Just as many thought they had EU data protection sorted, were accepting of the General Data Protection Regulation (GDPR) and making steady progress to GDPR compliance, a new EU regulation is underway and waiting in the wings to make its debut.
The draft EU ePrivacy Regulation, published on the 10 January 2017 by the European Commission, is to replace the current ePrivacy Directive (2002/58/EC) across the EU. It was planned for enforcement along with the GDPR on the 25 May 2018, however, was not ready in time and is now expected to come into force by the end of 2018 or possibly early 2019.
The regulation aims to enhance the security and confidentiality of communications, irrespective if it is a free or paid for service and covers traditional and modern forms of communication.
It is putting emphasis on the way providers of communication services handle data so that the data subjects’ privacy and rights are always protected.
A few things to know…
No longer a directive but a regulation
The directive is now a regulation (like the GDPR). This means the new ePrivacy Regulation will apply throughout the EU as soon as it comes into force. It is self-executing and will become legally binding throughout the EU immediately.
What is it
The ePrivacy Regulation updates the existing ePrivacy Directive, implemented in the UK as the Privacy and Electronic Communications Regulations 2011 and also known to many as the ‘cookie law’.
It forms part of the reform of the EU data protection framework along with the GDPR. The two regulations aim to complement each other. ePrivacy aligns with the GDPR to address advancements in technologies and enforce a common law for all EU countries, to do away with the diverse online privacy rules that currently exist.
Although previously referred to as the ‘cookie law’ it is important to understand that the new regulation applies to so much more than just cookie practices.
It covers all electronic communications and technologies that process data and unlike the GDPR that applies to the protection of personal data, the new ePrivacy Regulation applies to both personal and non-personal data.
When a data privacy issue is raised regarding electronic communications, the ePrivacy Regulation will take precedence over the GDPR.
So, businesses will need to comply with the GDPR as well as the new ePrivacy Regulation.
We comply with the GDPR already, so do we automatically comply with the new ePrivacy Regulation
Unfortunately, no. Though, if you are GDPR compliant it will put you in pole position for ePrivacy compliance.
Each regulation reflects a different part of the EU law. The GDPR is a general regulation that and relates to protecting personal information. The ePrivacy Regulation relates to a persons’ private life including confidentiality. The ePrivacy Regulation specifically governs all electronic communications to safeguard privacy and confidentiality of users.
Although the two regulations complement each other, ePrivacy makes it a requirement for the users’ privacy to be protected at all stages of online interaction.
The laws work together to ensure that users of the internet can control their data and there is responsibility on providers of communications (and websites) to handle user data in a manner that guarantees the safety of data and privacy of the user.
Who does it impact
The ePrivacy Regulation has the same territorial scope as the GDPR, so applies to everyone and any country (in and outside of the EU) that provisions electronic communication services to the EU.
Some industries will be affected more heavily than others. The regulation is likely to substantially affect online advertising, direct marketing, media and digital/tech services; however, the scope of the new regulation is much broader than before.
Industries, big and small, are becoming more reliant on digital and connected forms of communications. Healthcare, finance and manufacturing (for example) are working in this way more and more, among others. You might find the impact has a wider reach than expected.
It encompasses a broader scope of electronic communication services, all traditional telecommunication services (voice calls) as well as all online versions. Also, all types of emails, messaging services and group chats.
Additionally, it covers any data communicated by electronic devices: computers, smartphones, tablets, IoT- any connected electronic device.
So, any business providing such services to end users must comply.
The regulation focuses heavily on ‘the principle of confidentiality’
Electronic communications must be handled in a way that protects the users’ privacy and confidentiality…
“Confidentiality of electronic communications ensures that information exchanged between parties and the external elements of such communication, including when the information has been sent, from where to whom is not to be revealed to anyone other than to the parties involved in a communication.”
The principle of confidentiality should apply to current and future means of communication, including calls, internet access, instant messaging applications, e-mail, internet phone calls and personal messaging provided through social media”.
It covers non-personal data too
The GDPR’s focus is personal data, but the ePrivacy Regulation focuses more broadly on the confidentiality of communications and this means that it covers non-personal data in addition to personal data.
