Brussels told to get a move on with ePrivacy overhaul

The lack of progress over the EU ePrivacy Regulation is leading to the continued abuse of consumers’ most sensitive data, and threatens to jeopardise Europe’s position as global standard bearer and digital champion gained through the adoption of GDPR.

That is the stark warning contained in a new open letter from Privacy International to EU leaders, and counter-signed by a raft of consumer rights groups, including AccessNow, Open Society European Policy Institute, European Digital Rights (EDRi), the European consumer organisation BEUC.

The Regulation is designed to replace the current 2002 Directive and was meant to be introduced concurrently with GDPR in May 2018. However, it has been subject to many delays, debates and EU institutional wrangling.

Last September, the DMA and Fedma expressed their concerns about the current draft, although the Finnish presidency appears to have made some progress.

But even when the text is finalised, there could be a two-year implementation period, meaning that if the Regulation is approved next year – which itself appears to be a tall order – it will not be enforceable until 2022.

The Privacy International letter claims that without urgent action, data protection abuses will continue unchecked.

The group cites its own investigation which revealed that popular websites about depression in France, Germany and the UK share user data with advertisers, data brokers and large tech companies, while some depression test websites leak answers and test results to third parties.

The letter adds: “A strong Regulation is necessary to tackle the problems created by the commercial surveillance business models. Those business models, which are built on tracking and cashing in on people’s most intimate moments, have taken over the Internet and create incentives to promote disinformation, manipulation and illegal content.

“The reform of the current Directive is essential to strengthen – not weaken – individuals’ fundamental rights to privacy and confidentiality of communications. It is necessary to make current rules fit for the digital age. In addition, a strong and clear ePrivacy Regulation would push Europe’s global leadership in the creation of a healthy digital environment, providing strong protections for citizens, their fundamental rights and our societal values.

“We urge you to finally reach an agreement to conclude the negotiations and deliver an upgraded and improved ePrivacy Regulation for individuals and businesses. We stand ready to support your work.”

Privacy International is no slouch when it comes to exposing what it claims are dodgy practices. In October last year, it filed complaints of “systematic infringements” of data protection law by seven firms it insists find it too easy to operate under the radar.

The group wants European data protection watchdogs to launch probes into Acxiom, Oracle, Critero, Quantcast, Tapad, Equifax and Experian which it claims exploit the data of millions of people without thorough examination, to assess whether their practices meet GDPR standards.

The complaints are based on more than 50 data subject access requests and the information the companies provide on their websites, with Privacy International arguing that the way these companies use data – especially for profiling – contravenes the regulation.

So far, only Quantcast is facing an official investigation.