Online cookies used to track behaviour online are commonplace in the modern internet world, serving many functions, from storing login information to telling websites which pages you visit. In 2011, EU member states implemented their respective cookie policies, dictated by amendments made in 2009 to the EU directive for privacy and data protection online. But what do these rules mean for UK...
ePrivacy regulation is on the way! What do you have to expect?
The jungle of digital guidelines is becoming murkier by the day. While online privacy policies are already slightly standardised under the Data Protection Act, discussion as to legislation specific to the UK and dealing strictly with online security is still underway. There has also been discussion in the EU, which may not directly affect UK users in the future, but is still worth keeping an eye on. The fruits of that discussion: The EU ePrivacy regulation. With this, the European Union wants to formulate binding data privacy regulations with EU-wide applications. These policies will not have any direct effect on internet services operating within the United Kingdom, but will be important to know for anybody looking to operate their online practices within the borders of the EU. It hasn’t yet been determined, though, when the EU’s ePrivacy Act will come into force and which requirements it will bring with it for the digital industry.
As a result, there’s a lot left unclear. In this article, we’ll inform you about what we know so far, so that you can get a picture of what to expect.
The ePrivacy regulation is not identical to the EU General Data Protection Regulation (GDPR), which is set to come into effect starting May 2018. Read more about this regulation in our detailed article.
What is ePrivacy all about?
With the ePrivacy regulation (officially: Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications), the European Union wants to strengthen the online privacy sphere of citizens and intensively regulate data protection. Basically, it’s concerned with restoring people’s trust in digital communication channels. Officially, at least, ePrivacy should bring about a reinforcement of the digital single market. It’s the third, and presumably last, measure of a European digital initiative. There’s also a desire to introduce Europe-wide regulations so that companies on the internet (at least within the EU) don’t run into issues as a result of national borders.
With this initiative, the EU embarks on a path that’s more than necessary: The internet, as we all know, knows no borders. But what exactly does the European authority anticipate with the ePrivacy regulation? It’s important to first establish that the ePrivacy Regulation will affect more companies than any previous data protection policy. The requirements that are made this time are aimed specifically at software providers, for example, at providers of apps like WhatsApp or Skype – basically at the entire online industry.
The World Wide Web Consortium (W3C) also took a critical look at privacy protection. The result was the do-not-track-HTTP-header, which many popular browsers already support. With this, users can set the preference in the browser that they don’t want any tracking. The HTTP header then forwards this information to the website. At the moment, though, website providers are not obligated to comply with this wish. This could be changed with the EU’s ePrivacy regulation. It goes one step further, though, because according to the regulation, not only the browser but also all other technology for data transmission is supposed to be privy to the data protection.
The draft for ePrivacy also includes machine-to-machine communication. This is the EU’s response to the challenges of the Internet of Things. For these types of data transfer, the same should go for such instances where users are directly involved. The plan is that devices will only transfer personal data if the user has agreed to it. This could apply to GPS data for smartphones, for example. In general, it should apply that users must be informed about which data is being collected from them and for what purpose. Therefore, it shouldn’t be possible to hide an agreement in the GTCs or link it to another service. For example, if user data needs to be transferred for online shopping – as it always does – this is allowed. It should not be allowed, though, to use this data for advertising purposes at the same time. For this, a new, specific agreement would be needed.
The ePrivacy regulation shouldn’t be limited to the tapping of personal data by companies, though. Intervention on the state side should also be strongly regulated by ePrivacy. An end-to-end encryption should be obligatory: All data transmissions should be fully encrypted and not viewable by governments. The introduction of backdoors is also to be forbidden: Backdoors that the producer build to grant access for government would be illegal.
ePrivacy shifts away from the internet when it comes to direct marketing: While nothing changes in the principle of e-mail marketing, the regulation intends to more strongly regulate telephone marketing in particular. The proposal says that telephone calls for solicitation purposes should only be allowed if the caller reveals their telephone number or if they use an integrated code to indicate that it’s an advertising call.
ePrivacy regulation vs. ePrivacy guidelines vs. general data protection regulation
The ePrivacy regulation partially exists to replace the old ePrivacy guidelines and partially to supplement the GDPR. The old regulations have existed since 2002, and were expanded in 2009. However, a European community guideline is not directly effective and binding law, but instead directives that have to be converted into national law. As a result, individual nations are afforded a longer period. In the case of the regulation, the situation is different: As with the GDPR, it’s an EU-wide law that’s binding for all countries and comes into effect immediately. The law can grant a transitional period, though, for example, like the basic data protection did: The GDPR doesn’t apply to all citizens until 25 May 2018.
The introduction of the GDPR this year will create even more confusion, though: What do you need to stick to now? As soon as the ePrivacy regulation also takes effect, the answer is simple: to both! The plan is that the regulations in ePrivacy will make the GDPR more concrete. The ePR (as the new regulations will be called) should be a lex specialis. This means that it has priority over the basic data protection regulation – a lex generalis. The GDPR is more general, and should be made clearer by the ePR through specific points with definite rules. The data protection regulation is not specifically tailored to the internet. ePrivacy will better protect this area.
Neither the GDPR nor the ePrivacy regulation render any state data protection laws obsolete. This has already been decided in the GDPR, and the ePR should also contain the opening clauses: local regulations should be able to influence certain sections of the regulation when it comes to implementation details. Individual lawmakers must change or adapt points that are inconsistent with EU laws, however.
When will the ePrivacy regulation arrive?
The ePrivacy regulation has been discussed since April 2016, but has not yet come to a binding conclusion. In January 2017, the European Commission published its first draft. Subsequently, multiple committees issued responses to the Commission’s proposals, which eventually led to the EU Parliament’s own draft in October 2017 (the GDPR had already been decided at this time). Almost one month later, the EU Council Presidency published an assessment report, in which the current state of things was summarised. At this point, it’s the most current publication. The next move is for the EU Council to decide on the draft.
Originally, it was planned that ePrivacy and the GDPR would take effect at the same time. This plan has long since been abandoned. It’s now assumed that a decision will be reached at the beginning of 2019 at the earliest. Since a year-long transition period is also predicted for the ePrivacy regulation, there won’t be any need to reckon with an immediate implementation of the draft. To which extent the draft will still be changed can’t yet be predicted. However, it’s fairly likely that this won’t remain as the final version.
Criticism of the draft
Cuts made by an ePrivacy regulation such as the one currently under negotiation affect operators of internet services and the online marketing industry, in particular (in addition to citizens whose privacy is to be protected). So, it’s not very surprising that the greatest criticism is drawn from these areas. The advertising industry, in particular, finds fault with the EU project.
- More effort for users: The industry expects that users in the future will be overwhelmed by the amount of approvals that would be required by the ePR. This is assuming that for each individual transmission, a specific approval would have to be given.
- Financing for online media at risk: The biggest point of criticism is that ad-financed online media are in danger. At the moment, there are individual blogs, newspaper websites, and other media in our business model that are dependent upon pop-up ads. Users don’t pay with monetary value, but instead through ad consumption. The number of pop-ups is based for the most part on data that’s collected by advertisers through tracking. If the ePrivacy regulation takes effect in its current form, then such advertisements would only be possible when paired with explicit approvals that most users probably would not give. Parts of the online marketing industry are apprehensive that the free availability of information on the internet could be prevented.
- No coherence with GDPR: There are contradictions visible with the GDPR. For this reason, the concerned organisations assume that the new regulation won’t bring more clarity in data protection for online communication, as envisaged by the European Commission, but rather lead to more legal uncertainty. Some are afraid that changes in the business model being made now for the GDPR will be changed even further in the future.