This week the European Parliament’s Civil Liberties, Justice and Home Affairs Committee (LIBE) voted on new e-Privacy proposals.
Outside of the Brussels bubble very few people have heard of these negotiations; but the new rules promise to have a huge effect on how everyone uses the internet and what content and services are available online.
They come hot on the heels of the new data protection (GDPR) laws, which come into force in May next year and will strengthen data protection online, in the largest overhaul of data protection rules in 20 years.
The new e-Privacy proposals, however, go too far.
They govern communications and were originally devised to ensure phone and fax communications were secure, however the internet and the new GDPR laws rather overtook this outdated approach. The EU now find themselves facing the complex challenge of bringing the rules governing communications, which increasingly take place on the internet and are impossible to unravel from data, into line with this new reality.
It might have been sensible to wait and see how the GDPR works in practice, especially when it is clear many small, medium, and not so small businesses are struggling to implement the GDPR correctly. This has been compounded by the long delays in guidelines being published to help them do so before the imminent deadline.
Instead, the European Commission decided to replicate some of those rules for e-Privacy, in many cases going far beyond the provisions in the GDPR. They proposed to introduce these new laws at the same time as the GDPR: May next year. Business then, which has just spent time and money getting ready to comply with the GDPR, would be left in the dark to the last minute on an entirely new regime that they will need to comply with as well.
This unworkable approach has hit the buffers with the European Parliament (EP), which is already proposing to delay introduction.
However, that is probably the only reasonable aspect of the EP position. In the rest of its proposals the Parliament appears intent on strangling the life blood of the internet and funding streams for start-ups by taking a maximalist approach to the issue of privacy online.
Now privacy is a fundamental right and no one is proposing to weaken existing privacy laws. The definitions of consent will get much stronger when the GDPR comes into force next year, moving us from an opt-out culture to an opt-in culture across the internet and this will affect every company that handles personal data.
However the EP has effectively decided that the internet and its platforms are a public utility, whose services consumers are free to use without giving anything back in return. This approach will of course lead to one thing: far fewer free online services as no one in their right mind is going to spend money developing a service which they cannot make a profit from.
And this is the crux. The internet is currently built on data that people generate online and their information is the single most valuable commodity for any platform. It allows companies to invest money in creating new services that can then be offered to consumers for free, knowing that they can monetise their data through advertising and earn revenue to continue funding those free services for consumers.
Now many people are understandably uneasy about this, and some seek ways to avoid companies building up a profile on them either by deleting their cookies or using ad blockers, VPNs or other similar services. This is the consumer’s choice, and one that we are all free to make every day. The proposed e-Privacy laws, on the other hand, seek to make this choice for consumers.
The deep seated problem in many of the assumptions that the proposed laws make is they take a maximalist approach to ensuring privacy as default. Rather than giving consumers the choice of when they do and don’t want to give consent to data processing, the EP supports an approach which centralises consent in the browsers and uses a default setting disabling cookies. On top of this, the EP then wants to force companies to give the same service to people who choose not to opt-in to consenting to data processing, even though they are effectively getting the service for free.
The end result of this is that companies will not get anywhere near the same amount of data they got before and therefore they will receive far less money from advertisers.
You might say that is a good thing, but in such a case how does a small start-up get the funding needed to build a new service or platform online?
If they can’t rely on data there is only one other source of funding - direct payments from consumers. And those most affected will be small companies and start-ups who simply won’t be able to raise the capital to even get to the starting line. Big tech firms with economies of scale won’t have the same problems but everyone will suddenly find themselves paying for services they previously got on the internet for free.
If I were an app developer for a start-up faced with this prospect I don’t doubt I would be considering a career change, or at least a move to the U.S. where their privacy and data protection rules would allow me access to the data to develop new, innovative products for consumers out there.
That is not just bad news for consumers, especially those with the least disposable income, it is also bad news for both small and not so small businesses. One example is the gaming industry, in which many services recently moved from a pay first model to a free model where gamers pay for in-game services but the game itself is free. Under the old system up to 90% percent of all copies of games being played were pirated copies, while under the new system even players of pirated games need to buy the in-game purchases through the game itself, therefore allowing companies to monetise pirated versions of their games.
The gaming industry also provides a good example of the problems with the e-Privacy proposals. As many games have communications services included so gamers can talk to each other and plan tactics in the game, they come under the new proposals. The draft EP position would not allow the gaming companies to monitor those conversations even though they need to ensure there is no cheating and most importantly no abuse in an online space ripe for bullying.
The unintended consequences of these proposals are significant, ranging from a loss of free services to lost investment from start-ups and small businesses, and from higher costs for consumers to potentially less control on online bullies.
Yet supporters of the proposals label anyone opposed to them as being in favour of weakening privacy. Nothing could be further from the truth. If these proposals are rejected, and they may still be in the parliament’s plenary, all the existing privacy rules remain in place and data protection will be strengthened by the new GDRP rules coming into force next year. All that will happen is we go back to the drawing board and try to rewrite a proposal that will work.
I intend to ensure privacy is protected without destroying the lifeblood of the internet, and know many of my colleagues in the European Parliament will take a similarly pragmatic approach.