[A2k] ePrivacy: unraveling the lobbies' falsehoods
La Quadrature du Net
contact at laquadrature.net
Thu Dec 8 09:05:36 PST 2016
TAGS : EPRIVACY, PRIVACY, EUROPEAN UNION
La Quadrature du Net -- For immediate release
EPRIVACY: UNRAVELING THE LOBBIES' FALSEHOODS
Paris, 8 December 2016 -- THE REVIEW OF THE EUROPEAN EPRIVACY DIRECTIVE 
ON THE CONFIDENTIALITY OF ELECTRONIC COMMUNICATIONS MAY NOT HAVE REACHED
THE LIMELIGHT YET, BUT THIS DOESN'T MEAN THAT THE INFLUENCE WORK AND
THE FIGHT OVER INTERESTS HAVEN'T STARTED. ON THE CONTRARY, AS THE DRAFT
TEXT IS TABLED BY THE EUROPEAN COMMISSION TO BE PUBLISHED IN JANUARY 2017,
INTEREST GROUPS ARE AT THE DOORS OF THE EUROPEAN EXECUTIVE POWER TO GET
THEIR TWO CENTS IN THE UPCOMING TEXT.
To get an idea of the content of the discussion happening in high places,
we just need to read the open letters, position papers and other joint
declarations of ETNO, GSMA, DIGITALEUROPE and other lobbies of the digital
and telecom industries: all call for the plain and simple repeal of the
directive.
Much as during the negotiations for the General Data Protection Regulation
(GDPR), expounding our arguments is not enough in the face of the
industry's means and striking capacity: we need to review and examine all
their misleading arguments, one by one.
Argument #1: The ePrivacy directive adds legal and regulatory complexity
when we should be "restoring user trust by decreasing the regulatory
What we have here is the magic of the "rationalisation" argument at work.
This logic suggests that the regulatory environment is too great a
constraint for companies and that it should be simplified. However, it
bears repeating that to "simplify" should never mean to weaken, and least
of all to delete, guarantees that protect users.
Furthermore, this constraint is essential in order to oversee the practices
of companies for whom our personal data represents a gold mine and is often
the basis of their business model. The "Laissez-faire" and
"self-regulation" approaches, constantly advocated by the industry, are
lures that have never brought individuals more protection and
confidentiality. Regulations exist to make service providers and other
actors respect basic rules in terms of security, confidentiality and
privacy. Wherever there is no clear regulation, their practices tend to be
more exploitative of our privacy for commercial gain. Likewise, users must
be able to know, overall, what their guarantees and rights are: as we use
tens of different services every day, it is absolutely necessary to have
a common base of guarantees that allows us to know what to expect.
Argument #2: The ePrivacy directive is rendered obsolete by the new
General Data Protection Regulation. [2]
This is the industry's main argument: the new GDPR would already cover
almost all of the ePrivacy directive's provisions and this directive would
therefore now be unnecessary.
As a reminder, the ePrivacy directive is intended to protect privacy and
data confidentiality IN THE AREA OF ELECTRONIC COMMUNICATIONS. That is to
say, it is intended mainly for communications such as instant messaging,
SMS, VoIP communications like Skype, emails, phone calls, etc., for which
it will determine obligations for service providers in terms of security
and confidentiality. The General Data Protection Regulation, adopted in
April 2016 and which will enter into application in May 2018, intends, on
the other hand, to guarantee the protection of personal data for each
individual when this data is used by private corporations as well as public
authorities. Recent technological developments have been such that the
majority of transfers and movement of personal data now happens on the
Internet via the many websites and services we access.
Both texts are therefore not equivalent: one -the Regulation- focuses on
the personal data produced by our use of services, the other -the ePrivacy
directive- focuses on respecting our privacy and the confidentiality of our
exchanges with other parties.
