ePrivacy Regulation: What is it and how does it affect me?
We look at the new rules designed to maintain user privacy in the digital age
Just when businesses were starting to get comfortable with all the various compliance requirements of the EU's General Data Protection Regulation, along comes a brand new regulatory obstacle to scale in the form of the ePrivacy Regulation.
Set to come into effect this year, the new law has been designed to ensure the protection of user privacy while their data is being communicated from one party to another. It has also been shaped to work in tandem with GDPR - in fact, it should have come into force at the same time as GDPR on 25 May 2018, but the law has faced repeated roadblocks from lobbyists.
ePrivacy Regulation vs GDPR
The ePrivacy Regulation will replace the EU's existing ePrivacy and Electronic Communications Directive 2002, which was implemented in the UK in 2003.
The fact that the new law is a 'regulation' is important, as that means it will be a legal act and enforceable in its entirety across all member states, much like GDPR. That's instead of a directive, which allows each member state to introduce its own mechanisms for the law provided they match the spirit of the original directive.
While GDPR is concerned with the protection of personal data and ensuring the smooth flow of data between member states, the ePrivacy Regulation focuses more on the protection of privacy when that data is being communicated electronically.
The ePrivacy Regulation was due to come into force on 25 May 2018 alongside GDPR; however, continued deliberation and lobbying over some of its finer details have delayed its enactment. It's unlikely that the regulation will be passed until the second half of 2019, and it could be delayed even further into 2020.
The two EU laws not only deal in similar subject matter, but the ePrivacy Regulation will also be lex specialis to GDPR. In other words, ePrivacy will deal with specific subjects, applying particular rules around those subjects, while inside the scope of GDPR - that's to say that GDPR provisions will operate above ePrivacy and continue to apply to wider protection areas that ePrivacy does not cover.
When it comes to implementation, the regulation includes a provision that allows each member state to introduce additional mechanisms to help with the application and interpretation of ePrivacy within the context of existing national laws. That's to say that while the regulation applies to all member states, how it's applied may differ.
What does ePrivacy Regulation cover?
The regulation states that "electronic communications data should be defined in a sufficiently broad and technology-neutral way so as to encompass any information concerning the content transmitted or exchanged... and the information concerning an end-user of electronic communications services processed for the purposes of transmitting, distributing or enabling the exchange of electronic communications content; including data to trace and identify the source and destination of a communication, geographical location and the date, time, duration and the type of communication."
Communications are protected regardless of whether the data is transmitted by wire, radio, optical or electromagnetic methods. That means communication data sent via satellites, cables, fixed networks, and electricity cable systems falls under the ePrivacy Regulation.
Such data should always remain confidential, and any interference with the communication of that data, either directly by a human or through automated processes, without the consent of the user, is prohibited. Interference in this context can occur at any time during the transfer of that data or metadata, including during its transmission and at its destination. For example, listening to calls, scanning electronic messages, monitoring visited websites, and monitoring interactions between users all constitute a breach of the regulation.
The last iteration of the ePrivacy Directive (which the ePrivacy Regulation is set to replace) came in 2009. Since then, how we communicate electronically has grown and changed massively, and the new regulation has been designed to take account of this and ensure personal privacy is maintained.
There are several key aspects:
OTT services and metadata
Today our online communications are characterised by 'over the top' (OTT) services. Most of us use OTT services every day, maybe without even realising that's what we're doing. OTT services sit on top of the services provided by our network provider, and they are 'fronted' by a named service or app. Think of Skype, WhatsApp, Facebook Messenger, or even Internet TV services.
The regulation intends to bring these services within the scope of EU privacy protection rules, to ensure they are bound by the same confidentiality of communications rules as traditional telecommunications providers.
There will be privacy controls for communications content and for the 'metadata' that is associated with it, such as the time of a call, or the location you are calling from. The new regulation will require that metadata is anonymised or deleted if users don't give their consent to such data being stored.
Cookies
The draft regulation states: "currently, the default settings for cookies are set in most current browsers to 'accept all cookies'. Therefore providers of software enabling the retrieval and presentation of information on the internet should have an obligation to configure the software so that it offers the option to prevent third parties from storing information on the terminal equipment; this is often presented as 'reject third-party cookies'."
The new regulation recognises that there has been something of an excess of cookie consent requests from websites. The new regulation aims to make it easier for browser settings to allow blanket acceptance or refusal of tracking cookies and other identifiers, and will clarify that consent is not needed for non-privacy intrusive cookies aimed at improving our internet experience (such as those which remember shopping cart history) or cookies used by a website to count visitors.