The focal areas
A much broader scope exists with a greater set of online communications covered in addition to the typical ones -traditional telecommunications, emails and SMS.
Users increasingly substitute traditional services (like these) with equivalent online services like Voice over IP, messaging services and web-based email services also referenced as over-the-top communications services (OTTs). The previous regulation does not factor in all of these services.
The regulation is updated to reflect these advancements in technologies over the years and defines electronic communications service based on a functional approach. It defines three service categories: internet access services, interpersonal communications services and services consisting of the conveyance of signals (machine to machine communications).
The ePrivacy Regulation addresses practically all old and modern communication means- websites, social networks, blogs, apps, text, Voice over IP, video and audio (like Skype), instant messaging, social media messaging (like WhatsApp and Facebook messenger) and IoT devices.
The scope is huge-anywhere online interaction occurs- gaming apps, travel apps, dating apps, e-commerce and so on.
The privacy, confidentiality and protection rules will apply to any company offering electronic communications services in any form. All of these mentioned, amongst others.
The same level of protection is required across all counterparts (traditional and modern). Providers of any electronic communication service must protect all communications using the best available techniques. This means that across the board electronic communications should be utilising the best security functionalities available to them, at all times, to maintain consistency of high-level security across all types of communications.
Content data and metadata
Rules regarding confidentiality, which is core to the regulation, apply to both metadata and content data communications. Metadata is included in the regulation as it can be used to gain insights into people’s private lives in the same way that the contents data of communications can.
Metadata may include the numbers called, websites visited, geographical location and the time and date a call was made.
Privacy must be guaranteed for all electronic communication content and for the metadata of the content. This means that metadata must be anonymised, deleted (where consent is not given) and not given to a third party.
Metadata must be protected with the same level of security as the actual content communication that it is facilitating. So that any potential for interception of any such communication is protected against.
Interception is prohibited
The regulation prohibits the interception of any electronic communication (both content data and metadata) unless required by law.
The definitions of consent that form part of the GDPR also form part of the ePrivacy Regulation. Stricter consent rules apply and users must be able to withdraw or change consent at any time.
Unsolicited Electronic Communications
New rules relating to unsolicited electronic communications-direct and email marketing- apply. Direct marketing through calls is also addressed as well as rules relating to requirements for consent.
Prior consent (opt-in) is needed for all electronic marketing and a way to opt-out must always be available to the user.
Marketing callers must display their phone number or use a special prefix number that indicates a marketing call.
Cookies and tracking
A Privacy by Design approach is followed where cookies are tracked within the software and the user’s browser. Each user can set these in the browser setting as they require and prefer. Providers of browsers and similar software must provide users with cookie and tracking controls.
Tracking personal devices via cookies or software updates or tracking without consent through public hotspots or Wi-Fi is prohibited.
As the proposed regulation stands consent is not needed for ‘non-privacy intrusive’ cookies which improve user internet experience such as e-commerce cookies, those used for remembering shopping cart histories and cookies for Google Analytics. However, advertising and marketing cookies are more complicated and prior consent is likely required.
IoT is a fast-growing industry. Understandably, IoT is specifically mentioned in the proposed regulation and it emphasises the requirement for ‘the principle of confidentiality’ to apply to the transmission of machine-to-machine communications.
Hefty fines comparable to those of the GDPR
Up to 20 Million Euros or up to 4 percent of worldwide annual turnover, whichever is the highest for:
“Infringements of the principle of confidentiality of communications permitted processing of electronic communications data and time limits for erasure”
Up to 10 Million Euros or up to 2 percent of worldwide annual turnover, whichever is the highest for
“Infringements regarding obligations of legal or natural persons who process electronic communications data, the obligations of providers of publicly available directories and/or the obligations of legal/natural persons who use electronic communications services”
The regulation is not in its final form
The regulation must still be approved before it can enter into EU law. There may be some adjustments to it and there is likely to be a transitional period, like with the GDPR, before the new rules take effect. It is anticipated that the new ePrivacy Regulation will come into effect by the end of 2018 or early 2019.
Having said that, it would be sensible for organisations to begin preparations already as the change will happen and it will happen fast.