The EU’s digital chief has urged European governments to end their resistance to a new draft “cookie law” aimed at strengthening online privacy protection in the wake of the Facebook/Cambridge Analytica scandal.
Andrus Ansip told the Financial Times that it would be “dangerous” for member states to ignore public demand for the EU’s draft “ePrivacy” regulation — which would impose tougher consent and confidentiality rules on companies such as Google, WhatsApp and Facebook.
The ePrivacy regulation would update rules on online communication that date from 2009 and would give internet users extra privacy protection on top of the General Data Protection Regulation, Europe’s landmark data protection framework, which comes into force next month.
But progress on the draft regulation, which needs the agreement of EU governments and the European Parliament to come into effect, has been stalled for more than a year as member states have clashed over how businesses would comply with the rules and how they would fit with the GDPR.
“With Cambridge Analytica, more and more people understand that you cannot create a kind of Frankenstein. We are allowed to have control about our use of data,” said Mr Ansip, a vice-president of the European Commission and the commissioner for the Digital Single Market.
“There is a clear public demand for rules on the confidentiality of communication and to ignore it from politicians is pretty dangerous,” he added.
The commission has stepped up pressure on EU ministers to find a compromise.
“I really hope more and more member states come to the understanding that this is needed,” said Mr Ansip. “Our people have the right to say what someone can do and can’t do with their data.”
Mr Ansip said more than 90 per cent of EU citizens had backed the need for laws protecting confidential online communication.
Under the ePrivacy plans, websites will need to gain explicit consent from users when sending out marketing emails or carrying out third-party tracking via so-called cookies, a means of collection of information about the user. EU officials think this will provide a safeguard against data violations of the type revealed by Facebook and Cambridge Analytica last month.
The rules will also ensure online companies that offer communication services, such as WhatsApp or Facebook’s Messenger service, are subject to the same strict confidentiality rules as traditional telecoms operators.
Some EU governments are concerned that the commission’s plan will create more legal uncertainty for tech companies about which privacy rules they have to meet after the introduction of the GDPR.
Under the new rules, EU citizens can ask companies to delete personal information held on them and must consent to the processing of their personal data.
The ePrivacy rules specifically protect the confidentiality of “electronic communications data”, such as messaging, emails, and texts. They will also give users the chance to opt out of having their online activity tracked by third-party cookies — a key part of the business model of advertisers and online marketers, as well as the likes of Facebook and Google.
Fines for breaching the ePrivacy rules can reach up to 4 per cent of a company’s annual turnover or €20m — the same punishment as that attached to the GDPR.
One European diplomat said the ePrivacy regulation would in effect ban companies from mass data processing, which would hinder innovation.
Cecilia Bonefeld-Dahl, director-general of Digital Europe, which represents tech companies, said the ePrivacy rules risked undermining the privacy protections in the GDPR, rather than serving to enhance them.
“The GDPR is going to be super tough on businesses, it will set back growth and innovation, but it is the right thing to do. Why would you want to add more laws on top which will just add to confusion?” said Ms Bonefeld-Dahl.
Get alerts on Data protection when a new story is published