European Parliament Agrees Text For Key ePrivacy Regulation; Online Advertising Industry Hates It
from the how-dare-people-refuse-to-be-tracked-online dept
Techdirt has mentioned a couple of times the EU’s important ePrivacy Regulation that is currently working its way through the legislative process. It’s designed to complement the EU’s new General Data Protection Regulation (GDPR), which comes into force next year, and which is likely to have far-reaching effects. Where the GDPR is concerned with personal data “at rest” — how it is stored and processed — the ePrivacy Regulation can be thought of as dealing with personal data in motion. That is, how it is gathered and flows across networks. Since that goes to the heart of how the Internet works, it will arguably have an even bigger impact than the GDPR on the online world — not just in the EU, but globally too.
That’s led to lobbying on an unprecedented scale. A recent report on the Regulation by Corporate Europe Observatory quoted a source in the European Parliament as saying it was “one of the worst lobby campaigns I have ever seen“. Despite that pressure, and a last-minute attempt to derail proceedings, the European Parliament has just agreed a text for the ePrivacy Regulation. That’s not the end of the story — the other parts of the European Union legislative machine will weigh in with their views, and seek to make changes, but it’s an important milestone.
The European Parliament has produced an excellent briefing on the background to the ePrivacy Regulation (pdf), and on its main elements. A key feature is that it will apply to every business supplying Internet-based services, not just telecom companies. It will also regulate any service provided to end-users in the EU, no matter where the company offering it may be based. There are strict new rules on tracking services — including, but not limited to, cookies. Consent to tracking “must be freely given and unambiguous” — it cannot be assumed by default or hidden away on a Web page that no one ever reads. Cookie walls, which only grant access to a site if the visitor agrees to be tracked online, will be forbidden under the new ePrivacy rules.
IAB Europe, the main European-level association for the digital media and advertising industry, says giving the public the right to refuse to be tracked amounts to “expropriation”:
“The European Parliament’s text on the ePrivacy Regulation would essentially expropriate advertising-funded businesses by banning them from restricting or refusing access to users who do not agree to the data collection underpinning data-driven advertising,” warned Townsend Feehan, CEO of IAB Europe.
The press release then goes to make the claim that online advertising simply must use tracking, and that visitors to a site are somehow morally obliged to give up their privacy in order to preserve the advertiser’s “fundamental rights”:
“Data-driven advertising isn’t an optional extra; it is online advertising,” explained Feehan. “Forcing businesses to grant access to ad-funded content or services even when users reject the proposed advertising value exchange, basically deprives ad-funded businesses of their fundamental rights to their own property. They would be forced to give something in return for nothing.”
However, IAB Europe graciously goes on to say it “will continue to engage constructively with the EU institutions in hopes of meaningfully improving the draft law in the remaining legislative process.” Translated, that means it will lobby even harder to get the cookie wall ban removed from the text during the final negotiations. IAB Europe is naturally most concerned with the issues that affect its members. But the European Parliament’s text — not the final one, remember, so things could still change — includes some other extremely welcome elements. For example, the Regulation in its present form would require EU Member States to promote and even make mandatory the use of end-to-end encryption. Moreover, crypto backdoors would be explicitly banned:
In order to safeguard the security and integrity of networks and services, the use of end-to-end encryption should be promoted and, where necessary, be mandatory in accordance with the principles of security and privacy by design. Member States should not impose any obligation on encryption providers, on providers of electronic communications services or on any other organisations (at any level of the supply chain) that would result in the weakening of the security of their networks and services, such as the creation or facilitation of “backdoors”.
As the above extracts indicate, the European Parliament’s text offers strong support for the user’s right to both encryption and privacy online. For that reason, we can expect it to be attacked fiercely from a number of quarters as haggling over the final text take place within the EU. Unfortunately, unlike the European Parliament’s discussions, these negotiations will take place behind closed doors.