2.1.1. Strengthen ePrivacy Regulation in the EU

Short-term Measures

The basic step to tackle the dominance of platform monopolists is to regulate the use of personal data, strengthening user rights and empowering Data Protection Authorities to enforce these rights.

The General Data Protection Regulation (GDPR) and the upcoming ePrivacy Regulation are steps in the right direction but certainly not enough. The ePrivacy Regulation is supposed to protect the confidentiality of communications and personal data (such as location data, browsing data, device usage patterns, mobile app use, search queries etc.) in the electronic communication sector by complementing matters covered in a general way by the GDPR. The ePrivacy Regulation is meant to be the main framework to protect online communication. We must ensure that, in the final version, privacy, data protection and other fundamental rights are fully respected.

Strengthen data protection regulation in the following ways:

  • Higher level of Privacy Protection By Design and By Default instead of “Privacy By Option”. This explicitly includes the obligation for hardware and software providers to implement default settings that protect end users’ devices against any unauthorised access to — or storage of information on — their devices.
    • All types of location data should be given a high level of protection as they carry a high privacy risk. Technical solutions based on local computation in the end-user’s device should always be preferred over centralised tracking.
  • Strong requirements for meaningful user consent. The request for user consent should be as user-friendly as possible and only for permissions that are crucial to perform the main task(s) of a software/app/smart device. Forced consent mechanisms and “All-Or-Nothing”-Consent (e.g. cookie walls) should all be prohibited. Guidelines for meaningful consent should follow sectoral industry regulation where such regulation exists, or else be based on the specific activity for which consent is sought.
    • No “legitimate interest” exception to use communication data (email, voice mail, chat, videoconference, VoIP) without explicit user consent or a given emergency.
    • Protect users against third party tracking: ban the sale of data to third parties absent meaningful consent.
  • Data Protection Authorities under parliamentary control – like the European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB) – will be in charge of monitoring the application of the proposed regulations.
  • Restrict state-enabled corporate surveillance of the public, e.g. when private contractors perform sensitive and necessary public services such as census data collection and processing.