Brussels (Brussels Morning): Last week, the Portuguese EU presidency resuscitated the dormant debate on the protection of privacy and confidentiality in the use of electronic communication. An updating of the obsolete rules from 2002 has been stalled for the last three years, with the European Parliament concerned about issues of citizens’ privacy, while EU member state officials favoured storing users’ data for all kinds of purpose.
First out with a reaction was Patrick Breyer, representing the German Pirate Party and the Greens in the European Parliament. “EU governments are trying to hijack this reform to legalise mandatory and voluntary data retention and forced tracking of our online activities,” he exclaimed.
Outlining his position and that of his EP collegues to Brussels Morning, Breyer stressed that any changes that water down existing levels of data protection are unacceptable to MEPs. In several rulings, the European Court of Justice has held that providers of electronic communications services cannot be required to retain data in a general manner and that data retention must be limited to the strictly necessary, when combating threats to public security and serious crime as laid down by law. Despite the Court’s rulings, EU governments have sought to allow for more data retention in repeated attempts to have the e-Privacy directive renewed.
”The way the text stands now, they propose that internet providers can decide to retain data even for their own purposes or by way of prevention. The definition is so wide that you can always find reason to collect and retain this data. Once it is collected for commercial purposes, it will also be made available for governments, because they have the right to access,” Breyer explained. In his view, the revised proposal is a very problematic attempt at ”indiscriminate data retention” and a thinly disguised surveillance measure.
”EU governments could just as well rename the e-Privacy regulation the ‘dePrivacy’ regulation,” Breyer maintained.
Despite attempts by the Portuguese EU Presidency to redefine the privacy rules, any revision of the directive is highly unlikely at this stage. The proposal also provides for interception of encrypted communication when there is an executive order to that effect.
”That contradicts the use of encryption, because then the service providers could not offer encryption as standard,” Breyer pointed out.
End to cookies?
The Parliament has been vocal in urging that the presumption should be that no ”cookies”, tracking information should be saved by the web browser on the user’s device for storage and that the users should not be tracked constantly when using digital services. The EU’s general privacy regulation, the GDPR enacted in 2018, already contains that provision, but lacks enforcement powers.
”The GDPR does not take into account how sensitive our online activities are,” Breyer noted. The data can be used for profiling all internet service users based on medical information, sexual preferences etc. So we need GDPR provisions on the collection of data online, even if it is not done by cookies. You can collect data directly on a server, too.”
A further problem is that the the issue of user identification online is not covered by the proposal for an e-Privacy regulation. As digital service providers have to be able to identify users, in a manner that is comparable to offline services, it could be done separately by a service that is not linked to the user’s online activity,one that serves solely for logging in.
The EP has sounded the alarm about the unnecessary collection of personal data such as mobile phone numbers by online platforms when people log on for services. At present, the rules are too permissive, Breyer contended. ”That is how Google and Facebook can collect a clickstream history for every user without their consent. It is pervasive tracking that needs to be stopped! It can be used to manipulate or even blackmail people.”
He would like to forbid outright the invasive tracking of the entire history of online activities, as well as personalised advertising and their underlying data collection.
As things stand, there does not seem to be any scope for agreement on or even for negotiating the e-Privacy regulation.
”If there is no major advantage for the protection of privacy, then it would be better not to pursue these changes to the legislation at all,” Breyer claimed, noting that in the circumstances any changes risk being problematic.
”In terms of a single digital identity, it would come with great risks, because it could be used to prevent people from being anonymous online. And anonymity must always be possible even with identification services. The problem is to protect against identity theft, because your data is not safe once you are signed anywhere.”