ePrivacy regulation: Europe at a crossroads

The European Commission, Parliament and Council are in trilateral negotiations on a new ePrivacy regulation to replace the existing ePrivacy directive. The new legislation and the specifics of its interpretation will be decisive for the future of privacy, both in Europe and globally. Unfortunately, there are growing concerns that our privacy rights could change for the worse.

Data protection laws saved us from the worst…

For years it has been highly profitable to build giant databases of people’s personal information. These databases have been used for political manipulation, predicting your next purchases, building filter bubbles that keep you psychologically dependent on your social media or, simply, to store every detail of your life forever to accommodate future revenue streams. Individuals’ personal data has been spread across the world and effectively been sold to the highest bidding democracies, dictatorships and crime organisations.

Under the General Data Protection Regulation (GDPR), companies are required to clearly state what they intend to do with your data. Sharing your personal data requires your consent. Corporations can no longer secretly exploit your data for purposes you do not consent to. The legislation has been such a success that more than half the world is in the process of adopting similar requirements.

However, there is one significant exception to your data sovereignty.

… but a loophole could put privacy gains at risk

We are constantly connected and communicating. Our online identity is our second life. Everything about us, both online and offline, is communicated in real-time through communication networks. As we communicate, our every word is tracked. All this data is now in danger of being exploited.

For practical reasons, there is an exception where companies can collect your data for “legitimate interests”. Some amount of consent can be considered implicit in asking for the service and sharing your data. For example, if you make a purchase, a company will handle your payment information and may use it to make statistics on their monthly sales. This data might also need to be sent to their cloud provider, checked for errors etc. Arguing for legitimate interest is dependent on finding a reasonable balance in your rights and freedoms against the reasonable commercial interests of the company. So far, so good.

ePrivacy: from Directive to Regulation

Your communication data is not shared freely, but due to necessity, and with the specific expectation that your communication will be confidential. Since communication data is so sensitive and omnipresent, a separate legislation was created to give it stronger protection than the GDPR in itself. The ePrivacy Directive was introduced, with regulators intending for it to be turned into a uniformly applicable law (i.e., a “regulation”) at the same time as the GDPR.

However, the privacy intruders are now fighting back to defend their markets. They do not want to read your messages. Instead, they want to know who you talk to, track you through your daily life through mobile phone networks, and know which websites you read. They argue that it is their legitimate interest to store any such information they like about you, as long as they do not actively infringe on your freedoms by, for example, personalising your ads too much.

You will have a personal profile in thousands of apps, thousands of websites and your mobile phone operator has your history pinpointed from morning to evening. If it is just used for statistics, they claim, then it is perfectly legitimate to store this personal data forever without your consent. But what if someone leaks your data?

Infinite storage = infinite security concerns

Experience shows that someone will eventually hack and sell your data to whoever is willing to pay for it. You cannot stop it. Databases with your information are all perfectly “legitimate”.

Surprisingly, the current draft proposal of the ePrivacy Regulation supports the “legitimate interest” interpretations. It abandons the explicit prohibitions of such databases that exist in the current ePrivacy Directive. Privacy is set to take a step back and this step might be larger than any gain from the GDPR.

A utopian alternative

One should not deny the usefulness and necessity of data in today’s society. Data allows us to study people, cities, societies, industries and commercial operations. It allows us to grow smarter. We would like to understand the purchasing habits of the average German, or the safety concerns of the average miner. Such data about general groups are all aggregated and is not considered personal. We can know everything about the average reader of this article and you can still stay perfectly anonymous while reading it.

Preventing such data collection anonymously is a technical challenge: How can we track the aggregate information about the behaviour of groups without tracking the individuals? How can we link, for example, the exposure to noise environments with worsening health without tracking many individuals for years and measuring their health? This problem is so central that it is mentioned in the ePrivacy recitals:

“To display the traffic movements in certain directions during a certain period of time, an identifier is necessary to link the positions of individuals at certain time intervals. This identifier would be missing if anonymous data were to be used and such movement could not be displayed.”

Well, necessity is the mother of innovation. Like with climate change, good regulations create surprisingly fast adaptation through market mechanisms. And so, after pioneering the GDPR and the current ePrivacy Regulation, we have found mathematical solutions and can now track groups without knowing anything about the individuals. In other words, we can measure traffic using nothing but anonymous data. With these new tools, society can be both smart and anonymous without too many sacrifices to either interest.

At a crossroads

The path ahead consists of the final formulation of the new ePrivacy Regulation and, equally important, the interpretation of the legislative text through guidelines and rulings. The legislation leaves ample room for data protection authorities to establish the precise balancing your freedom and rights against commercial interests. The legal precedence established in the next year or two will forever cement the direction of our future society.

Personal data is big money and we do not expect those who profit from your personal data to be perfectly understanding and the road to the anonymous utopia might be rough. The future needs your help in choosing the right data alternatives, voicing concerns, talking to your legislators and protect our collective privacy interests. We need to prevent the non-consensual bulk storage of personal metadata today. If not, the loss might last forever.

Read more about this issue or support our concern by consulting DIGITAL SME’s position paper on the e-Privacy Regulation Proposal. Let us know what you think about it, and join DIGITAL SME’s network here if you share our concerns!



Dr Leonard Johard

Dr Leonard Johard is the Co-founder of Indivd AB and Director of Brilliance Center B.V., a research institute dedicated to providing both startups and established market players with solutions in AI and privacy. He has a long career in researching and designing various algorithms for AI and cloud-based brain simulations in CERN openlab. In 2020 his system for anonymous facial recognition system designed for Indivd AB passed a requested prior consultation by the relevant supervisory authority under GDPR.

You can follow him via his LinkedIn.



This article was written by an expert from one of DIGITAL SME’s working groups. It is not a commercial initiative. As part of our effort to put digital SMEs at the heart of Europe’s digital transformation, we will post jointly developed articles like this one.
If you would like to propose a topic for another article, contact us at office@digitalsme.eu.


Contact Us