Despite the passage and implementation of the General Data Protection Regulation (GDPR) more than a year ago, the actual application of the law to businesses within the EU — and the world over — remains unclear.
In the wake of the GDPR’s passage, firms from a range of sectors scrambled to make internal changes. Many decisions took the form of hasty privacy statement changes, and most consumers saw their inboxes flooded with emails from brands they had long forgotten about.
ePrivacy Regulation
It is clearly important, then, to prepare for upcoming legislation well in advance. The Regulation on Privacy and Electronic Communications (commonly known as the ePrivacy Regulation) is set to be discussed by the EU Member States upon the opening of Parliament next month, and savvy firms should be keeping their ears to the ground in the meantime.
The ePrivacy Regulation is just the latest step by Brussels toward the realization of the EU’s Digital Single Market strategy and, like the GDPR, the law takes the form of a regulation, which doesn’t require separate implementation into national laws.
Unlike the GDPR’s far-reaching application to every single legal person registered in, or catering to, the EU, the ePrivacy Regulation is focused on businesses providing digital communication services, using online tracking tools or engaging in direct electronic marketing.
Cookies
At its core, the ePrivacy Regulation proposal is designed to protect the private lives of individuals, while still opening up new opportunities for business. Given that the regulation pays particular attention to cookies, cookie walls, scripts and “tags”, the emergence of digital consultancies would not be a far-fetched prediction. This is especially true now that the ePrivacy Regulation’s provisions mandate the expansion of cookie and anti-spam rules to individuals and corporations alike, which would mean significant new administrative challenges for online retailers.
Metadata
Further, the requirement that firms delete metadata unless consent has already been provided is sure to be another headache for online communications firms. This new stipulation is of especial relevance to companies with major Internet of Things (IoT) projects in the pipeline; for IoT businesses, storing metadata forms the backbone of most projects. Furthermore, since the new ePrivacy Regulation applies to machine-to-machine communications in addition to human communications, IoT organizations must seriously consider how well their current projects and products take consent requirements into account. IoT firms must also consider whether their metadata is processed for specific exceptions, such as billing, statistical or network management purposes.
Enforcement
At present, it is difficult to estimate the extent to which GDPR penalties would be applied under the ePrivacy Regulation. Given how high they are, from 2% to 4% of annual revenue, it is best to stay on the safe side of the law in this instance.
Next Steps
At present, firms can breathe easy: the European ePrivacy Regulation has not yet come into force, and it may take several months before it does. Still, it remains a useful exercise for soon-to-be-affected businesses to consider the implications of a legal change. It’s always better to be safe than sorry.