Think Digital – Data Protection and Privacy of the European Digital Future

What is crucial for our decisions and actions on ePrivacy regulation not only in the short, but also in the long term perspective?

To have the reasonable and balanced solution on ePrivacy. The openness for data processing, which was proposed by me in the amendments on further processing, is key for innovative services. The openness for cookies and avoiding the situation that all our consents should go via big browsers – is key for the publishers, especially for small local websites. The openness for exceptions allowing for security activities – is crucial for security of the communication. The openness for the household exemptions is key for innovative services for individuals on their demand.

We need the ePrivacy to be complementary to the GDPR, with focus on confidentiality and with the purpose to make situation equal for all businesses (OTT), when the GDPR will enter into force.  It is not reasonable to totally undermine the GDPR by certain solutions in the ePrivacy, which would be welcomed by some businesses.  However, it is equally not reasonable to undermine the possible balanced solutions of ePrivacy by redundancy of the references to the GDPR and its restrictions. After the GDPR enters into force in May 2018, it would be better to have ePrivacy implemented in an adequate time, avoiding the mess related to the misinterpretations of the law because of the different levels of the current ePrivacy directive implementation in different countries.

I have worked hard on this portfolio, as the EPP shadow rapporteur, however my amendments were not taken into account by the Rapporteur of the draft Report. Therefore, we started the shadow meetings from a very difficult and disappointing position. But we achieved much more than we have expected. We deleted the “privacy by default” issue, we deleted the “tracking walls”, we opened the possibility for the “household exemptions”, we implemented the security issues, we changed completely the time of the entering into force this regulation, and many other points. We need to appreciate it. And we need to appreciate the readiness of our colleagues from others political groups to be open for compromises, very difficult for them.

But at the end “the compromise package” did not include the data processing openness. So we were not satisfied and there was no longer time for discussion. We, as EPP, took a political decision and not one based on merit analysis. And we have lost the package I described, and decided to vote in LIBE against the Report and against mandate!

For future consideration it is important to think how can we achieve the goal to achieve balanced solutions in the trilogue negotiating with a difficult starting point, not having the achievements, which were in the original compromise package?  It will not be easy. Some experts suggest that it will be impossible, because there is no 100% certainty on how the Member States will behave.

One additional point. We have worked under tremendous pressure. It is normal. But according to my merit-side assessment of the many voices from both sides: the voices from business and some civic organisations were based on misunderstandings, myths, creating bubbles and fake views. IT IS TRUE!  Many arguments made by business have been not true at different stages of negotiations and were not reflecting the advancement of changes in the text. It was a kind of the distribution of exaggerated threats – also, very often it was presented by some civic organisations. It is clear to me, that it is better to disseminate a true, reasonable assessment of the real impact of certain concrete solutions. In the future, we need to avoid this kind of situation, when we have not enough time to explain real problems, rather than focusing on the mess and misinformation.

Finally, we wanted to express our dissatisfaction with the mandate by voting in the Plenary.

The Plenary vote showed that the European Parliament is ready to give the mandate for the trilogue. It is not a very strong mandate, but it is a mandate. So it opens the possibility to work on the ePrivacy – improving the text, looking for the balanced solution, assessing all merit aspects of the needed equilibrium between innovation and respect of the citizens’ rights and expectations. We need to work together – all parties, all political groups, all institutions.

At the end, I want to emphasise how important is and should be, also for my EPP group – to keep the balanced approach to ePrivacy regulation: for business and for users, for citizens more and more aware of their rights related to the privacy and confidentiality protection. This equilibrium is necessary for the incoming Big Data revolution. This equilibrium is needed because it creates trust. The future digital revolution must be based on this trust. And it can be ours – as Europeans – and our European economy’s advantage vis a vis many other countries.

And, politically speaking – we need to have a clear message to our citizens in this area, taking into account their expectations and the increasing role of the awareness of their digital rights.

GDPR : We still need to assess after the GDPR enters into force the areas, which would be potentailly left unregulated with the ePrivacy Regulation missing.

