Shutting down ePrivacy: lobby bandwagon targets Council

The battle against ePrivacy – that is, over the confidentiality of your online communications – is being waged fiercely by corporate lobbyists. The Facebook/ Cambridge Analytica revelations in the news should have provided a spur to EU institutions to prioritise the online data privacy of citizens, but the corporate lobby (including the publishing and digital advertising industries, social media such as Facebook, and telecommunications companies) is very actively opposing this. An experienced insider characterised the ePrivacy lobby battle that raged in the European Parliament as “one of the worst lobbying campaigns I have ever seen”, culminating in a couple of fractious votes in Autumn 2017. Focus has now shifted to the Council of the EU where the 28 members states are in the throes of agreeing a common position. Officials from the EU28’s permanent representations in Brussels report that they cannot recall a legislative proposal that has attracted so much lobbying – with corporate interests absolutely dominating. And some member states have proved all too happy to help the industry.

Either way, time is running out for ePrivacy in this electoral cycle with European elections due in May 2019, a fact which plays into the hands of corporate interests – and their member state allies – keen to stall progress and kick the whole dossier into the long grass.

What is ePrivacy?

“We’ve lost control of our personal data,” said inventor of the web Tim Berners-Lee last year. Every time you are online via a laptop, computer, or smartphone, you are under commercial surveillance. Your digital data including the content of your emails, the websites you browse, and the purchases you have made, together with metadata (data which includes to whom, when, and where your communications are sent, and which can reveal a lot about the user and recipient) is monitored and collected, including via tracking cookies and other mechanisms. This sensitive information is then sold on and used to target commercial advertising or political messaging at you, and can be used by governments too. EPrivacy is therefore about ensuring the confidentiality of your online communications. This can be done, for example, by banning interference in your communications (calls, chats, texts, Skype calls, or unlawful access to your devices and communications); by making sure that settings on new equipment, hardware, and software are designed and set at the highest privacy level ‘by default’; and that consumers who refuse to be tracked cannot be banned from visiting particular websites (tracking walls).

Public opinion backs such approaches: in the Commission’s consultation on ePrivacy, 81 per cent of individuals who responded demanded ‘privacy by default’ settings to be activated on all new IT equipment. According to a Eurobarometer survey, 89 per cent of its respondents agreed with that suggestion.

EPrivacy is related to, but separate from, the EU’s data protection rules, most recently the General Data Protection Regulation or GDPR which came into effect on 25 May 2018. The revised ePrivacy regulation is needed because communications data is very sensitive and reveals a lot about people’s lives and personalities and it therefore needs specific rules which not only cover data protection, but also privacy, confidentiality and security issues too.

Corporate lobby onslaught

Officials from among the EU28 permanent representations based in Brussels have reported a veritable lobby onslaught around the ePrivacy dossier, in interviews conducted on an unattributable basis with Corporate Europe Observatory in April-May 2018.

One official following the ePrivacy file said that “99 per cent of the lobbying” encountered on the file had been from industry, and the lobbyists that they had met were almost entirely opposed to the file as they consider it too far-reaching. Another said that after several years in Brussels, they could not recall a proposal that had attracted so much lobbying, and that of the 40 plus meetings held, almost all had been with industry. A third backed this assertion saying the lobbying was “huge” and that it was the highest that they had ever seen, despite previously handling lots of other similarly “difficult files”.

A fourth said that the breadth of the lobbying had been “staggering” and talked of lobby approaches from online fashion retailers, hotel booking websites, and even toy manufacturers, as well as with sectors more obviously associated with ePrivacy, such as telecommunications, advertisers and publishers. This official said that when time was available, they had held a couple of meetings a week with lobbyists, although the “hundreds of approaches” received meant that they could easily have held five a week. This official made clear that while lobby meetings might only be 40 minutes long, they can be useful, including when lobbyists offer “draft language” to amend proposals that “can speed up” the process.

A fifth member state official reported receiving three or four lobby contacts a week on ePrivacy from a “mix” of organisations, and confirmed that telecommunications providers, publishers, advertisers, as well as lobby firms had all been in touch.

So what industry interests are at stake and how are they lobbying the EU28?

