Undoubtedly one of the biggest concerns of our decade is e-privacy – the more digital it gets the more it will raise our attention. It is true that from a general perspective privacy should be protected regardless of the means by which it is violated, however the volatility of our information laid out in the digital world has determined a specific regulatory process.
From the dawn of data protection brought by the 95/46/EC Directive to the present day, the European Union and, consequently, the member states have established a legal framework as to protect the digital side of our privacy.
Nevertheless, the amendments made in the legal framework regarding privacy are not causing adjustments solely to the privacy issue since now more than ever the regulatory process is a fine-tuning mechanism. The remaining question is whether the privacy adjustments have a radial effect on other domains and, if so, to which ones?
The Romanian e-privacy framework
As to respond to such questions, we could asses the current Romanian legislation on the unsolicited communications.
Law no. 506/2004 which implemented 2002/58/CE E-privacy Directive states that it is forbidden to make commercial communications unless the recipient expressly gave his consent to such notifications in advance. A prior consent is not mandatory when, for instance, the e-mail is obtained directly from a customer when selling a product as to inform the customer about equivalent products.
This means that if a marketing company, for example, submits unsolicited marketing material via e-mail, the company is subject to a fine equivalent to approx. EUR 1.100 up to EUR. 22.000, according to the above mentioned law. Moreover, if the company’s turnover is higher than EUR 1.100.000 the fine could reach 2% of the annual turnover.
The E-privacy Directive did not explicitly provide the sanctions to be applied to such commercial communications and neither did the 95/46/CE Directive, allowing states to establish these legal coordinates.
E-privacy Regulation proposal
The Regulation 2016/679 adopted by EU which shall repeal the previous Directive related to data protection intends to set a unified protection throughout Europe. Moreover, in January the European Commission has issued a proposal for a regulation specifically designed to regulate the privacy and electronic communications issues.
The main purpose of the proposed regulation is not to draw a ‘Digital Single Market’ as if it was missing, but in fact to efficiently control it. Privacy has already crossed its national borders a long time ago. It is interesting that in itself, the actual wording of its purpose – digital market – implies the overall implications of the European privacy idea.
So how does this affect other actors on this market, actors who represent a potential threat to those protected by the Regulation?
As it is evidenced in the Opinion 01/2017 issued by the Working Party, the choice for a regulation instead of a directive is welcomed because it brings consistency and clarity for supervisory authorities. Nonetheless, it is the company dealing with sensitive data that could actually benefit from this legal choice. The above-mentioned marketing company should have a better understanding of compliance since a ‘spam’ folder could have the same level of protection throughout the entire EU.
Although from a technical viewpoint the proposal is welcomed, such actors should not forget that stricter rules will soon enter force. Moreover, from a business perspective the risk of not properly assessing sensitive data operations both in a legal and a technical manner could turn out to be crucial in conducting one’s commercial activity.
A strong argument to these considerations could be the fact that the proposal provides infringement fines of the Regulation up to Eur 10.000.000.