This year, 2021, is expected to be a pivotal one for data use in the EU, with several new initiatives that will increase access to data to help promote innovation, strengthen competitiveness and create a green and digitally efficient society. In order for all of this to become a reality, however, the ePrivacy proposal currently on the table must be improved, clarified and based on the General Data Protection Regulation (GDPR).
Servicification of manufacturing is an utmost important trend in the digital economy. Manufacturing companies are increasingly selling services. For example, in addition to selling mining machines, engineering group Sandvik also sells safety, thanks to connected products within the Internet of Things (IoT), which provide ongoing information about how the equipment is used and when it needs maintenance. The data and communication that is transferred to the manufacturer also provides valuable information for product development and innovation.
The ePrivacy proposal has been negotiated as part of various EU presidencies since 2017. However, to date no country has succeeded in uniting the Member States around this cumbersome and anti-competitive legislative proposal. The Swedish Trade Federation, Svensk Handel, has made serious efforts to explain the detrimental impact the proposals would have on the development of e-commerce. There are still concerns remaining over how the functionality and security of websites can be maintained.
The Council version that is currently on the table – which is its 13th iteration - worries every organisation and entity that understands how negatively this proposal could affect the next major technological leap - IoT products and connected vehicles. Both industrial and consumer IoT devices have the potential to provide enormous opportunities to innovate, optimise, upgrade and thereby extend the life of products. Yet such possibilities remain highly uncertain if current proposals go on to the trialogue discussions. In the proposal only security reasons are mentioned in the preambles, not innovation, nor data sharing.
The Portuguese Presidency’s efforts to improve the wording of the ePrivacy Regulation to align it more closely to the GDPR are highly commendable, but further alignment is needed. It is unreasonable to limit companies’ ability to handle data and content when no risk to end user privacy exists. In fact, many businesses already invest in privacy technology due to the GDPR and existing ePrivacy Directive. The flexibility that has been added by the Presidency is simultaneously taken away by far-reaching requirements for the conditions of using data. The Confederation of Swedish Enterprise considers that regulations for further processing of metadata (Article 6c) and terminal equipment data (Articles 8g1-g4) must allow for further processing in settings where the end user requests it to deliver a service that is expected.
The main legal basis in the proposal for the right to process electronic communication data and terminal equipment information is the consent of the end-user. The consent must be voluntary, specific and informed and it must constitute a clear indication of the data subject’s wishes, according to the European Data Protection Board, (EDPB) Guidelines 05/2020 on consent. The EDPB has paid particular attention to the problem of obtaining consent in connected vehicles, in accordance with the current ePrivacy Directive in Guidelines 1/2020 on the processing of personal data in connection with connected vehicles. The personal data controller must be careful to take into consideration the various methods of obtaining valid consent from various participants, such as car owners or car users. Such consent must be provided separately, for special purposes and cannot be ‘bundled’ within the agreement to buy or lease a new car. Consent must be as easy to revoke as it is to give.
A strong argument why consent as a legal basis for processing does not work in situations where several users use an IoT product or a connected vehicle is ”the low quality of consent” (see paragraph 49 of the EDPS guide). The business community has continuously highlighted the importance of including the legal basis called legitimate interest in the ePrivacy Regulation (cf. GDPR, Article 6.1.f).
The EU and the Member States frequently point out the need to take advantage of the potential of the digital economy. There is a clear will to make data sharing simpler and more straightforward in order to promote innovation and reinforce the EU’s competitiveness. The ePrivacy proposal should, therefore, enable the level of data processing set out in the proposed Digital Government Act and other initiatives under the Data Strategy. In addition, the ambition is for the EU to become a leader in AI use in business-to-business settings. If this is also to become a reality, any new legislation such as the proposed ePrivacy Regulation will probably have to enable data collection, data use and data sharing from IoT products, connected vehicles and associated apps.DataskyddEUDataDigitaliseringGDPR