Just as many organizations thought they had EU data protection sorted out, had accepted the General Data Protection Regulation (GDPR), and were making steady progress toward compliance with it, a new EU regulation is waiting in the wings to make its debut. The draft EU ePrivacy Regulation, published on January 10, 2017, by the European Commission, is to replace the current ePrivacy Directive (2002/58/EC) across the EU. It was planned to take effect alongside the GDPR on May 25, but it was not ready in time and is now expected to come into force by the end of 2018 or possibly early 2019.
The regulation aims to enhance the security and confidentiality of communications, irrespective of whether the service is free or paid for, and it covers all traditional and modern forms of communication.
It puts emphasis on the way providers of communication services handle data, so that the data subjects' privacy and rights are always protected. And like the GDPR, it doesn't just affect companies that are physically located in the EU. Companies in North America and elsewhere that deal with EU citizens will also have to comply, just as they have to do with the GDPR.
A few things to get your head around
It’s no longer a directive but a regulation
The directive is now a regulation (like the GDPR). This means the new ePrivacy Regulation will apply throughout the EU as soon as it comes into force. It is self-executing and will become legally binding throughout the EU immediately.
What is it?
The ePrivacy Regulation updates the existing ePrivacy Directive, implemented in the UK as the Privacy and Electronic Communications Regulations 2011 and also known to many as the “cookie law.”
It forms part of the reform of the EU data protection framework along with the GDPR. The two regulations aim to complement each other. ePrivacy aligns with the GDPR to address advancements in technologies and enforce a common law for all EU countries, to do away with the diverse online privacy rules that currently exist.
Although previously referred to as the “cookie law,” it is important to understand that the new regulation applies to so much more than just cookie practices.
It covers all electronic communications and technologies that process data, and unlike the GDPR, which applies to the protection of personal data, the new ePrivacy Regulation applies to both personal and nonpersonal data.
The ePrivacy Regulation addresses practically all old (traditional communications, email, and SMS) and modern methods of communication like websites, social networks, blogs, apps, text, VoIP, video, and audio (like Skype), instant messaging, social media messaging (like WhatsApp and Facebook Messenger), and IoT devices.
The scope is huge: anywhere online interaction occurs, the regulation applies
When a data privacy issue is raised regarding electronic communications, the ePrivacy Regulation will take precedence over the GDPR.
So, businesses will need to comply with the GDPR as well as the new ePrivacy Regulation.
If we comply with the GDPR already, are we automatically compliant with the new ePrivacy Regulation?
Unfortunately, no. However, if you are GDPR compliant, you are in pole position for ePrivacy compliance.
Each regulation reflects a different part of EU law. The GDPR is a general regulation that relates to protecting personal information. The ePrivacy Regulation relates to a person's private life, including confidentiality. It specifically governs all electronic communications to safeguard the privacy and confidentiality of users.
Although the two regulations complement each other, ePrivacy makes it a requirement for the users’ privacy to be protected at all stages of online interaction.
The laws work together to ensure that users of the Internet can control their data and there is responsibility on providers of communications (and websites) to handle user data in a manner that guarantees the safety of data and privacy of the user.
Who does it impact?
The ePrivacy Regulation has the same territorial scope as the GDPR, so it applies to any organization in any country (inside or outside the EU) that provides electronic communication services to the EU.
Some industries will be affected more heavily than others. The regulation is likely to substantially affect online advertising, direct marketing, media and digital/tech services; however, the scope of the new regulation is much broader than before.
Industries, big and small, are becoming more reliant on digital and connected forms of communication. Health care, finance, and manufacturing, for example, are increasingly working in this way, among others. You might find the impact has a wider reach than expected.
It encompasses a broader range of electronic communication services: all traditional telecommunication services (voice calls) as well as all online equivalents, and all types of email, messaging services, and group chats.
Additionally, it covers any data communicated by electronic devices: computers, smartphones, tablets, IoT, or any other connected electronic device.
So, any business providing such services to end users must comply.
It focuses greatly on 'the principle of confidentiality'
Electronic communications must be handled in a way that protects the users' privacy and confidentiality. According to the regulation:
"Confidentiality of electronic communications ensures that information exchanged between parties and the external elements of such communication, including when the information has been sent, from where, to whom, is not to be revealed to anyone other than to the parties involved in a communication… The principle of confidentiality should apply to current and future means of communication, including calls, internet access, instant messaging applications, e-mail, Internet phone calls, and personal messaging provided through social media."
It focuses on nonpersonal data too
The GDPR's focus is personal data, but the ePrivacy Regulation focuses more broadly on the confidentiality of communications, which means that it covers nonpersonal data in addition to personal data.
Hefty fines comparable to those of the GDPR
Fines of up to €20 million or up to 4 percent of worldwide annual turnover, whichever is higher, can be assessed for:
"Infringements of the principle of confidentiality of communications, permitted processing of electronic communications data, and time limits for erasure."
Fines of up to €10 million or up to 2 percent of worldwide annual turnover, whichever is higher, can be assessed for:
"Infringements regarding obligations of legal or natural persons who process electronic communications data, the obligations of providers of publicly available directories and/or the obligations of legal/natural persons who use electronic communications services."
The regulation is not yet in its final form
The regulation must still be approved before it can enter into EU law. There may be some adjustments to it, and there is likely to be a transitional period, as with the GDPR, before the new rules take effect later this year or next year.
Having said that, it would be sensible for organizations to begin preparations now, as the change will happen and it will happen fast.