
ePrivacy: unraveling the lobbies' falsehoods

Paris, 8 December 2016 — The review of the European ePrivacy directive on the confidentiality of electronic communications may not have reached the limelight yet, but this does not mean that the influence work and the fight over interests have not started. On the contrary, as the European Commission prepares a draft text to be published in January 2017, interest groups are at the doors of the European executive to put their two cents into the upcoming text.

To get an idea of the content of the discussions happening in high places, we need only read the open letters, position papers and other joint declarations of ETNO, GSMA, DIGITALEUROPE and other lobbies of the digital and telecom industries: all of them call for the plain and simple repeal of the directive.

As during the negotiations on the General Data Protection Regulation (GDPR), expounding our own arguments is not enough in the face of the industry's means and striking capacity. We also need to review and examine their misleading arguments, one by one.

Argument #1: The ePrivacy directive adds legal and regulatory complexity when we should be “restoring user trust by decreasing the regulatory complexity” [1]

What we have here is the magic of the “rationalisation” argument at work. This logic suggests that the regulatory environment is too great a constraint for companies and that it should be simplified. However, it bears reminding that to “simplify” should never mean to weaken, still less to delete, the guarantees that protect users.

Furthermore, this constraint is essential in order to oversee the practices of companies for whom our personal data represents a gold mine and is often the basis of their business model. The “laissez-faire” and “self-regulation” approaches constantly advocated by the industry are lures that have never brought individuals more protection or confidentiality. Regulations exist to make service providers and other actors respect basic rules in terms of security, confidentiality and privacy. Wherever there is no clear regulation, their practices tend to exploit our privacy more for commercial gain. Likewise, users must be able to know, across the board, what their guarantees and rights are: as we use dozens of different services every day, a common base of guarantees that lets us know what to expect is absolutely necessary.

Argument #2: The ePrivacy directive is rendered obsolete by the new General Data Protection Regulation [2]

This is the industry's main argument: the GDPR would already cover almost all of the ePrivacy directive's provisions, and the directive would therefore now be unnecessary.

As a reminder, the ePrivacy directive is intended to protect privacy and data confidentiality in the area of electronic communications. That is to say, it is intended mainly for communications such as instant messaging, SMS, VoIP communications like Skype, emails, phone calls, etc., for which it sets obligations for service providers in terms of security and confidentiality. The General Data Protection Regulation, adopted in April 2016 and applicable from May 2018, intends, on the other hand, to guarantee the protection of each individual's personal data when this data is used by private corporations as well as by public authorities. Recent technological developments have been such that the majority of transfers and movements of personal data now happen on the Internet, via the many websites and services we access.

The two texts are therefore not equivalent: one, the Regulation, focuses on the personal data produced by our use of services; the other, the ePrivacy directive, focuses on respecting our privacy and the confidentiality of our exchanges with other parties.

The adoption of this new Regulation in April 2016 does not make the ePrivacy directive useless in any way. Indeed, the Regulation does not directly cover some fundamental rights such as the right to communicate freely or the right to privacy. Furthermore, the ePrivacy directive covers issues that go beyond personal data and that are not covered by the Regulation. This is the case, for instance, for unsolicited communications such as spam or direct marketing.

Because they are pervasive in our daily lives and because the information they convey is of great value, electronic communications require a specific security and confidentiality regime, as protective as possible. The revision of this directive is a huge opportunity to strengthen this protection while remaining perfectly consistent with the general legislation enshrined in the future Regulation.

Argument #3: User privacy protection is already guaranteed by the Regulation; it is not necessary to keep Article 5(3) on the confidentiality of your device [3]

The ePrivacy directive was amended in 2009 and a third paragraph on the confidentiality of the “terminal device” (your phone, smart or not, or your computer) was added. It governs the “storing of information” and “access to information already stored” on the terminal device (such as cookies), by making both subject to the user's consent.

Today, it is poorly implemented by service providers, who make consent not only compulsory to access a service (destroying the “freely given” nature of this consent; banning this practice is essential) but also uninformed, because it is drowned in an incomprehensible amount of information. In this respect, Article 5(3) has failed to give users back control of their data. It nevertheless remains a crucial tool: essential to limit the effects of online tracking, and unique, as nothing alike exists in the General Regulation.

