By: Matthew Sullivan, editorial coordinator for the Association of Corporate Counsel
As in-house counsel operating in the European Union await the impending General Data Protection Regulation (GDPR), the impact of its counterpart — dubbed the Regulation on Privacy and Electronic Communications (ePrivacy Regulation) — should not be underestimated. Slated to take effect on the same date as the GDPR, the ePrivacy Regulation is expected to completely reshape how businesses communicate digitally in the region. And with potential fines reaching upwards of four percent of the company’s global revenue, or €20 million, in-house counsel would be shortsighted to believe that compliance protocols for the GDPR and the ePrivacy Regulation are one-size-fits-all.
“The ePrivacy Regulation seems to be stealing bases while the batter (the GDPR) hits a homerun,” says K Royal, technology columnist for ACCDocket.com and general counsel for Aridessa. “I think many in-house counsel will be caught unprepared.”
Drafted in January 2017, the ePrivacy Regulation was initially intended to replace the existing Directive 2002/58/EC to include newer technologies (e.g., voice over IP, email, messaging services) as well as strengthen regulations for cookies, electronic marketing, and tracking technologies.
However, to ensure specificity, the European Commission announced in a report on May 19 that significant amendments would have to be made to the legislation, and that its original date of enactment, May 25, 2018, may be “unrealistic.” In support of this opinion, the European Commission provided three primary justifications.
- Expand the scope of consent;
- Decrease overlaps between the ePrivacy Regulation and the GDPR; and,
- Provide an effective solution for cookies.
Below, K Royal, general counsel at Aridessa and author of the June ACC Docket feature article entitled "ePrivacy: Has Europe Gone Mad?", discusses the impact of such changes, and makes a strong business case for why in-house counsel should be paying attention to the ePrivacy Regulation.
Expand the scope of consent
New ePrivacy standards are set to define and standardize consent across a broad spectrum of media platforms. With an increasing number of businesses using over-the-top (OTT) technologies like Skype, WhatsApp, and Gmail — which are currently outside of the purview of the current directive — standards will have to be expanded to establish consent for these new forms of communication.
Consent, in the context of ePrivacy, is defined in part by metadata — which is data used to identify a user’s communication through the time, date, location, or persons involved. Under the proposed changes, however, data will need to be deleted or anonymized when an end user does not expressly provide consent to the company in question.
While consent requirements are undoubtedly becoming more stringent, Royal believes that the need to better specify the scope of the legislation is to be expected. By removing the “gray area” with regard to new technologies, the ePrivacy Regulation will effectively level the playing field. “The law moves very slowly when it comes to new technologies and we are often stretched to apply old law to new problems. I believe they like where they are headed; they like being on the forefront, and we are seeing change. I do see this trend continuing,” Royal says.
Decrease overlaps between the ePrivacy Regulation and the GDPR
In its current state, the ePrivacy Regulation carries notable inconsistencies with the GDPR. According to a report by the Article 29 Working Party of the European Union, many believe that the ePrivacy Regulation will ultimately loosen GDPR protections on equipment tracking, tracking walls, and consent requirements for metadata.
For example, GDPR mandates that any end user consent agreement for data tracking must be unambiguous — meaning that the user must expressly provide consent to be tracked. However, ePrivacy undercuts this standard by mandating that certain metadata tracking is allowed without consent, so long as it’s for the purposes of billing.
In her June ACC Docket article, Royal emphasizes that in-house counsel should stay especially vigilant regarding this discrepancy to ensure that compliance protocol does not overlook or downplay either piece of legislation.
“The biggest change here is that for consent [of the ePrivacy Regulation] to be valid, it must now meet the high bar of consent by the GDPR,” the article states.
This creates an interesting quandary: How can in-house counsel prepare for two impending pieces of legislation that carry conflicting or contradicting standards? Royal asserts that the best strategy to mitigate risk is to watch changes closely and align protocol to meet both the GDPR and the ePrivacy Regulation as best as possible.
“As long as the enforcement isn't retroactive, we should be fine,” Royal explains. “I anticipate that there will be a period of time to come into compliance. I foresee the ePrivacy Directive being amended to accommodate at least the inconsistencies with the GDPR.”
Provide an effective solution for cookies
With regards to data protection, few terms are more frequently misunderstood than cookies — which are defined as small pieces of data sent from a website that are stored on the user’s computer to track browsing habits. Under the proposed ePrivacy Regulation, the European Commission aims to simplify cookie standards, allowing non-privacy intrusive cookies to operate without consent and providing a new exemption for first-party analytic cookies.
Although certain exceptions will be made, the ePrivacy Regulation does specify that browsers must provide opt-out controls to end users as part of the initial set up process. Existing software will require an update to allow for “unambiguous consent” provided under the GDPR.
In the aforementioned May 19 report, the European Commission established that it was still unclear as to whether the proposed solution for cookies would achieve its desired objective. In the coming months, the commission intends to analyze the impact of these provisions on specific market players, including advertisers.
“Cookie consent requirements have been one of the most frustrating data protection requirements for companies to consistently follow and maintain across the European Union,” Royal states in the article. “An online search yields many, often conflicting articles on what to do. This proposed regulation aims to simplify without reducing this requirement.”
A step in the right direction
While it may be increasingly difficult to predict the future of the ePrivacy Regulation, having a plan in place to monitor and amend compliance protocol is an essential step in the right direction.
To ensure compliance, in-house counsel should consider appointing a data protection officer to independently review regulations in relation with company operations. This will ensure that business processes adhere to the strict and ever-changing requirements surrounding data collection in the region.
Moving forward, expect specificity to be the new norm — especially with regards to the ePrivacy Regulation. The European Commission is clearly committed to data security, and will continue to amend regulations to protect the end user. For now, Royal asserts that the best strategy for in-house counsel is to pay attention and ask: Will these changes apply to my company? If so, how?
“Keep watching. The European Union is taking a tough stance to be as specific as possible to control the data-free-for-all that is our digital world right now,” she states.
For further reading, please download the ACC Docket article “ePrivacy: Has Europe Gone Mad?”.