1. Publishers and advertisers lead the charge

The publishers’ lobby (newspaper and magazine publishers) and the digital advertising lobby (those who sell on-line tracking-based advertising) have been some of the most active and vociferous of industry lobbies in the ePrivacy debate, often collaborating together. As print media circulations fall, on-line advertising has become increasingly important to publishers. Their shared business model of monetising people’s data to generate advertising revenue has long been criticised, but industry has failed to seriously engage with such concerns. The voluntary Do Not Track initiative, to give users the opportunity to opt out of tracking, has failed to become an advertising industry standard. Now the Commission’s ePrivacy regulation seeks to make it a default requirement that users must choose a privacy setting for all new software. As the German Federal Data Protection Commissioner Andrea Voßhoff has said: “The advertising industry has failed for years to implement voluntary measures such as the “do-not-track” setting in browsers effectively. Now [it] cannot complain if the legislature fixes this shortcoming.”

Nonetheless, they have been complaining – and bitterly. “It's the death of the press, it’s the death of all apps and free services online, it will be shutting down the internet, it is the end of the telcos, we will lose everything”, is how one MEP characterised the “over-exaggerated” complaints he had witnessed from anti-ePrivacy lobbyists.

The aggressive and even toxic language which characterised some of the lobbying directed at the European Parliament in the Summer and Autumn of 2017 led to the ePrivacy dossier being labelled “one of the worst lobby campaigns I have ever seen” by one Parliamentary insider. Inside and outside the Parliament, the ePrivacy debate was extremely fraught. For example Axel Voss MEP from the centre-right European People’s Party (EPP) likened his pro-privacy colleagues in the civil rights (LIBE) committee to “Iran’s religious watchdog” for their views.

Axel Voss' opinion piece appears in one of Germany’s most important newspapers, the Frankfurter Allgemeine Zeitung (FAZ)

Pro-industry MEPs demanded a further vote on ePrivacy, and VoteWatch Europe data indicated that right-wing and centre-right political groups (the EPP), European Conservatives and Reformists (ECR), Europe of Nations and Freedom (ENF), and members of the UK Independence Party, all voted in line with industry demands. But ultimately pro-privacy MEPs won the day and the Parliament finally agreed its position in October 2017.

Fleishman-Hillard’s “Like a bad movie” campaign A video campaign sought to scare MEPs into opposing tough ePrivacy regulation in the run up to key votes. A series of film-trailer style videos produced by Brussels lobby consultancy Fleishman-Hillard entitled “Like a bad movie” presented ePrivacy in apocalyptic terms, on behalf of its client EDAA (a coalition of industries in digital advertising). The trailers were targetted at Brussels bubble decision-makers through LinkedIn and Twitter. Fleishman-Hillard subsequently revealed the campaign was intended to present MEPs with the consumers’ angle on ePrivacy but “in a different light” – in other words, the industry perspective. And while as far as industry was concerned the vote was ultimately lost, Fleishman-Hillard said the Parliamentary majority “was smaller post-campaign than it would have been without the campaign, and … the client would agree”.

Now the debate is with the 28 EU member states (EU28) who make up the Council where lobbying is traditionally far more of a behind-the-scenes affair. One permanent representation official noticed that the advertising industry was now picking its battles more carefully while another confirmed that the advertisers remained a very active lobby. Certainly lobby groups are doing the rounds of the officials who sit on the Council’s Telecommunications and information society working party, reinforced by active industry campaigns in EU member states.

Last year, Corporate Europe Observatory reported that Germany was already mooting a possible dilution of the ePrivacy proposal when it came to consent and cookies. A position paper on ePrivacy drafted by the German Government dated August 2017 and circulated to member state delegations, stated that ePrivacy should not “preclude the development and use of legitimate business models; this notably applies to business models that ensure access to information that is influential on user’s opinion”.

A few months later this language had been adopted by the Estonian Council Presidency. Its summary of progress to ministers in December 2017 noted: “Delegations stressed the need to find a balance between ensuring proper privacy protection without undermining legitimate business models.” It is clear that Germany is both the target of significant corporate lobbying on ePrivacy, and sympathetic towards it.