The adoption of this new Regulation in April 2016 does not make the
ePrivacy directive useless in any way. Indeed, it does not directly cover
some fundamental rights such as the right to communicate freely or the
right to privacy. Furthermore, the ePrivacy directive covers issues that go
beyond personal data and that are not covered by the Regulation. This is
the case, for instance, for unsolicited communications like spam or direct
Because they are pervasive in our daily lives and because the information
they convey is of great value, electronic communications require a
specific security and confidentiality regime, as protective as possible.
The revision of this directive is a huge opportunity to strengthen this
protection while still remaining perfectly consistent with the general
legislation enshrined in the future Regulation.
Argument #3: User privacy protection is already guaranteed by the
Regulation, it is not necessary to keep article 5(3) on the confidentiality
of your device. [3]
The ePrivacy directive was amended in 2009 and a third paragraph on the
confidentiality of the "terminal device" (your phone -smart or not- or your
computer) was added. It oversees "information storage" and "access to
already stored information on the terminal device" (such as cookies), by
subjecting them to the consent of the user.
Today, it is poorly implemented by service providers, who make consent not
only compulsory to access a service (destroying the "freely given" nature
of this consent; it is essential to ban this practice) but also uninformed,
because it is drowned in an incomprehensible amount of information. In
this respect, article 5.3 has failed to give users back control of their
data, but it remains a crucial tool, both essential to limit the effect of
online tracking and unique, as nothing like it exists in the General
This article on the confidentiality and the integrity of terminal devices
therefore needs to be rephrased in order to improve its implementation, but
its scope must also be widened to include cases where the device creates
information by default such as tracking using canvas fingerprinting.
All in all, privacy protection must include the confidentiality and the
integrity of users' devices. This article is thus essential but can be
updated and made more efficient by widening its scope and reinforcing the
guarantees for the users (which is exactly what industries do not want).
Argument #4: Online communication services are not covered by the
directive. Thus, according to telecom operators, a "level playing field"
for all actors must be created, because they are at a terrible disadvantage
compared to American service providers. [4]
It is true that some services that are ubiquitous today, such as the online
messaging services WhatsApp, Signal and Viber (also called "OTT":
over-the-top services), did not exist when the ePrivacy directive was
adopted in 2002 and are not subject to the security and confidentiality
requirements of the ePrivacy directive.
On this issue, telecom operators and lobbies of the digital industry have
developed a facade of opposition. When operators denounce the unfairness
they face regarding new online services, the latter reply that they are
already covered by the General Regulation. In reality, far from being
opposed to each other, they all reach a common conclusion: the necessary
abrogation of the directive. It is a nice trick on their part but a vain
attempt in the end, as the issue of the directive's scope should be fixed
beforehand by the new European electronic communication code, currently
being discussed in the European Parliament. It should modify the definition
of "electronic communication services" to add new players such as online
messaging
Security and confidentiality obligations must apply to all service
providers and in an equal way. Treating all operators, new online services
and future services equally is necessary in order to be able to develop
more ambitious rules about the confidentiality and security of our
Argument #5: The derogations left to member States for national security
purposes are too broad and endanger the possibility for service providers
to offer some services, such as end-to-end encrypted electronic messages.
Because of Article 15.1, Member States do have the ability to limit the
confidentiality and security requirements laid down in this directive for
national security, defense or public security purposes. They may therefore
adopt measures providing for the retention of data (such as France with
article 6 of the 2004 law regarding Confidence in the Digital Economy or
with decree n°2011-2019 of 25 February 2011) which not only run contrary
to the EUCJ's decision of 8 April 2014 in the case Digital Rights
Ireland, but also conflict with some technologies that service
providers may offer such as end-to-end encryption tools. These very broad
derogations left to Member States are therefore incompatible with high
security and confidentiality requirements for our electronic
This may explain why industry lobbyists, such as DIGITALEUROPE, strongly
oppose an extension of the text's scope to OTTs, since article 15.1 would
compromise the ability of these services to guarantee security and
confidentiality of communications through encryption.
