Europe proposes expanding telco data privacy rules to WhatsApp, Facebook et al

The European Commission has set out proposals for updating rules which govern the use of personal telecoms data that would expand their remit to cover email and mobile messaging data for the first time — meaning the ePrivacy regulation would also apply to web companies such as Facebook, WhatsApp, Apple and Google.

Telcos have long complained about regulatory asymmetry vis-a-vis use of personal data, with tougher privacy rules applying to data sent using their services vs data sent via comms apps and services operated by Internet companies.

All electronic comms providers would be covered under the new proposal — to, as the EC puts it, “reflect the market reality” — although telcos are still not happy, with ETNO and the GSMA putting out a statement arguing the proposed new ePrivacy rules still impose stricter requirements on them when it comes to processing certain types of data vs other comms players.

“Rules applying to the processing of location data in connected cars, IoT devices or mobile apps illustrate the issues at stake, as we risk to jeopardise 5G business models,” they argue, calling instead for a “trust-based use of the data collected by telecom operators”.

The new rules would allow telcos to make use of comms content and/or metadata to provide “additional services” — such as, in one example provided by the EC, producing heat maps that indicate the presence of individuals to help public authorities and transport companies when developing new infrastructure projects.

Although user consent must be obtained for processing data for such purposes — hence the telcos’ complaints they will be unable to compete on a level playing field with other providers that already offer additional services, such as digital mapping.

Cookie rules are also set to change under the new proposal — in a bid to streamline what the EC dubs “an overload of consent requests for internet users”; itself the result of a 2009 update to the ePrivacy Directive.

The EC claims the new rules will give users more control over cookie settings, providing “an easy way to accept or refuse the tracking of cookies and other identifiers in case of privacy risks”. Although it remains to be seen whether they will impact the flotilla of cookie consent notifications that accompany Europeans around the web.

Advertising industry groups aren’t happy with the proposed changes, with the IAB claiming the new law would “undeniably damage the advertising business model”, while still — it argues — putting a heavy burden on web users when it comes to cookie setting admin.

“Without significant improvements to the proposed text, users would have to actively change the settings of every single device and app they use, and more actively deal with constant requests for permission for the use of harmless cookies when visiting websites and using other digital services,” the IAB claims.

Despite ad industry complaints, some use-cases for what the EC dubs “non-privacy intrusive cookies” will no longer require consent under the proposals, such as cookies used to remember shopping cart history, or set by a visited website counting the number of visitors to that website. Although that suggests there may be confusion ahead for services to determine when/whether they need to obtain consent for their cookies or not.

Another ad group, the EACA, has also complained the ePrivacy proposals take “a restrictive approach towards third party data-driven business services providers” — warning they “may provoke the further accumulation of data by a few large global companies, while inadvertently excluding other businesses from the competition”.

Other aims for the new regulation are to harmonize the rules with the EU’s updated General Data Protection Regulation (GDPR), which was overhauled last year — and is due to come into force in the EU in 2018. This means the stricter fines for data protection violations set out in the GDPR (of up to four per cent of a company’s global revenue) will also apply for companies breaching the EU’s ePrivacy rules.

Not included in the proposal: an earlier suggestion to have browsers default to not allow cookies; a strict privacy by design framework; and an earlier plan to allow EU citizens to bring class action lawsuits for privacy infringements…

The Commission ran a public consultation on changing the ePrivacy directive last year, taking feedback from various consumer and industry groups — though not, in the event, following the vast majority opinion of EU citizens (81.2 per cent), nor of public authorities (63 per cent), who supported imposing obligations on manufacturers of terminal equipment to market products with privacy-by-default settings activated (vs 58.3 per cent of industry favoring the option to support “self/co-regulation”).

The EC had originally hoped to have new ePrivacy rules proposed by the end of 2016, but that’s been pushed into the start of the new year. The new proposals will now need to be debated and accepted by the European Parliament and EU Member States before they become regional law — so it’s likely there will be amendments (and much fierce lobbying) along the way.

The EC is aiming for the regulation to be adopted by May 25, 2018 — when the GDPR is due to come into force.