If you thought the worst was over after you implemented GDPR, then I’m sorry to inform you but your business faces another major challenge – the ePrivacy Regulation.
This is the first in a series of articles on the matter. To start off, we’ll take a look at the Proposal itself and the reason behind it. After that, we will look into the details of the ePrivacy Regulation, how it differs from the ePrivacy Directive, and what the proposed requirements and obligations are. Finally, we will provide you with adequate advice on how to get compliant on time. After all, this is what we at Supportica do – help businesses with their compliance.
The ePrivacy Regulation (ePR) is a proposal for a Regulation on Privacy and Electronic Communications. Its full name is “Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications)”. The reason behind this proposal is to fulfil the European Commission’s strategy of achieving better privacy in different aspects of European residents’ everyday life. The first step of this was the GDPR, and it was expected that both regulations would come into effect on the same day. However, due to different obstacles, the implementation of the ePrivacy Regulation was postponed. The European Commission’s proposal for an ePrivacy Regulation aims at reinforcing trust and security in the Digital Single Market by updating the legal framework on ePrivacy.
Why is a Reform in the ePrivacy Legislation Necessary?
Over the last couple of years, European legislation has often been amended in order to keep up with the rapid progress of technology. The Commission has started a major modernisation process of the data protection framework, which culminated in the adoption of the General Data Protection Regulation in May 2016. The ePrivacy legislation needed to be adapted to align with these new rules.
Key elements of the Commission’s proposal:
- Scope: the new privacy rules will also apply to new players providing electronic communications services such as WhatsApp, Facebook Messenger and Skype. These popular services will have to provide guarantees that they are applying the same level of confidentiality of communications as traditional telecoms operators. Further, the rules this time apply to both natural and legal persons.
- Communications content and metadata: confidentiality is guaranteed for communication content and metadata, e.g. call time and location. Metadata has a high privacy component and must be anonymised or deleted if users have not given their consent, unless the data is required for charging.
- New business opportunities: Once more, the traditional telecom operators will have more opportunities to provide additional services and to develop their businesses. For example, they could produce heat maps indicating the presence of individuals; these could help public authorities and transport companies when developing new infrastructure projects.
- Simpler rules on cookies: the provision of cookies, which has led to an overload of requests for Internet users, will be simplified. The new rules will be more user-friendly and browser settings will provide an easy way to accept or deny the tracking of cookies and other identifiers. The proposal also clarifies that confidentiality is not required for intrusive privacy cookies, such as those for internet shopping or cookies used by a website for counting the number of visitors.
- Protection against spam: this proposal forbids unwanted communications by e-mail, SMS and automatic callers. Depending on the national law, people will be protected by default or will be able to use a do-not-call list to avoid receiving phone calls. Marketing callers will need to show their phone number or use a special prefix that indicates a marketing call.
- More effective enforcement: the enforcement of the confidentiality rules in the Regulation will be the responsibility of the data protection authorities, already in charge under the General Data Protection Regulation.
The specific requirements and obligations presented by the ePrivacy Regulation will be examined in detail in the next articles of the series.
Disclaimer: The content of this article is intended to provide a general guide to the subject matter. It is not legal advice and should not be treated as such. Specialist advice should be sought about your specific circumstances.