ePrivacy – The new EU law that scares digital businesses

A proposal for new EU regulation on e-privacy has entered the final stage of its approval process. If it becomes law many SMEs fear that their business models will be at threat. Also known as the “cookie law”, the new piece of legislation intends to regulate how businesses handle users’ personal data that are collected through websites and apps. Making sure that everyone feels safe when sharing personal information using online services is positive not just for consumers but also for businesses.

Companies, including SMEs, will certainly benefit from higher consumer confidence. However, the regulatory framework needs to be well designed. Clumsy rules risk destroying the opportunities of the data driven digital economy, where European companies already lag behind the Silicon Valley champions. If the legislators do not strike the right balances, Europe’s SMEs and digital economy are at risk.

The brand new text of the e-privacy law raises 4 main concerns.

It is inconsistent with GDPR and depends solely on the users’ consent

The General Data Protection Regulation (GDPR), EU’s massive privacy law, will enter into force on the 25th of May 2018. While its provisions are very strict and will impose high fines to non-compliant companies, the law leaves space also for the treatment of personal data under certain conditions when there is a legitimate business interest.

The current ePrivacy proposal, if approved, would be additional and not entirely aligned with the GDPR. The only legal basis to process data will be the consent of the end-user, with only very narrow exceptions in cases where data processing is necessary for transmission or audience measurement carried out by the provider. A direct consequence is that collection of data from the devices will become more difficult for companies. It might actually affect users experience with digital services, such as apps, and worsen consumers’ satisfaction. Consider the following example: an infected smartphone starts sending malicious e-mails, network and service providers would normally detect such anomalous activity and, thus, interrupt the service, notify the user and prevent a cyber attach to propagate. Under the new law, this reaction will be possible only if the user has previously give consent to collection of certain data.

Another concern is that such rules would create disadvantaged conditions to European SMEs compared to their multinational tech rivals. The latter would still be able to test their products and collect necessary data from the users outside the EU, while for many SMEs it is much more difficult to enter non-EU markets with new products.

It disrupts business models based on the collection of third party cookies

While more and more developers in Europe and worldwide base their business model on advertising the ePrivacy Regulation proposal may disrupt such business cases. Currently, a significant number of online services is free of charge because it is funded by advertising. Users’ behaviour on websites and apps is tracked by either providers of such services or by third parties. Based on their usage data, consumers are targeted with personalised advertising. If the current ePrivacy suggestions remain unchanged and the tracking of consumers’ online behaviour becomes illegal, numerous providers of free online services or applications will have to re-think their business strategies or step-down from the market.

What is worrying in the ePrivacy proposal is that it forbids companies to withdraw the provision of (free) services to users who do not give their consent for third-party cookies. Under these conditions, it is hard to imagine how any company would be able to offer its apps or its services for free.

It gives too much control to the browser

Seeking to set the users free from giving their consent every time when using a new web, and to simplify requirements for the websites, the ePrivacy law wants browsers to collect users’ consent. Under the new regulation, browsers will ask users to set up their cookie preferences. Browsers should offer users easily visible and understandable options, such as ‘reject all cookies’, ‘accept all cookies’, or ‘accept some types of cookies’.

Although a solution should be found to endless consent requests that overwhelm users on any new website, many SMEs legitimately fear that giving too much control to browsers creates a competitive disadvantage. US companies, such as Google, Apple and Microsoft, own market dominant browsers Chrome (50% of the users), Safari (12%) and Explorer (8%). These companies already have huge amounts of data that are a great barrier to new comers and they are eager to increase their edge. Making such companies become the gatekeepers for all data driven online services does not seem a wise decision.

Providers of digital services, be it websites or apps, would be deprived from their right to directly inform consumers on what data is being collected, and what purposes it serves for. It is hard to imagine how a one stop shop solution at the browsers would leave consumers fully informed, while it would certainly prevent businesses from having a direct dialogue with their customers.

Machine-to-machine learning

New e-Privacy Regulation expands its scope to new forms of electronic communications that were not covered before. This ranges from apps that provide communication services (e.g. WhatsApp, Skype, etc.) to many Internet of Things related services. The latter includes machine-to-machine learning, which is considered problematic and rather unnecessary.

Processing and storing of machine-generated data without user consent will be prohibited. On the one hand, it impacts consumers because their consent will be required for every type of information that devices would like to collect. For example, one can try to consider a car: it collects information about the (un)fastened seat bells, route, car’s speed, the wear and tear on the components, road conditions, etc. All of it would need a dozen of consents from the user! Additional inconvenience would arise if another user would like to ride the same car, or the new passengers would enter. Theoretically, each of them should give a consent!

On the other hand, it could negatively affect business due to the legal uncertainty which it would create. For example, an industrial machine that is operated by a person would require the consent of that person to be able to collect and process usage data such as temperature, pressure, rotations per minute, etc. Machines cannot learn and improve if there is no data to learn from. If users disagree to give their consent, an entire concept of machine learning might be in jeopardy. This threatens any data driven innovation. Europe would be at disadvantage compared to other regions when it comes to discovery of new technologies.