Issue of Privacy – smart devices and the safety of children: 

  • A German regulator has banned domestic sales of children’s smartwatches (target age – 5 and 12 years old) that have a listening function — warning that parents have been using the devices to secretly eavesdrop on teachers at their kids’ school.
  • The Federal Network Agency telecoms watchdog said it had already taken action against some online sellers. An app allowed parents to use such children’s watches to listen unnoticed to the child’s environment – according to German law this is regarded as an unauthorized transmitting system. Parents apparently also used the app to listen to teachers in the classroom.
  • In February, the same federal agency banned sales of an Internet connected doll — called My Friend Cayla — as in Germany it is illegal to manufacture, sell or possess surveillance devices disguised as another object.
  • The app owner is able to silently call the device via such functions and listen unnoticed to the conversations of the watch wearer and others in their vicinity — an act of covert surveillance that is illegal in Germany.
  • The agency has instructed parents to destroy any devices they have bought, and asked schools to be on the look out for smartwatches being used by children — and to request destruction of listening devices they identify.

Other cases:

  • Last month the Norwegian Consumer Council put out a report about children’s smartwatches, raising concerns about security flaws, privacy concerns, and risks posed by what they described as unreliable features.
  • This month a UK consumer rights group also raised concerns about poorly secured IoT toys which it said could enable strangers to talk to children. The group also called for devices with known security flaws to be banned from sale
  • The latest ban may increase pressure for the European Commission to consider whether European Union-wide regulation is needed for Internet connected toys.

Issue of Privacy and copyright:

Recent discussions around copyright also highlighted the pressing issue of protection of privacy online. While protecting the rights of authors, we cannot allow for general monitoring of the content online. It is an interesting case where a careful consideration is needed. We need to think about solutions, which are transparent and do not undermine the fragile balance between the rights of authors and the rights of us all as users and citizens.

Privacy Shield:

It has been clear for quite some time now, that legislation is not able to keep up with the technological progress, in the age of the internet, cloud computing and Big Data. With many EU companies as well as US ones reliant on US-based cloud computing giants to store their data, it certainly isn’t a one-way street. In particular, organizations hoping to take advantage of the many new cloud-based analytics and AI infrastructures will have to make it clear that they are ready to be much more thorough and transparent in the way they store and transmit data.

The first annual report highlighted areas where there need to be improvement:

  • Ensuring that companies are not able to publicly refer to their Privacy Shield certification before it has been finalised by the US Department of Commerce (DoC);
  • Calling on the DoC to conduct more proactive and regular monitoring of companies’ compliance with their Privacy Shield obligations, as well as regular searches for companies making false claims about their participation in the Privacy Shield;
  • Strengthening awareness-raising efforts to inform EU individuals about how to exercise their rights under the Privacy Shield, particularly in relation to complaints;
  • Improving the co-operation between the DoC and EU data protection authorities, notably to develop guidance for companies and enforcers;
  • Enshrining the protections offered by Presidential Policy Directive (PPD-28) with respect to non-US persons in the Foreign Intelligence Surveillance Act with a view to ensuring the stability and continuity of these protections; and
  • Appointing a permanent Privacy Shield ombudsman, and filling other empty posts.


Privacy Shield –  new Max Schrems challenge:

  • At the beginning of October privacy activist and student Max Schrems has hailed an Irish Court decision to refer cross-Atlantic data flows back to the European Court of Justice – all over again. (Schrems sparked the original litigation which led to the Court throwing out the “Safe Harbor” legal framework that governed flows of European citizens’ private data to America.)
  • When Safe Harbour fizzled away, some data controllers fell back to Standard Contractual Clauses, and others turned to an ad hoc fix dubbed Privacy Shield.
  • Both Facebook and Schrems challenged this new framework in Ireland (Facebook’s European HQ) for different reasons. Schrems argued that the “self certification” protection wasn’t protection at all.
  • The introduction of the Privacy Shield Ombudsperson mechanism in the Privacy Shield decision does not eliminate concerns whether it is an effective remedy for European citizens under US law. A decision of the CJEU is required to determine whether it amounts to a remedy satisfying the requirements.
  • Schrems statement: “I welcome the judgment by the Irish High Court. It is important that a neutral Court outside of the US has summarized the facts on US surveillance in a judgment, after diving through more than 45.000 pages of documents in a five week hearing. Facebook seems to have lost in every argument they were making,”
  • This potentially paves the way for the European courts to again invalidate the legality of a very commonly used data transfer mechanism under EU law.