This January, the European Commission introduced a proposal to update the current EU-wide legal framework regarding the privacy and security of communications online, known as the ePrivacy Directive. This effort is timely – trust online isn’t great, and there’s more that we need to do to build it. But the Commission’s draft is far from perfect. Because online privacy is one of the core principles in the Mozilla mission, we are actively working with all of the EU institutions, to share our experiences with investing in privacy online and to advise them on ways we believe European privacy law can improve.

The specific proposal on the table is for an ePrivacy Regulation to replace the current Directive. This proposed Regulation, like the General Data Protection Regulation (GDPR), would be binding and harmonized across the European Union. Although both the GDPR and ePrivacy relate to privacy, the first focuses more on the protection of personal data and the latter more on the confidentiality and security of communications.

Here are the key issues in the proposal as adopted by the Commission:

Confidentiality of communications: Establishes that all e-communications data shall be confidential. “Listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing of electronic communications data” shall be prohibited except as outlined in the Regulation.

Consent for tracking/cookies: Consent may be expressed via technical settings of a software application allowing access to the internet (like a browser).

Privacy settings: Software permitting electronic communications (like browsers) shall offer a privacy-friendly option (e.g. prevent third-party cookies).

Lawful access: Member states may restrict e-privacy for “public interest”; providers of e-communication services shall establish internal procedures to respond to requests by law enforcement agencies for users’ data.

Broader application: The Regulation applies to telcos and ISPs, but also to over-the-top content providers like messaging apps, email providers, VoIP platforms, etc. Any technology using cookies or tracking technology (like device fingerprinting) will also be subject to the rules.

We understand and sympathize on many levels with the goals of this process. And getting this right is important. As part of our ongoing efforts to understand privacy in practice, we recently conducted a survey of Mozilla’s community on how users feel about online privacy. Our survey found massive challenges to trust online for internet users. First, respondents are concerned about their privacy online. 8 out of every 10 respondents fear being hacked by a stranger, and 61% of respondents are concerned about being tracked by advertisers. Second, respondents report not knowing much about how to secure their own privacy, with over 90% of survey participants saying they don’t know much about protecting themselves online. Global surveys of consumers indicate the same sentiments, concluding that “only when consumers around the world trust online companies with their data will those companies be able to make the most of the possibilities offered by global database marketing.” As these surveys illustrate, the core problem is one of trust — internet users don’t trust that their activities online are private, which creates a negative dynamic between internet users and online service providers, preventing an optimal condition for both.

Although intended to address this gap, the current EU framework hasn’t produced behavior from the technology industry that promotes a good experience for users (e.g. the ‘cookie header’ that users simply click through), or most importantly, engendered sufficient trust. In revising the ePrivacy framework, the EU government bodies hope to further encourage the right kind of dynamic, one founded on trust.

For our part, we work to enable trust in internet users by building privacy into our products, with Private Browsing embedded in Firefox and Firefox Focus, where private browsing is the default. We also believe government action can play a positive role in improving trust and that the proposed ePrivacy Regulation, if done right, would have such an effect. We support the spirit and intention of the ePrivacy Regulation, because it would give EU citizens stronger privacy protection online, fostering individual online security. We will work with the institutions in order to shape a future-proof framework that provides predictability for both users and online service providers, and contributes to a more secure online communications ecosystem.

“Doing it right” will be no easy feat. For instance, the draft Regulation imposes very specific restrictions on the technology industry that may challenge the business models of some ISPs. In some areas, obligations are proscriptive, undermining the principle of technological neutrality that this legislation needs to withstand the test of time in a rapidly changing environment, in addition to potentially restricting companies in freely developing innovative products and services.

Achieving harmony on these seemingly competing principles is where the challenge of a successful reform process lies. The core of the challenge is in ensuring these regulations are implementable and will achieve their goals of giving individual users choice, agency, and control, while not imposing undue or unhelpful burdens, or prematurely regulating burgeoning industries and practices.

The reform process is still in the early stages and is now in the hands of the European Parliament. The intention is to wrap up negotiations and have this legislation implemented at the same time that the GDPR comes into force, which will be May 2018. We think that is an overly aggressive timeline to tackle such a complex, important issue space, and hope that the institutions opt to take more time to more thoroughly assess the Regulation.

At Mozilla, we continue to work on these issues within a philosophy of empowering individuals. We’ll be engaged throughout this process and will share updates soon.

This post was written by Sherrie Quinn, Policy & Legal Extern at Mozilla