France ‘got its way’ as Portugal ends e-Privacy deadlock

The new e-Privacy regulation, proposed by the European Commission back in 2017, aims to harmonise legislation across the bloc and protect users from data retention and behavioural-tracking techniques, such as cookies.

But the agreement reached by member states this week has been harshly criticised by civil society for allowing “mass surveillance” under national data retention laws – permitting this was an important issue for France.

The new law will update the existing framework from 2002, which was amended in 2009, requiring prior consent for using cookies – and receiving the name of EU Cookies Law.

Cookies serve many functions, from storing a username and password to monitoring users’ online habits to target advertising.

The council position establishes that the access to the terminal equipment of website users, needed for setting cookies, is, in principle, only allowed with consent.

However, the compromise also introduces new exceptions, for example, when installing security updates, measuring audiences, or updating software.

The new regulation also extends confidentiality rules for traditional telecommunications providers, to internet-based services such as WhatsApp or Zoom, and services involving an automated transfer of data, such as fitness trackers and other ‘Internet of Things’ devices.

As a result, any interference, including listening to, monitoring and processing of data by anyone other than the end-user would be prohibited.

France vs Germany

While the parliament’s committee responsible for the e-Privacy reform quickly reached a position, member states have spent four years trying to agree a common approach.

That is explained partly by the fact that France has been fighting to ensure that mass surveillance is legal (under national data-retention legislation), while Germany had been advocating for strong privacy safeguards.

“One side decided to protect privacy, while the other wanted to turn the e-Privacy reform into a surveillance toolkit,” said Estelle Massé from NGO Access Now, warning that the outcome of the council’s negotiations shows that “France got its way”.

“France’s proposed language, aimed at giving more discretion to public authorities to retain and use data, got added in the final proposal,” she added.

Portugal is the ninth successive EU presidency to have been working on e-Privacy.

The council and the parliament now can start negotiations on the final text – what could last months since the MEPs position dates back to the last parliamentary term and lobbying is expected to intensify.

This regulation builds on top of the requirements established under the bloc’s data protection rules (GDPR), securing the privacy of electronic communications, whether they contain personal data or not.

Shortcomings

However, privacy activists and some MEPs have criticised the reform for not being aligned with essential principles of GDPR, such as ‘privacy-by-design’ and by default (data protection through technology design) – which has been deleted in the council text.

“Not ensuring privacy-by-design [and] by default would be terrible as it would legalise the current dominant tracking of people and having faulty devices to communicate, which would not guarantee the right to privacy and confidentiality of communications,” said Diego Naranjo from the Brussels-based NGO European Digital Rights.

Green MEP Patrick Breyer, for his part, slammed the proposal, arguing that “EU governments are trying to hijack this reform to legalise mandatory and voluntary data-retention and forced tracking of our online activities”.

“There must be no watering down of the current communications data protection,” he added, warning that negotiating on these basics make no sense at all.