Online privacy, building trust in the digital age

Source: A. (Andrus) Ansip, published on Tuesday, September 5 2017.

One of the most pressing challenges in our Digital Single Market project (DSM) is to create an online environment that people can really trust.

Privacy and protection are fundamental in the digital world - and fundamental to the entire DSM.

You cannot have one without the other. That goes for individuals as much as for businesses.

It's very simple: without clear rules on privacy in electronic communication services - or e-privacy - there will be no trust. Without trust, people will not use digital services.

But in terms of legislation and rules, it is far from simple. And we urgently need to update the EU's existing rules, because so much has changed since they were last reviewed back in 2009.

Today, more and more people use internet-based services to send messages or to make calls: services such as Voice over IP, instant messaging apps and web-based e-mail services.

As they stand now, privacy rules only cover traditional communications services. We want to extend their scope so that they apply to all similar services - and to make sure that electronic communications remain confidential, regardless of the technology used.

Our proposed rules cover a good deal of ground. You can read more details here.

They cover confidentiality of non-personal data - trade and business secrets, for example. They act against annoying spam, banning unsolicited electronic communications by emails, SMS and automated calling machines.

They require software that allows internet access, such as browsers, to have settings available to give users more control of their personal information. This is already built into most software but is not always obviously accessible.

And we want to protect the integrity of devices: permission would be required from users before something can be stored in their device - like tracking cookies - or accessed, such as photos and contact details.

It all boils down to user consent. We know how important this is for people: in a recent Eurobarometer survey, 92% of those asked said they only wanted someone able to access personal information on their device with their permission.

Not surprisingly, our proposal has generated a wide range of views.

There are some who say it does not protect privacy enough. Others argue that it does not allow businesses enough flexibility.

However, all sides seem to agree that it is important to protect the confidentiality of communications as a fundamental right.

On that basis, my view is that our rules - as they are now - are not sufficient to defend this principle and that is why they need updating, if only to reflect new technological developments.

I am confident that we strike a right balance that takes everyone's interests into account. The main principles of e-privacy remain untouched; they are still valid.

Traditional telecoms operators will get more opportunities to monetise data, as will new communications services. At the same time, people who use any of these services retain the power to decide how their communications data is used and processed.

I know that some publishers are unhappy, particularly about browser settings.

They fear a situation developing where they may lose revenue due to difficulty in targeting advertisements for their users. However, our proposal would not make this impossible for publishers.

Contextual advertising is not affected - user consent is already required for storing tracking cookies.

Our e-privacy proposal is now being debated by EU governments and in the European Parliament. We will be working closely with the Parliament to strike the right balance.

One important thing to stress is the close link with the General Data Protection Regulation, or GDPR, which will fully apply from May 2018. So the clock is ticking.

This law will give people more control over their personal data and make it easier to access. But the GDPR only applies to processing of personal data of individuals. The proposed e-privacy rules, on the other hand, protect the confidentiality of electronic communications as such - regardless of whether personal data is being processed, or not.

This is important because data that is non-personal as such can contain clues that lead to a person. In addition, data produced purely by machine-to-machine interaction may contain sensitive business or financial data.

The basic question is this: why offer less protection for today's electronic exchanges than people's long-held right not to have their physical letters opened or tampered with?

These two pieces of legislation - e-privacy and GDPR - are complementary. Ideally, they should both come into force at the same time because this would make life vastly easier for both people and businesses.

If not, we risk a duplication of rules as well as diverging interpretations by national authorities: different sets of rules on data breaches, and different obligations for data controllers.

The right to online privacy is fundamental. This becomes ever more relevant as we build an increasingly digital economy and society. We cannot get the best out of the opportunities offered by digital tools and online networks if we do not trust them.

People want, and need, to know what happens with their personal data. They have to be able to choose and control that process, and this is what the revised e-privacy rules will allow them to do.

Business may now see this as a burden - but it is not; it is the basis for tomorrow's data-based business models. As I said at the start, trust is the basis of our online society.

Another blog soon.