Translated Article: E-Privacy Regulation allows retained Data and duplicate Keys
E-Privacy-Verordnung erlaubt Vorratsdaten und Nachschlüssel by Erich Moechel for fm4.ORF.at
The most important EU regulation for the protection of privacy contains a license for data processing of all kinds without the consent of the user and allows political parties to spread spam mail.
For four years the e-privacy regulation has been stuck in the EU Council of Ministers, but under the Portuguese presidency, it was possible to agree on a version for the first time. However, this version of the “Ordinance on the Respect of Privacy and the Protection of Personal Data” has been designed in such a way that Germany’s top data protection officer, Ulrich Kelber, sees “several red lines crossed at the same time”.
In addition to the reference to data retention, which was rejected by the EU Court of Justice for the third time in autumn, there is also a kind of obligation to monitor platforms. Furthermore, the sometimes unclear and contradictory text of this consumer and data protection regulation is practically littered with exceptions for data trading.
Lots of new recitals
In addition, the Council of Ministers has inflated the regulation with a whole series of new recitals (20a to 20aaaa, 21a ff), all of which contain options for circumventing the user’s consent. For example, recital 20aa states that “it should be possible (…) to process data from the user’s terminal device for purposes that are comparable to the purpose for which they were collected.” Recital 20a builds on this and fairly openly pursues the goal of obtaining general consent to all data processing with one click, just as is now happening with cookie walls.
With such a click, most users currently agree that their data will be forwarded to hundreds of retailers. The Council of Ministers apparently wants to prolong this, which is why “whitelisting” is proposed (20a). The user gives the providers of selected services a carte blanche for any further processing and forwarding of data. This is justified with the “omnipresence of tracking cookies and related technologies”, which would overload the user with requests for consent. This could “lead to a situation where requests for consent are no longer read because that undermines the protection offered by this mechanism”, it says in recital 20.
Recital 20a also offers a solution to this dilemma, and it is called “whitelisting”. The dilemma is solved simply by users voluntarily giving up their choice. Recital 20aaa then combines consent to cookies or similar identification methods with automatic consent to being tracked. Recital 20aaaa writes the common practice of circumventing the General Data Protection Regulation, which previously had no legal basis, into this regulation for data and consumer protection. This legitimizes the alternatives that are currently presented on every second cookie wall: “An offer that includes consent to any further cookies and an equivalent offer that does not contain consent to [the] processing for further purposes.” In practice, this means either consent to all cookies from third-party companies, including ubiquitous tracking, or the acceptance of a paid service.
That’s what data protection experts say
Data protection expert Pat Walshe has discovered a considerable number of further passages that fall even below the level of the e-privacy directive from 2001, which is still in force. While this directive in 15 (1) prescribes a legal basis for the processing of personal metadata in the service of “public security”, according to Walshe, this requirement is missing in the corresponding recital (17a) of this new Council version. The same applies to the new recital (32), which leaves the member states free to allow political parties to use spam emails to “promote their parties”, something that has been banned all over Europe up to now.
“In addition, some important guarantees for users, such as the right of objection and the data protection impact assessment, have been deleted,” said the top German data protection officer Ulrich Kelber in his assessment: “A recourse to the guarantees of the General Data Protection Regulation is also excluded. It stunned me how seriously the fundamental rights of European citizens are being interfered with.”