Here we go again, a new European regulation is on its way and it could have a major impact on businesses. GDPR’s ‘little brother’, as the ePrivacy Regulation (ePR) is sometimes (albeit erroneously) dubbed, will replace the current telecommunication regulation. The regulation is designed to protect not only the communication of European consumers but also all their online activities.
Here’s some background information: The ePrivacy Regulation was conceived to represent the interests of the consumer when it comes to electronic communication. This was urgently needed because the Telecommunications Act was very outdated. In 2002, there was a European ePrivacy Directive but, as the name suggests, it was only a directive and not a law. And don’t forget, 2002 is 17 years ago, which is an eternity in the technology sector! We can therefore safely say that the directive wasn’t really fit for purpose anymore.
Referring to the ePR as GDPR’s ‘little brother’ isn’t actually correct. It might even be fair to say that it’s the other way round. The GDPR is, in fact, a ‘lex generalis’ or ‘general law’ whereas the ePR is ‘lex specialis’ or ‘special law’. This legal lingo highlights an important difference: the GDPR provides the basis and the ePR is an extension of the general law. In other words, when it comes to electronic communication, the (stricter) ePR is what’s actually in force – which makes sense since it’s an addition to the GDPR and will probably have a broader scope. The original intention was that both laws would enter into force together but, because the ePR has been so controversial, its introduction was delayed.
Anyone who thought that the GDPR covered all legislation is in for a surprise. The GDPR sets clear guidelines for the handling of personal data, but the ePR goes even further. Although the texts for the ePR are not final yet, there are already some notable differences:
The GDPR protects your personal data but the ePR protects all forms of communication – which means not only your personal data but also all your communication’s content and metadata. The ePR will also apply to legal entities, which was not the case with the GDPR.
2. Direct Marketing
Under the GDPR, ‘legitimate interest’ can be assumed whereas, with the ePR, you can only contact people for direct marketing if you have their explicit consent. Whether the rules will apply to both B2B and B2C remains to be seen. Lobby groups are still trying to get a distinction between the two into the law. There will also be stricter rules for telemarketing. Requirements to use a visible number and a special prefix for marketing calls are among the possibilities.
3. Data Security
The GDPR is already very strict when it comes to personal data, and the ePR will be even stricter. The law is intended to further improve the security of our communication. This means that ‘new’ services such as Skype, WhatsApp and iMessage will have to comply with the same strict rules as SMS. In other words, both the content of your message and all the metadata will have to be secured.
But how does this impact our sector? Well, that’s not entirely clear yet. A first version of the legislation was drawn up in 2017, but many parties were not able to agree to it. This, of course, does not mean that we have no idea what it will contain. The following points will certainly have a place in the ePR:
1. Voice over IP (VoIP) and Instant Messaging
As the current legal framework is out of date, VoIP and direct messaging have so far not been mentioned. This will almost certainly change in order to bring messaging services like WhatsApp into the scope of European law, which means they’ll also need to comply with the much stricter rules relating to data security.
2. Cookies
The 2002 ePrivacy Directive focused heavily on cookies already, but this will be refined even further in the ePR. The old legislation received a lot of criticism because it was seldom clear to users what it permitted. Many people simply accepted cookies in order to get rid of the banner – which often meant agreeing to tracking cookies.
The GDPR already mentions that the user must give ‘specific and unambiguous’ consent and it looks like this aspect will also be included in the ePR. This means the user will need to be given a clear idea of which cookies are collected and why. Denying users access to your website unless they accept cookies, so-called ‘cookie walls’, will be prohibited. But there is good news as well: some cookies will no longer require permission.
3. Device Fingerprinting
The collection of data through the user’s device will still be allowed under certain conditions. The website visitor must be clearly informed about the data that you collect and they must also have the choice to opt-out. You can only collect data that’s paramount to making the connection possible.
We still have to wait for a final version of the ePR and we can only guess at the implementation date. Considering the fact that there is no final text yet, that won’t occur before 2020 at the earliest. What is certain is that the rules for all forms of electronic communication will become even stricter. To take concrete measures, we’ll have to wait for the final version of the legal texts. But don’t wait too long to get started because the ePrivacy Regulation fines will be just as high as those of its little brother.