Striking the right ePrivacy balance to foster digital innovation

The mobile ecosystem is flourishing, providing a platform for innovation that is generating employment opportunities and spurring the creation of new services, writes Afke Schaart.

Afke Schaart is vice-president Europe for GSMA.

Data, and the effective use of data, offers huge opportunities for individuals and society, including better environmental management, more effective health outcomes and tailored goods and services for consumers. Indeed the European Commission forecasts that, by 2020, the European data economy may be valued at €739 billion – up from €285 billion in 2015 – if the right policies are put in place.

In this new data-driven world, the mobile industry is focused on building the trust and confidence of users and, in so doing, enabling data innovation that benefits citizens. However, this will hinge on the implementation of consistent and balanced rules for data privacy.

The proposed ePrivacy Regulation (ePR) will soon be put to vote in Parliament. This is a hugely significant piece of legislation which will impact the development of the data economy for decades to come. Now is the time to ensure that the Regulation, when adopted, does not stymie the mobile industry from playing its role in enabling future digital innovation and growth, while at the same time maintaining consumer trust and ensuring confidence in this burgeoning sector.

There are a number of areas where the proposed regulation could make a positive contribution, particularly in its commitment to ensuring the confidentiality of communications − critical to maintaining consumer trust.

What is concerning, however, are the proposals that risk limiting the basis through which electronic communication service providers can access and use consumer data. If adopted in its current form, not only will the proposed regulation inhibit mobile operators from providing optimised network and service quality, it could also stifle the development of innovative services that ultimately benefit individuals and society, now and in the future.

To ensure the new ePR strikes the right balance between protecting consumers and enabling digital innovation, it needs to allow for more flexible grounds for responsible data processing. This would enable a range of beneficial activities such as network planning and optimisation, product development and the provision of emergency services. This flexibility would also help to future-proof the Regulation, permitting service providers to develop innovative propositions by responsibly harnessing data from new sources, such as the Internet of Things, drones, smart appliances and other technological advances. Privacy risks should be mitigated through appropriate safeguards, such as transparency, impact assessments, privacy-by-design, oversight and fines.

In addition, if the ePR does not expand the legal bases for data processing, the regulation will force a heavy reliance on consent. There is a right place for consent, but the current proposals may require individuals to provide consent multiple times for similar activities. This risks leading to consent fatigue, weakening the very protection consent is intended to deliver.

Further processing of data for compatible purposes should be allowed and responsible processing techniques to protect consumer privacy (i.e. pseudonymisation – where the identifiable attribute is removed and stored separately) should be recognised in the regulation. This will enable operators to perform big data analytics which has a world of applications, many of which are hugely beneficial for the consumer.

Similarly, MEPs should not be too quick to reject the ‘legitimate interests’ ground for processing data. ‘Legitimate interests’ requires an organisation to balance its interests with those of the individual and to communicate this to them. For example, an operator offers enhanced services to a customer based on their usage measurements. According to legitimate interests, the operator should also be able to use these usage measurements to make smart network investments, provided it considers the interests of the customer carefully and communicates effectively with them. This is a far more effective tool to change and embed privacy culture within a company than merely collecting consent.

The rationale for the ePR is to protect the confidentiality of consumers’ communications. What has emerged, however, is a set of obligations that are inconsistent with the recently adopted General Data Protection Regulation. The GSMA would maintain that any rules that restrict the legitimate use of data should be qualified and proportional to the risk of privacy harm that consumers might suffer if their data is misused and should not discriminate based on industry sector or technology. Undue restrictions on responsible data use could deny citizens potential benefits of new communications services and technology.

The GSMA and its members call on MEPs and the Council to get the balance right, and to create an environment of trust and accountability. If not, the EU may be left behind.

To read the GSMA’s full position on the ePrivacy Regulation, please visit the GSMA Europe website here.