European Union regulators aren’t shy about their plans to transform the global data-privacy landscape so that it aligns with continental values. And as Europe returns from its August hiatus, those same regulators are set to resume debate on a new privacy rule viewed with trepidation by tech companies on both sides of the Atlantic.
It’s called the ePrivacy Regulation, and it’s ostensibly an attempt to update and give real teeth to a 2002 directive governing the confidentiality of electronic communications. But coming so soon after the General Data Protection Regulation—the sweeping overhaul of the EU’s data-privacy regime that went into effect in May—many in the tech industry view it as a one-two punch that could upend established business models, inadvertently frustrate consumers, and stifle innovation in both Europe and the United States.
“We would certainly like to see how GDPR settles before you try and lock down the text of ePrivacy,” said Bruce Gustafson, the chief executive of the Application Developers Alliance. “It doesn’t make much sense—we’re already wrestling with one set of sort of vague rules; developers are trying to figure out what the heck this means and what we need to do.”
App developers aren’t alone in their trepidation. The current ePrivacy texts place new, entirely consent-based restrictions on the processing of nearly all data sent or received by consumers, regardless of the type of technology or the company involved. It’s a sharp contrast to the GDPR, which has several frameworks other than user consent through which companies can process data. And it’s causing telecommunication companies, software developers, and Silicon Valley stalwarts to all sound the alarm.
“The problem with ePrivacy is that it’s binary—consent or nothing else,” said Alexander Whalen, the European director of policy at the Software Alliance. “There’s no other legal basis allowed for processing.”
While it’s not yet clear if the regulation will have the same extraterritorial reach as the GDPR, ePrivacy is still expected to have a significant impact on the U.S. tech industry.
“If [companies] are going to roll out any sort of update to their privacy policies or the way they go about designing their software, they’re likely going to do that on a global scale,” Whalen said. And given the presence of top U.S. firms throughout Europe and the size of the marketplace, it’s unlikely that Silicon Valley would abandon Europe even with the new constraints.
When coupled with GDPR, industry representatives view ePrivacy as yet another reason for Capitol Hill to take up the thorny issue of data privacy rather than ceding that ground to the EU.
“We need to try to figure out how to deal with privacy in the U.S.,” Gustafson said. “Because if we don’t, we’re going to be operating under a European regime, which in a lot of ways is inconsistent with what the Constitution would provide here.”
Most industry representatives say members of the European Council are largely sympathetic to their concerns. But after Cambridge Analytica and a host of other scandals drove data privacy to the top of many Europeans’ minds, they say the Council is under tremendous stress from the public to look tough.
“There’s a lot of pressure for the Council to still look at this, and they don’t want to be perceived as caving in to industry too much,” said Alberto di Felice, the senior manager for infrastructure privacy and security at Digital Europe, a group that includes Amazon, Google, and other major U.S. tech firms.
That pressure is also being felt by the European Parliament, which together with EU member states is expected to come to a final agreement on ePrivacy before next spring's European elections. Privacy advocates are hoping to force an agreement on the strict version of the text before then.
“We have been mobilizing people in the past to push the Parliament to get there as soon as possible,” said Diego Naranjo, a senior adviser to European Digital Rights. “In light of the next elections in spring next year, we have quite a lot of possibilities to make this mobilization happen and be effective.”
The new rules are an attempt to extend that cookie protection to any electronically transmitted user data. But industry representatives warn of a cascade of unintended consequences from imposing a strict consent-based model on the myriad new types of communicable data that have arisen over the past 16 years.
Telecommunication firms worry about the emphasis on consent for each and every data transfer, arguing that it will annoy and overwhelm consumers and make products that constantly transfer data, such as connected cars or industrial equipment, more difficult to operate effectively.
“If nothing else, you have a consent-fatigue situation, where consumers are being asked to consent to processing that they would probably expect to be happening,” said Jade Nester, the director of consumer policy at GSMA, a European telecom association.
Business-software developers fret about the impact on automatic updates and the development of artificial intelligence. Requiring users to consent to each update and every transfer of pseudonymised data, they say, could slow the adoption of crucial cybersecurity updates and prevent advances in machine learning.
Some privacy advocates accuse the tech industry of crying crocodile tears in order to continue surveilling their customers in violation of fundamental European privacy rights. While some firms dependent on data scraping or online tracking may need to adapt, Naranjo says innovation is unlikely to be negatively impacted because consumers will have greater confidence that their data is secure.
“It’s kind of amusing, because all of them who were radically opposing GDPR now say, ‘Hey, we have GDPR, we don’t need anything else,’” Naranjo said.