While the EU’s General Data Protection regulation is aimed at protecting the rights of individual EU residents, the new e-Privacy Regulation’s goal is to bring European e-privacy law into line with the latest technology and give both European residents and businesses equal rights.
What is the new e-Privacy Regulation?
Earlier this year, the European Commission published a draft e-Privacy Regulation. It will replace the current e-Privacy Directive and because it is a regulation it will be automatically brought in to law in all Member States. The regulation takes on board all definitions of privacy and data that were introduced within the General Data Protection Regulation and clarifies and enhances it. The areas of unsolicited marketing, Cookies and Confidentiality are covered in a more specific context.
The goal is for the regulation to come into force on May 25th, 2018, the same date GDPR comes into force.
It is important to consider the e-Privacy regulation in parallel to GDPR as both are complimentary and will have deep implications to your business.
The regulation includes any type of communication. Positive opt-in consent must now be clearly given prior to sending both email and text messages. This means that Digital Marketers will be unable to send emails or text without express prior permission from each email or mobile account holder. Additionally, it must be as easy to remove consent as it is to give it.
One aim of the new e-Privacy regulation is to broaden the scope to include online communications providers with the requirements that pertain to traditional telecommunications providers. Companies including Gmail, Skype, Facebook Messenger and WhatsApp are now required to provide the same level of customer data privacy as traditional “bricks and mortar” providers.
Providers of any electronic communication service are required to secure all communications through the” best available techniques.” This creates a need for websites to stay technologically in sync with the best safety and privacy features currently available.
The new provisions mandate metadata is treated with the same care as the actual content of the communication that it is facilitating being sent.
The General Data Protection Regulation (GDPR) was created to align the data privacy laws across all EU countries. GDPR replaces the Data Protection Directive 95/46/EC. A major effect of GDPR is that the processing of any EU resident’s information is now protected regardless of whether the information processing is done within the EU or not, and regardless of where the firm processing the data originates from. Any firm around the globe is bound by law to protect the private data of EU residents.
The concept of Personally Identifiable Information (PII) has been expanded by GDPR to include all metadata that derives because of the communications. GDPR also strengthens the need for consent for how a user’s personal information can be used and if it can be shared. GDPR also makes it easy for users to request access their personal data and includes a requirement for all businesses and websites that take any information from any user to maintain the information and make it available to the user if requested. Users have also been given the right to be and a right to data portability so that they can use their data in any way they desire.
Who will the regulation apply to?
The regulation is much broader than the current directive e-Privacy directive and affects many more businesses. If your business provides publicly-available ‘electronic communications services’ which process data, utilise online tracking technologies or engage in electronic direct marketing then the regulation directly affects your business. The new e-Privacy regulation is directed at new communications platforms such as:
- Facebook messenger
- Machine-to-Machine communication (Internet of Things)
- Dating apps
- Video games (provided there is a ‘communication’ element to the game)
Do we need both GDPR and the e-Privacy Regulation?
GDPR is focused on protecting the rights of individual data subjects. Whereas, the new e-Privacy Regulation will apply to both individuals and businesses. The new regulation gives specific rights that are not covered in the GDPR, for example, the right of confidentiality and integrity of the users’ device (e.g. smart phones and tablets).
The new regulation will have an extra-territorial effect, meaning that it will apply to all electronic data generated by users in Europe that is processed inside and outside of the European Union. This is particularly important for cloud-based services and consideration should be given to cloud agreements.
Confidentiality and Metadata
The requirements around confidentiality of communications is being strengthened such that the listening, tapping, interception, scanning or storing of communications is prohibited without user consent. The processing of communications data will continue to be restricted except in the case of national security or criminal law enforcement.
Metadata such as the location from which the message was sent, the duration of a call, who sent the message and the contents of a user’s online shopping basket at the time of the communication are now included in the regulation and must be protected such that they cannot be communicated without the user’s consent. Metadata will need to be anonymised or deleted if users have not provided their consent for it be retained.
The restrictions placed on unsolicited marketing communications will also apply to ‘electronic communications services’ like text, automated calls or email. To increase transparency to consumers, marketing callers will be required to use their actual telephone number or use a specific marketing-only prefix.
Each regulation was drawn up to reflect a different aspect of EU law. GDPR was created to enshrine Article 8 of the European Charter of Human Rights and the e-Privacy regulation was created to enshrine Article 7 of the charter.
It is important to remember that the e-Privacy regulation was created to complement and particularise the GDPR, so the rules of the GDPR are always relevant and an overall part of the legislative aspects of the e-Privacy directive which considers how personal information might be used.
The European Union’s new privacy regulations can seem quite daunting and we often find firms are not sure if or how they are affected. If GDPR is worrying you or if you simply are not sure how GDPR might affect your business, we are here to help. We are happy to set up a short, no obligation call to help you understand the implications of GDPR on you and your business.