Daryl Cox of Pinsent Masons, the law firm behind Out-Law.com, said EU law makers are set to scrutinise the issue of metadata processing at a meeting on Tuesday at which proposed new EU laws on privacy and electronic communications – a draft e-Privacy Regulation – will be discussed.
In advance of that meeting, the Bulgarian presidency of the Council of Ministers has published a document (19-page / 415KB PDF) that has highlighted that there are different views across national governments in the EU on the rules that should apply to metadata processing.
Metadata, referred to in the draft e-Privacy Regulation as 'electronic communications metadata', is information that is connected to communications which does not include the content of those communications. Such information can include numbers called, websites visited, geographical location or the time and date a call was made, according to examples previously set out by the European Parliament.
The EU's highest court has previously determined that such metadata can be considered to be just as sensitive as the actual contents of communications because of insights that the data can offer into people's private lives.
MEPs previously endorsed plans to treat metadata as confidential information that should never be passed on to third parties. However, such a move would impose stricter conditions on the processing of metadata by those subject to the e-Privacy rules than would apply to other businesses under the terms of the EU's General Data Protection Regulation (GDPR).
The proposed e-Privacy reforms, however, cannot be introduced unless the Council of Ministers and European Parliament agree on the wording of the provisions. While the European Parliament has already adopted its negotiating position, the Council of Ministers has still to do so.
The Bulgarian presidency's document has set out a range of options for EU governments to consider which would loosen the rules around metadata processing for the companies subject to the e-Privacy framework.
The options put forward range significantly on what they would enable electronic communication service providers to do.
Under one option, they would be free to process the metadata for the purpose of improving the quality of their services, such as for "network management and optimisation". Under a more liberal option, permitted use of metadata could be linked to specific purposes where the purpose of the processing satisfies a public interest or end-user interest test.
A further loosening of provisions could allow telecoms operators to process specific types of metadata, such as location data, so long as businesses could show that "the purpose or purposes concerned could not be fulfilled by processing information that is made anonymous". Under this option, however, the data would have to be erased or anonymised within 24 hours of being collected, and the operators would only be able to share an anonymised version of the data with third parties. In addition, the information could not be used in end-user profiling.
The Bulgarian presidency has also suggested that the processing of metadata under the e-Privacy framework could be enabled where end-users are informed about the specific processing planned and "given the right to object to such processing", as would similarly apply under the GDPR.
The Bulgarian presidency, however, also suggested that "safeguards" should apply to metadata processing. The safeguards, it said, could include a requirement on businesses to encrypt or pseudonymise the information.
"The metadata issue is a continuation of a broader global debate over the regulation of telcos and over the top (OTT) service providers," Cox said. "At its core, the debate centres on heighted regulation faced by telcos who operate electronic communication networks when compared to OTT service providers, resulting in calls for a 'level playing field' between the two."
"In several cases, OTT service providers have functionally similar services to telcos and also have access to large swathes of consumer data. This includes valuable data such as GPS location which may escape the definition of metadata under the draft e-Privacy Regulation, whereas the functionally equivalent data generated by a mobile network could fall within the scope of the law," he said.
Cox said that the telcos are "concerned that this puts them at a disadvantage in the EU and reduces their ability to participate in the digital economy". He said they have asked for greater scope to use this data and "a fairer balance of regulation".
"This debate is playing out in several other forums, such as the formulation of the proposed new European Electronic Communications Code, and the Belgian regulator's question to the EU courts as to whether Skype’s 'SkypeOut' feature brings the service under regulation traditionally reserved for telecoms operators," he said.
In its January 2017 plans for a new e-Privacy Regulation, the European Commission proposed that the updated framework apply to both traditional telecoms operators and OTT service providers. However, telcos and the Article 29 Working Party – a committee of data protection authorities from across the EU – have voiced concerns over the wording of the draft e-Privacy Regulation and whether this intent is appropriately captured in the text of the Regulation, said Cox.
The final text of the new Regulation must be approved by both the Council of Ministers and the European Parliament before it can enter into EU law, and there is likely to be a transitional period after that point before the new rules take effect.
A coalition of telecoms industry bodies last year called on the revised e-Privacy framework to "be fully coherent with the overarching aim of increasing network investment, allowing more space for innovation, boosting the competitiveness of Europe’s vertical industries and creating further choice for European consumers".