The ePrivacy Regulation: Another Layer of EU Data Regulations
Just as organizations are responding to the now-enforced General Data Protection Regulation (GDPR) of the European Union talks begin to focus on another EU legislation. The ePrivacy Regulation is garnering more fame as the next big regulation to prepare for after the GDPR.
The ePrivacy Regulation is set to replace the EU ePrivacy Directive, which goes back to 2002 and was amended in 2009. It was first published as a proposal text on January 2017. At present, the ePrivacy Regulation is still being reviewed and finalized by the European Parliament and the Council, with no set implementation date yet in sight. The most recent draft was released on April 13, 2018.
What is the ePrivacy Regulation and how is it different?
The ePrivacy Directive was referred to as the cookie law because it required websites to ask for user consent before using cookies to save and collect data on user activity. However, the ePrivacy Directive and the proposed ePrivacy Regulation are both more than about cookies. Both deal with various aspects of electronic communication, which includes telephone, the web, and the internet. Many other forms of electronic communication branch out of the internet alone, like email and messaging or social media apps.
The difference of the ePrivacy Regulation from its predecessor lies in scope and enforcement. The directive originally dealt with traditional telecommunication while the regulation incorporates new forms of communication that are now prevalent. The current ePrivacy is a directive, meaning enforcement is reliant on local authorities of member states. Turning ePrivacy from a directive to a regulation gives it more independence in terms of enforcement and makes it legally binding across the EU.
The ePrivacy Regulation was proposed to complement the GDPR by adding another layer of compliance for relevant organizations. The European Commission factsheet provides a comparison between the GDPR and the ePrivacy Regulation. The GDPR deals with the data processing of personal information of EU citizens, whereas the ePrivacy Regulation covers electronic communication and the integrity of the information — whether personal or not. A point in common between the two regulations is the infringement fines: GDPR fines for non-compliance are also applicable to non-compliance to the ePrivacy Regulation.
Overall, the ePrivacy Regulation is part of Europe’s strategy to create a Digital Single Market. The Digital Single Market strategy aims to break down barriers and lessen the market restriction to EU consumers, by moving from 28 separate EU digital markets to a single one. With it in full force, the GDPR is already helping facilitate this plan.
Why is the ePrivacy Regulation necessary?
- ePrivacy rules must align with the GDPR.
The ePrivacy Directive was also created to complement the Data Protection Directive 95/46/EC, the GDPR’s own predecessor. Therefore, since the Data Protection Directive 95/46/EC was replaced by the GDPR, updating the ePrivacy Directive to a more GDPR-aligned ePrivacy Regulation was necessary.
- The ePrivacy Directive itself needs an update.
The ePrivacy Directive was implemented in 2002 and amended in 2009. Fully updating its terms will allow legislation to keep up with the latest technology, specifically in the area of telecommunications. The current directive only covers more traditional telecom providers, whereas more European users now opt for internet-based messaging and call services.
How can organizations prepare for the ePrivacy Regulation?
Through the new ePrivacy rules, privacy will be guaranteed for both content and metadata derived from any form of electronic communication, for example, the time and location of a call. The proposed rules would require the anonymization or deletion of such information if users did not give their consent for retention, unless the information is absolutely necessary.
In addition, the proposed ePrivacy Regulation includes a ban on unsolicited electronic communication, such as through emails, phone calls, and SMS. Therefore, any form of marketing done by means of electronic communication would require user consent.
Taking lessons from the GDPR
Learning from the GDPR, organizations can begin preparations for the ePrivacy Regulation by mapping out their data and identifying the devices and services used for communication within and outside the company — from employees to customers. Making a thorough account of the pathways through which data flows can help in drafting initial plans that are in line with the overall goals of both the ePrivacy Regulation and the GDPR.
One of the shared goals of the GDPR and the ePrivacy Regulation is to strengthen the protection of data in the EU. As the ePrivacy Regulation extends its scope to “new players” or new providers of electronic communication services like emails and traditional and over-the-internet calls, it is important to update protection for networks and internet channels. It is vital not only to secure the network an organization is using but also the very devices that are connected to it.Given that the regulation still does not have a final set of rules, organizations must ultimately stay informed on developments and discussions while taking a proactive approach to securing communication channels. As with the GDPR, the ePrivacy Regulation is a new challenge for most organizations — one that has its advantages in the long run. To reiterate the European Commission's statements on the new regulation, stronger rules help ensure equal protection in terms of electronic communication for both EU citizens and the businesses that cater to them.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.