E-Privacy/LIBE CAS

From La Quadrature du Net
Jump to navigationJump to search

This page intends to rate the main points of the compromise amendments discussed in LIBE Committee just before the vote of it's final report on the ePrivacy Regulation on 19 October.

The debate in LIBE was dominated by rapporteur Lauristins (S&D) strong willingness to reach a compromise with the conservative groups represented by shadow rapporteur Michal Boni (PEE). Being in line with the position of La Quadrature du Net at the outset, the shadow rapporteurs Jan Albrecht (Greens) et Sophia in't Veld (ALDE) did follow Lauristin on this approach. Their submission to the compromise-dogma lead to several alarmingly dangerous proposals. The reason for this devastating objective lays down in the Parliaments internal rules of procedure. As the right-wing groups did not want to accept the text - even though it was voted in LIBE on 19 October - they opposed the mandate of Lauristin in order to submit the text to new amendments, this time in plenary. This situation is what Lauristin wanted to avoid at all costs of the compromises with the right-wing. Therefore, it was necessary that the regressive groups lead by Boni left the negotiations table that the so called 'pro-privacy' coalition (S&D, ALDE, Greens and GUE) was given a second chance to get back on track.

It should be noted that these compromise amendments have not been published officially. We assorted them according to their importance for the course of the final negotiation in LIBE. The main issues at stake were our consent to the analysis of our communication as well as to the geolocalisation of our devices.

Compromise amendments 04.10.[edit]

Article 6 - paragraph 2 - point c:

Providers of electronic communications services and networks may process electronic communications metadata only if: [...] the end-user concerned has given his or her consent to the processing of his or her communications metadata for one or more specified purposes [...].

(based on AM 67 (Rapporteur)

  • (-) Further processing of metadata without the consent of all users concerned would be allowed (only single consent).
  • (+) EPP&ECR were haltered in their attempt to allow further processing of metadata for "legitimate interest". However, this raised their bargaining power enabling them to come up with a new exception from consent : scientific or historical research purposes for statistical counting


Article 6 - paragraph 3 - point a:

Providers of the electronic communications services may process electronic communications content only: for the sole purpose of the provision of a specific service requested by the user to an end-user, if the user end user or end user concerned hasve given his or hertheir consent to the processing of his or her electronic communications content [...]".

(based on AM 69 (Rapporteur), AM 485 (Gue), AM 486 (Greens) and AM 489 (EPP)

  • (-) Processing of content of communications without the consent of all users concerned would be allowed ('their consent' replaced by 'his or her' --> only single consent required, users not directly using the service themselves, but simply communicating with someone who does, are not required to consent (p.e. users sending emails to Gmail users). Also a bargaining move, try to make the 'single consent' look like an acceptable compromise.


Article 8 - paragraph 1 - point d & paragraph 2a - point a-d:

The use of [...] processing and storage capabilities of terminal equipment and the collection of information from end-users’ terminal equipment, including about its software and hardware, other than by the end-user concerned shall be prohibited, except on the following grounds: [...] if it is technically necessary for measuring the reach of an information society service requested by the user for web audience measuring, provided that such measurement is carried out by the provider or on behalf of the provider, or by an independent web analytics agency acting in the public interest including for scientific purpose; and further provided that no personal data is made accessible to any third party and that such measurement does not adversely affect the fundamental rights of the user; of the information society service requested by the end-user.

For the purpose of points (d) of paragraph 1 [...], the following controls shall be implemented to mitigate the risks

(a) the purpose of the data collection from the terminal equipment shall be restricted to mere statistical counting; and

(b) the processing shall be limited in time and space to the extent strictly necessary for this purpose; and

(c) the data shall be deleted or anonymised immediately after the purpose is fulfilled; and

(d) the users shall be given effective opt-out possibilities that do not affect the functionality of the terminal equipment.

(based on AM 80, 89 (Rapporteur), first part of AM 548 (EPP), AM 591 (ALDE)

  • (-) Even though restricted to the purpose of 'audience measurement in public interest' and to 'statistical counting', this would still allow the further processing of information from our communications without our consent.
  • (-) This would allow to first collect unanonymized data and then anonymize them for the purpose of statistical counting. This aims at, for example, getting insight about the number of visitors in a store at a specific time or over the last six month, or about how often one particular person visited the store. This implies to store personal data for quite a long time.


