Dr. Sachiko Scheuing on not only what the impending GDPR means for businesses in the era of data inevitability, but also the upcoming ePrivacy Regulation.
While a lot of organisations are preparing as best they can to be compliant with the upcoming European General Data Protection Regulation (GDPR) and others are still trying to get their heads around it, another EU Regulation also requires serious attention: the ePrivacy Regulation.
This Regulation, which was published as a proposal in January 2017, aims to update the EU’s existing ePrivacy legal framework, more specifically the EU ePrivacy Directive, which goes back as far as 2002 and was revised in 2009. That Directive required prior consent from individuals regarding cookies.
However, the ePrivacy Directive and Regulation aren’t just about cookies. They have much broader implications for electronic communications and the right to confidentiality, data privacy and more. The proposed new ePrivacy Regulation is self-executing and should become legally binding across the EU, whereas its predecessor, the ePrivacy Directive, required local regulations for implementation.
Secondly, the current ePrivacy Directive came as a complement to the EU’s Data Protection Directive. It’s exactly this Data Protection Directive that is being replaced by the GDPR in 2018. As a consequence, but also to improve the current so-called ‘cookie law’ and include new forms of electronic communications, the new ePrivacy Regulation works alongside the GDPR and strives towards uniformity across the single digital market, as a Regulation instead of a Directive.
Much of the regulation is focused on securing the privacy of electronic data and communications that travel across the internet and other electronic services. However, the regulation also covers direct marketing activity. While it was passed as a law in the UK, it needed to complement the Data Protection Act 1998, which is the current privacy law ahead of the introduction of the GDPR.
However, the GDPR has raised the bar on privacy rights and has meant that the current relevant laws do not meet the needs of the wider use of electronic communications today. What is set out in this regulation will have a fundamental impact on how marketers can communicate with their customers after May 2018.
The ePrivacy Regulation not only covers transmission channels, but will also impact technologies that support interest-based marketing. Cookies and any other mechanism that is developed to serve interest-based advertising will need consent from the user. Compared to the previous ePrivacy Directive, the draft regulation acknowledges more prominently the usefulness of browser-based settings for obtaining consent for personalised online advertising.
As there are still many steps to take, it is unlikely that the ePrivacy Regulation will enter into force by 25 May 2018, on the same day as GDPR. Probably triggered by the departure of the rapporteur of the dossier, the EU Parliament gave a negotiation mandate in October by a narrow margin. In the meantime, the Council has committed to produce a progress report by the end of December, so that the three negotiating bodies, the Parliament, the Council and the Commission, can commence a trialogue.
The final version of the ePrivacy Regulation will in any case add more requirements to the GDPR for the adtech sector. Organisations really need to have one eye on the upcoming ePrivacy Regulation when preparing for GDPR, as it is very likely that they will have to go through a second wave of getting ready for ePrivacy rules once the final text of the Regulation is available. Otherwise, the use of ePrivacy solutions and mechanisms will probably be more difficult for some users. It will require new habits as well as some kind of digital literacy.
Ultimately, businesses and consumers both need to have the time to prepare properly for it. The quest for compliant data-driven benefits for consumers and brands continues.