Arguably 2018 saw the greatest shift in the data protection and privacy landscape ever, with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) finally coming into force on the 25th of May. The impact of the GDPR on a global scale cannot be overstated: organisations across the world that processed the personal data of data subjects within the EEA had to either comply with the new requirements of the legislation or cease their processing activities altogether to avoid risking a fine (as a number of US news outlets infamously did).
To date the GDPR still stands as the most lobbied piece of regulation to pass through the European Union, after four long years of negotiation. However, the new year brings new horizons in the sphere of data protection. Whilst developments in the sector over the next 12 months are likely to lack the sheer significance and gravitas which the GDPR brought with it, it remains paramount that organisations are fully aware and informed of their impending regulatory obligations. This article discusses the newly proposed ePrivacy Regulation and a few of its significant departures from the current directive.
Originally slated to be brought into force alongside the GDPR, the new ePrivacy Regulation has been pushed back and is expected to emerge in late 2019.
Similar to how the GDPR aligned the previous nationally implemented Data Protection Directives, the new ePrivacy Regulation aims to repeal and replace the current Privacy and Electronic Communications (EC Directive) Regulations 2003 (more commonly known as PECR) and deliver a uniform set of rules across the European Economic Area (EEA) members, rather than a set of 28 different rules across Member States. The shift from a directive-based approach to a regulatory one continues the EU’s trend of tighter legal integration across the EEA.
The proposed regulation is an attempt to bring privacy rules up to date with developments in contemporary technology, with a specific focus on internet-driven communications tools. The current ePrivacy rules only apply to traditional telecommunications providers, leaving computer and smartphone apps such as Skype, WhatsApp and iMessage out of scope.
Official EU stakeholder consultations estimate that 76% of citizens and civil society actors agree that there is a need to extend the scope of the rules to contemporary communications services in order to protect their private communications. The ePrivacy Regulation proposes to address the concerns of Europeans by guaranteeing that their electronic communications, and the metadata of those communications, are kept confidential regardless of the technological medium used. Organisations that intend to collect such metadata will only be able to do so if the users give consent, the data is anonymised, or it is required for billing purposes.
Another key area that the regulation seeks to influence is the sending of unsolicited marketing materials via email and telephone calls. Any direct marketing done via a telephone call must now display a telephone number, or a clear prefix, to indicate to the person receiving the call that it is marketing in nature.
More concerning however, is Article 16.1 of the Regulation, which covers unsolicited communications:
“Natural or legal persons may use electronic communications services for the purposes of sending direct marketing communications to end-users who are natural persons that have given their consent.”
The phrase “natural persons” poses a threat to some types of Business to Business (B2B) marketing, as marketing will now have to be done on the basis of consent if the email is sent to an address containing a personal identifier, rather than on the basis of legitimate interest, which is often relied upon currently. For example, if an email is sent to email@example.com from a potential parts supplier, consent will have to have been obtained beforehand. Substantial concern has been expressed around this Article and its imprecise language. For the time being this is an area to keep a close eye on.
Finally, an interesting takeaway is the “simplification” of the rules on cookies, as well as the clarification surrounding cookies which collect non-personal data. Cookies which strictly collect non-personal data (such as saved shopping baskets and Google Analytics) will no longer require consent from the user.
Websites will no longer display cookie banners asking users to consent to receiving cookies from that website; instead, users will define their cookie preferences in their browsers, and those preferences will apply uniformly across all websites they visit. Such changes are likely to have a significant impact on targeted advertising to individuals via cookies, as the penalty for non-compliance is the same as under the GDPR (up to €20 million or 4% of global annual turnover). This has already caused a significant stir within industry bodies.
Although the ePrivacy Regulation is not yet in force, organisations that take data protection and privacy seriously should begin planning to adjust their current business methods to meet their impending regulatory requirements. Although nowhere near the same amount of work will be needed as was required to achieve GDPR compliance, it should be expected that significant effort will have to be put in to ensure that methods are compliant for the onset of Web 3.0.
Trilateral is on hand to offer guidance and assistance to organisations who are looking to get ahead of the compliance curve. For more information, visit the Trilateral Data Governance page and contact our team.
See “Proposal for a Regulation of the European Parliament and of the Council”, section 3.2.