EU Parliament committee endorses end-to-end encryption, companies are behind in preparing for new EU data rules, and U.S. net neutrality debate resurfaces

Corporate Accountability News Highlights is a regular series by Ranking Digital Rights that highlights key news related to tech companies, freedom of expression, and privacy issues around the world.

EU Parliament committee endorses end-to-end encryption

European Parliament, image via Wikipedia

A European Parliament committee is proposing that end-to-end encryption be mandatory for all electronic communications. The proposal calls for  amending the EU Charter of Fundamental Rights to include online privacy. It also includes a ban on encryption “backdoors” that give governments access to encrypted communications. “Member states shall not impose any obligations on electronic communications service providers that would result in the weakening of the security and encryption of their networks and services,” according to the proposal.

This is a stark contrast to recent discussions among officials in the UK, Germany, and Australia who say authorities should be able to access encrypted communications to stop terrorism. As highlighted in the 2017 Corporate Accountability Index, governments should not pass measures that undermine encryption. As the EU Parliament committee’s proposal asserts, “The protection of confidentiality of communications is also an essential condition for the respect of other related fundamental rights and freedoms, such as the protection of freedom of thought, conscience and religion, and freedom of expression and information.”

Companies not ready for new EU data protection rules

The Financial Times reports that European companies are unprepared for the EU’s new data protection regulations that come into force in less than a year. Many businesses are “dramatically underestimating” the impact of the General Data Protection Regulation (GDPR), according to the report, and appear to be behind schedule in making necessary changes, or are unaware of their obligations under the new rules. While the law is currently in effect, companies have until May 2018 to be compliant with the rules. The Irish Times also cited a survey showing that two-thirds of 150 businesses in Ireland “did not realize what they would have to do regarding the GDPR.”

Any company that handles personal data of EU citizens must comply with the GDPR. The rules cover a wide range of data protection issues, and include new requirements for handling personal data and reporting data breaches. Findings of the 2017 Corporate Accountability Index showed that most companies lacked transparency about how they handle user information, and only three of the 22 companies evaluated disclosed any information about their process for responding to data breaches.

Companies and rights groups to protest net neutrality rollback in the U.S.

Several companies, including Amazon, Netflix, and Reddit are joining with civil society advocates for an “internet-wide day of action to save net neutrality” to protest the Federal Communications Commission (FCC) plan to repeal the current net neutrality rules. In February 2015, the FCC classified internet service providers as “common carriers” under Title II of the Communications Act, protecting the principle of net neutrality—requiring carriers to treat all types of content and traffic equally. The measure was hailed by internet rights groups since it created strong protections for net neutrality, helping to ensure equal access to content and the free flow of information online.

In May 2017, the FCC voted to begin the process of repealing the 2015 net neutrality rules and the Title II classification for ISPs. On July 12, websites participating in the day of action will display a message about the importance of net neutrality and provide a prompt for users to submit a comment to the FCC and Congress in support of strong net neutrality protections.

While some telecommunications companies support net neutrality, our research shows they may lack transparency about their network management policies and practices. The Corporate Accountability Index evaluates if companies disclose whether they engage in practices that affect the flow of network traffic, like by prioritizing certain content or throttling traffic. We expect companies to avoid these types of practices unless for legitimate traffic management reasons, like to ensure the flow of traffic through their networks. If companies do engage in throttling, traffic shaping, or prioritization, we expect them to publicly disclose this and to explain their purpose for doing so. Of the ten telecommunications companies evaluated in the 2017 Index, Vodafone was the only company to clearly disclose a commitment to not prioritize, block, or delay certain types of traffic other than for assuring quality of service and reliability of the network.

Leave a Reply