ENCRYPTION AND PRIVACY: LA QUADRATURE DU NET WELCOMES THE OPINION OF THE EUROPEAN DATA PROTECTION SUPERVISOR
August 2016 by La Quadrature du Net
IN ITS OPINION ON THE DRAFT REVISION TO THE
EPRIVACY DIRECTIVE, PUBLISHED ON 25 JULY 2016, THE EDPS (EUROPEAN DATA
PROTECTION SUPERVISOR) TOOK A STAND FOR STRONGER REGULATION IN FAVOUR OF
PRIVACY. LA QUADRATURE DU NET APPROVES THE MAIN PROPOSITIONS OF THIS
OPINION AND ENCOURAGES EUROPEAN LEGISLATORS TO FOLLOW THEM.
While the European Supervisor’s opinion is only advisory, the European
Commission must submit to it all legal proposals that could have an impact
on data protection. The 25 July opinion is a preliminary version of the
EDPS’s position on the revision of the "Privacy" directive (2002/58/EC) in
which the Supervisor recommends a position which stands in stark contrast
with the current zeitgeist in favour of mass surveillance and bypassing the
tools used by European citizens to protect their privacy. (On this issue, you
may read La Quadrature’s answer to the consultation organised by the
European Commission, where we scope out what is at stake in this
directive.) In this light, it is interesting to analyse the opinion and make it
accessible to the greater public so it can be publicised and taken into
consideration by the European Commission.
Relying on Article 7 of the Charter of Fundamental Rights of the European
Union, the EDPS suggests a set of rules to enhance and extend the
protection of privacy beyond the processing of personal data, as defined in
the previous ePrivacy directive, which deals with electronic
communications, or in the recent regulation on data protection.
* Taking into account the fact that many modern communication tools are,
in the eyes of users, nothing but means to engage in private conversations,
the EDPS recommends a regulation that includes all these tools, without
distinction based on one technology or another. All communication, be it
based on an online game’s messaging system, a chat application, text
messages or VoIP, must, for the Supervisor, have the same level of
protection, even if the messages are exchanged by machines without their
users’ knowledge (which is the case with the IoT, Internet of Things, for
instance). This applies no matter what kind of network is used, as soon as it
is accessible to the public.
* Considering, furthermore, the undeniable fact that "metadata" is often
at least as revealing about one’s private life as the actual content exchanged,
the EDPS suggests that the future text gives them the same level of
For the EDPS, the future directive must therefore forbid any interception
and any mass surveillance, both of data and of metadata (or traffic data),
extended to all tools making possible exchanges of private nature, and up
to terminals enabling access to these services, which must be protected
against intrusions that allow interception.
* Regarding the protection of data, the Supervisor also wishes to give
users better control over the various tracking tools (cookies,
localisation, etc.), to the extent of allowing access to a site even if a
user explicitly refuses to let the site use their data for anything other than
local and non-intrusive processing, or otherwise at least imposing this rule
on certain services (those in a dominant position, financed by public
funds, …). For the EDPS, users must also be able to withdraw prior
consent, including via a general setting in their Web browser, by
installing a tool disabling tracking for instance.
* Lastly and in line with the G29 (the European data protection
authorities), the EDPS recommends that the new directive explicitly
authorises the use of end-to-end encryption for better protection of
electronic communications, and forbids operations of surveillance or
decryption of communications protected in this way. For the Supervisor, any
intermediaries should be forbidden from aiding or authorising _backdoors_
that would allow third parties to intercept encrypted communications.
Finally, the EDPS advises entrusting control of these new rules to the
national data protection agencies of each Member State and recommends that
the revision of the ePrivacy directive be done in the form of a Regulation,
which would allow for a quicker application in the Member States with a
level of protection better harmonised at the European level.
LA QUADRATURE DU NET WELCOMES THE POSITIVE POSITIONS OF THE EUROPEAN DATA
PROTECTION SUPERVISOR AND INVITES MEMBER STATES, THE EUROPEAN COMMISSION,
THE EUROPEAN PARLIAMENT AND THE NATIONAL DATA PROTECTION AUTHORITIES TO
TAKE THIS OPINION INTO ACCOUNT: IT PROTECTS USERS' PRIVACY AND DEMANDS
SECURITY FOR ELECTRONIC COMMUNICATION, ALIGNING WITH THE POSITIONS
FUNDAMENTAL RIGHTS DEFENSE GROUPS HAVE BEEN DEFENDING.
List of supporting organisations: