While quite some organizations are investing to be more or less compliant with the upcoming European General Data Protection Regulation (GDPR) and others are still trying to get their heads around it and aren’t even in the awareness stage, another EU Regulation requires your attention: the new EU ePrivacy Regulation.
This Regulation, which in January 2017 was published as a proposal text, aims to be an update of the EU’s existing ePrivacy legal framework, more specifically the EU ePrivacy Directive which goes back to 2002 and was revised in 2009, requiring prior consent regarding cookies.
Since then the Directive on Privacy and Electronic Communications (Directive 2002/58/EC and the 2009 update, Directive 2009/136) often was called the cookie law by the marketers and Web folks among us (and is the reason why you see cookie consent popups on many websites, including ours) since it became national law in EU countries with a gradual implementation, national differences and, let’s say relatively inconsistent enforcement across these countries.
Attention though: the ePrivacy Directive and Regulation isn’t just about cookies. It concerns electronic communications and the right of confidentiality, data/privacy protection and more. In other words: personal data protection.
Electronic communications means that it includes the Web, the Internet (email, apps, you name it), telephone, instant messaging and so on. So we are also talking about spam, direct marketing, telecommunication firms, mobile app developers, online advertising networks and, often overlooked, the Internet of Things (IoT), among many many others. A look at the text and the impact. Ready? Go!
Table of Contents
- 1 ePrivacy: from a Directive to a Regulation
- 2 New stipulations and consequences of the coming ePrivacy Regulation
- 2.1 The EU ePrivacy Regulation and cookies
- 2.2 The ePrivacy Regulation and the Internet of Things
- 2.3 The ePrivacy Regulation and Over-the-Top communication services
- 2.4 The ePrivacy Regulation, direct marketing and email marketing
- 2.5 The impact of the correlation with the GDPR
- 2.6 (Tele)communications content and metadata
- 3 When will the new EU ePrivacy Regulation come into action?
- 4 More EU ePrivacy Regulation resources
ePrivacy: from a Directive to a Regulation
Why is this coming new ePrivacy Regulation important, why is it needed and how is it different?
First of all note the difference in the terms: whereas now we have an ePrivacy Directive, the newcomer is called an ePrivacy Regulation. This means that the new ePrivacy Regulation is self-executing and becomes legally binding across the EU, whereas its predecessor, the ePrivacy Directive, required local regulations for implementation with the mentioned inconsistent enforcement as one consequence.
Secondly, the current ePrivacy Directive came as a complement of the EU’s Data Protection Directive. It’s exactly this Data Protection Directive that is being replaced by the General Data Protection Regulation or GDPR in 2018. As a consequence but also to ‘improve’ the current so-called ‘cookie law’ and, among others, include new forms of electronic communications (IoT and more), the new ePrivacy Regulation complements the GDPR and in pretty much the same way strives towards uniformity across the single digital market as a Regulation instead of a Directive.
New stipulations and consequences of the coming ePrivacy Regulation
Is that all? No. The new ePrivacy Regulation of the EU also goes several steps further than the current laws which exist as a result of the current Directive.
We tackle the majority of aspects and impact of the “new” ePrivacy Regulation but for a very handy overview of pretty much everything below is a slideshare you can first go through in order to get the specifics.
Although the ePrivacy Directive has become known as the cookie law to some, as said it’s about more than just cookies.
But cookies and cookie consent are among the most visible aspects and there is also quite a bit that is poised to change in this regard.
The ePrivacy Regulation AIMS to simplify the rules regarding cookies and streamline cookie consent in a more ‘user-friendly’ way. As such that is great news. In practice it, among others means that EU websites and websites with EU visitors, will not need to show those cookie consent pop-ups anymore. Hurray, that is indeed more user-friendly and less of a hassle for website owners (for us it’s another plug-in that can go).
Easier cookie rules: yes and no
HOWEVER, the current proposal says that browser settings will enable website visitors to accept – or refuse – cookies, as well as other ‘identifiers’.
Using browser settings for cookie consent/refusal de facto means that you’ll see more and more websites that show pop-ups saying “sorry, no visit if no cookies” as we already see with adblockers. So, it seems that one pop-up is indeed being replaced by another one, on a site level (unless the site doesn’t care about cookies which is not really the case for publishers nowadays). This is one of the most heard concerns from delegations and food for discussions as you can read below: the fact that the suggested cookie method will simply miss its goal.
For some cookies there is good news. In the proposal it is also foreseen that consent is not needed for “non-privacy intrusive cookies” which improve the Internet experience of the user.
Examples include e-commerce cookies, remembering shopping cart histories and cookies for Google Analytics and the many others. It’s not very likely that cookies for online advertising will be interpreted as improving the Internet experience, although opinions will obviously differ.
Advertising and marketing cookies: not simple at all
Now, all is not said yet and of course work had been done to prepare the draft text, including discussions with various stakeholders, also in the advertising space.
In the 432-pages report made by Deloitte for the European Commission you can read the reasoning on the pros and cons of first-party and of course third-party cookies (“the backbone of digital advertising”). A link to it and all other sources below.
We don’t have to tell you that with all the marketing automation, audience measurement (on online media properties), connected databases of third-party cookies (for instance, enabling retargeting to name something still relatively simple), social network cookies, analytics cookies and so forth there is a whole lot of cookies going on. In the so-called ‘Cookie Sweep’ in 2014, it turned out that on average there were about 28.9 cookies on the analyzed media, public sector and e-commerce sites (in the EU), 70% being third-party cookies as the Deloitte report also mentions.
Cookies beware: major fines
Even if we deduct the ones where consent won’t be needed anymore it’s still a lot and we don’t think this debate is over. It is – to say the least – complex and changes quite some things.
Moreover, the stakes are high: did we mention that the same fines as in the GDPR apply? Indeed, you read that right. High fines and little margin for error in a heck of a difficult context.
It probably won’t come as a surprise that the IAB (Interactive Advertising Bureau) Europe rapidly responded as soon as the draft text was leaked, stating that it was “dismayed by the European Commission’s proposal for a new ePrivacy Regulation, the next iteration of the infamous cookie law”. Yet, so did other delegations.
From the draft text: “Currently, the default settings for cookies are set in most current browsers to ‘accept all cookies’. Therefore providers of software enabling the retrieval and presentation of information on the internet should have an obligation to configure the software so that it offers the option to prevent third parties from storing information on the terminal equipment; this is often presented as ‘reject third party cookies’. End-users should be offered a set of privacy setting options, ranging from higher (for example, ‘never accept cookies’) to lower (for example, ‘always accept cookies’) and intermediate (for example, ‘reject third party cookies’ or ‘only accept first party cookies’). Such privacy settings should be presented in a an easily visible and intelligible manner”.
The ePrivacy Regulation and the Internet of Things
From cookies we jump to something entirely different: the Internet of Things (IoT). By now we suppose people know what it is (and it’s not an it or thing but that’s another topic).
Before we start: do note that the Internet of Things is also tackled in the GDPR where, for instance, RFID tags, fall under the category of so-called identifiers (more about those online identifiers here).
In a European context we can say that the IoT is part of the backbone of Industry 4.0 and, not unimportant, in the coming years (until 2020) growth in the consumer segment of the Internet of Things is expected to be high in Western-Europe. As a matter of fact, by 2020 consumer IoT spend will jump to the third spot of IoT spend globally (until then, the market is led by respectively IoT spend in manufacturing or Industry 4.0, IoT spend in transportation and IoT spend in utilities, three segments of the Industrial Internet of Things).
However, in Western-Europe, consumer IoT already will rank second from an IoT spending perspective in 2020.
So, it’s probably noteworthy that in the proposal text of the ePrivacy Regulation, the Internet of Things is specifically mentioned and that “the principle of confidentiality which is enshrined in the Regulation should also apply to the transmission of machine-to-machine communications”. The text also calls for specific safeguards under sectorial legislation.
In the introduction, mentioning that principle of confidentiality the IoT is not specifically included but beware: it is mentioned further (and you can see it as part of ‘the current and future means on communication”).
From the introduction text: “Confidentiality of electronic communications ensures that information exchanged between parties and the external elements of such communication, including when the information has been sent, from where, to whom, is not to be revealed to anyone other than to the parties involved in a communication. The principle of confidentiality should apply to current and future means of communication, including calls, internet access, instant messaging applications, e-mail, internet phone calls and personal messaging provided through social media”.
The rules regarding to machine-to-machine communications are another concern of delegations and are and will be discussed.The Internet of Things and regulation: GDPR, ePrivacy and more
The ePrivacy Regulation and Over-the-Top communication services
Have you ever heard about Over-the-Top communication services or OTTs? In all honesty: we hadn’t.
Just as the Internet of Things is included, these new ways of communication are also subject to the ePrivacy Regulation. OK, but what are they? When we say Skype, Facebook Messenger and WhatsApp it’s probably clear enough.
So, in the new Regulation, the privacy and confidentiality and data protection rules of any company offering electronic communications services will apply to them as well: Voice over IP, instant messaging and anything else really.
Here as well, delegations asked the the Council’s Working Party on Telecommunications and Information Society to review the text.
The ePrivacy Regulation, direct marketing and email marketing
Like its predecessor, the ePrivacy Directive, the upcoming Regulation foresees various rules on spam and unsolicited electronic communications by other means such as SMS.
