The other shoe is about to drop: ePrivacy Regulations

The GDPR just came into effect, but there will still be some questions about data privacy as a new regulation is on the anvil.
28 May 2018

Yvo Volman, Head of Data Policy and Innovation, is responsible for drafting the ePrivacy Regulation. Source: Flickr / International Federation of Library Associations and Institutions

Wondering about the impact the General Data Protection Regulation (GDPR) has had on the world?

It’s caused a handful of companies and web services to shut down, like Klout and StreetLend, and forced another handful to temporarily suspend services to residents of the European Union (EU).

However, that’s not the end of it. While companies still struggle to get to grips with the new regulation and the EUR 20 million (approx. USD 24 million) penalty it imposes for failing to comply, there’s another shoe that the regulators are waiting to drop.

This other shoe is called the ePrivacy Regulation, and was intended as a “lex specialis”, or “special” regulation, to the “general” regulation – the GDPR.

The ePrivacy Regulation will replace the ePrivacy Directive, commonly known as the “cookie law” because it prompted EU-hosted sites to inform users via a banner that continued use implied their acceptance of cookies from the site.

The law was expected to be finalized and to come into effect simultaneously with the GDPR, but some hiccups have caused a small delay.

Nonetheless, here’s what businesses need to know about the ePrivacy Regulation. These are the key points of the Commission’s proposal:

New players: Privacy rules will also apply to those providing electronic communications services such as WhatsApp, Facebook Messenger, and Skype.

This will ensure that these popular services guarantee the same level of confidentiality of communications as traditional telecoms operators.

Stronger rules: All people and businesses in the EU will enjoy the same level of protection of their electronic communications through this directly applicable regulation.

Businesses will also benefit from one single set of rules across the EU.

Communications content and metadata: Privacy will be guaranteed for communications content and metadata, e.g. time of a call and location.

Metadata will have a high privacy component and will be anonymized or deleted if users do not give their consent – unless the data is needed for billing.

New business opportunities: Once consent is given for communications data (content and/or metadata) to be processed, traditional telecoms operators will have more opportunities to provide additional services and to develop their businesses.

For example, they could produce heat maps indicating the presence of individuals. These could help public authorities and transport companies when developing new infrastructure projects.

Simpler rules on cookies: The cookie provision, which has resulted in an overload of consent requests for internet users, will be streamlined.

The new rule will be more user-friendly as browser settings will provide an easy way to accept or refuse tracking cookies and other identifiers.

The proposal also clarifies that no consent is needed for non-privacy intrusive cookies improving internet experience (e.g. to remember shopping cart history) or cookies used by a website to count the number of visitors.

Protection against spam: This proposal bans unsolicited electronic communications by emails, SMS, and automated calling machines.

Depending on national law, people will either be protected by default or be able to use a do-not-call list to not receive marketing phone calls.

Marketing callers will need to display their phone number or use a special prefix that indicates a “marketing call”.

More effective enforcement: The enforcement of the confidentiality rules in the Regulation will be the responsibility of data protection authorities, already in charge of the rules under the General Data Protection Regulation.

Now, according to Tanya Wilkie, Associate at Charles Russell Speechlys LLP, “there are a number of areas of uncertainty and some of these might see a substantial departure from the current position”.

In her blog post on Lexology, she explains that the exact scope of the regulation might be broadened to include ancillary services and content data.

Wilkie also points out that there might be a new approach to consent and notifications when it comes to cookies. She expects these to become more user-friendly and streamlined to provide a better experience to users.

An interesting point Wilkie highlights is the fact that presently, in the UK, electronic marketing communications directed at individuals require special consent but no such consent is required to contact corporate subscribers.

The new rule might change that, she believes.

All in all, compliance managers and in-house legal teams are watching out for the new law and waiting for the finalization of its stipulations in order to refine and settle their organization’s policies.

At the moment, companies have changed their policies to meet GDPR requirements but are waiting for the other shoe to drop before they finalize their policies and take a break.