On 28 September, the European Parliament Committee on Internal Market and Consumer Protection (IMCO) adopted its Opinion on the proposed e-Privacy Regulation. Just as it did when reviewing the General Data Protection Regulation (GDPR), it is fighting hard to minimise the privacy and security of the European citizens it is meant to defend.

Currently, the surveillance-based online advertising market is dominated by Facebook and Google. It was estimated that, in the US, 99% of growth in the sector is being absorbed by those two companies. Most of the amendments adopted in IMCO serve the purpose of defending this anti-competitive, anti-choice, anti-privacy, anti-innovation framework.

Some of the many egregious efforts to water down the proposal include:

The Opinion adds a loophole to the text to reduce protection of communications. It suggests that the confidentiality of emails and other electronic communications should be protected only when they are “in transit”. This contradicts the entire logic of the legislation and, crucially, will allow companies such as Google to monitor the content of communications – when not “in transit”, but stored in their servers – to intensify their profiling of users.

to the text to reduce protection of communications. It suggests that the confidentiality of emails and other electronic communications should be protected only when they are “in transit”. This contradicts the entire logic of the legislation and, crucially, will allow companies such as Google to monitor the content of communications – when not “in transit”, but stored in their servers – to intensify their profiling of users. It supported the European Commission’s position that devices and software should not prevent unauthorised access by default . Instead, there should simply be an option – possibly hidden somewhere in the settings, as is typical – to set security levels. Ironically, this position completely contradicts other EU legislation, which criminalises unauthorised trespassing on computer systems. It also contradicts the GDPR, which foresees data protection by design and by default.

. Instead, there should simply be an option – possibly hidden somewhere in the settings, as is typical – to set security levels. Ironically, this position completely contradicts other EU legislation, which criminalises unauthorised trespassing on computer systems. It also contradicts the GDPR, which foresees data protection by design and by default. The Opinion suggests that “further processing” of metadata – information about our location, the times we communicate, the people we communicate with and so on – should not require consent . The activity permitted by this is not vastly different from the definition of stalking in Dutch law: “systematically and deliberately intrudes someones personal environment with the intention to force the other to do something, not to do something or to tolerate something…”(translation adapted from Wikipedia)

. The activity permitted by this is not vastly different from the definition of stalking in Dutch law: “systematically and deliberately intrudes someones personal environment with the intention to force the other to do something, not to do something or to tolerate something…”(translation adapted from Wikipedia) Instead of requiring providers to anonymise or delete personal data that is no longer needed, the IMCO Committee would also allow unnecessary personal data, if they use pseudonymisation . This means that the data collected and used by the provider could, at any moment be re-identified, creating unnecessary security, data protection and privacy risks for the individuals concerned.

. This means that the data collected and used by the provider could, at any moment be re-identified, creating unnecessary security, data protection and privacy risks for the individuals concerned. Rather cleverly, the Committee has exploited child protection to make profiling of users easier for companies . By saying that electronic communications data “shall not be used for profiling or behaviourally targeted advertising purposes” for children, it implies that this is acceptable for adults.

. By saying that electronic communications data “shall not be used for profiling or behaviourally targeted advertising purposes” for children, it implies that this is acceptable for adults. An obligation to inform users about security risks that have been discovered and how to minimise risks has been simply deleted from the Opinion.

from the Opinion. The committee did not amend the Commission’s proposal to allow people to be tracked through their mobile devices as they move around physically (in towns, malls, airports, and so on). Individuals are expected to opt out individually each time they enter an area with one or more tracking networks – on condition that they see and react to the one or more signs that indicate that tracking is happening.

The extremist anti-consumer position of the Committee on Internal Market and Consumer Protection was rightfully ignored in the adoption of the General Data Protection Regulation. We can only hope that, in addition to having its name changed to the “Committee on Internal Market and Consumer Protection ”, its Opinion will be ignored also this time.

IMCO Compromise Amendments to the proposal for a e-Privacy Regulation

https://edri.org/files/eprivacy/eprivacy_imco_ca_20170928.pdf

e-Privacy revision: Document pool

https://edri.org/eprivacy-directive-document-pool/

Are we on the right track for a strong e-Privacy Regulation? (28.07.2017)

https://edri.org/are-we-on-the-right-track-for-a-strong-e-privacy-regulation/

(Contribution by Joe McNamee, EDRi)