Last year, many businesses in the EU and around the world alike have been extremely busy trying to make themselves compliant with the General Data Protection Regulation (GDPR). A lot of them have managed to do so, to an extent (much of the GDPR’s actual application is still unclear), but even more are still struggling.
To avoid making hasty decisions and writing flawed privacy policies, it’s always helpful to prepare for any relevant upcoming legislation in advance. The Regulation on Privacy and Electronic Communications (commonly known as the ePrivacy Regulation) is due to be discussed by the Member States next month and is a good example of such legislation. It’s the latest step towards the realization of the EU’s Digital Single Market strategy.
GDPR’s lex specialis – the ePrivacy Regulation replacing the current ePrivacy Directive– has first been proposed in 2017. Its legislative function is supposed to be to serve as complementary to the GDPR in relation to electronic communications data that qualifies as personal data (cookies, etc.).
Like the GDPR, this law is a regulation and doesn’t require implementation into national laws. Unlike the GDPR that applies to every single legal person registered in, or catering to, the EU, the ePrivacy regulation’s subjects are going to be businesses providing digital and online communication services, using online tracking or engaging in direct electronic marketing. WhatsApp, Viber, Facebook, etc. are the obvious examples.
Last month, the Finnish government has put forward a proposal to amend the Regulation, particularly in relation to its scope. This proposal will be discussed by the EU Council next month. We’ve taken a look at what they’ve proposed and considered its possible significance for the law and the Digital Single Market in general.
Currently, Article 6 of the ePrivacy Regulation proposal outlines permitted processing of electronic communications data by the providers of electronic communications network and services. The article is split into two sections related to metadata processing and content processing. The Finnish government has proposed to split Article 6 into four different provisions – 6, 6a, 6b, 6c. The split is as follows:
– 6 – “All e-communications data (metadata and content alike);
– 6a – “E-communications content”;
– 6b – “E-communications metadata”;
– 6c – “Further e-communications metadata processing”.
In addition, a general rule was added to Article 6, stating that data can only be processed for the duration of time necessary for fulfilling permitted purposes, and if those purposes can’t be fulfilled by processing anonymized information. These amendments primarily purport to the need to clarify the scope of the ePrivacy Regulation and uphold the principle of secrecy of e-communications (content and metadata), save for specific exceptions.
Another amendment is to the Recital 32. This recital is about direct marketing – advertising directly to the end-user. The new proposal limits the Regulation’s application to targeted advertising, which was previously covered. In the edition revised by the Finnish government, advertising that’s only “sent” for the “reception of a specific end-user” constitutes direct marketing, whereas previously it could be “presented” as well as “sent” for the Regulation to be applicable to it.
Finally, the Finnish government put forward an amendment to Article 16. This one is about unsolicited communications (commonly known as “spam”). Here, they’ve omitted “presented” the same way as in Recital 32. In other words, if the Finnish proposal is approved by the rest of the Member States, online targeted advertising shall not be considered unsolicited communication and direct marketing and would, therefore, be excluded from the scope of the regulation.
What Do These Amendments Mean?
In essence, the ePrivacy Regulation proposal is supposed to function to protect the private lives of individuals and to open up new opportunities for businesses. One can argue that the GDPR has already done the latter, given the rise of various DPaaS and DRaaS service providers across the world that we’ve covered earlier this year.
Given the comprehensiveness of the new rules related to cookies, cookie walls, script and “tags”, provided by the ePrivacy Regulation, it wouldn’t be a stretch to say that we would soon see the emergence of digital consultancies and start-ups providing something akin to “Cookies-as-a-Service” in the EU. And given the immensely increasing influence of the Internet of Things (IoT) and the new subject of the ePrivacy Regulation which is machine-to-machine communications, I’m confident we’d see something like IoT-security-as-a-service just as soon. And of course, one can’t forget the increased spending on cybersecurity insurance – with the ePrivacy Regulation coming into force, that industry might just get another boom.
Together with the amendments made by the Finnish government that we described above, the ePrivacy Regulation’s provisions deviate substantially from the current ePrivacy Directive that’s been in force since 2002. For instance, the cookie rules and the anti-spam rules would apply to individuals and corporations alike, which would mean significant new administrative challenges to B2B webshops, for instance.
The requirement to delete metadata, unless consent has been provided and unless the current exceptions apply is another challenge. This could be particularly relevant to those companies who have big IoT projects in the pipeline. It’s never too early to start thinking about the security of the communications within the projects. For some IoT businesses, storing metadata is necessary for a project to work correctly – after all, they literally run on all kinds of data. Since the new Regulation applies to machine-to-machine communications as well as human communications, the IoT organizations would have to seriously consider whether their projects and products take into account the consent requirements and/or whether their metadata is processed for specific exceptions, such as billing, network management or statistical purposes. The clarity the Finnish proposal is aiming provide to the rest of the Member States and the businesses alike could be pivotal for the organizations’ awareness of what would need to be done under the Regulation.
How will Compliance Be Enforced?
Lastly, the enforcement of the Regulation. Its confidentiality rules would be enforced by the Member States’ data protection authorities, same as with GDPR. The fines would be the same as the GDPR’s under the Regulation:
– up to 2% of the annual revenue or 10m EUR (whichever is higher) for infringements of protection of information stored in end-user’s terminal equipment (Art. 8), misinformation about privacy settings (Art. 10), publishing personal data in public directories without consent (Art. 15), and violation of Article 16’s provisions on spam;
– up to 4% of the annual revenue or 20m EUR (whichever is higher) for infringements of confidentiality principle, permitted e-communications data processing, or time limits for erasure, as well as non-compliance with an order of a supervisory authority.
As the precedents of GDPR penalties show, the fines can vary, and it’s hard to estimate the extent to which they would be applied under the ePrivacy Regulation. However, given their high amount, it would be unwise for businesses to ignore them.
These fines would be partially at the Member States’ discretion. However, a uniform framework for enforcement, scope, and subjects was long overdue, according to the European Commission’s Impact Assessment.
Too long, the personal data and general laws related to digital marketing have been applied very differently across all 28 Member States (and with the uncertainty of Brexit, uniformity is needed more than ever). It was placing a great burden and costs on SMEs who wanted to conduct their activities across the European Union’s entire digital space. And in turn, the citizens didn’t have a clear idea of what was being done with their data collected online and were quite annoyed with constant marketing e-mails.
The flux of GDPR-related emails many of us have received in the first half of 2018 might have been just as annoying, but it has at least raised awareness of privacy and personal data protection.
Where Do Digital Businesses Go from Here?
Of course, at the moment the ePrivacy Regulation hasn’t come into force yet and it might take a few months before it actually does. However, it’s useful for businesses to take its text into account, at least in the spirit, and start working on solutions that are compliant by design. The best way to avoid risk is, after all, to be prepared, especially taking into account the GDPR-mirroring fines we should be expecting upon its implementation.