report. ;
- companies sharing information with public authorities will have to document these activities in a public reports (indicating the number, the purposes and the authors of the information request, the type of transmitted data and the number of individuals concerned)5See article 11c of the LIBE report. ;
- browser settings will have to ensure privacy by default and function like certain add blockers (hinder pop-ups and third-party attempts to track the user on a specific website)6See article 10, paragraph 1, point a of the LIBE report. ;
- our communications will be protected, no matter from where they’re sent (current law barely protects communications sent from a network not « publicly available », such as corporate or university networks)7See article 4, paragraph 3, point -aa of the LIBE report, in opposition to article 5 of the current ePrivacy directive..
The fight ahead
The conservative groups joined forces in order to let the Parliament as a whole decide on weather Lauristins mandate for the trilogue should be withdrawn or not. On 26 October, her mandate was affirmed (318 against 280 votes) in plenary. Therewith, parliamentary debate came to an end and the LIBE report was ultimately adopted as the Parliaments position.
In the forthcoming months, it is up to Member State governments to agree on a joint position within the Council, so that the trilogue can start (Lauristin will be replaced by another MEP from S&D, Birgit Sippel).
The French government will play a key role in this process. We will be back soon with more details on it’s position and on how we can further on join forces to defend our fundamental rights.
|↑1||By Article 8, paragraph 1, point d and paragraph 2a of the LIBE report, the European Parliament decided to allow the tracking of our phones as well as of our online activities exclusively for statistical purposes. Thereby, only exclusively anonymous information should be aggregated, so that the tracked individuals could not be identified in the resulting statistics. This limitation is alarmingly insufficient: the identification data required would be kept for as long as it takes to put up the statistic (for example, to find out how often and when you visited the same shop over the last two years, one has to identify every single customer during this period). Besides, anonymising sensitive data like our daily movements is hardly offering any protection regarding the constant development of re-identification technologies. What today seems to be anonymous is likely to give insight about our individual behaviour tomorrow. As such statistics would not be publicly available, but at the same time are likely to cover up the entire population and it’s activities, this would provide extremely detailed information to anyone who has access. This creates a significant imbalance of knowledge, is extremely conducive to population monitoring policies and totally in opposition to democratic values. Then again, the simple publication of such statistics would not at all prevent from surveillance practices opposed to common interest. At last, presumed that such statistics would be legitimate, there should be no reason to fear that the population would not consent to it. Bypassing the consent of individuals is favorable for illegitimate purposes – purposes which the population, if consulted, would refuse.|
|↑2||See article 8, paragraph 1a of the LIBE report.|
|↑3||See article 17 of the LIBE report.|
|↑4||See articles 11a and 11b of the LIBE report.|
|↑5||See article 11c of the LIBE report.|
|↑6||See article 10, paragraph 1, point a of the LIBE report.|
|↑7||See article 4, paragraph 3, point -aa of the LIBE report, in opposition to article 5 of the current ePrivacy directive.|