Next on EU Privacy: The Revision of the EU e-Privacy Directive

News & Analysis
EU Flags

After the adoption of the EU General Data Protection Regulation, the Data Protection Directive for Law Enforcement Agencies, the EU-US Privacy Shield, your understandable EU privacy policy fatigue is excused.

But when a coalition of tech and telecom industries calls for a relatively obscure EU directive to be repealed, it may unintentionally trigger an atypical Streisand effect: if companies, which often so cavalier to individuals’ privacy, want to get rid of the EU e-privacy Directive, then maybe there is something worthwhile fighting for in it.

The current EU e-Privacy Directive contains the specific rules concerning the processing of personal data in the electronic communication sector. It was adopted with the specific aim of provide for the harmonisation of the national laws to ensure an equivalent level of protection human rights - in particular the right to privacy and confidentiality - with respect to the processing of personal data and the electronic communication sector and to ensure the free movement of such data and of electronic communication equipment and services in the EU.

It was adopted with the specific aim of harmonising national laws to ensure an equivalent level of human rights protections – in particular the right to privacy and confidentiality - with respect to the processing of personal data and the electronic communication sector, and to ensure the free movement of such data and of electronic communication equipment and services in the EU.

Since the EU e-Privacy Directive was adopted in July 2002, the landscape of generation, collection, and other processing of data in the digital sphere has changed significantly.

The massive increase in the capacity of devices to generate, transmit, and process data has been accompanied with the development of analysis techniques such as algorithms, to process such data. A fundamental shift has occurred in our relationship with technology. At the start of the last decade, virtually the only devices collecting data on us were computers and smartphones. However, there are now a myriad of ways in which technology deployed by private parties and state agencies are collecting personal data.

This requires a fresh look at the principles that underpin an ever more digitised society.

The EU Commission has just concluded the public consultation on the revision of the current EU E-privacy Directive.

Privacy International’s briefing to this consultation can be found here. We also contributed to the briefing submitted by EDRi.

In our briefing, we made a series of recommendations, including:

  • Expand the scope of its application to cover communications and data transmitted “over the Internet”, and data collection and identification devices such as those referred to as belonging to the “Internet of Things”;
  • Clarify that the right to confidentiality applies to these and similar types of data.
  • Address the challenges to anonymisation of data posed by new technologies, particularly in light of the increased possibility of cross-referencing data, by requiring, for example, the disclosure of the logic involved in the processing of data, including an explanation of the working of algorithms and sufficient information about the consequences of the processing.
  • Reflect the role of the device manufacturers. Individuals need to have enforceable rights against the manufacturers and retailers of products they buy including around data access, algorithmic transparency, and the digital footprint created by the device and any third party software on it. The responsibility of manufactures to put in place appropriate security safeguards to protect data should also be addressed.
  • Clarify that the principle of data minimisation applies irrespective of the grounds for processing (consent, contractual obligation, delivery of value added service, etc.) and it applies at all stages of processing, including at the point of generation of the data.

This is the first stage of the process. The EU Commission is due to review the result of this consultation and to submit proposals. Judging from some of the contributions made publicly available, this exercise has the potential of being of one of the most significant developments to address the challenges to data protection in the modern world.