Surprise: Latest Draft Of The EU's Next Big Privacy Law Includes Some Improvements
from the expect-massive-lobbying-push-to-remove-them dept
The EU's new ePrivacy regulation is a strange beast. It's important, designed to complement the EU's GDPR. Where the GDPR is concerned with personal data "at rest" -- how it is stored and processed -- the ePrivacy Regulation can be thought of as dealing with personal data in motion. Despite that importance, it is largely unknown, except to people working in this area. That low profile is particularly strange given the fierce fighting that is taking place over what exactly it should allow or forbid. Businesses naturally want as much freedom as possible to use personal data as they wish, while privacy activists want the new regulation to strengthen the protection already provided by the GDPR.
A new draft version of the ePrivacy regulation has appeared from the Presidency of the EU Council, currently held by Germany. It is a nearly illegible mess of deletions and additions, but it contains some welcome improvements over the previous version (pdf), which was released in March 2020. One relates to the protection of the "end-users' terminal equipment" -- a legalistic way of saying the device used by the user. The DataGuidance site summarizes what's new here as follows:
in relation to the protection of end-users' terminal equipment information, the current Draft ePrivacy Regulation has introduced, in Article 8(1)(c), a more strict wording, providing that, in order for the use of the terminal equipment to be necessary for the provision of a service requested by the end-user, the same must be 'strictly technically necessary' for providing an information society service 'specifically' requested by the end-user. In addition, the current Draft ePrivacy Regulation has reintroduced Article 8(1)(da) and (e), addressing the use of processing and storage capabilities of terminal equipment and the collection of information from end-users' terminal equipment that are necessary for security purposes and for software update.
But the most significant change from the previous version concerns the controversial issue of "legitimate interests". This was perhaps the biggest loophole in the previous draft, since it allowed companies to collect personal information from their users if:
it is necessary for the purpose of the legitimate interests pursued by a service provider to use processing and storage capabilities of terminal equipment or to collect information from an end-user's terminal equipment, except when such interest is overridden by the interests or fundamental rights and freedoms of the end-user.
The concept of "legitimate interests" was so vague that it essentially allowed companies to do pretty much whatever they wanted with sensitive personal information they gathered. The latest draft from the German Presidency deletes this section completely. That's good news for users of online services, but predictably, telecoms companies are unhappy. In a letter sent to the EU, seen by Euractiv, they write:
We are finding that the latest text has taken a dramatic step back, disregarding the constructive compromises achieved so far, negating the positions and interests of many EU Member States and threatening the stability of the digital economy and its growth potential
Clearly, then, there is going to be yet another big fight over this latest move, as lobbyists try to get the "legitimate interests" section reinstated. The ePrivacy saga continues.
Follow me @glynmoody on Twitter, Diaspora, or Mastodon.