By Ron Moscona, Dorsey & Whitney, LLP
We live in a connected world and often we take for granted that our smartphones and other devices should know where we are, or where we were yesterday, or how many steps we took during the day, or that it should guess what music we like, or whose clothes we might want to wear, or who we might want to connect with.
A lot is happening in the background to make those functionalities work – data is gathered, logged, stored, analysed and shared, users are constantly monitored and often profiled, and the average consumer is barely aware of much of this activity. Many users of mobile devices, for example, might be surprised to realise that the default privacy settings of their smartphones are set to allow dozens of applications and functionalities to track their location (by tracking ‘geo-location data’) even when the app is not in use.
New EU ePrivacy legislation
In response to the changing technology landscape, European Union (“EU”) legislatures now wish to tighten the rules on ePrivacy – the set of regulations applying to providers of telecommunication services in relation to the confidentiality of communications, the collection and use of “traffic data” and “metadata”, the tracking of users and the use of telecommunication networks for direct marketing purposes.
The European Parliament has recently approved proposals published by the EU Commission early in 2017 to recast the existing ePrivacy rules. The Parliament adopted the proposals of the Commission and added some language to tighten the rules a little more. EU Member States, the Commission and the Parliament will continue to mull over the proposals and the digital industry will surely try to wield its influence to reduce the burden of compliance on service providers. But it is clear that some industry practices would need to change in order to meet the requirements of the new regime.
The rebooted legislation comes with a significant threat to those who are complacent. Regulators will be empowered to impose heavy penalties, in line with those under the GDPR (the General Data Protection Regulation) – up to EUR 20m or 4% of total worldwide annual turnover (whichever is higher). Offending service providers could be given administrative penalties and individual users will have the right to seek remedies from the courts.
The ePrivacy regulation has been around for decades. But there is some catching-up to do. The rules concerning confidentiality of communications and use of ‘traffic data’ currently apply only to traditional telecommunication services (such as telephone and broadband services), not to services provided by applications such as Whatsapp, Waze or LinkedIn. The new proposals will widen the scope to capture a wide variety of communications enabled through the internet and through digital communication networks. All digital services offering communication capabilities are likely to be affected by the new rules as well as any service that collects data from users or which tracks users’ activities.
Current rules on direct marketing prohibit the use of telephone, fax and e-mail to send unsolicited marketing communications (except in relation to previous purchases). In the last decade of the last century (when the ePrivacy rules were first adopted) no-one thought of social networking services, in-app communications and private chat groups. The new legislation seeks to widen the net and will apply the restrictions on marketing communications to all forms of electronic communications.
The cookies rules
The rules requiring user consent to be obtained for the placing of ‘cookies’ on users’ devices (used for identifying users and for tracking online activities) have been clarified in the last few years, but the current position remains unsatisfactory. The EU has been saying for years that users should be able to control their privacy preferences through their browsers and that the providers of the software should make it easier for users to do so. The new legislation seeks to force suppliers of browser software to do so.
Use of metadata
Users of mobile applications and devices are accustomed to receiving requests for consent to access data stored on the device and for enabling ‘location services’. Legal requirements are driving many of those consent requests. Providers of digital services know that the days when services could be designed to surreptitiously harvest data from users and to channel it to the service provider without telling the user are long gone.
However, practices still vary greatly from one service to another. Default settings are one way in which service providers seek access to data without drawing the user’s attention to the issue.
EU legislatures want to raise the bar. Not only would they like services to expressly seek consent for using ‘metadata’, they want the service provider to explain to users for which purposes exactly the consent is being requested. Further, consent alone would no longer be sufficient to meet the legal requirement. The draft legislation proposes a ban on the use of metadata, even with the express consent of the user, except where strictly necessary for the purposes for which such consent is requested. In other words, service providers will need to demonstrate transparency as well as technical necessity, in addition to having to obtain the consent of the user for accessing metadata.
Free choice – not forced consent
The adopted proposals emphasise that consent cannot be buried in terms and conditions or other obscure parts of the service, and they require that access to services (whether paid-for or free) must not be conditional on the user giving consent for the collection of his or her personal data or for the placing of code (such as a cookie device) on the user’s device.
Whilst seeking to promote transparency, to give more control to users of digital services and to discourage unnecessary collection of user data and tracking of users, the proposed legislation also includes practical provisions. Where data collection is strictly required in order to deliver a service requested by a user, the user’s consent will not be required. Service providers will be free to install security updates on users’ devices, without seeking prior consent, as long as the update does not interfere with existing privacy settings and users are aware of the installation and can turn off automatic installations. Provisions are included to allow service providers to measure online activities of users, even without their express consent, and to allow such measurements by third parties engaged by the service provider.
Overall, the new legislation will require providers of digital services to act more responsibly and to pay more attention to consumer interests when designing services and the so-called ‘user journey’. The requirements are not meant to curtail innovation or the development of new services in a digital environment, but they do require service providers to give consumers more control and a better understanding of how their data is being used, and they will discourage the harvesting of data when this is not strictly required to deliver the service requested by the consumer. Service providers that have in mind a revenue generation model based on the exploitation of users’ metadata and the tracking of users’ behaviour, on the back of a free digital service, may need to think again.
Ron Moscona is a partner at the London office of the international law firm Dorsey & Whitney LLP. Ron’s work focuses primarily on the protection and exploitation of intellectual property rights, technology, branding, content and data. Ron has been practising in this area since 1995.