The German Ministry of Economics and Technology commissioned an economic impact study of the EU’s proposed ePrivacy regulation, and specifically its expected effects on the advertising industry. Published in November 2017, it found that in Germany the total digital advertising budget is expected to reduce by about one third in the short term after the regulation comes in. (This was echoed by a later survey by the umbrella organisation of German magazine publishers VDZ, which reported that the majority of publishers and marketing professionals surveyed expected media to suffer losses of more than 30 per cent in digital advertising sales following new ePrivacy rules.)

But as the German digital civil rights platform Netzpolitik points out, the German Government's study was biased from the outset. The authors only asked the publishers, media, and advertising sectors for their views, all of whom have an interest in limiting ePrivacy (of course the same applies to the VDZ survey). The government study was also criticised by the German Data Protection Commissioner who “wished for a more balanced approach to a study on the impact of the ePrivacy Regulation” and said it lacked analysis of “new business models with privacy-friendly tracking of user behavior.”

The German media, publishing, and advertising industries stepped up the fear-mongering. Media industry outlet Horizont has repeatedly predicted calamity, hosting articles which hailed ePrivacy regulations as ‘the biggest possible evil’ and ‘The end of digital economy?’ amid other doom-laden headlines. Even this hyperbole was overshadowed by attendees at an advertisers’ conference who actually demonstrated against the ePrivacy proposal accompanied by an image of a nuclear mushroom cloud!

In April 2018, the President of the Federal Association of German Publishers (BDZV) urged German officials to take action: “It is now up to Berlin to set crystal clear signs in Brussels, and I'm sure that sensible data protection can then also become a real competitive advantage”. Meanwhile, the Vice-President of the German Federal Association of the Digital Economy (BVDW) warned that major sites such as Spiegel Online or Bild.de would be threatened and likened ePrivacy to a “civic coup”.

The French Government, known to be sympathetic to industry concerns, has also been active, commissioning a report on the impact of ePrivacy which garnered the support of industry. The trade associations GESTE (content editors and online services) and UFMD (direct and digital marketing) noted that the analysis is “in line with the position expressed by professionals in the sector”, although it was critiqued elsewhere.

France was one of many EU28 governments thought to have received an open letter in early March 2018 from 50 plus publishers and advertisers which re-hashed familiar arguments that ePrivacy would reinforce already dominant players in the data economy, threaten online advertising and other sectors, and “undermine the essential role of press and media in European democratic life”.

This was one of a number of pan-European industry lobby efforts to pile on the pressure. In December 2017 industry lobby groups representing publishers and advertisers, including communications agencies (EACA), magazine publishers (EMMA), newspaper publishers (ENPA), news media (NME) and advertisers (IAB Europe) produced a set of draft amendments to an Estonian Presidency proposal, looking to weaken further the provisions for consent including: allowing for users to be banned from sites if they refuse to accept tracking (tracking walls); changing the emphasis from explicit to implicitly-given consent; and extending the collection of certain kinds of data without consent. The lobby groups demanded the full deletion of Article 10 on privacy settings.

Another industry body, the Federation of European Direct and Interactive Marketing (Fedma), similarly produced its wish-list of demands although it seemed content with the Presidency’s proposal to downgrade the essence of Article 10, without actually deleting it. Its April 2018 event in the European Parliament hosted by Axel Voss MEP (a well-known advocate of industry positions on privacy) kept Fedma’s concerns alive and prominent within the Brussels bubble.

What impact has all this public activity and behind-the-scenes lobbying had? The latest Bulgarian Presidency paper (May 2018) proposed concrete language on privacy settings (Article 10) which was substantially weaker than that in either the Parliament or Commission’s position. Instead of a requirement to decide about privacy settings when installing new software, users would only be reminded of the availability of such options. This is in line with Fedma’s demand; of course, the other coalition of advertisers and publishers would rather that particular Article was deleted entirely! Other problematic elements in the May 2018 paper included the possibility to lose access to a site if a user refuses to accept a tracking cookie (ie. by creating a tracking wall), which is another industry demand.

