The ePrivacy Regulation does not seem to be making a smooth and easy entry into EU law. The amount of resistance and lobbying it is inviting is like nothing seen before. Organizations are certainly mindful of the impact that this regulation may have on business and are not letting it slide without putting up a good fight.
Nonetheless, it will be enforced within the next few months (give or take) — maybe with some tweaks — so best not to put off your preparations for too long.
Seven to remember
Here are seven focal areas that the regulation targets. Perhaps considering these will make the regulation a little easier to digest.
The way that communications are referenced in the regulation can be confusing. The ePrivacy Regulation aims to include new communications — the new ways in which we communicate and interact with one another. Technology changes so quickly and has advanced immensely in what seems a very short time. The hope is that this regulation can incorporate all that is new to protect people’s privacy and uphold their right to confidentiality.
A much broader scope now exists with a greater set of online communications covered, in addition to the typical ones that include the traditional telecommunications, emails, and SMS.
Users increasingly substitute traditional services (like these) with equivalent online services like VoIP, messaging services, and web-based email services. (These are referenced in the regulation as over-the-top communications services, or OTTs.) The previous regulation does not factor in all of these services.
The regulation is updated to reflect these advancements in technologies over the years and defines electronic communications service based on a functional approach. It defines three service categories:
- Internet access services.
- Interpersonal communications services.
- Services consisting of the conveyance of signals (machine-to-machine communications).
The ePrivacy Regulation addresses practically all old and modern communications — websites, social networks, blogs, apps, text, VoIP, video, and audio (like Skype), instant messaging, social media messaging (like WhatsApp and Facebook Messenger), and IoT devices.
The scope is huge. It covers anywhere online interaction occurs — gaming apps, travel apps, dating apps, e-commerce, and so on.
The privacy, confidentiality, and protection rules will apply to any company offering electronic communications services in any form. So it will cover all of those mentioned — and others.
Providers of any electronic communication service must protect all communications using the best available techniques. This means that electronic communications across the board should be using the best security functionality available to them, at all times, to maintain a consistently high level of security across all types of communications.
Content data and metadata
Rules regarding confidentiality, which is core to the regulation, apply to both metadata and content data of communications. Metadata is included in the regulation because it can be used to gain insights into people’s private lives in the same way that the content data of communications can.
Metadata may include the numbers called, websites visited, geographical location, and the time and date a call was made.
Privacy must be guaranteed for all electronic communication content and for the metadata of the content. This means that metadata must be anonymized, deleted (where consent is not given), and not given to a third party.
Metadata must be protected with the same level of security as the actual content of the communication that it is facilitating, so that any potential interception of such a communication is protected against.
Interception is prohibited
The regulation prohibits the interception of any electronic communication (both content data and metadata) unless required by law.
The definitions of consent that form part of the GDPR also form part of the ePrivacy Regulation. Stricter consent rules apply and users must be able to withdraw or change consent at any time.
Unsolicited electronic communications
New rules relating to unsolicited electronic communications — direct and email marketing — apply. Direct marketing through calls is also addressed as well as rules relating to requirements for consent.
Prior consent (opt-in) is needed for all electronic marketing and a way to opt-out must always be available to the user.
Marketing callers must display their phone number or use a special prefix number that indicates a marketing call.
Cookies and tracking
A “Privacy by Design” approach is followed, where cookies are tracked within the software and the user’s browser. Each user can set these in the browser settings as they require and prefer. Providers of browsers and similar software must provide users with cookie and tracking controls.
Tracking personal devices via cookies or software updates, or tracking without consent through public hotspots or WiFi, is prohibited.
As the proposed regulation stands, consent is not needed for “non-privacy intrusive” cookies that improve the user’s Internet experience, such as e-commerce cookies, those used for remembering shopping cart histories, and cookies for Google Analytics. However, advertising and marketing cookies are more complicated, and prior consent is likely required.
The Internet of Things (IoT) is a fast-growing industry. It will continue to advance and grow. IoT has already made its way into everyone’s lives. It is part of our households and daily routine. So, understandably, IoT is specifically mentioned in the proposed regulation, which emphasizes the requirement for “the principle of confidentiality” to apply to the transmission of machine-to-machine communications. Here is the “principle of confidentiality” from the amendment:
Confidentiality of electronic communications ensures that information exchanged between parties and the external elements of such communication, including when the information has been sent, from where to whom is not to be revealed to anyone other than to the parties involved in a communication.
ePrivacy Regulation: Additional to GDPR and not a replacement for it
The ePrivacy Regulation is related to, but independent of, the EU’s data protection rules – the General Data Protection Regulation that came into force in May this year.
The ePrivacy Regulation is specific to communications data (personal and non-personal), as this type of data can expose a great deal about people’s lives.
The regulation not only covers the protection of this type of data but goes further to cover confidentiality, privacy, and security concerns surrounding communications specifically.
Both regulations are important. Compliance with both regulations is required. The one is not a substitute for the other. So, if you’re thinking of playing that card … it may be a good idea to think again and redirect your efforts to preparations instead. The regulation will be here sooner than you think!