How is the EU’s ePrivacy Regulation, a companion law to GDPR, likely to impact the IoT industry? David Meyer reports.
The European Union’s ePrivacy Regulation, currently under development, is controversial for many reasons. A companion law to the incoming General Data Protection Regulation (GDPR), it will extend confidentiality rules for traditional telecommunications players to internet-based services such as Gmail and WhatsApp, and entrench “Do Not Track” anti-cookie preferences in law.
However, due to its scope, the regulation is also likely to have a major effect on the IoT industry. But as for how great of an effect, and what the implications will be, there still remains considerable disagreement.
For the doomsayer side of the argument, look no further than a study released on Thursday by Berlin-based lawyer Niko Härting, for Hunton & Williams’s Centre for Information Policy and Leadership. Härting argues that the ePrivacy Regulation (as proposed by the European Commission) would make life very difficult for anyone providing machine-to-machine [M2M] communications, wearables, connected cars and other IoT services.
Härting raises the example of the Fitbit Surge, a wearable fitness tracker. The regulation explicitly covers the data sent in machine-to-machine communications. However, it defines communications data as being either content such as, but not limited to, text, voice, videos, images, and sound, or metadata about that content.
The Fitbit sends raw data that isn’t text, voice, videos, images or sound, and certainly isn’t metadata about those types of content, but might or might not still be defined as “content”.
Read more: Connected healthcare may violate user privacy, warns Forbrukerradet
Protecting personal data
If it is communications content, then the ePrivacy Regulation would demand consent for its transmission. However, as it is also personal data (data that can be linked with an identifiable individual), it’s also covered by the GDPR, which allows other legal justifications for its transmission, such as the performance of a contract.
So is the Fitbit’s raw data communications content? Does its transmission require explicit consent, or is the contract between the user and Fitbit sufficient? The answers, according to Härting, are worryingly unclear.
“We would get rules that contradict what we have in GDPR, because the GDPR is not consent-oriented,” Härting told Internet of Business. In the GDPR, consent is one of six alternative options for how data processing can be lawful, he points out, “whereas the draft ePrivacy Regulation is totally focused on consent…”
“If this draft comes through, we [lawyers] will get a hell of a lot of new work, because all the processes that are now shaped in a way that are compliant with the GDPR have to be looked at again to see if they comply to ePrivacy. That is crazy,” he adds.
There are other concerns that IoT companies should bear in mind, too. The ePrivacy Regulation would effectively outlaw Wi-Fi and Bluetooth tracking, unless the operators of the tracking services display “prominent notices” at the edge of the covered areas – so no more traffic monitoring on the go, for example.
Again, the GDPR might allow this on the basis of “legitimate interest” that outweighs the interest of the data subjects, so again, there is a potential clash between the two pieces of legislation.
Practical issues
With connected cars, you get both the raw data and Wi-Fi/Bluetooth tracking issues – consider sensor-laden roads that can communicate with connected cars, or the iPhone safe-driving mode that uses connection to a car’s Bluetooth network to establish that the user is in their car. That could mean cars festooned with notices warning of their networks.
And then there’s the consent issue. “The development of any application that enables cars or components to communicate would be burdened with the necessity of creating processes that allow for consent on both ends,” Härting’s analysis reads.
“The transmission of signals from a car to a garage for maintenance purposes would require consent of the owner of the garage as well as the driver’s consent. Whenever there is a new driver, consent would need to be renewed.”
However, the regulation’s champions disagree that it will cause confusion. Jan Philipp Albrecht, the German Green MEP who was the lead rapporteur on the GDPR and is a shadow rapporteur on the ePrivacy Regulation, told Internet of Business that the new regulation’s definition of electronic communications “doesn’t cover everything”.
“There is clearly also the application of ‘electronic communications’ to situations where two machines are communicating with each other, but it has to be in the context of human-to-human communication, between two natural and legal persons,” Albrecht insisted. “M2M can be part of that interpersonal communication… That is to make sure there is no broken link [in people’s privacy protections].”
Read more: Amazon Echo murder case marks the death of privacy as we know it
Interpreting ePrivacy Regulation
Albrecht gives the example of automatic translation services. Without the ePrivacy Regulation’s protection, he says, there “would be a missing link of confidentiality of communication. That is why this whole definition is written in a technically neutral way…”
“Of course that means many other M2M processing activities, [involving] either personal data or non-personal data, is not covered by the ePrivacy Regulation. Personal data would then be only covered by the GDPR, and non-personal data would be covered by none of the privacy rules.”
“People have many misunderstandings and fears about this which may not be appropriate… It’s only data processed in the context of interpersonal communication,” Albrecht adds. “As long as it’s just the procedures between IoT services, you are not in the scope of the ePrivacy Regulation.”
Härting, however, strongly disagrees. “I would love to ask Jan where he finds anything of what he said in the text of the draft regulation.”
“If you search for M2M you will find the recital that clearly states that M2M communication comes into the scope of the regulation.”
Of course, all this refers to the Commission’s original proposal. This week, the European Parliament will vote on its own version of the text, as amended last week by its civil liberties, justice and home affairs (LIBE) committee. And only then will ‘trilogue’ negotiations begin between the Commission, the Parliament and the EU’s member states.
Read more: Privacy and IoT: innovative regulations needed to regulate innovation
The need for clarity
The amendments passed last week in committee don’t necessarily clear up the confusion that IoT services might face as a result of the new regulation, which is supposed to come into effect alongside the GDPR in May next year (although this timescale is looking increasingly unlikely for the slow-moving ePrivacy Regulation). Raw data still doesn’t fall easily into any definition, for example.
And, while an amendment limits the regulation’s applicability to M2M to cases where “the information can be related to the identifiable end-user receiving the information”, that still means consent will be required for many types of IoT. “Smart homes, wearables [and] connected cars will always ‘relate to end-users’,” said Härting.
Legislators dealing with the ePrivacy Regulation may be primarily concerned with issues around cookies, tracking and the modernization of EU law to cope with services like WhatsApp superseding SMS, for example, but there will almost certainly be serious consequences for the IoT industry. So it would be a good idea to pay attention not only this week, but over the coming months.