This article on the confidentiality and integrity of terminal devices therefore needs to be rephrased in order to improve its implementation, but its scope must also be widened to cover cases where tracking relies on information the device produces by default rather than on anything stored on it, such as tracking by canvas fingerprinting.

All in all, privacy protection must include the confidentiality and integrity of users' devices. This article is thus essential, but it can be updated and made more effective by widening its scope and reinforcing the guarantees for users (which is exactly what the industry does not want).

Argument #4: Online communication services are not covered by the directive, so, according to telecom operators, a “level playing field” for all actors must be created, because they are at a terrible disadvantage compared to American service providers [4]

It is true that some services that are ubiquitous today, such as the online messaging services WhatsApp, Signal and Viber (also called “OTT”, over-the-top services), did not exist when the ePrivacy directive was adopted in 2002 and are not subject to its security and confidentiality requirements.

On this issue, telecom operators and the lobbies of the digital industry have built a facade of opposition. When operators denounce the unfairness they face with regard to new online services, the latter reply that they are already covered by the General Regulation. In reality, far from opposing each other, they all reach the same conclusion: the directive must be abrogated. It is a nice trick on their part, but a vain attempt in the end, as the issue of the directive's scope should be settled beforehand by the new European Electronic Communications Code, currently under discussion in the European Parliament. That code should modify the definition of “electronic communications services” to add new players such as online messaging services.

Security and confidentiality obligations must apply to all service providers, and in an equal way. Treating operators, new online services and future services equally is necessary in order to develop more ambitious rules on the confidentiality and security of our electronic communications.

Argument #5: The derogations left to Member States for national security purposes are too broad and endanger the possibility for service providers to offer some services, such as end-to-end encrypted electronic messaging [5]

Under Article 15(1), Member States may restrict the confidentiality and security requirements laid down in the directive for national security, defence or public security purposes. They may therefore adopt measures providing for the retention of data (as France did with Article 6 of the 2004 Law for Confidence in the Digital Economy and with decree no. 2011-219 of 25 February 2011), which not only run contrary to the CJEU's judgment of 8 April 2014 in Digital Rights Ireland but also conflict with technologies that service providers may offer, such as end-to-end encryption tools. These very broad derogations left to Member States are therefore incompatible with high security and confidentiality requirements for our electronic communications.

This may explain why industry lobbyists such as DIGITALEUROPE strongly oppose extending the text's scope to OTTs: Article 15(1) would compromise the ability of these services to guarantee the security and confidentiality of communications through encryption.

This is why there is a real need to question these broad derogations left to Member States for purposes as open and vague as “national security”, and to drastically reduce the scope of Article 15(1). To this end, the wording “measures providing for the retention of data” must be deleted. Furthermore, it is essential to specify that any national surveillance law falling within these derogations must be both targeted and subject to prior authorisation by a judicial authority.

To reinforce the right to privacy and to reassure service providers and users alike, La Quadrature du Net recommends the introduction of a separate article on the importance of encryption technologies. It could, on the one hand, affirm the essential role of encryption for the security and confidentiality of electronic communications and, on the other hand, remind service providers and Member States of their responsibility to promote the use of these technologies.

Argument #6: You will kill competitiveness! [6]

This argument, worn nearly empty by how commonplace it is in the jargon of industry lobbyists, holds that forbidding certain practices or technologies considered intrusive for privacy would put the European Union at a disadvantage, because other States do not have such constraining regulations.

But today, users are more and more aware of what their personal data represents, and some are turning to more privacy-respecting services. It is pointless to hope to be competitive by joining the race towards ever more intrusive tracking models. We must instead meet the challenge that lies ahead and see in an ambitious, privacy-respecting regulation the very incentive for the innovation that everyone claims to seek.

But this change of direction, this change in companies' economic model, will not happen through free market competition alone. Without strong and ambitious regulation, companies will never agree to risk their immediate profits. The revision of the ePrivacy directive is the perfect occasion to bring about the change of course that the digital economy so badly needs.