While spam and unsolicited electronic communications obviously aren’t marketing, we mention it under that umbrella as we know a few publishers and others that will be in for some serious surprises as they seem to keep sending “marketing” messages, even if you unsubscribed a gazillion times. Identifying other spammers is obviously another ball game.
Direct marketing also means calls and here there is something we really really like: marketing callers will need to show their phone numbers or use a prefix which indicates the call is a marketing call.
Nowadays those numbers are virtually always hidden. As a result we stopped picking them up but now and then a customer uses them as well. So, when we do pick them up and for the 694th time need to say we don’t want a subscription to a magazine that’s pretty uncool.
The impact of the correlation with the GDPR
We touched upon it previously but can’t emphasize it enough: the new ePrivacy Regulation is one single set of rules concerning all EU citizens and companies but it also ‘inherits’ several principles and stipulations from the GDPR.
Undoubtedly one that will make many people concerned (from website owners to instant messaging developers, advertisers and – hopefully – spammers) are the fines.
Two different ‘sets’ of fines exist in the proposal’s text:
- “Infringements of the principle of confidentiality of communications, permitted processing of electronic communications data and time limits for erasure”: the up to 20 Million Euros or, in the case of an undertaking, up to 4 percent of worldwide annual turnover, whichever is the highest, as we know it from the GDPR.
- “Infringements regarding obligations of legal or natural persons who process electronic communications data, the obligations of providers of publicly available directories and/or the obligations of legal/natural persons who use electronic communications services: up to 10 Million Euros or, in the case of an undertaking, up to 2 percent of worldwide annual turnover, whichever is the highest.
The further details regarding these obligations can be found in the articles 5, 6 and 7, and paragraph 1 of the text for the first set of infringements and in articles 8, 10, 15 and 16 for the second set of infringements.
(Tele)communications content and metadata
As the summary of the Regulation draft text states, privacy is guaranteed for communications content itself and for the metadata of the content.
The metadata needs to be anonymized or deleted in case there is no consent with one exception; when it’s needed for billing.
Finally the summary also states that telecommunication firms can develop new services by leveraging content and/or metadata (but see the previous statement on anonymization) when consent is given for processing. This enables them and organizations to develop new services in a Big Data scope.
Examples of this already exist in the EU, whereby whomever is interested can gain insights in data from telecommunications providers and leverage them, for instance to detect patterns and heat maps showing the location of (mobile) users.
When will the new EU ePrivacy Regulation come into action?
Originally, the ambitious intention was to let the new ePrivacy Regulation come into force by May 25th, 2018 (the same date as the GDPR).
That timeline didn’t just ambitious but also turns out to be impossible, given the fact that the draft text was published so late on one hand (January 10th, 2017) and the comments and criticism from delegations since it was published on the other.
The Council of the European Union responded on May 19 with a so-called interinstitutional file (2017/0003, PDF opens) which states that the delegations which took part in the discussion in the Council’s Working Party on Telecommunications and Information Society consider the date unrealistic.
More work is needed with several concerns to tackle and the goal is to finalize the first examination of the proposal by the end of the Maltese Presidency in June 2017. This in turn should be a ‘solid base for future progress’.
In other words: it’s unlikely that the EU ePrivacy Regulation text will be finalized and published before the third and potentially even fourth quarter and equally unlikely that it will become enforceable on the same day as the GDPR.
In the meantime obviously the current ePrivacy Directive (Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector) remains in place, which is a matter of national legislation.
It, however, remains key to include online data and identifiers such as cookies and many others in your GDPR strategy as, regardless of where and how the text will be adapted according to discussions as a result of concerns raised by delegations (the extension to OTT companies, the machine-to-machine communications stipulations, the lack of clarity in some areas, the mentioned possibility that the suggested solution for cookies will not achieve what it aims to, the overlap with other regulations and legislation and so forth), the scope remains.
Moreover, some delegations point to the legal grounds which are available in the GDPR to tackle several of the EU Privacy Regulation’s original text, among others including the permitted processing.
More EU ePrivacy Regulation resources
This is about all we’ll cover for now, stay tuned for updates. There is a lot more to say and if you are, among others, a provider of public directories, there are specific stipulations. More in the resources below.
- Read the mentioned summary by the European Commission.
- Read the full draft in (it’s “only” 35 pages, far shorter for now than the GDPR).
- Browse through the “Evaluation and review of Directive 2002/58 on privacy and the electronic communication sector” by Deloitte which served as a guide/basis (it’s only 432 pages).
- Press release regarding the EU ePrivacy Regulation
- Infographic, which we used above (PDF)
- The comments by delegations and steps forward as published by the Council of the European Union with regards to the ePrivacy Regulation as of May 19, 2017 (PDF opens).
Top image: Shutterstock – Copyright: one photo – All other images are the property of their respective mentioned owners.