An Article by Dr. Claus-Dieter Ulmer, Group Data Privacy Officer, Deutsche Telekom
What good times we could have. The General Data Protection Regulation (GDPR) will give Europe harmonized data privacy, thus simplifying and speeding up company processes. That's what many people thought two years ago, when the GDPR was approved.
But if we're honest, we have to admit that many things have turned out quite differently. The efforts that companies had to invest in implementing the requirements of the GDPR – and still have to – are many times greater than originally assumed. And there are many other new provisions as well. The ePrivacy Regulation is another European law pending for the communications sector, but one that will also affect many companies that do not offer specific communications services. Aren't the legal framework and protection afforded by the GDPR enough already? Do we really need an ePrivacy Regulation, too? Is that useful harmonization? We really do need to ask ourselves: Is the metadata generated by communications – for example, the data indicating who placed a call and from where – really so much more critical than insurance or banking data, which is also processed electronically today and is already covered by the GDPR? The ePrivacy Regulation generally follows the train of thought of the former ePrivacy Directive. But the fact that the digital landscape has evolved dramatically over the last 20 years was obviously overlooked. Still, let's simply assume that a special regulation is needed, due to the heightened criticality of communications metadata. Even in this case, the question still remains as to why future business models – which could be extremely consumer-friendly – should be so significantly impeded by these unnecessary restrictions.
In its current version, the ePrivacy Regulation only allows the further processing of communication metadata, such as location data, in cases where the customer has actively consented or when the data is anonymized. This seems to be a reasonable solution at first glance. But how can it be harmonized with the current data models in our digital society, which depend on the analysis of large datasets on an individual basis? After all, experience shows that even when user-friendly business models are involved, not all users will consent to the further processing of their data, for a wide variety of reasons. As a consequence, analytics that depend on mass data might arrive at incorrect results because the dataset is not large enough. The problem with anonymized data is that it only helps us make statements about areas where large numbers of people congregate. By contrast, any analysis on an individual – even nameless – basis is ruled out. But these analyses might be needed for some new business models. That means we lack something "in between": the usability of pseudonymous data. Pseudonymous data records allow a high technical level of data privacy for individual users, while at the same time providing much more information for modern business models, since individual patterns of movement can also be analyzed.
Let me be clear on one thing, however: Even if pseudonymous data is used, that does not mean that companies can do whatever they want and customer data is only regarded as raw material. Of course the use of pseudonymous data also needs to be regulated closely. But I hope that pseudonymization as such will not be demonized. Because it makes data privacy compatible with digital business models. To ensure this, aside from potential regulation, the companies need to take corporate digital responsibility – in other words, they have to take a responsible approach to the possibilities of digitalization, to win and keep the trust of consumers when it comes to how their data is used.
After all, it is the consumers who will ultimately reap the benefits of the pseudonymized use of sufficiently large datasets, because it will make their everyday lives simpler. In traffic management, for example, pseudonymous analyses of location data can help route vehicles through cities depending on the specific, real-time environmental and traffic conditions. What's more, individual drivers can also find out where parking spaces are available, upon request. This is just one example of the many sensible uses for pseudonymized metadata. We have published other examples under www.telekom.com/privacy.
So what does Deutsche Telekom suggest? Along with the privacy officers of most other European telcos, by the way? The pseudonymous further processing of data should be included in the ePrivacy Regulation, as it already is in the GDPR. If data is pseudonymized and users are notified and have the possibility to object, there is no reason why data that has already been collected legally should not be processed further. Furthermore, the authorization to further process this data can be tied to additional technical requirements for the pseudonymization process, increasing the security level even further.
Data pseudonymization is just one example of how our legislative bodies have yet to grasp the big picture. To effectively regulate a digital world, however, it is essential that legislators understand its implications. Another example? Let's stick with the processing of location data. In the current version of the draft, the ePrivacy Regulation only covers location data from communications providers. Location data generated with GPS in apps has been left out. It makes you wonder why the criticality of this information is so different as to warrant this special handling of the communication providers. In contrast to map service providers such as Google, telecommunications providers cannot combine the user's location data with their other social data. The reason given for this differentiation is that users can deactivate the generation of GPS location data on their smartphones. But that's far too short-sighted. Flipping a switch on the smartphone display does not necessarily change the settings in the operating system. In other words, even if a user thinks they have deactivated the GPS function, there is no guarantee that it actually has been deactivated, as we've all learned from press reports in the past weeks. The legislators also argue that including GPS information in the ePrivacy Regulation would affect all app providers. Of course it would! The ePrivacy Regulation currently affects all communication providers, after all. In my opinion, the legislators have to figure out what actually needs to be regulated before they go about passing further regulation.
Overall, it is apparent that the legislators have focused too one-dimensionally on maintaining existing standards in the draft ePrivacy Regulation. Although they conducted a survey on regulatory needs in advance, not enough attention – if any – was paid to future-oriented scenarios. Solutions for Internet of Things applications cannot use the same approaches that were appropriate in the 1990s. Today's digital solutions are much more complex, going beyond individual companies and countries. It simply is not enough to adopt the harmonization and "level playing field" approach that has been taken in the GDPR. We can surely create a suitable legal framework to deal with the challenges of digitalization (think of the principles of purpose limitation and data economy, for example), but it is crucial that this framework considers the additional technical and organizational possibilities that we have today. What we have now is anything but a grand achievement. Given that the GDPR is already applicable, we should take as much time as necessary to systematically analyze and revise the ePrivacy Regulation again.