Enza Iannopollo is a Forrester analyst on the Security & Risk team and a Certified Information Privacy Professional (CIPP/E). This article was initially published on the Forrester blog.
Opinions expressed by EM360 contributors are their own.
Just a few months after the European Parliament approved the final version of the new General Data Protection Regulation (GDPR), the European Commission is working on updating yet another set of privacy rules. The European Commission has published a new text that, when approved, will replace the current ePrivacy Directive: the EU law that ensures confidentiality of communication and the protection of personal data in the electronic communications sector.
While the Commission plans to complete the reform process quickly enough for the new law to come into force in May 2018 together with the GDPR, the road ahead is long and tortuous. In fact, both the EU Council of Ministers and the EU Parliament must agree on and approve the final text.
While EU policy makers aspire to finalize a new version of the ePrivacy Directive that goes hand-in-hand with the GDPR, it’s a task for all companies to update their processes, technology, workforce’s expertise, and oversight mechanisms to comply with both sets of rules. To meet compliance requirements consistently and without redundancies, it’s crucial that firms understand what’s changing and how ahead of time. According to the proposed text, the new ePrivacy law will:
1. Be a regulation. Like the GDPR, the updated version of the ePrivacy Directive will be a regulation. This means that one single law will apply to all countries of the European Union. It’s good news for firms doing business across Europe, as they will not need to struggle with 27 different versions of the rules.
2. Have fines up to 4%. In line with the GDPR, the new regulation will also include fines of up to €20 million, or 4% of a company’s annual global turnover, whichever is higher. This is one more reason for firms to treat the updated version of the ePrivacy Directive with the same rigor as the GDPR.
3. Reach companies beyond telcos. The new rules will apply not only to traditional telcos, but also to providers of electronic communications services, including internet access, instant messaging applications, e-mail, internet phone calls, and personal messaging provided through social media. In practice, all firms that provide Europeans with products such as text messaging and calls, including OTT companies – those that use an internet connection to provide communication services – will face the same regulations as standard telecoms groups.
4. Require explicit consent to process data from customers’ communications. Companies that wish to process customers’ data from their voice or internet communications, for example by scanning their emails to serve personalized advertisements, will need to consult the supervisory authority (the data protection authority in most cases) beforehand and gather explicit consent from customers to do so. Firms will also need explicit consent to process metadata, such as the duration of calls and their location, in order to provide additional services to their customers.
5. Make it more difficult to track customers’ online activities. Companies that wish to access information stored on customers’ devices and terminal equipment can do so with customers’ consent and for transparent and specific purposes. But firms that place simple cookies for purposes such as measuring traffic on a website will not need to gather users’ permission. For tracking cookies – especially third-party cookies – and in line with the principle of privacy by design contained in the GDPR, the updated text of the ePrivacy Directive requires web browsers to ask users upon installation whether they want to allow websites to place cookies on their browsers.
6. Call for transparent notices when tracking customers’ physical activities. Firms that scan their customers’ physical devices to know, for example, how many people are in a queue or whether a new customer is entering their shop, must inform customers about this activity. Notices must contain information about the extent of the area where the tracking takes place, why it is done, who is responsible for the initiative, and how the customer can take control over the tracking, including opting out of it.
7. Give new rights to users. Users can object to the processing of their communication data. The law also allows for potential compensation of users who have suffered material or non-material damage as a result of an infringement of the rules.