Brussels, June 2017. With the proposed ePR progressing through the European Union legislative process, the GSMA and ETNO are calling for the EU to consider the following critical areas to ensure the end result strengthens consumer trust and encourages digital innovation.
PDF available here.
In January 2017, the European Commission issued a proposal to replace the current ePrivacy Directive with an ePrivacy Regulation (ePR). The ePR will apply to electronic communications services providers, including OTT (over-the-top) applications, and will supplement the existing General Data Protection Regulation (GDPR).
The GSMA and ETNO welcome the ePR’s commitment to ensuring the confidentiality of communications, which we believe is essential for consumer trust in the digital ecosystem.
However, the ePR should allow providers of electronic communications services to use metadata responsibly for the benefit of consumers and society, to the same extent that other technology or service providers can under the GDPR, which ensures that individuals receive a high level of protection.
Innovation and growth in the digital economy depend on the ability to access and use data. The grounds on which the ePR allows electronic communications services to use metadata are too restrictive and thus risk preventing telecom operators from providing adequate network and service quality, let alone developing innovative services that benefit consumers, the digital economy and society.
Processing of metadata is allowed only for a handful of necessary processing activities, such as guaranteeing the security of networks and services. In fact, the legal bases for processing are so limited that they do not enable the traditional service activities that operators provide today. Rather than specifying each use case in law, which does not provide for a future-proof regulation, the ePR should allow more flexible grounds. These should include processing for compatible purposes or legitimate interests, which would allow a case-by-case assessment of whether a certain processing activity is allowed or not, while being subject to sufficient safeguards. These safeguards include accountability, impact assessments, privacy-by-design duties, oversight and administrative fines.
Incorporating more flexible grounds for data processing would thereby enable a range of other activities beneficial to end users and society, such as network planning and optimisation, quality of service and customer care, product development, corporate social responsibility initiatives and the provision of emergency services.
For example, an operator should be able to proactively contact a customer when, based on usage measurements, it sees that the service level of this customer is inadequate. This will enable the operator to offer the customer a free check-up by a technician or even some paying services (such as the acquisition of a Wi-Fi extender or a femtocell). The operator should be able to process and use the same usage measurements, where possible in an aggregated form, to make smart network investments (e.g., placing extra ‘nodes’, antennas, etc. in locations where the usage reveals an objective need).
The ePR should allow for processing based on legitimate interests, which would allow accountable service providers a degree of flexibility to use personal data for the benefit of businesses, consumers and society as a whole, which is one of the stated aims set out in Recital 17 of the proposed ePR. Such a ground for processing requires the controller or service provider to consider carefully the respective interests and to communicate the interests relied upon to the data subject.
GDPR Art. 6(4) provides that further processing should be allowed, without prior consent, when compatible with the initial purpose for which the data was collected. This further processing is subject to a compatibility test, which provides for the need to carefully weigh the interests of the individual, taking into account the context and nature of the collected data as well as the consequences of processing, including whether appropriate safeguards like pseudonymisation have been used to reduce risks. In order to more closely align with the provisions of the GDPR, further processing should generally be allowed (without prior consent), if the processing meets the compatibility test.
The telecoms industry believes that pseudonymisation can play a significant role when considering whether further processing is compatible. We note that the European Commission embraced pseudonymisation as a privacy-friendly technique in the GDPR, “to reap the benefits of big data innovation while protecting privacy.”1 We want the ability to use this technique to develop innovative new products and services for consumers, while protecting their privacy, and avoiding the inevitable “consent fatigue” that would result if no exceptions to further processing based on user consent are recognised in the ePR.
Additionally, we would encourage alignment with Art. 89(1) in the GDPR, which provides for processing for statistical purposes, subject to appropriate safeguards, such as pseudonymisation. Allowing for such processing would also help telecom operators innovate and build societal benefits.
For example, an operator is working on developing a smart city tool for local government customers, which will help them monitor traffic congestion over time. To develop the tool, the operator would like to use pseudonymised location data, because this will provide necessary insights while also preserving privacy.
The ePR should thus allow for more flexible grounds for data processing subject to safeguards identified in the GDPR, as can be found e.g., in the compatibility test of GDPR Art. 6(4).