This is why there is a real need to question these broad derogations left
to Member States for purposes as open and vague as "national security" and
to drastically reduce the scope of article 15.1. To this end, the wording
"measures providing for the retention of data" must be deleted.
Furthermore, it is essential to specify that any national surveillance law
falling within these derogations must be both targeted and enforced under
prior control of a judicial authority.
To reinforce the right to privacy and to reassure service providers and
users, La Quadrature du Net recommends the introduction of a separate
article on the importance of encryption technologies. It could mention, on
the one hand, the essential role of encryption for the security and
confidentiality of electronic communications and, on the other hand, remind
service providers and Member States of their responsibilities in the
promotion of the use of these technologies.
Argument #6: You will kill competitiveness!!! [6]
This argument, made nearly empty by how commonplace it is in the jargon of
industry lobbyists, means that forbidding the development of certain
practices or technologies considered as intrusive for privacy would put the
European Union at a disadvantage because other States do not have such
But today, users are more and more aware of what their personal data
represents to them and some are turning to more privacy-respecting
services. It is useless to hope to be competitive by engaging in the race
to ever more intrusive tracking models; we must meet the challenge that
lies ahead and see in an ambitious and privacy-respecting regulation the
necessary incentive to the egregiously sought-after innovation.
But this change of orientation and of companies' economic model will not
happen thanks to free market competition. Without strong and ambitious
regulation, companies will never agree to risk their immediate profit. The
revision of the ePrivacy directive is the perfect occasion to promote this
ideological turning point of which the digital economy is in dire need.
* 1.  "Building consumer trust by reducing regulatory complexity".
ETNO, August 2016, page 15 :
* 2.  "DIGITALEUROPE therefore believes that the GDPR creates the
ideal scenario for the European Commission to achieve its stated
objective". DIGITALEUROPE, October 2016, page 2 :
* 3.  "DIGITALEUROPE does not believe that maintaining Article 5(3)
is necessary to achieve the high level protection of consumers privacy,
already guaranteed by the GDPR". DIGITALEUROPE, October 2016, page 5 :
* 4. "telecom providers are subject to the GDPR and the sector-specific
rules of the ePrivacy Directive as regards the processing of
personal data (notably location and traffic data), whereas the -mainly
US-based- over-the-top players that are offering functionally equivalent
services (such as Whatsapp and Skype) are only subject to the GDPR, and not
to the ePrivacy Directive." ETNO, August 2016, page 4 :
* 5.  "Lastly, we highlighted that an expansion of the ePD to cover
OTT services could undermine the very privacy it is seeking to protect.
Many of these services are engineered to apply the best possible encryption
technology, but the ePD could have the absurd effect of undermining their
ability to guarantee the security and confidentially of the communication
through the use encryption due to the fact the Article 15 (1) allows Member
States to restrict this right." DIGITALEUROPE, July 2016 :
* 6.  "This would not only disproportionately interfere with the
freedom to conduct a business and the freedom of contract, but also
undercut the EU's competitiveness in the data-driven and knowledge-based
digital economy." DIGITALEUROPE, October 2016, page 7:
ABOUT LA QUADRATURE DU NET
La Quadrature du Net is an advocacy group that defends the rights and
freedoms of citizens on the Internet. More specifically, it advocates for
the adaptation of French and European legislations to respect the founding
principles of the Internet, most notably the free circulation of knowledge.
In addition to its advocacy work, the group also aims to foster a better
understanding of legislative processes among citizens. Through specific and
pertinent information and tools, La Quadrature du Net hopes to encourage
citizens' participation in the public debate on rights and freedoms in the
La Quadrature du Net is supported by French, European and international
NGOs including the Electronic Frontier Foundation, the Open Society
Institute and Privacy International.
List of supporting organisations:
PRESS CONTACT AND PRESS ROOM
contact at laquadrature.net - +33 (0)972 294 426