While the GDPR has garnered all the attention as of late, ePrivacy presents another upcoming regulatory layer full of implications for those marketing and gathering data online within the EU and beyond that should not be overlooked.
The General Data Protection Regulation (GDPR) came into force on May 25, 2018, replacing the Data Protection Directive of 1995. Now, marketers whose businesses depend on online interaction with customers and prospects should be looking at the horizon for the proposed regulation that will specifically address data protection issues in the “world” of electronic communications, such as on the Internet.
The “Regulation on Privacy and Electronic Communications” will repeal the Directive of the same name dating to 2002 and, like the GDPR, will be the “law of the land” throughout the European Union and, quite likely, the UK.
The Regulation will also assure that its terms apply to the Internet. The existing Directive applies only to telecommunications, and the internet is an entirely different universe and environment compared to the telecommunications world.
Do we really need this? Probably. It focuses on the discrete aspects of electronic communications data which qualify as “personal data” in order to assure that this data is treated in the same way it would be if it were in another form. In short, that electronic data which consists of personal data of individuals, as defined by the legislation, will receive the same legal protection as under the GDPR.
The ePrivacy Regulation will apply to any business that provides online communication services, such as Skype or Gmail, et al., or uses tracking technologies, or “engages in electronic direct marketing.” That last category apparently brings anyone who markets online within the reach of the Regulation.
The Regulation is vigorous in pursuit of data protection. The current draft regulation requires a consumer’s explicit permission to use her data or metadata about her electronic communications, which might include, for example, the time and her location when using a dating app.
Apparently, a restaurant, car dealer, department store, university, bank, airline or any other business that would like to know where its website visitors are physically located would have to ask permission to capture that data, at least from visitors who register. The implications for anyone using a website that applies adaptive design based on geography are evident.
It is conceivable that the law would require that owners of the newer smart cars that automatically send information about their functioning to the manufacturer would have to consent to this. And while we would be delighted to know the manufacturer of our car wants to catch malfunctions before they become too serious, their keeping a record of where our car is operating might make us nervous. The penalties under this Regulation are the same as under the GDPR: fines of up to 20 million Euros or 4% of global revenue.
Originally “calendared” by Brussels authorities to come into effect at the same time as the GDPR, the completion, adoption and implementation of the ePrivacy legislation may now be extended, possibly substantially. To take effect, it would have to be approved by the Council of the European Union and finally completed in a three-way negotiation involving the Council, the European Parliament and the European Commission. This will probably not be a speedy process.
The tech world in Europe has raised significant opposition to ePrivacy and lobbying efforts have been launched by the American Chamber of Commerce, IBM, Google, Cisco, Facebook, Microsoft, SAP and many others.
Other companies and delegations have visited relevant government ministers and published research studies which indicate significant revenue cuts would occur for online news and advertising agencies and profits for companies in Europe dependent on electronic communication would shrink by 30%.
Full-court presses like this have in the past been significant impediments to legislation so vigorously opposed by business in Europe, so there is no immediate need to undertake operational changes, but the subject bears monitoring. We are reminded of the three or so years that were required for the original Data Protection Directive to be adopted in 1995; however, the debate process for matters of this nature has been speeded up since then.
It is conceivable that one or another of the functionalities on your website might trigger liability under the Regulation when it is finally adopted, so it would be prudent to become familiar with this subject as the Regulation evolves.
Previous directives were loosely enforced with inconsistent consequences for violations. Each member country was able to decide how best to reach the goals stated by the directive. Once finalized, the ePrivacy Regulation will provide a common definition with clearly stated consequences.
Lex specialis, i.e., the “newer law on the same subject applies in the case of inconsistencies”
Very likely, yes. If you are currently communicating with EU natural persons (either as a data controller or data processor), your company will be held to the standards set by the pending ePrivacy Regulation and the GDPR. For every EU natural person that provides their contact information, you will need to also capture their express consent prior to sending them marketing communications.
As with all forms of data privacy regulation that may impact your business, Data Services, Inc. will continue to keep an eye on ePrivacy in order to keep our readers as up to date as possible.