Cookie Conundrum

Now that the legislative juggernaut of the General Data Protection Regulation (GDPR) has reached its full, unstoppable momentum, attention in the EU has turned towards a makeover for its elder but slimmer sibling, the ePrivacy Directive (ePD), better known to most as the Cookie Law.

An update is necessary because the cookie law contains specific provisions for communications and online privacy that are now out of step with the broader rules in the GDPR.  There is a need for the two to become ‘harmonised’ in Euro-speak.

The public consultation on changes to the cookie law closed in the last few days, and two lobbying groups have gone public with their very different visions of what should happen to it.

The first is a coalition of industry bodies representing the tech giants and telcos. Their position is simple – the ePrivacy Directive should be scrapped. Their argument is that most of the provisions in the Directive are now covered by the GDPR, and those that aren’t could be better covered via other vehicles, like consumer protection laws.

On the other side of the argument you have the respected privacy advocacy group, EDRi. They want a replacement that is another directly applicable Regulation, harmonised with the GDPR but strengthening and broadening its application to provide more protections for consumers. Their argument is that modern digital communications channels make people more vulnerable to intrusions on the privacy of their conversations than ever before, and therefore stronger protections in law are very much needed.

They are not both going to get what they want, but the question is, who should?

Although the ePrivacy Directive grabs the headlines because of its cookie rules, its most important protections are those regulating telecommunications companies, to ensure that when you pick up your phone and call someone, neither the phone company nor anyone else is listening in. Most people would agree this right to privacy is fundamental to free speech and democracy.

The problem is that many people are not having conversations like that. They are using messaging and chat apps that go over the internet. These are known in the jargon as over-the-top (OTT) services, and the current protections do not apply to the businesses that run them (those tech giants mentioned earlier). This has made it much easier to roll out such services, and crucially allows the service providers to listen in (at least algorithmically) and exploit the knowledge this gives them, principally through targeted advertising. This listening in includes techniques like tracking you over the web with cookies. This is why the cookie rules are there, although their protections are weaker because they don’t prevent the listening in completely, only require that it be subject to individual consent.

This is why the industry lobbyists would like to get rid of the ePrivacy Directive, because they know it will give them greater freedom to extend the surveillance business model that has proved so profitable for the few.

However, given the mood in Europe, and especially without the more business-friendly British government to hold them back post-Brexit, it seems likely that the revision of the ePrivacy Directive will go the same way as the GDPR, strengthening the privacy rights and protections of individuals rather than risking undermining them.

The mood appears to be to extend the rules that now apply only to telecoms providers to internet services companies as well. In many ways, with the growth of end-to-end encryption in some communications apps, the market is moving in this direction already. It is also likely that the Directive will become a Regulation, to create a more level playing field across the different EU countries, which also supports the Digital Single Market initiative.