Compromise amendments 09.10.[edit]

Article 6 - paragraph 2 - point c:

[unchanged]

  • (-) Further processing of metadata without the consent of all users concerned would be allowed (only single consent). No clarification
  • (+) EPP&ECR were haltered in their attempt to allow further processing of metadata for "legitimate interest". However, this raised their bargaining power enabling them to come up with a new exception from consent : scientific or historical research purposes for statistical counting.


Article 6 - paragraph 3 - point d (new):

Providers of electronic communications services and networks may process electronic communications metadata only if: [...] it is necessary for statistical purposes in the public interest, the data are pseudonymised and the provider has obtained prior authorization by a supervisory authority. Users are clearly and visibly informed about the processing and shall be given the opportunity to opt-out. The data shall be anonymised or erased no later than seven days after it has been obtained by the provider. The result of processing for statistical purposes shall be aggregate data, and that this result is not used in support of measures or decisions regarding any particular natural person. [...]

(based on AM 64, 68 (Rapporteur), AM 449 (Alde), AM 450 (ECR), AM 451 (Greens), AM 452 (Gue)

  • (-) This would allow further processing of metadata without consent exclusively for 'statistical' purposes, so that everybody concerned remains unidentified. This limitation is alarmingly insufficient: the collected and processed metadata required for this purpose would always be kept for as long as it takes to put up the statistic. What today seems to be anonymous is likely to give insight about our individual behavior tomorrow. This is hardly offering protection regarding the constant development of re-identification technologies.


Article 6 - paragraph 5 - point a :

[unchanged, see compromise amendments from 04.10., Article 6 - paragraph 3 - point a]

  • (-) Processing of content of communications without the consent of all users concerned would be allowed ('their consent' replaced by 'his or her' --> only single consent required, users not using the service are not required to consent, p.e. users sending emails to Gmail users). Also a bargaining move, try to make the 'single consent' look like an acceptable compromise.


Article 8 - paragraph 1 - point d & paragraph 4a - point a-d:

The use of [...] processing and storage capabilities of terminal equipment and the collection of information from end-users’ terminal equipment, including about its software and hardware, other than by the end-user concerned shall be prohibited, except on the following grounds: [...] if it is technically necessary for measuring the reach of an information society service requested by the user for web audience measuring, provided that such measurement is carried out by the provider or on behalf of the provider, or by an independent web analytics agency acting in the public interest including for scientific purpose; that the data is aggregated and the user is given a possibility to opt-out; and further provided that no personal data is made accessible to any third party and that such measurement does not adversely affect the fundamental rights of the user; of the information society service requested by the end-user.

For the purpose of points (d) of paragraph 1 [...], the following controls shall be implemented to mitigate the risks

(a) the purpose of the data collection from the terminal equipment shall be restricted to mere statistical counting; and

(b) the processing shall be limited in time and space to the extent strictly necessary for this purpose; and

(c) the data shall be deleted or anonymised immediately after the purpose is fulfilled; and

(d) the users shall be given effective opt-out possibilities that do not affect the functionality of the terminal equipment.

(based on AM 80, 89 (Rapporteur), first part of AM 548 (EPP), AM 591 (ALDE)

  • (-) Even though the possibility to opt-out was added, this would still allow the further processing of information from our communications without our consent for the purpose of 'audience measurement and statistical counting'.
  • (-) This would allow to first collect unanonymized data and then anonymize them for the purpose of statistical counting. This aims to, for example, get insight about the number of visitors in a store at a specific time or over the last six month, or about how often one particular person visited the store. This implies to store personal data for quite a long time.



Compromise amendments 12.10.[edit]

Article 6 - paragraph 2 - point c:

[unchanged]

  • (-) Further processing of metadata without the consent of all users concerned would be allowed (only single consent).


Article 6 - paragraph 2 - point d (added):

Providers of electronic communications services and networks may process electronic communications metadata only if: [...] the processing of electronic communications metadata generates anonymous statistical analysis and is subject to the following specific safeguards

  1. the purpose of further processing must be compatible with the purpose for which the data were initially collected,
  2. further processing for any commercial or for-profit purpose is excluded and can only take place for public policy purposes,
  3. the electronic communications metadata is anonymised, where possible, or otherwise pseudonymised,
  4. a data protection impact assessment according to Article 35 of Regulation (EU) 2016/679 has been conducted,
  5. a prior authorization by the independent supervisory authority referred to in Article 18 has been obtained,
  6. the user is clearly and visibly informed about the processing and is given a possibility to object,
  7. the result of processing is and cannot be used in support of measures or decisions regarding any particular natural person,
  8. the result of processing is shared with the independent supervisory authority and not reusable,
  9. the underlying electronic communications metadata is not disclosed to or shared with any other party, and
  10. the electronic communications metadata is erased or anonymised immediately after the processing operation for anonymous statistical purposes has been completed.