2. Facebook, Google, and other platforms – winners or losers from ePrivacy?

Council deliberations on ePrivacy have been taking place in the midst of the furore about Facebook, Cambridge Analytica and growing public concerns about on-line privacy. Citizens are starting to realise that while services provided by companies such as Facebook, Twitter, Google etc appear to be free, it is at the expense of users’ privacy. These (highly successful) business models are based on off-the-radar transactions which sell on your data. As the adage goes, “If a service is free, the product is you.”

Several permanent representation officials have reported to Corporate Europe Observatory that the recent scandal had given the dossier some energy and momentum in recent times, after months of appearing to be stuck.

Of course, Facebook (which also includes Messenger, Instagram, and WhatsApp) and Google (which also includes YouTube and Gmail) have major skin in the game of ePrivacy. The existing ePrivacy rules pre-date the massive growth of such platforms and browsers and the rules don’t currently apply to them, which gives them and other so-called over-the-top (OTT) providers a competitive advantage. A key demand of the telecommunications industry (see below) therefore has been to ensure that the OTTs are brought within the remit of the new ePrivacy rules. Meanwhile Facebook and Google make their money from online advertising and they have a real parallel interest in seeing the rejection of the new ePrivacy rules, or for them to be as weak as possible.

Conversely, a common refrain of the publishers and advertisers has been that ePrivacy rules should be rejected, on the grounds that they would give too much power to browsers such as Google or platforms such as Facebook which would be required to host broad consents under the new rules, enabling them to maintain their market dominance in online advertising. Such concerns are typified by Matthias Döpfner, President of the Federal Association of German Publishers (BDZV), and head of the country’s biggest publisher, Axel Springer, who has accused politicians in Brussels of creating an “anti-European law” saying it would place far too much power with the US “robber barons” - Facebook, Google, and Apple.

Even politicians are now repeating this line. Dorothee Bär was recently appointed Germany’s State Minister for digital affairs under the new Merkel Government. “We need a system of rules that offers opportunities to our businesses and doesn’t destroy them.… But if only Google and Facebook profit from the e-privacy regulation – which is well-intended but poorly-made – then this is just wrong”, she recently told German media.

Considering Facebook and Google’s unpopularity, this could be a persuasive argument for decision-makers, but is it true? As one permanent representation official said in an interview, Facebook is not lobbying for ePrivacy, so we should be sceptical about the claims that it would hugely benefit. Meanwhile a law firm which has looked at the consequences of ePrivacy for Facebook and Google has argued that: “The steps required by the current draft Regulation for Facebook and Google to obtain the requisite consent would require an overhaul of their current practices and would likely significantly curtail the scale at which they collect data.”

It seems clear that Facebook is actively opposing ePrivacy and articulating shared industry concerns about damage to its business model. Facebook has had at least four meetings with the high echelons of the Commission on ePrivacy, including two with Vice President Ansip, most recently in January 2018. It has met with some permanent representation officials and is active in the European Parliament, but for obvious reasons it appears to be keeping a low profile and relying on its membership of multiple trade associations to promote its interest of maintaining maximum ability to process users’ data with minimum restrictions.

In October 2017, in a document prepared for the incoming Bulgarian Council Presidency which it presented in Sofia, the Computer and Communications Industry Association (CCIA) whose membership includes Facebook and Google expressed concerns about the loss of revenue for publishers. It also co-funded a study with Google which found that venture capital investments into online news, online advertising, and cloud computing increased at a slower pace in the EU than in the US after the passage of the previous 2002 ePrivacy directive. Another of Facebook and Google’s trade associations European Digital Media Association (EdiMA) is also active on ePrivacy, producing briefings to analyse both the October 2017 Estonian presidency proposal and what constitutes “legitimate interest” when processing data.

Clearly Facebook and others should be brought into the remit of ePrivacy rules to protect the content of messages sent via these platforms and so that they too should be forced to obtain data-processing consents from their users for targetted advertising and tracking, making the rules far more water-tight and creating a level playing field with other sectors.

While there are genuine concerns about the “Google/Facebook online tracking duopoly”, surely their market dominance should be tackled through competition and anti-trust regulations, rather than privacy ones.

