Vol. 5 No. 358 - October 26, 2017
EU Update
ePrivacy Regulation advances to next stage without lobbied-for changes. Today, the European Parliament voted in Plenary to support the negotiation mandate of the ePrivacy Regulation, moving the draft regulation to the next step of the regulatory process: negotiation with EU member states. The Capitol Forum is at the Knect365 Big Data and Competition Law conference in Brussels today, where Christian D’Cunha, head of the Private Office of the European Data Protection Supervisor, stated, “It’s been quite an important day for data protection in Europe.”
Today’s vote followed the October 19 vote by the European Parliament Committee on Civil Liberties, Justice and Home Affairs on the proposed ePrivacy Regulation, which retained provisions sought by privacy activists and opposed by the tech and advertising industries. Privacy advocate Joe McNamee, executive director of European Digital Rights (EDRi), lauded that vote, saying, “Despite a huge lobbying effort to water down the proposal, the Committee voted for clear, privacy-friendly rules. We welcome this approach, as it will not just protect citizens, but promote competition and innovation as well.”
Monique Goyens, director general of the European Consumer Organisation (BEUC), similarly praised the October 19 vote: “Surveys show a vast majority of people want that tools for monitoring their online activities should only be used with their permission.” EU Parliament committee members have “sided with consumers instead of giving in to industry pressure to track our every step online,” she added.
With data collection forming the heart of Facebook and Google’s business model, the regulation as drafted would require major changes to their practices. Stakeholders in the digital advertising ecosystem that depend on tracking are similarly at risk.
Firms and trade associations directly involved in the lobbying effort around the ePrivacy Regulation reportedly include Facebook, Google, Microsoft, AT&T, Deutsche Telekom, Interactive Advertising Bureau (IAB), and CCIA (trade associations of which Facebook and Google are members), among others. The industry lobbying effort will continue through this next member state negotiation stage and could influence the regulation’s final language. Unlike the existing ePrivacy Directive, the ePrivacy Regulation will not give individual states discretion on whether to implement its provisions.
Although the EU aims to have the ePrivacy Regulation take effect with the General Data Protection Regulation (GDPR) on May 25, 2018, most experts following the process expect the timeline for the ePrivacy Regulation to be delayed several months.
Failure to comply with the ePrivacy Regulation could result in fines of up to four percent of annual turnover of the preceding financial year. And as PageFair’s Johnny Ryan previously explained to The Capitol Forum, “the penalties actually don’t stop there,” because both the GDPR and the ePrivacy Regulation “also give data subjects, the people who are concerned with these data or communications, … the opportunity to take the accused infringer to court.” “Actually, this is expressed in the regulation in such a way as to open up the prospect of class action suits,” added Ryan, “so there’s quite a lot of hazard here.” Further, if data is misused, every single party that was part of the event that led to the infringer getting the data is liable as well, says Ryan.
ePrivacy Regulation as drafted requires significant changes to Facebook and Google’s business practices. In its current form, the most important components of the ePrivacy Regulation include:
• No processing of electronic communications data/access to consumers’ devices without affirmative consent.
• Privacy as default for electronic communications.
• No ability for companies to deny access to their website or service if a consumer does not consent to tracking, when such tracking is not necessary for providing the service.
A legal opinion written by the law firm Frankfurt Kurnit Klein & Selz and commissioned by the trade association Digital Content Next concluded that, without dramatic changes, “much of the EU data subject data on which Facebook and Google currently sit could lose its value because it could not be used for online behavioral or targeted advertising purposes….”
“Without the implementation of new more robust consent mechanisms,” continues the opinion, “they could not process the metadata within any messages, emails, calls or posts for online behavioral or targeted advertising purposes; and they could not collect or access any information from user devices or place tracking technologies (such as cookies) on user devices for online behavioral or targeted advertising purposes.” Without obtaining user consent, “the ePrivacy Regulation would likely eliminate Facebook’s and Google’s ability to match customer list data against their own data and target users on and off their third party technology on websites and apps.”
Under both the GDPR and the ePrivacy Regulation, consent requires a company to demonstrate a clear affirmative act by the user establishing a freely given, specific, informed, and unambiguous indication of the user’s agreement to the processing.
Obtaining user consent likely to be difficult. Although obtaining consent is key to data collection under both the GDPR and the ePrivacy Regulation, a study by PageFair showed that only 5% of users would choose “accept all tracking,” when given the below choices that would comply with the draft Regulation.
