Anyone surfing the internet leaves behind valuable traces for the digital economy. The latter has a great interest in skimming off data as unnoticed as possible - and being able to use it. The original aim of a 2017 draft Regulation of the Commission was to protect users’ privacy. However, discussions in the Council point in another direction. The latest AK Position Paper summarizes the state of play.
Consumers live in a densely networked environment. If you use electronic communications, you inevitably leave traces behind: the list of numbers called from your mobile phone, cookies in web browsers, access protocols on web servers or your user profile at your smart home service provider. Geodata from smartphones can even provide sensitive information: whether someone regularly goes to a hospital or visits a religious institution. Seemingly harmless sensor data reveal whether someone is at work, at home or driving their car at the time. The information allow for the creation of user and location profiles, or users are sorted in no less controversial pseudonymised and anonymised groups. This creates our digital alter egos, which permit – highly profitable - prognoses on future behaviour.
Commission Proposal becomes wish list of the Digital industry
The Commission’s draft Regulation, published in 2017, was to replace the e-Privacy Directive and to improve the protection of consumers’ privacy. However, the discussions in the Council point in another direction: actors from the digital industry, but also from science and research, will probably have even more opportunities to use metadata either directly or due to purchased anonymised data for an unlimited time without consumers’ consent. There is a danger that the exploitability of metadata will in future exceed levels seen until now (network security, fee billing, marketing of communications services or provision of services with added value, each with prior consent of the user). The obligation of browser developers to at least offer privacy setting options was even cancelled. Another gateway to data monitoring is the supposed fight against cases of fraud and abuse. However, this may also be easily claimed to skim off data. All this was part of the wish list of digital companies, for example browser developers, which willingly subordinate data protection to the growth of the digital industry.
Consumers worry about data protection
Digital rights are not only an important concern for consumer protectors such as the AK, but for all internet users. According to a Eurobarometer survey, 78 % of respondents thought that online providers have too much consumer data. 73 % always want to be asked for their explicit consent to allow the provider to use their data. However, it is understandable that many find it too difficult to independently safeguard their privacy: 40 % of Austrian respondents stated in a Eurobarometer survey that they were not able to change their browser settings due to a lack of digital skills.
Further weakening standards of protection is unacceptable
This is exactly the reason why from the AK’s point of view any further weakening of standards of protection is unacceptable. The so-called “offline tracking” via the smartphone in the trouser pocket, for example in a shop, which according to the new Regulation shall also be permitted, is particularly alarming. Shops may, unnoticed to the customer, identify her or him (via their smartphones and WLAN or Bluetooth connections) and follow their movements and length of stay – without needing to obtain the consent of those affected. The initial draft very aptly called the scanning of device-related information as “tracking service”. Hence, regarding the draft Regulation, the AK demands the obligatory requirement for users’ consent without exception for any skimming off data. A simple notice in the monitored area is not sufficient. Consent should also be obtained for statistical or scientific use because the usage of pseudonymised data (which, in fact, can be traced back to the individual) is an infringement of fundamental rights. The AK also insists on the strictest possible pre-settings of browsers as provided for in the GDPR, instead of burdening internet users, whose digital skills might differ, with the protection of their own privacy.