Companies will be obligated under the new regulation to ensure users are given the option of setting higher-level cookie policies, such as a blanket 'never accept cookies', as well as those at a lower level, such as 'reject third-party cookies', presented in a form that's clearly visible and easy to understand. Clear, affirmative action from the user is also required, and this choice will need to be offered to users at the point of installation of new software. Importantly, those users that have previously given their consent must be given options to easily withdraw their consent at a later date.
However, cookies deemed to be 'non-privacy intrusive', such as e-commerce cookies that remember shopping cart histories, something we've become used to as internet users as part of an enhanced experience, will not be subject to restrictions under the regulation. Those that generate overly intrusive adverts will, of course, not be exempt under this category.
Marketing and spam
The regulation states: "Direct marketing refers to any form of advertising by which a natural or legal person sends direct marketing communications directly to one or more identified or identifiable end-users using electronic communications services. In addition to the offering of products and services for commercial purposes, this should also include messages sent by political parties that contact natural persons via electronic communications services in order to promote their parties. The same should apply to messages sent by other non-profit organisations to support the purposes of the organisation."
Unsolicited communication through channels such as email, SMS, MMS, instant messaging, Bluetooth, and automated calling machines will be banned under the regulation. National laws will affect how this is implemented, and people might be protected either by default or through existing 'do not call' lists that are set up to prevent marketing phone calls.
Marketing calls will need to be identified by a mandatory prefix - primarily so that users have a clear idea of who they are receiving communications from if they wish to withdraw their consent for that particular company.
The regulation also states that it's "justified to require that consent of the end-user is obtained before commercial electronic communications for direct marketing purposes are sent to end-users in order to effectively protect individuals against the intrusion into their private life as well as the legitimate interest of legal persons."
Excluded within this is the case of a company using email contact details to offer similar services or products to those customers with an existing relationship with said company, provided those details were obtained in accordance with GDPR.
Internet of things and public Wi-Fi
The regulation also aims to bring the most cutting-edge communication technology under its umbrella - specifically the communication of data across IoT networks and devices.
As the regulation states: "the transmission of machine-to-machine communications involves the conveyance of signals over a network and, hence, usually constitutes an electronic communications service. In order to ensure full protection of the rights to privacy and confidentiality of communications, and to promote a trusted and secure Internet of Things in the digital single market, it is necessary to clarify that this regulation should apply to the transmission of machine-to-machine communications."
Publicly accessible wireless networks, namely 'Wi-Fi hotspots', will also be subject to the regulation, regardless of their location, the company providing the service, or the method by which that service is delivered. Those that are closed to the public, such as business networks, aren't subject to the ePrivacy Regulation.
Where has it come from?
The ePrivacy Regulation has not come out of the blue. It's the latest in a line of regulations which successively updated and replaced each other. The most famous of these is often referred to as 'the Cookie Law', which came into force in May 2011, and remains in place until it is superseded by the ePrivacy Regulation. This brought in the right for users to opt out of cookie tracking on sites they visit.
What are the penalties for breaches?
The regulation lays out penalties for a breach in Article 23, which outlines different penalties for different infringements - the same sanctions that apply under GDPR also apply under the ePrivacy Regulation. Penalties range from up to €10,000,000 or 2% of worldwide annual turnover for some minor incidents, to up to €20,000,000 or 4% of worldwide annual turnover for more serious breaches - whichever is the higher in each case.
As we have seen with the application of the UK's Data Protection Act 2018 and GDPR, the eventual fine is heavily dependent on a number of mitigating factors, such as the scale of the incident, whether a breach of regulation occurred as a result of a deliberate act, and how diligent the company was in trying to prevent such incidents from happening.
Will it apply in the UK?
The short answer is yes.
In order to achieve whitelisted status from the EU, and thus be deemed a safe zone under GDPR, the UK has been required to pass its own updated Data Protection Act 2018. The idea is to create harmony across the continent and prevent a halt to the transfer of data once the UK leaves the EU, which at the time of writing is set for 31 October 2019.
Brexit is therefore unlikely to affect the ePrivacy Regulation, as the UK will want to adhere to the same principles. Additionally, given that the regulation covers technologies and communications that cross territories, the majority of businesses will have to comply even if they're based outside of the EU.
In much the same way as the Information Commissioner's Office is responsible for enforcing the UK's data protection laws, it will be similarly responsible for policing the ePrivacy Regulation, although how it will go about that is still to be determined.