Mar 13, 2018
New ePrivacy Regulation – what is it?
You have read everything about the forthcoming General Data Protection Regulation (GDPR), but have you heard of the ePrivacy Regulation? The European Commission has proposed the ePrivacy Regulation to “reinforce trust and security” in the Digital Single Market. In many ways, it complements the GDPR; however, it will not be implemented at the same time.
As with the revised Payment Services Directive (PSD2), European legislation needs to keep up to date with constant technological changes and developments. The GDPR is also modernising the data protection framework, and, according to the European Commission, the ePrivacy legislation needs to be adopted to align with these new rules.
What has been in place so far?
The proposed ePrivacy Regulation is an update of 2002’s ePrivacy Directive. Since the 2009 update requiring prior consent regarding cookies, the directive has been known as the “cookie law”, and it is the reason why you see cookie consent pop-ups and banners on many websites. It complements the GDPR because, in addition to cookies, the ePrivacy Directive and Regulation also cover further personal data protection: electronic communications, the right of confidentiality, data/privacy protection, protection against spam, B2B consent and telemarketing.
If we already have a Directive, why do we need a Regulation? What’s the difference?
The current ePrivacy Directive requires local regulations in the EU to enforce the legislation, leading to inconsistencies across the continent. Enforcing a Regulation, on the other hand, makes it legally binding across the EU and its Member States. Similarly, the forthcoming GDPR is replacing the Data Protection Directive.
So, what does the ePrivacy Regulation proposal entail?
The European Commission’s proposal includes the following key points:
- New Players. The new privacy rules will also apply to new businesses providing electronic communications services. This includes, but is not limited to, services such as WhatsApp, Messenger and Skype.
- Stronger Rules. The proposal aims to increase the level of protection for all people and businesses for their electronic communications. Businesses trading internationally are said to benefit from one single set of rules across the EU.
- Communications content and metadata. The regulation guarantees privacy for communications content and metadata, such as the time of a call and location. The proposal suggests that metadata will have a high privacy component and should be anonymised or deleted if users do not give their consent, unless the data is needed for billing.
- Simpler rules on cookies. The proposal outlines a more user-friendly and streamlined cookie provision. Consent or refusal will be expressed by users in their respective browser settings.
- Protection against spam. It is proposed that unsolicited electronic communications by email, SMS or automated calling machines be banned, and that marketing callers will have to display their phone number or use a special prefix that indicates a marketing call.
- More effective enforcement. Local data protection authorities will have the responsibility to enforce the confidentiality rules in the Regulation. These authorities are also responsible for implementing GDPR.
Note that the ePrivacy Regulation is still in the proposal stage. The final approved details will be published by the European Commission in due course.
At SmartDebit, we are keeping up to date with the ICO to be fully prepared for GDPR when it is implemented on 25 May 2018.