(based on AM 68 (Rapporteur)

  • (-) This would still allow further processing of metadata without consent exclusively for 'statistical' purposes, so that everybody concerned remains unidentified. Although the added safeguards, this limitation is still alarmingly insufficient for the same reasons mentioned above (What today seems to be anonymous is likely to give insight about our individual behavior tomorrow, see above) and is lacking precise definition ('public policy purpose').


Article 6 - paragraph 3 - point a:

[unchanged, see compromise amendments from 04.10., Article 6 - paragraph 3 - point a.]

(based on AM 69 (Rapporteur), AM 485 (Gue), AM 486 (Greens) and AM 489 (EPP)

  • (-) Processing of content of communications without the consent of all users concerned would be allowed ('their consent' replaced by 'his or her' --> only single consent required, users not using the service are not required to consent, p.e. users sending emails to Gmail users). Also a bargaining move, try to make the 'single consent' look like an acceptable compromise.


Article 8 - paragraph 1 - point d; paragraph 2a - point a:

The use of [...] processing and storage capabilities of terminal equipment and the collection of information from end-users’ terminal equipment, including about its software and hardware, other than by the end-user concerned shall be prohibited, except on the following grounds: [...] if it is technically necessary for measuring the reach of an information society service requested by the user for web audience measuring, provided that such measurement is carried out by the provider or on behalf of the provider, or by an independent web analytics agency acting in the public interest including for scientific purpose; that the data is aggregated and the user is given a possibility to object; and further provided that no personal data is made accessible to any third party and that such measurement does not adversely affect the fundamental rights of the user; of the information society service requested by the end-user. Where audience measuring takes place on behalf of an information society service provider, the data collected shall be processed only for that provider and shall be kept separate from the data collected in the course of audience measuring on behalf of other providers; the purpose of the data collection from the terminal equipment shall be restricted to mere statistical counting;

(based on AM 80, 89 (Rapporteur), first part of AM 548 (EPP), AM 591 (ALDE)

  • (-) Even by forbidding the providers to exchange the aggregated information about our communications among each other, they would still NOT be obliged to ask for our consent, given that they collect for the purpose of 'audience measurement'.


Compromise amendments 17.10.[edit]

Article 6 - paragraph 2 - point c:

[unchanged]

  • (-) Further processing of metadata without the consent of all users concerned would be allowed (only single consent).
  • ==> The underlying AM 67 of Rapporteur Lauristin had tendency to clarify the consent of all users concerned, but fell victim to the compromise.


Article 6 - paragraph 3 - point a:

[unchanged, see compromise amendments from 04.10., article 6 - paragraph 3 - point a.]

(based on AM 69 (Rapporteur), AM 485 (Gue), AM 486 (Greens) and AM 489 (EPP)

  • (-) Processing of content of communications without the consent of all users concerned would be allowed ('their consent' replaced by 'his or her' --> only single consent required, users not using the service are not required to consent, p.e. users sending emails to Gmail users). Also a bargaining move, try to make the 'single consent' look like an acceptable compromise.


Article 6 - paragraph 2 - point d (added):

[removed]'

  • ==> The further processing of metadata for statistical purpose including safeguards was removed from article 6 after Boni left the negotiations table. However, further processing without consent would still be allowed (Art 8 - 1 - d, see below) only restricted to imprecisely defined purpose of 'audience measurement' in 'public interest'.


Article 8 - paragraph 1 - point d; paragraph 2a - point a:

[unchanged, see compromise amendments from 12.10.]

(based on AM 80, 89 (Rapporteur), first part of AM 548 (EPP), AM 591 (ALDE)

  • (-) Even by forbidding the providers to exchange the aggregated information about our communications among each other, they would still NOT be obliged to ask for our consent, given that they collect for the purpose of 'audience measurement'.
  • ==> Web audience measurement without users' consent should be illegal.