Data protection and the right to privacy are two rights enshrined in the Charter of Fundamental Rights of the European Union. The General Data Protection Regulation (GDPR) is a first attempt to ensure that European citizens’ data is handled and processed in line with these fundamental rights. Two proposed regulations in the European Union (EU)—“Privacy and Electronic Communications” (ePrivacy) and “European Production and Preservation Orders for electronic evidence in criminal matters” (eEvidence)—could have dramatic effects on the way app developers provide services within the EU. Below is the current state of play on these proposed regulations and what it could mean for our members and their businesses.
The eEvidence Regulation
What it is
The eEvidence Regulation aims to establish a system by which officials of one EU Member State can access data stored in another Member State for the purposes of a criminal investigation. In practice, law enforcement in one Member State will be able to ask a company in another Member State directly to hand over the data of a person or persons under investigation.
The regulation intends to streamline the existing system of Mutual Legal Assistance Treaties for law enforcement agencies to access data stored in other EU countries. It is believed that the existing system is too slow and cumbersome for law enforcement to keep up with the nature and pace of online crime in the 21st century.
The European Parliament is currently debating the text of the Regulation. The rapporteur, Birgit Sippel (S&D, Germany), has refused to issue a committee report because of significant issues related to the constitutionality and protection of fundamental rights—like the privacy rights articulated under the GDPR—that the European Parliament needs to debate before they can come to a decision on the final text. The scope of this regulation covers all companies that not only store data, but also manage customers’ data on their behalf, or provide means for interpersonal communications.
What it means
The important thing for our members to know about the new regulation is the effect it has on their relationship with their customers and with EU law enforcement agencies. As currently drafted, the proposed regulation could expose our members to significant liability and fines for non-compliance, because it makes no allowance for smaller outfits and is almost exclusively tailored to larger tech firms. Our members could find themselves stuck between a rock and a hard place trying to meet the high burdens the regulation imposes when EU law enforcement requests consumer data. The regulation in its current form sets strict timeframes within which companies must respond to law enforcement requests for data: ten days in normal circumstances, but only six hours in emergencies. In the event of non-compliance, companies can be fined up to two percent of their global annual revenue. Strict rules like this leave companies little room even where they have made a good faith effort, or even their utmost effort, to comply with law enforcement’s requests.
Privacy is a fundamental right in the European Union, which raises further complications for companies that comply with law enforcement requests for customer data. If a company hands over a customer’s data and the request is later found to have been unlawful, the company could be held liable for violating the fundamental rights of a European citizen. Companies are left in an uncomfortable position – damned if you do, damned if you don’t.
What we’re doing
To ensure that SME voices are heard in Brussels, we need our members’ help. We’ll be reaching out in the coming months to discuss members’ invaluable and essential input on the effect this regulation has on SMEs and ensure lawmakers hear what they have to say.
There is no easy solution to the issue of lawful access to data, but this much is clear: first, a regulation, such as the one proposed, is needed to increase the efficiency of the justice system; second, this need should be balanced against the fundamental rights of European citizens; and third, the interests of SMEs need to be recognised so that the regulation is workable.
The ePrivacy Regulation
What it is
The European Commission proposed the ePrivacy Regulation in January 2017. The aim of the regulation is to complement GDPR and establish a robust regulatory framework mainly aimed at online tracking to protect the fundamental rights of European citizens online. The ePrivacy Regulation has the potential to extend the scope of privacy protection to new technologies. Some of the goals of the regulation include:
- Ensuring confidentiality and end-to-end encryption of data
- Confining the processing of data to the legitimate interests of the processor (for example, quality assurance of communication)
- Asking consent for any extra activity, deleting any data that is no longer needed, and asking consent in a variety of other situations
- Allowing consent withdrawal
- Avoiding the collection of data about terminal equipment and keeping the data for the duration necessary
- Showing notice in a variety of situations (for example, when collecting signals from terminal equipment)
- Following stringent requirements of spam-free commercial communication
What it means
This regulation has significant implications for small to medium-size enterprises (SMEs) like our members. The proposal introduces heavy privacy requirements that affect mobile apps. These requirements cover the processing of content and metadata, the placement of cookies on user devices, and privacy settings for tracking. Each of these data sources is vital to many app developers, and restricting them would greatly reduce the quality of their services because of the resulting scarcity of datapoints they can use.
However, on 20 May, the Romanian Presidency of the Council of the European Union circulated a progress report on the ePrivacy proposal to be presented to the Member States at the Telecommunications Council on 7 June. Member States were required to adopt a common position on the text, but the Presidency abandoned this initiative given the persistent disagreements between national delegations.
This failure delays any possibility of adoption of the text. The forthcoming Finnish Presidency of the Council of the EU (from 1 July to 31 December 2019) has already announced that ePrivacy would not be a priority text, while any interinstitutional negotiations will not be possible before November because of the European Elections.
The potential for this framework to be fatal for app developers was considerable, especially when the governments involved were unclear on the rules for implementing both it and the GDPR. However, since the ePrivacy regulation is significantly delayed with no clear path forward, it is effectively dead. We’ll be sure to keep our ears and eyes peeled for any further updates if this issue resurfaces.
All this to say…
Data breaches and online scandals have raised the spectre of data protection and governments are asking hard questions in the digital era. The European Union has been at the forefront of setting the rules of the road. Moving forward, the challenge will be to ensure that new regulations like ePrivacy and eEvidence do not undo the good work done until now, nor undermine the business models of smaller companies that are only now coming to grips with the existing rules around GDPR.