Even a study performed by GFK and commissioned by IAB Europe and the European Interactive Digital Advertising Alliance for purposes of opposing the regulations concluded that only 20% of online users “would be happy for their data to be shared with third parties for advertising purposes.”
Consent cannot be required to use service. As drafted, the ePrivacy Regulation prohibits tracking walls, meaning that a company cannot make consent to tracking a condition of using its website or service. Industry lobbyists will continue to oppose this measure, with the goal that one powerful website could obtain tracking consent not just for itself but for others as a requirement of use.
For example, Google potentially could present a tracking wall that requires users to give consent to 15 enumerated companies in order to use Google search, if tracking walls were permitted. Industry lobbyists did not succeed in convincing the EU Parliament to remove the tracking wall prohibition, but they are expected to continue this effort with Member States.
ePrivacy Regulation and GDPR Overview
Fundamental rights and individual control over data. The ePrivacy Regulation aims to protect two rights in the EU Charter of Fundamental Rights: the respect for private life and communications (Article 7) and the protection of personal data (Article 8). The GDPR only covers the latter.
Even if the data subject has given consent, both regulations give the data subject “a whole set of rights over those data, because they continue to own the data, rather than the tech platform,” explained Johnny Ryan. “So, for example, they could port all of their data from one platform to any other, or they can access their data or delete them, or disallow the processing of those data for any reason that they choose,” added Ryan. “So an awful lot of power is now given to the data subject, the person using the online service.”
Global reach. The GDPR covers any processing of personal data in or for the European market. “Any processing of data that is personal data, that is done by or for a European business, or any businesses anywhere in the world that are offering services to, or trying to sell or monitor or profile users in the EU, are in the scope of this regulation,” explained Ryan. “And it doesn’t matter where one is based in the world,” added Ryan, “Everyone’s in scope.”
Similarly, the ePrivacy Regulation governs the processing of electronic communications data in the EU, even if the processing does not actually take place in the EU.
Data covered. The ePrivacy Regulation broadly defines electronic communications data as data related to electronic communications services and includes both the content of a communication and metadata within the communication.
The Frankfurt Kurnit legal opinion explains that under the draft ePrivacy Regulation, “Facebook and Google would be required to obtain more clearly demonstrable consent from their users prior to processing any data (not just personal data) for online behavioral or targeted advertising purposes and, in some instances, would be completely barred from processing data for such purposes.” The ePrivacy Regulation also covers machine-to-machine communications, extending its rules to the Internet of things.
The GDPR, in contrast, governs the processing of “personal data.” Personal data is defined far more broadly than is personally identifiable information, the term used in U.S. privacy regulation.
Explained Ryan: “So personal data is any information that relates to an identifiable person, whether that is direct or indirect. So personal data isn’t just your phone number or your social security number. It could easily be your IP address. In fact, it could easily even be your lists of preferences in things like Netflix, if they could be combined with other data to single out someone from a crowd, to identify someone…To be able to use personal data in the European market, the new standard that the GDPR introduces essentially means that there are several ways legally to do so, but the only way that is available to most online tech companies is consent.”
ePrivacy Regulation and GDPR pose risk to Google and Facebook. “The inability of Facebook and Google to meet the consent requirements under the ePrivacy Regulation could destroy their ability to collect meaningful data at scale in the EU,” concludes the Frankfurt Kurnit legal opinion. For a discussion of how the regulations pose risk to specific business lines, such as Google’s DoubleClick and Facebook’s Audience Network, see our interview with PageFair’s Johnny Ryan.
Although Google did not provide the reason for its recent decision to stop scanning Gmail for ad targeting purposes, the practice likely would have been prohibited under the ePrivacy Directive. In future reports, we will continue to explore the risk these regulations pose to tech platforms and other companies with business models that depend on data collection and tracking.
It is worth noting that the Frankfurt Kurnit legal opinion concludes that, “The ePrivacy Regulation is a greater threat to Facebook and Google than the GDPR.” One main reason is that under the GDPR, “a company may process personal data on the basis of its legitimate interest except where such interests are overridden by the interests or fundamental rights and freedoms of the user.” No doubt, many companies will argue that their data processing serves a “legitimate interest” that outweighs users’ rights.
