Debate on ePrivacy

Today, together with the European Internet Forum and MEP Axel Voss, I am hosting a morning debate on ePrivacy. The discussion concerns whether the coexistence of the General Data Protection Regulation and the revision of the ePrivacy Directive is feasible, or whether it creates unnecessary overlap and legal uncertainty.

What matters now is what happens in the EU member states: let us make sure that the implementation of the personal data protection rules does not undermine harmonisation, and that it is understandable to all parties to a data transfer: those who process data and those whose data are processed. To the mutual benefit of the data-driven economy. The further we move into the digital world, the more rationality is needed in the processing of data, especially personal data. We need to make sure that the ePrivacy Regulation is aligned with the GDPR and the Electronic Communications Code. We need to analyse several cases, as well as how the solutions of the ePrivacy Regulation will be implemented and how they will work in practice. These will be valuable arguments for our negotiations in the EP.

  • The ePrivacy Regulation proposal is much wider than we expected. When we were talking about the matter 6 months ago, the main issue was to make sure that ePrivacy and GDPR are aligned and that they possibly enter into force at the same time.
  • In the Commission proposal for the ePrivacy Regulation, it is written that it should enter into force on May 25th, 2018. So exactly at the same time as GDPR. On paper, that would be very good as it would provide legal certainty etc., but I am starting to wonder whether it would be possible from a technological point of view for the companies to adjust their systems and to do it without any extra time after the Regulation enters into force. I would like to ask your opinion on that matter.
  • The e-Privacy Regulation should be analysed from two different points of view. We have to make sure that it is consistent with the GDPR and complements this instrument ensuring protection of data during electronic communication. I do not want to have again the same ideological debate, debate about values and I definitely do not want to reinvent the GDPR. We should make sure that both instruments are consistent.
  • On the other hand, it has to be consistent with the Electronic Communication Code as its scope concerns the data when they leave the user and before they get to the recipient of the communication. In that sense, it covers much more the technological aspects of the communication. We should look closely at the definition of electronic communication that is included in the Code. What we understand as electronic communication will set the barriers to the ePrivacy Regulation.
  • The clear added value of this piece of legislation is the provision on confidentiality. It is not covered by the GDPR and ePrivacy remains the only legislation that makes sure that the confidentiality of communication is guaranteed.
  • From the data protection point of view, we will still continue to have an interesting debate on the issue of legal basis on which the processing can take place and in particular on consent. In the ePrivacy regulation, consent is the main, the only legal basis for processing. It is said that the definition of consent from the GDPR applies but article 9 paragraph 2 brings an exception to this rule stating that the consent could be expressed by technical settings of a software application that enable access to the internet.
  • In this context also, we have to figure out how to interpret and implement the consent requirement when it comes to communication between human and machine and between machine and machine. For instance, how would it work with autonomous cars?
  • We have a scope broadened to also include OTTs. All electronic communication will be included based on the definition from the Electronic Communication Code. Which brings us to the second pillar of legislation that we have to make sure ePrivacy is consistent with.
  • Inclusion of OTTs but also inclusion of machine to machine communication will be an important discussion on this file. Together with the issue of metadata and the consent necessary for the further processing of metadata.
  • Another point that will require more analysis is the question of cookie policies. The question of first-party and third-party cookies. How to make sure that users understand whatever choice they make as regards browser settings and acceptance of cookies? How to make sure that the aim of the legislator is met (protection of users and limiting the ubiquitous use of tracking cookies, for malicious purposes etc.) but on the other hand not destroy business models in your sector?
  • I think what we need now for further work is to have some concrete examples, cases regarding particular situations in which you believe the proposed legislation should be adjusted to work properly. These will be valuable arguments for our negotiations in the EP, to show where we need to adjust the proposal and what the consequences of certain provisions are.
  • Special thanks go to Sebastian Gerlach from Microsoft and the EIF Organising Committee, who helped set up this great panel.
  • You will find a summary and presentations of this debate on the EIF’s website in the coming days.