The right to privacy is a fundamental right for every individual, enshrined in international human rights treaties. This right is being particularly threatened by political and economic interests, which are having a deep impact on freedom of expression, democratic participation and personal security. The recent Facebook-Cambridge Analytica scandal is a perfect example of the risks that privacy breaches pose to individuals’ rights.

Under the excuse of providing customers with “a better service”, companies are often unnecessarily asking to exploit communications data and to track users online. In practice, these “requests” often leave users without the real possibility of refusing, as this would mean not being allowed to use the service. This is what EDRi member Bits of Freedom calls “tracking walls”. To protect citizens from this and other abusive practices, EU level rules have been developed, namely the ePrivacy Directive. This Directive was adopted in 2002 and revised in 2009. Now, a new proposal for an ePrivacy Regulation is on the table.

The protection of the right to privacy online in the ePrivacy Regulation should be at the centre of the EU’s priorities. For this reason, it is important to be aware of the most sensitive issues concerning ePrivacy, to be able to identify when citizens’ rights could be at risk:

Consent is one of the ways to allow your data to be used legally. Through free and informed consent, users agree that a company may access specific personal information for a specific purpose. Consent drives the trust that is needed for new services, but it needs to be meaningful. It must be freely given, specific, informed and explicit, not the only choice that is available. For example, accepting abusive permissions “required” by an app, when the only alternative is not using the app at all, is not a valid form of requiring consent.

“Legitimate interest” means that under exceptional circumstances it would be legal to access personal data without the user’s consent. Communications data – your emails, calls over the internet, chats, and so on – must be treated as sensitive data, as it has been stated by the Court of Justice of the European Union (CJEU). The “legitimate interest” exception allows only the use of non-sensitive data – such as an email address or a telephone number – therefore communications data cannot, logically and legally, be processed under this exception. For this reason, companies should, in no circumstances, be allowed to monetise or otherwise exploit sensitive communications without specific permission.

Given that the scope of the ePrivacy Regulation deals with sensitive data, the legitimate interest exception has no place in it. Any such exception would fatally undermine users’ control over such information. Moreover, it would affect freedom of expression, as the users would fear having their communications controlled by companies without consent.

Offline tracking is a highly intrusive technology, which implies being tracked through your electronic device. The location of your device can be used for unlawful purposes involving the use of sensitive data, revealing personal information of the users, particularly when they are in the vicinity of – or in – various services or institutions. The European Commission has proposed to allow this offline tracking as long as the individual is notified. However, obtaining this information by tracking individual citizens poses severe privacy risks and possibilities for abuse, including the risk of mass surveillance by commercial or law enforcement entities. For these reasons, every update of the ePrivacy rules must consider less intrusive ways to obtain location-based information.

In the same way that you expect to use a microwave oven without having to think about a risk of starting a fire in your house, your connected devices should protect your privacy by design and by default. Privacy by design is the principle by which a high level of user privacy protection is incorporated in all stages of a device’s creation. Privacy by default means that our devices are set to protect our data, with options to change this, if we wish to do so. As the ePrivacy Regulation will be the main framework to protect your communications online, it is important that hardware and software (not only browsers) will be designed, at all stages, to protect the privacy of individuals by default, and not by option.

The ePrivacy Regulation is currently being revised in the Council of the European Union, and there is an aggressive lobbying campaign to influence the Regulation to allow big business to exploit personal data more easily. Consequently, it will become less favourable for protecting citizens and their privacy online – the very purpose of the Regulation. Some of the arguments promoted by the lobbyists are that ePrivacy is bad for democracy and for media pluralism, and that it prevents the fight against illegal content. (None of these arguments is actually linked with protecting privacy.) We have busted these myths, as well as the rest of the most common misconceptions related to ePrivacy. You can read more about it here: https://edri.org/files/eprivacy/ePrivacy_mythbusting.pdf

Being aware of what is at risk is the best way to fight against lobby campaigns threatening citizens’ rights.

(Contribution by Maria Roson, EDRi Intern)

Read more:

Mythbusting – Killing the lobby myths that are polluting the preparation of the e-Privacy Regulation

https://edri.org/files/eprivacy/ePrivacy_mythbusting.pdf

EU Member States fight to retain data retention in place despite CJEU rulings (02.05.2018)

https://edri.org/eu-member-states-fight-to-retain-data-retention-in-place-despite-cjeu-rulings/

ePrivacy: Civil society letter calls to ensure privacy and reject data retention (24.04.2018)

https://edri.org/eprivacy-civil-society-letter-calls-to-ensure-privacy-and-reject-data-retention/

Cambridge Analytica access to Facebook messages a privacy violation (18.04.2018)

https://edri.org/cambridge-analytica-access-to-facebook-messages-a-privacy-violation/
