Digging Into the New ePrivacy Regulation: Balancing Privacy and Progress
Data protection and privacy has been prevalent in public discourse for the past years, and even more so this year as the EU’s General Data Protection Regulation (GDPR) went into effect along with similar laws in other countries. After GDPR’s implementation, discussions have not waned as enterprises anticipate the impact of a proposed legislation to secure electronic communications — the ePrivacy Regulation (ePR). The ePR is intended to update the current ePrivacy Directive (commonly called the cookie law) and unify the patchwork of other local legislation. It was originally planned for enactment in tandem with the GDPR, but the release of the final regulation was postponed in order to address questions and concerns from various sectors.
Keeping in step with electronic communication innovation
Apart from changing the rules on cookies, the ePR also wants to secure content and metadata in all forms of electronic communications — this time including non-traditional messaging services like WhatsApp and Skype. Furthermore, unsolicited communications like spam and marketing mails or calls will be more strictly regulated. The internet of things (IoT) may also be affected, particularly machine-to-machine (M2M) electronic communications channeled through an electronic communications service. These are possible changes that the ePR will lead to, but the scope and requirements may change depending on revisions to the latest draft of the regulation.
Users and enterprises will definitely feel the impact of ePR since it touches on aspects of communications that most people use daily: visiting websites, email and online messaging, among others. The implementation of ePR will be a major shift for enterprises because they will have to adapt their operations to comply with the ePR, just like they did with the GDPR.
Business impact on enterprises
The impact of the ePR on digital and electronic communications businesses is being debated, particularly for digital marketing, online messaging, and IoT enterprises. An economic impact study commissioned by a global alliance of developers and connected companies estimated that the regulation could reduce the annual turnover by up to €551.9 billion and annual profit by up to €58 billion, across sectors all over the EU. These numbers would indeed be a huge blow to the EU economy; but the numbers are also based on a scenario where the extent of the regulation’s prohibitions is not yet well-defined.
In addition to financial losses, the ePR could also impact how apps and devices will be designed or operated and the developers’ business model. For instance, the restrictions on data collection would make it harder for apps dependent on data-driven ads to flourish and continue working. Developers of free apps may have to start charging fees or find other ways to make revenue. In the IoT field, if M2M communications were to be restricted, then the development of IoT devices could be stalled as well. For example, restricting connected cars that communicate user data with smart devices on the road might make travel less efficient.
As more privacy regulations are introduced, enterprises should expect to go through growing pains. Being compliant with new regulations might mean an overhaul of traditional operations, but it is a necessary change. Users’ data, which has been stolen and misused by cybercriminals for years, should be better protected.
Negotiating privacy and progress
As with the GDPR, enterprises can view new privacy regulations as an opportunity. Users are becoming more concerned about their data and are actively looking for more secure options. Offering better-protected services or products gives businesses an edge with their customers.
Of course, as with any technology-related regulation, strict privacy restrictions can sometimes impede innovation. In this situation, enterprises have to work with the legislators to come up with a reasonable resolution. For the ePR, industry groups have suggested adding a component also in the GDPR: allowing processing “if there is legitimate interest.” The current draft of the regulation has also clarified some areas of uncertainty, such as M2M communications and when cookie consent is not required.
As the European Union’s Council continues to hold dialogues with industry players while the ePR is being finalized, businesses should begin looking at the role and security of user data in their operations. Data mapping and, in turn, minimization and encryption or pseudonymization should be considered. From this point on, enterprises should adopt a “privacy by design” approach and integrate security into every facet of their products, services, and processes. Data-driven businesses have to deploy more secure ways to analyze and process communications content and metadata, and smart devices have to protect customer and communications data during transmission. Security should not be an “add on” in response to the latest cyberthreats — it should be developed hand in hand with technological innovations.
This ePrivacy Regulation, along with the GDPR, is part of a broader EU agenda to ensure the safety and privacy of its citizens and, taking their cues from the EU, other regions are following suit. Data protection is a global standard, one that, when met, benefits both users and enterprises. While the compliance journey may be arduous, it can only lead to secure advancements in technology.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.