Trumping E-Privacy Legislation

For those of you who can drag yourselves away from the relentless coverage of the formal commencement of Brexit, it is worth noting that the US House of Representatives yesterday voted by a slim majority (215 to 205) to block legislation enacted under President Obama which was designed to give consumers more control over how internet service providers share their data. The legislation in question effectively made the sharing of data by internet service providers conditional on user consent. The order blocking the legislation will now be sent to President Trump for ratification, which will no doubt be swiftly forthcoming.

Republicans who led the drive to block this e-privacy legislation argued that it was wholly undesirable because it increased costs for service providers, stifled innovation and competition and was otherwise unfair because it did not apply uniformly to all service providers. Nancy Pelosi, Minority Leader of the House of Representatives, and staunch democrat, has apparently decried the move on the basis that it puts the profits of online service providers before the privacy rights of consumers.

What is so interesting about this development – apart from the fact that it marks yet another staging post in the Trump administration’s attempt to dismantle the legislative infrastructure left behind by his predecessor – is that, just as America lurches away from a privacy-centred approach to online data processing, so we see the EU’s embrace of the privacy principle becoming ever more passionate. Thus, not only do we now have to contend with the more expansive approach to the protection of online privacy rights embodied in the EU General Data Protection Regulation (due to take effect across Europe in May 2018), but in addition we also have seen the EU Commission recently proposing wide-ranging, pro-privacy changes to existing EU e-privacy legislation (see further the new draft regulation proposed by the EU Commission in January 2017). In a regime designed to complement and particularise the already heavily consent-oriented GDPR, the EU Commission proposals effectively make user consent central to the operation of the e-privacy regime (see Articles 6, 8 9, 10 and 16). Notably, the proposals also envisage that the new regulation will apply to all end-users ‘in the EU’ (whatever that means), irrespective of whether the relevant internet service is provided from California, New York or anywhere else in the world (see recital (9) and Article 3 of the proposed regulation).

Where this all takes us to is a world in which, in terms of the protection of online privacy rights, users are firmly separated into winners and losers based exclusively on their geographical location. Of course, in one sense ‘twas ever thus: privacy rights have never held the currency in the US that they hold within the EU; and we have seen this principle writ large not least in the application of the EU right to be forgotten. However, there is nonetheless a serious issue as to the palatability of having a highly stratified approach to privacy protection when the situation is judged from the perspective of the consumer. As a consumer of internet services, operating within the global online environment, why should I have to accept a highly privacy invasive regime merely because I live in New York or Los Angeles, as opposed to Berlin or Paris? Why should internet service providers be permitted to treat me as a second class citizen within an online world which is by its very nature supra-national?

Beyond these questions, and coming back (as you knew I would) to the issue of Brexit, there remains the important question of what approach to e-privacy the UK Government will adopt in the aftermath of our exit from the EU. Will we remain true to European ways and endorse a pro-privacy approach or will we see a subtle or indeed not so subtle move towards an increasingly deregulated approach to data processing by online service providers? All I can say is: “watch this space”.

Anya Proops QC