Cable Europe, ETNO, and GSMA call on Ministers on the ePrivacy Regulation
Brussels, 30 May 2018
Last week, we all greeted the General Data Protection Regulation (GDPR) taking effect as a new high standard for all players in the digital economy. Cable Europe, GSMA and ETNO’s members have made implementation of the GDPR their highest priority, since the protection of customer’s personal data is at the core of our industry’s business model.
However, the GDPR has not truly resolved the current regulatory imbalance between the telecommunications industry and other players in the economy. As you know, telecom operators are currently still subject to national rules implementing the ePrivacy Directive, which restrict the way they can handle data generated and carried over their networks.
As active supporters of the Digital Single Market strategy, our members are the backbone of the European data economy. The surge of Internet traffic, mobile data traffic, and machine-to-machine connections that we are witnessing can only be sustained thanks to the continuous investment and innovation of the European providers of telecom networks and connectivity. As such, our members have the ambition to fully harness the opportunities of this data-driven revolution to create significant benefits for customers and society as a whole in many areas including service innovation, improvement to public transport and traffic congestion management, or reduced CO2 emissions.
Cable Europe, ETNO and GSMA had hoped that the long-awaited overhaul of the ePrivacy Directive could make that aspiration a reality. However, the European Commission’s proposal for an ePrivacy Regulation and the ensuing legislative debate have frustrated our expectations.
The draft Regulation has so far failed to bring the conditions for processing communications metadata in line with the principles applicable to the processing of personal data in the GDPR. While our members entirely support the principle that unlawful interference with communications should be prohibited, this should not mean preventing telecommunications operators from offering innovative services, provided that sufficient safeguards are in place to prevent such interference. The data economy is global and EU legislation should support European operators to compete – without compromising on confidentiality. As proposed by the Commission, the systematic and sole reliance on consent of the end-user risks hampering data analytics and Artificial Intelligence which are dependent on adequate datasets. The right balance has not yet been achieved and in October 2017, the European Parliament adopted a position that further exacerbates this missed opportunity.
We appreciate that Member States are taking time to thoughtfully deliberate and we value the work on the Regulation undertaken by the Council under the auspices of the Bulgarian Presidency. To facilitate the ongoing difficult discussion amongst Member States, we have regularly provided constructive input to the Council- including providing relevant use cases and technical explanations on how more flexibility for metadata processing can benefit directly our society and the competitiveness of our industry, while ensuring a high level of privacy.
As we approach the 8 June Telecommunications Council meeting, we urge Ministers to give a clear signal that rules should allow innovative use of metadata where it is appropriate and justified. To achieve this, we suggest to incorporate the GDPR’s risk-based approach, which makes the Regulation future-proof, by allowing further processing of metadata without consent for purposes compatible with the initial purpose for which the data were collected, subject to compulsory safeguards such as pseudonymisation1. Such an approach in line with Article 6(4) GDPR balances the benefits of innovative services for society with the appropriate protection of privacy for consumers. More work is needed in this regard, since the currently proposed solutions around “statistical counting” are likely to be interpreted too restrictively and would not allow for data analytics to take place in a variety of accountable business models.
We look forward to the outcome of the discussion at the 8 June meeting, and to continuing to work with the Council and future Austrian Presidency to show how telecom operators can process data in innovative ways while preserving confidentiality, respecting privacy, and building trust.
Matthias Kurth, Executive Chairman, Cable Europe
Lise Fuhr, Director General, ETNO
John Giusti, Chief Regulatory Officer, GSMA
1 More specifically, we suggest including the principle of “further compatible processing” of Article 6(4) GDPR as a mechanism for processing metadata in Article 6(2) of the proposed ePrivacy Regulation.
Our Associations would like to address specifically the relevant questions put forward by Presidency for the policy debate at the TTE Council of 8 June 2018 and provide the industry’s viewpoint for Ministers’ review.
Question 1. Do you think that the current approach as proposed by the Presidency and set out above on the permitted processing of metadata (art 5 and 6) is an acceptable basis to move forward? What other improvements could be made?
- We do not think that the current approach proposed by the Presidency is sufficient. More specifically, the “statistical counting” legal basis is an undefined term that deviates from the GDPR (which refers to processing for statistical purposes) and is likely to be interpreted too restrictively, not allowing for data analytics in a variety of accountable business models. As an improvement, Member States should incorporate the broader principle of further processing for compatible purposes, as laid down in the GDPR, with strong safeguards.
Question 2. Do you consider the approach concerning the protection of terminal equipment and privacy settings (art 8 and 10) to be an acceptable basis to move forward?
- Article 8 on the protection of terminal equipment needs further clarifications. The article was conceived to give consumers control of their privacy in cases where tracking cookies and other similar tools are used. However, the current wording could result in regulating most connected devices. Although the Council has made an attempt to clarify this article, it does not yet result from the text that this provision will only apply to tracking cookies and other similar tools. We consider that the scope of article 8 should be clearly limited to such cases.
Question 3. Do you think that the latest compromise proposed by the Presidency enables advancement of the competitiveness of the European industry in providing innovative services while, at the same time, safeguarding the confidentiality of citizens’ communications and the protection of citizens data (or sensitive data)?
- The approach proposed by the Presidency on Art. 6 is not future proof, since a closed list of exemptions to the prohibition of processing metadata will not provide the required flexibility for the Regulation to be a future-proof legislative instrument. Any law should establish general principle-based rules (e.g. compatible further processing) that can apply to a variety of specific cases, taking full account of a risk-based approach and evolving according to technological developments. At the same time, safeguards remain applicable in all circumstances mitigating risks for end-users. Otherwise, the future ePrivacy Regulation risks becoming obsolete even before being applicable.