The European Commission plans to legislate for smartphones and apps to be designed with privacy in mind, according to a draft of a future ePrivacy Regulation leaked in December 2016.
Skype, WhatsApp and services like them could soon fall under the same European Union regulations as telephone calls and SMS text messages, a leaked legislative draft reveals.
Although Skype and WhatsApp can both be used to make voice calls and send text messages, they don’t fall under existing EU communications privacy legislation because they are data services that run over the top of an internet connection, rather than native functions of the network like phone calls and SMS.
But legislators want to bring such “over-the-top” services within the scope of rules protecting users’ privacy with their proposed Privacy and Electronic Communications Regulation, a draft of which was obtained by Politico on Monday. The regulation is intended to replace the 2002 ePrivacy Directive.
The new regulation calls for all electronic communications to be confidential. Processing or interfering with such communications without the end users’ consent, including by listening, tapping, storing, monitoring or other kinds of interception and surveillance, shall be prohibited, the draft regulation says.
The ePrivacy Directive was last updated in 2009, at the dawn of the smartphone app era, and much has changed for users of telecommunications services since.
For one thing, while mobile phone users still send billions of SMS text messages a day, usage of over-the-top messaging services overtook SMS years ago. By January 2015, WhatsApp said its messaging traffic alone exceeded that of SMS by 50 percent.
The draft regulation expands the definition of electronic communications to encompass new services delivered by apps rather than dedicated hardware.
Under the proposed rules, privacy is an option — but it’s one that must always be turned on by default, allowing users to opt out of it, rather than requiring them to opt in.
Article 10 of the leaked draft, titled “Privacy by design,” requires: “The settings of all the components of the terminal equipment placed on the market shall be configured to, by default, prevent third parties from storing information, processing information already stored in the terminal equipment and preventing the use by third parties of the equipment’s processing capabilities.”
Furthermore, it says, “Software placed on the market permitting electronic communications, including the retrieval and presentation of information on the Internet, shall be configured to by default prevent third parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipment.”
The draft regulation ought to put an end to spam, with its stipulation (in Article 16, Unsolicited communications) that, “The use of electronic communications services by natural or legal persons for the purposes of transmitting direct marketing communications is allowed only in respect of end-users who have given their prior consent.”
One of the more controversial provisions of the 2009 update to the ePrivacy laws was the requirement that websites targeting EU readers should request permission before setting cookies.
Under the new draft, that requirement will be softened in a number of ways. Sites can look at browser settings allowing or rejecting cookies and apply those without having to ask the user, while cookies essential to the operation of a site can be set without notice. The preamble to the regulation gives examples of essential uses, such as to remember language preferences, or to keep track of users’ input when filling in forms over several pages.
But there are some warning signs: “Cookies can also be a legitimate and useful tool, for example, in measuring web traffic to a site,” the draft’s preamble notes without further explanation. Most website visitors would not object to their visit being counted in this way by the site’s operator, which is already aware of it. The privacy issues arise when information about the visit is tracked by a third party, correlated with all the other sites visited by the same user, and then sold on to others.