3. Telco industry, influential players

The telcos (telecommunications companies) have been among the most active lobbyists on ePrivacy. As set out above, while telcos are already subject to the current ePrivacy rules, newer platforms (over-the-top providers) which enable users to communicate online such as Facebook’s Messenger and WhatsApp platforms, and Skype are not. Telcos, already unhappy about the existing ePrivacy rules they must adhere to, would like them to be scrapped. Failing that they at least want to level the playing field, firstly so that newer OTT providers have to follow the same rules; and secondly, so that telcos can carry out processing of metadata (data which includes to whom, when, and where communications are sent) on a par with others (Article 6).

The European Telecommunications Network Operators' Association (ETNO) represents the established network operators such as Telefónica (Spain), Orange (France), Deutsche Telekom (Germany), and Proximus (Belgium). In the run up to the December 2017 meeting of EU28 telecom ministers, ETNO stated that “Overly restrictive measures on ePrivacy would not add meaningful protection of individuals, but they would hamper the telcos ability to deliver increased consumer choice, by entering the digital service space with new offers.” It has also produced an open joint letter with UNI Europa, its social partner; and a public statement in the name of big telcos’ data protection officers.

ETNO has additionally joined up with its fellow telco trade association GSMA (which represents mobile operators) to produce a booklet of case studies on how ePrivacy will impact the industry, and what EU law-makers should do about it. It says: “The additional obligations imposed by the ePrivacy regulation will negatively impact the ability of some sectors to participate in the data-driven economy, particularly vis-à-vis other digital players only regulated under the GDPR [the EU’s new data protection rules]”. This is code for ‘if you won’t scrap ePrivacy altogether, make sure it does not make any new demands on us’.

Major telcos, especially those which own and operate their networks, have a tradition of being close to national ministries and several permanent representation officials interviewed confirmed this. This applies particularly to those that were formerly state-owned and where a culture of ‘revolving doors’ has developed (Telefónica, Spain), or where an element of government ownership has been retained, such as Deutsche Telekom (Germany) and Orange (France). As ALTER-EU recently revealed, it was striking how many telcos (alongside their trade association friends) attended European Commissioner Oettinger’s ‘mini-Davos’ event in April 2018, rubbing shoulders with EU and national level decision-makers.

Telco positions are also supported by BusinessEurope, the EU’s most active lobby group, which lost no time in denigrating the Parliament’s pro-privacy position in Autumn 2017 and tried to flatter the Council to take the opposite approach saying, “we look towards the Council to champion a balanced framework that upholds better regulation principles and ensures that businesses and users have full economic and societal benefits from innovative data processing”. BusinessEurope parrots many specific sectors’ demands, including deleting Article 10 on privacy by design, full alignment with GDPR, and that maximum metadata processing should be allowed, among others.

An observer tracking the ePrivacy dossier has told Corporate Europe Observatory that there is a coalition of countries (led by Spain) that is pushing the telco agenda hard. That is plausible; the Spanish Government is not shy of articulating the demands of its biggest provider Telefónica. ETNO’s working group on data protection which covers ePrivacy issues is Cristina Vela Marimon of Telefónica.

A source has told Corporate Europe Observatory that the German Government is also open to the telco agenda, namely that service providers (telcos and OTTs) should be allowed to use communications metadata (especially location data) on a pseudonymous basis and without consent, via Article 6.

Such calls appear to have been listened to. The Bulgarian Presidency proposal of 13 April 2018 stated that: “The Presidency has noted the interest of some delegations to further develop the permitted processing of electronic communications metadata. With this in mind, the Presidency has introduced two main changes in Article 6… to allow processing for purposes of network management and optimisation… [and] added a new basis for processing for the purpose of statistical counting.” The May 2018 proposal refined these further.

4. Others

Many other types of corporate organisations perceive a risk to their current ways of doing business from the new ePrivacy rules. As a permanent representation official told Corporate Europe Observatory, the breadth of the lobbying has been “staggering” and has included many sectors. This includes those involved in the so-called ‘Internet of Things’, where everyday appliances connect with each other and exchange data, causing serious surveillance concerns. This is a digital growth area which would be brought under ePrivacy rules for the first time.

