02 Jan European e-privacy regulation
As the name says, the European e-privacy regulation, replaces the 2002 (revised, 2009) e-privacy directive with a new instrument, turning a directive into a regulation. As a reminder, directive is a regulatory instrument that has to be implemented in each member state, whereas a regulation will cover all member states without the need for state level implementation. The European e-privacy regulation complements the General Data Protection Regulation. Together these two regulations provide a sweeping reform (and protection) of electronic data related to natural persons / citizens, and legal persons of the European Union.
The European e-privacy regulation is at the draft stage at this moment. You can review the proposal here. Where the GDPR concentrates on protecting the privacy of our (as I’m a citizen of the EU) data, introducing better transparency and greater control, the new regulation complements these aspects by extending the privacy regulation to telecommunications and modern online services such as Facebook, Skype etc. that are out-of-scope with the current e-privacy directive.
Why is this important?
When you consider how data related to end users is treated on a global scale, these two new regulations are created to protect the citizen. On the other end of the spectrum we have nations, where online privacy and protection of the user data is non-existent, and personal data is treated as a commodity, something that can be sold to anyone interested. According to the stakeholder comments for the European e-privacy regulation proposal it is obvious that the industry players affected by the new regulation are against the tightening of the rules. Citizens however are in favour of more stringent rules. Not a surprise really.
Trust – it’s what drives online commerce, even more than it does for traditional commerce (brick & mortar). These two regulations will increase trust through transparency, control and protection, backed up by stiff fines for violating the rules. So, we now have two regulations with maximum penalties of 4% of annual global turnover, or € 20 000 000. The European Union is becoming a beacon of trust in the online world, and this should boost the bottom lines of e-services operating in the European Union – I hope.
Consent is a part of the GDPR, but also the European e-privacy regulation (Chapter II, article 9). Currently the wholesale approach for consent for e.g. online advertising (well, no consent situation) will become more difficult for the advertisers as users can potentially actively opt-out using simple configuration changes in the browsers, or when browsers become with the pre-configured switch turned off for third party cookies. So, much like in the GDPR, in the new e-privacy regulation it becomes an issue for the industry players to acquire consent. Perhaps now I can avoid the pizza ads populating my Facebook feed 20mins after I’ve talked about pizza with someone (and my phone has been nearby).
Our devices and installed apps bleed data whether we know it or not. The European e-privacy regulation should put a stop to that (Chapter II, article 8). It also specifically mentions IoT devices in the introductory text. The broad definition of electronic communications data and the requirement for confidentiality has a direct result. Clear text, i.e. http or similar should no longer be possible after the European e-privacy regulation comes effective.
Time to panic?
Not really. There are not much that is added on top of the GDPR. Some concepts like consent is quite nicely outlined in the GDPR, and the European e-privacy regulation just extends it a bit. So if you’re on top of consent already, you should be fine with the second privacy regulation as well. You just have to extend the consent management to some aspects of the electronic communications you might be doing. To protect communications, remember to turn on encrypted comms, in most cases – just get that (preferably EV) certificate for your e-services, have your devices talking to each other and to the outside world in encrypted format. For app developers and device manufacturers – time to stop sending excessive amounts of data or metadata to backend services without proper consent from the users. For us all in digital marketing; get a clear understanding of what is legitimate interest and get your opt-in/consent and opt-out processes clear and easy to accomplish.
Oh – this might break some of the earning models of some giants like Facebook if users start to get antsy about their privacy. Or will it?