Risk of digital anarchy after the EU retreat in ePrivacy

Dr. Leonard Johard. Co-founder, Lead Scientist, Head of AI at Indivd

Leonard Johard, Lead Scientist at Indivd

The Portuguese Presidency of the EU Council of Ministers has caused a serious setback for the planned ePrivacy Regulation. – Without a functioning ePrivacy regulation, digital anarchy is created and the problem we then get is that our societies will no longer be able to benefit from digitalization, says Leonard Johard, AI researcher, privacy expert, and Lead Scientist at Indivd.

The new ePrivacy Regulation is intended to regulate the use of electronic communications services within the EU and will thus replace the previous directive on privacy and electronic communications. The ePrivacy Regulation specifies, among other things, additional requirements for all companies that process personal data. The new confidentiality rules will apply to everyone, including telecom operators, social media, and major tech players.

The work has been going on for a long time and the legislation was intended to only be applied during the second half of 2018. Above all, it is the work in the Council that has dragged on.

– The European Parliament’s proposal has been gradually watered down. Most recently, the compromise proposed by Germany in November 2020 failed. From 1 January this year, Portugal, through its Presidency of the Council, has now managed to come up with a new, even more, blunt proposal. It has already met with much criticism, both internally within the EU and from privacy-committed organizations, says Leonard Johard, CTO, privacy expert and also as such and as an AI expert engaged in the European Digital SME Alliance working group focusing on AI. The organization reports to the European Commission and monitors, among other things, AI and the consequences for smaller companies’ ability to influence EU decisions in the area of digitalization and Privacy.

Disputes over the wording

The right to data storage of personal data has once again become part of the new ePrivacy proposal, despite the fact that it has previously been ruled illegal by many courts. At the same time, permission is proposed for so-called cookie walls. It is also proposed that important consumer rights such as the right to object and the impact assessment of data protection be annulled.

– It is further proposed that personal data may be processed without the consent of persons for purposes other than the original. Questions such as “pay or allow cookies” for those who want access to a website are also suggested to continue to be allowed. In addition, under the current directive, personal data may only be stored for important public interests. In the new bill, there is no such reference to the public interest, Leonard Johard continues.

In parallel, France is also fighting to amend the ePrivacy initiative in order to exempt national security agencies from certain provisions.

Metadata may be stored

The most controversial issue, however, concerns the processing of metadata, which includes all data surrounding a digital message or call, ie who you call, who you communicate with, where you do it and when you do it.

Metadata has a high privacy value and must be anonymized or deleted if users do not give their consent.

– The new bill now proposes that you as a communication owner should have the right to save and store this metadata, as long as it is done for statistical purposes. The problem is that a statistical purpose can be interpreted very broadly. If, for example, a 20-year study is done, you can in practice save as much and any data about all people. In practice, this means that all web services will be able to track and build profiles for all people, as long as the profiling does not obviously take place for marketing purposes.

Uncertain future

Much of the bill’s focus is also still on cookies.

– In the legal text, they try to regulate cookies for overuse of statistics. In fact, this with cookies is now meaningless, as cookies are an old tracking technology, which is completely being replaced by fingerprint technology. Fingerprint copies your web presence and saves the data in the cloud. It is a completely new and unregulated type of data collection and data storage, says Leonard Johard and continues:

– With the right to store information for statistical reasons, every single app and web player will be able to access people’s personal information and store and save it for an indefinite period of time. In addition, this personal data will certainly be lost to other less serious players in the market.

User information is already sold online today. It is already easy and it will be even easier, according to the current bill.

Impact on GDPR

The intention was from the beginning that ePrivacy legislation would be stricter than GDPR.

– In practice, in its current proposal, it will be weaker than the GDPR, because it says yes to certain parts, which according to the GDPR are currently banned. This will open the door to also interpret the GDPR in a more beneficial way for those who monitor communication. And there will be little opportunity for you as an individual to say no to this type of surveillance, says Leonard Johard.

Over 90 percent of the world’s population in various surveys say no to all use of personal data, as long as they do not give their consent.

– People are very concerned about their privacy and if they are abused, they will look for other solutions. In parallel, new tools and markets for anonymization will therefore be created.

Several such alternatives have recently emerged. Apple has, among other things, launched the privacy-friendly browser Brave, the search engine Duck-duck-go is growing, as well as the privacy-friendly browser Tor Browser.

– Without functioning regulation, anarchy is created and the problem we then get is that our societies will no longer be able to benefit from digitalization.

In addition, an unequal competitive relationship is created with other markets.

– While the collection of personal data is tightly regulated in the physical world, it becomes free in the virtual. Therefore, a compromise is needed, but it is opposed by how the bill is formulated today.

New negotiations are started

The so-called trilogy negotiations with Parliament will begin next.

– Hopefully, they will then have time to correct the bill before the legislation is implemented. Given the great strife that prevails, it will probably not go as fast as the Portuguese Presidency hopes. The lobby groups of the big telecom companies, media, and tech giants are also not supposed to be inactive in Brussels, says Leonard Johard.

Plans for the new legislation to enter into force before 2023 are likely to be dashed. A potential transitional period of 24 months means that all new regulations will then hardly have time to enter into force before 2025. And the next Presidency of the Council will, from 1 July this year, be shouldered by Slovenia.

This is European Digital SME Alliance

The European Digital SME Alliance is a community of 20,000 small and medium-sized IT companies and associations in 30 countries and regions within the EU. The organization has started a special working group focusing on artificial intelligence. Indivd participates in this through its representative Leonard Johard, CTO and co-founder of Indivd. The task is, among other things, to monitor the development, uptake, and effects of AI in Europe on behalf of the European Commission. Privacy is a very important part of this mission.