In France, the trade association TECH IN France which represents software publishers and internet service providers, published a study that looks at the risks for “agritech, connected cars, smart retail”. Its members include Uber, Apple, Microsoft, and 400 others and the report makes proposals for the Bulgarian EU Presidency and “calls on France to take a stand for a regulation… which protects individuals without hindering the development of services digital and the transformation of our industry”.

One of Brussels’ highest-spending lobbyists Microsoft has also been active in its own right on ePrivacy. Reportedly, in 2017, Microsoft contacted some Brussels-based disability rights organisations indicating that accessibility for people with disabilities would be compromised because of ePrivacy. They were told that under the new rules for example, users would need to give consent to Microsoft’s Skype programme if they used speech-to-text software, thereby effectively obliging them to disclose their disability. However, MEPs spotted this issue and proposed a simple amendment to deal with it. After having checked this ‘potential problem’ with accessibility and privacy experts, disability organisations have not seen the need to be concerned about ePrivacy.

5. Support for ePrivacy

Permanent representation officials spoken to noted that only a handful of meetings had been held with NGOs who supported ePrivacy, with one saying that there needed to be more “balance”. It seems clear that those who have been supportive of ePrivacy have been out-resourced and out-gunned.

Nonetheless they have sought to make their voice heard. In addition to the one or two pro-ePrivacy industry voices discussed above, in March 2018 various NGOs from across Europe signed an open letter to telecoms ministers and officials in the Council’s Telecommunications working party. Signatories included EDRi, Access Now, and Max Schrems whose landmark privacy case against Facebook led to the abandonment of the Safe Harbour data deal between the EU and US.

The European Data Protection Supervisor has also presented a clear pro-privacy position. In response to the telco demand to allow further processing of metadata, the EDPS says: “there should be no possibility under the ePrivacy Regulation to process metadata under the legitimate interest ground”. On matters of consent and tracking, the EDPS argues against tracking walls (where consent is a condition to access or use a website), and argues for a strengthened Article 10 on privacy, supporting “privacy protective settings by default”.

Conclusion

“Member states are putting their foot on the brake and basically just acting on behalf of industry”, Birgit Sippel MEP, the European Parliament rapporteur on ePrivacy has said. The evidence presented here backs this assertion.

Corporate interests are using their significant resources to run major lobby operations in both Brussels and in key member states like Germany and France, leveraging support from among the EU28 via lobby meetings or through longer-lasting connections. In too many important areas of ePrivacy - processing of metadata, privacy by design, consent, and tracking walls – the emerging Council position appears to be close to industry’s demands. Last week GESTE (the French association of content editors) said: "There is progress under the Bulgarian presidency, we feel we are heard", although it added that "it's not enough."

Such a pro-industry Council position will set-up a major clash between the institutions when it comes to the trilogue process. After all, MEPs are talking about the end of the current business model – which is based on abusing private data – used by advertisers and publishers. As Sippel has said: “We have to put the user into the very heart of the lawmaking process…. We need privacy by design and default.… What we are aiming at is to abolish surveillance-driven advertising”. Others agree and Jan-Philipp Albrecht MEP, rapporteur on the last data protection regulation said: “I think the e-privacy regulation will maybe support the media industry in getting there”.

Even the Commission appears to have concerns about the Council’s decision-making. Commission Vice-President Andrus Ansip has said it would be “dangerous” for member state governments to ignore public demands for more privacy protection and has called upon “more and more member states [to] come to the understanding that this is needed”.

Corporate interests are still hoping that the ePrivacy file will run out of time and be pushed off the political agenda, at least for a few months, by the European Parliamentary elections in May 2019. Just last week (31 May), 50 plus trade bodies wrote an open letter saying "Member State discussions on [ePrivacy] should not be rushed and trialogue negotiations should not commence until a robust, balanced and comprehensive General Approach is obtained." Recognising its best institutional ally, industry said: "We stand ready to support the Council in its efforts to produce a more coherent outcome for the final Regulation."

With public concern about personal data security at an all-time high, member state governments must get their priorities straight with a clear preference for citizens’ privacy over the profit-driven demands of industry.