In a few months, the European Commission will present a proposal to reform the so-called e-Privacy directive. Often labelled the “cookie law” — since it’s responsible for the inefficient “cookie banner” that pops up every now and then on websites — the e-Privacy directive has been grossly misjudged as unimportant or expendable. In fact, this law establishes measures to protect your right to confidential communications, safeguarding your privacy when you browse the internet, use your mobile phone, or use wearable technology and internet-connected devices. At a time when smartphones are an increasingly predominant mode of communication, developers are always creating new apps, and companies are rolling out a plethora of internet-connected products — from a smart toaster to a smart bed, even a smart hat — the e-Privacy directive has never been more relevant and necessary. But it also hasn’t been working optimally, and it’s in urgent need of a smart update.
Don’t toss this “cookie law” — update and upgrade it
Since its adoption in 2002, the e-Privacy directive has failed to meet its objectives, due partly to the fact that it hasn’t been implemented uniformly across all EU member states, it has been poorly enforced, and lawmakers failed to anticipate how quickly technology would change. Back then, legislators could not envision how developments such as smartphone apps, online tracking and marketing, the explosion of social media, or behavioural advertising would impact our privacy and the confidentiality of our communications.
Conscious of the need for reform, and the necessity of aligning the e-Privacy directive with the recently adopted General Data Protection Regulation (GDPR), the EU Commission has already taken the first step in this much-needed process. It launched a public consultation that ran from April through July of this year. Access Now participated, and we made the following recommendations:
- Make the e-Privacy directive a regulation to ensure that it will be uniformly enforced across the EU
- Extend the scope of the legislation to cover “Over the Top” services, not just telecoms services
- Enhance protections for privacy of our communications — both content and metadata
- Clarify and reform the rules regarding online tracking
- Task the data protection authority with enforcing the rules, not the telecoms authorities as is sometimes currently the case
- Include a mandatory requirement for transparency reporting
- Avoid duplication from the GDPR, and in particular refer to its definitions, data breach measures, and enforcement mechanism
GDPR and e-Privacy are both necessary to protect our rights
While the commission is not expected to make a proposal before the beginning of 2017, the industry lobbying against the e-Privacy directive is already fierce. After campaigning for years against EU data protection reform, industry groups are now arguing that what they portray as “just a cookie law” is no longer necessary because the GDPR has been adopted. As a result, 12 industry associations — including telcos, online services providers, publishers, advertising groups, and hardware manufacturers — have called for the repeal of the e-Privacy directive. Whether all the association’s individual members agree with this hard line position will only be confirmed once the commission publishes all of the consultation contributions. If the commission heeds this call for a repeal, it would negatively impact the privacy of millions of people, exposing them to abusive tracking, intrusive behavioural advertising, and more.
The GDPR gives us a solid foundation for ensuring that our right to data protection is upheld. The e-Privacy directive should complement and particularise these measures, extending protections to guarantee the confidentiality of our communications. The two pieces of legislation need to work in concert to provide Europeans with a high level of data protection and privacy, both of which are guaranteed by the EU Charter of Fundamental Rights. We urge the commission to remain strong, completing reform of EU privacy laws by updating and upgrading the ePrivacy directive.