Presently a draft EU legislative instrument, the EU’s ePrivacy Regulation is intended to replace the existing Privacy and Electronic Communications Directive, this directive, was adopted by the UK in 2003. The new law aims to consolidate the implementation of it by member states, and to align with The GDPR regulation which came into force in May 2018.
The regulation has been designed to ensure the protection of user privacy, while the data is being communicated from one party to another.
ePrivacy Regulation Vs GDPR
The fact that the new law is a ‘regulation’ is important, as it means that it will be a legal act that is enforceable in its entirety across all member states just like GDPR. Additionally, it would also allow member states to implement their own mechanisms for the law, provided they follow the aims of the original ePrivacy regulation.
With GDPR it is more focused on the protection of personal data to ensure the smooth flow of data between member states. The ePrivacy regulation is more focused on the protection of privacy when the data is being communicated electronically.
The regulation was due to come into force on 25th of May 2018 next to GDPR, but due to continued deliberation and lobbying of specific details on the regulation meant that its enactment was delayed. It is unlikely to be passed in 2019, and when it will pass next year remains uncertain.
What is covered by ePrivacy Regulation?
Data that is sent through satellites, cables, fixed networks, electricity cable systems all fall under the ePrivacy Regulation. Unlike GDPR where the focus is on the protection of personal data, the ePR regulates electronic communication even if it includes non-personal data.
In a broader perspective data should always remain confidential, any interference with the communication of the data, be it through automated processes or by a human and without the consent of the user is strictly prohibited.
Interference of data can occur at anytime during the transfer of data or metadata, which includes during its transmission and at its destination. An example of this can be listening to calls, the scanning of electronic messages, monitoring of visited websites, as well as monitoring of interactions between users, all can be constituted as a breach of the regulation.
Since 2009 (when the ePrivacy directive had its last iteration,) how we communicate electronically has grown and changed immensely, and so the new ePrivacy regulation has been put together to consider this level of change, to ensure personal privacy is always maintained.
There are several key aspects to the act, which includes the addition of privacy controls for communications content and for the ‘metadata’ that is related to it (such as the time of a call, or the location you are calling from) to be anonymised. The use of unsolicited electronic communications be it through email, SMS, and automated calling machines will also be banned.
The penalties for breaches: - The financial penalties that apply for breaches of this regulation are dependent on what type of infringement has occurred. The same sanctions that are applicable under GDPR also apply under the new regulation. Fines will range from 2% of annual turnover for incidents that are deemed to be minor, to 4% of annual turnover, for breaches that are more serious.
As seen by the application of the UK’s Data Protection Act 2018 and the GDPR, the actual amount of the fine is dependent on mitigating factors – i.e. the scale of the incident and whether the breach occurred because of a deliberate act and how aware was the company to try and prevent such an incident occurring.
Does it apply in the UK?
The new ePrivacy regulation will apply to the UK even though it is set to leave the EU on October 31st, 2019. Brexit is unlikely to have any impact on the regulation as the UK would want to adhere to the same principles as all other EU member states would be following once the regulation comes into effect. Also, because the regulation covers technologies and communications that are across territories, a large majority of businesses would have to comply even if they are based outside of the European union.
Just as the Information Commissioner’s Office (ICO) is responsible for enforcing data protection laws that apply to the UK, it will also be responsible for implementing and policing the ePrivacy Regulation, though how exactly it will enforce the new law remains to be seen.
With Europeans taking the lead with the GDPR and the ePrivacy regulation when it comes to data privacy, enterprises around the world are also concerned about honoring their responsibilities of protecting our personal information.
Find out how this can be achieved in The Hitchhikers Guide to Privacy by Design which looks at how the right technology and Privacy by Design can enable innovation and creativity.