To implement this, browser manufacturers could also be put under obligation: According to the draft, web browsers in the future should offer users the possibility to fundamentally regulate tracking. Is anybody allowed to read my cookie data? And if yes, are these only direct providers, or are they also third parties? Among other things, there’s controversy as to exactly how the default setting should look – i.e. whether the user has to become active themselves in order to protect their privacy. The GDPR at least assumes “Privacy by Default”: Data protection settings should be as strict as possible directly following installation, and then can only be weakened by the user afterwards. In general, tracking services should only be allowed without permission by the user if they serve a purely statistical purpose.
The World Wide Web Consortium (W3C) also took a critical look at privacy protection. The result was the do-not-track-HTTP-header, which many popular browsers already support. With this, users can set the preference in the browser that they don’t want any tracking. The HTTP header then forwards this information to the website. At the moment, though, website providers are not obligated to comply with this wish. This could be changed with the EU’s ePrivacy Regulation. It goes one step further, though, because according to the regulation, not only the browser but also all other technology for data transmission is supposed to be privy to the data protection.
The draft for ePrivacy also includes machine-to-machine communication. This is the EU’s response to the challenges of the Internet of Things. For these types of data transfer, the same should go for such instances where users are directly involved. The plan is that devices will only transfer personal data if the user has agreed to it. This could apply to GPS data for smartphones, for example. In general, it should apply that users must be informed about which data is being collected from them and for what purpose. Therefore, it shouldn’t be possible to hide an agreement in the T&Cs or link it to another service. For example, if user data needs to be transferred for online shopping – as it always does – this is allowed. It should not be allowed, though, to use this data for advertising purposes at the same time. For this, a new, specific agreement would be needed.
The ePrivacy Regulation shouldn’t be limited to the tapping of personal data by companies, though. Intervention on the state side should also be strongly regulated by ePrivacy. An end-to-end encryption should be obligatory: All data transmissions should be fully encrypted and not viewable by governments. The introduction of backdoors is also to be forbidden: Backdoors that the producer built to grant access for the government would be illegal.
ePrivacy shifts away from the internet when it comes to direct marketing: While nothing changes in the principle of email marketing, the regulation intends to more strongly regulate telephone marketing in particular. The proposal says that telephone calls for solicitation purposes should only be allowed if the caller reveals their telephone number or if they use an integrated code to indicate that it’s an advertising call.