By providing limited bases for data processing, the ePR forces a heavy reliance on end-user consent. The ePR also mandates that the data controller must remind users at six-month intervals of their right to withdraw consent. This reminder requirement does not exist in the GDPR, even for processing sensitive data. Additionally, individuals may be required to provide consent multiple times for similar activities - such as for the processing of metadata and content data respectively and in some cases where the telecom operator uses the processing or storage capabilities, or collects information from, the end user’s device. Placing significant emphasis on consent may also lead to difficulties obtaining consent from third parties, such as passengers in smart cars or guests in a smart home. This also holds true for processing in real time.
By using consent as the main legal ground, the notion of informed consent may very well be undermined where data subjects will be overwhelmed by the amount of information provided about the types of data processed and for what explicit purpose. Consent should, as Working Party 29 have pointed to in their opinion 2014/217 on legitimate interest, only be used when processing is seen as especially intrusive.2 As outlined above, processing of metadata may be carried out for many non-intrusive purposes while falling outside the exhaustive list outlined in the ePR Art. 6, and users would reasonably expect that their communication providers are carrying out such processing. By continuously forcing users to evaluate information given to them and provide consent, there is an unnecessary burden put on users, as well as a great risk of undermining and potentially even weakening the notion of consent. A telecom provider is accountable for ensuring that its processing is being conducted in a lawful manner, and documenting and demonstrating that accountability, all against the backdrop of potential enforcement and significant fines. These considerations are better placed on the telecom provider than the users.
The current ePR proposal will inevitably lead to consent fatigue, and weaken the very protection that consent is intended to deliver. The ePR should expand the grounds for processing as stated above and drop the duty to remind end users about consent every six months.
For example, a smart car generates data about the condition and usage of parts, the location and velocity of the vehicle, the driving style of the driver, the presence of passengers, and the use of the in-car information and entertainment systems. This data could be used to help improve safety for the driver and for other road users. It could make it cheaper for the driver to insure and maintain his or her vehicle and could even contribute to a cleaner environment.
Potentially, a fresh consent would have to be collected actively for each new driver and each passenger for every journey in respect to the metadata transmitted, the use of the car’s processing or storage capabilities or the information collected from the car. This would be frustrating for all users of the car.
Permitting more flexible bases for processing, as mentioned above, would allow the telecom operator to process the data subject to additional safeguards.
The ePR fails to recognise that the same types of data used in electronic communications services are also used in many other services. This means that the same type of data, carrying the same potential data privacy risks, will be treated differently under the ePR than under the GDPR.
For example, in the case of location data, EU legislators decided not to treat location data as sensitive data (i.e. a special category of data) under the GDPR. This decision should be respected and not be reintroduced through the ePR, which would cover electronic communications services, while leaving out other services using the same type of data.
Further, consumers should not be expected to distinguish between their rights under the GDPR and those under the ePR. The GSMA and ETNO do not propose to extend the ePR to any use of these data types, but rather to highlight the inconsistency and challenge the necessity of introducing specific rules that undermine the holistic approach of the GDPR.
The ePR should protect the confidentiality of consumers’ communications, but if it creates inconsistency with the GDPR and if it relies too heavily on consent, it risks undermining the very trust it seeks to foster. Undue restrictions on responsible data use could deny citizens potential benefits of new communications services and technology. The GSMA and ETNO are committed to working with policymakers to get the balance right.
The GSMA represents the interests of mobile operators worldwide, uniting nearly 800 operators with more than 300 companies in the broader mobile ecosystem, including handset and device makers, software companies, equipment providers and internet companies, as well as organisations in adjacent industry sectors. The GSMA also produces industry-leading events such as Mobile World Congress, Mobile World Congress Shanghai, Mobile World Congress Americas and the Mobile 360 Series of conferences.
For more information on the GSMA, please visit the GSMA corporate website at www.gsma.com
For more information on this topic, please visit www.gsma.com/policies_for_a_digital_europe
ETNO has been the voice of Europe’s telecommunication network operators since 1992 and has become the principal policy group for European electronic communications network operators. Its 41 members and observers from Europe and beyond are the backbone of Europe’s digital progress. They are the main drivers of broadband and are committed to its continual growth in Europe. ETNO members are pan-European operators that also hold new entrant positions outside their national markets.
For more information, see ETNO’s website at www.etno.eu
Follow ETNO on Twitter: @ETNOAssociation