Despite the passage and implementation of the General Data Protection Regulation (GDPR) more than a year ago, the actual application of the law to businesses within the EU — and the world over — remains unclear.
In the wake of the GDPR’s passage, firms from a range of sectors scrambled to make internal changes. Many decisions took the form of hasty privacy statement changes, and most consumers saw their inboxes flooded with emails from brands they had long
It is clearly important, then, to prepare for upcoming legislation well in advance. The Regulation on Privacy and Electronic Communications (commonly known as the ePrivacy Regulation) is set to be discussed by the EU Member States upon the opening of Parliament next month, and savvy firms should be keeping their ears to the ground in the meantime.
Regulation is just the latest step by Brussels toward the realization of the EU’s Digital Single Market strategy and, like the GDPR, the focus of the law is a regulation that doesn’t require separate implementation into national laws.
Unlike the GDPR’s far-reaching application to every single legal person registered in, or catering to, the EU, the ePrivacy Regulation focuses on businesses providing digital communication services, using online tracking tools or engaging in direct electronic marketing.
At its core, the ePrivacy Regulation proposal is designed to protect the private lives of individuals, while still opening up new opportunities for business. Given that the Regulation pays particular attention to cookies, cookie walls, scripts and “tags”, the emergence of digital consultancies would not be a far-fetched prediction. This is especially true now that the ePrivacy Regulation’s provisions mandate the expansion of cookie and anti-spam rules to individuals and corporations alike, which would mean significant new administrative challenges for online retailers.
Further, the requirement that firms delete metadata unless consent has already been provided is sure to be another headache for online communications firms. This new stipulation is of especial relevance to companies with major Internet of Things (IoT) projects in the pipeline; for IoT businesses, storing metadata forms the backbone of most projects. Furthermore, since the new ePrivacy Regulation applies to machine-to-machine communications in addition to human communications, IoT organizations must seriously consider how well their current projects and products take consent requirements into account. IoT firms must also consider whether their metadata is processed for specific exceptions, such as billing, statistical or network management purposes.
At present, it is difficult to estimate the extent to which GDPR penalties would be applied under the ePrivacy Regulation. Given their high amount, from 2% to 4% of annual revenue, it is best to stay on the safe side of the law in this instance.
At present, firms can breathe easy: the European ePrivacy Regulation has not yet come into force, and it may take several months before it does. Still, it remains a useful exercise for soon-to-be-affected businesses to consider the implications of a legal change. It’s always better to be safe than sorry.