Data privacy in the EU will soon be guided by two regulations: the General Data Protection Regulation (GDPR), which most people are familiar with, and the ePrivacy Regulation. The ePrivacy Regulation was born later, and its goal is to provide privacy protection for users of electronic communication services. It focuses specifically on regulating the provision of electronic services and the tracking of users. Whereas the GDPR addresses Article 8 of the EU Charter of Fundamental Rights, which focuses on the protection of personal data, the goal of the ePrivacy Regulation is to support Article 7, focusing on respect for privacy and family life.
The new EU ePrivacy Regulation has the potential to be as impactful as the GDPR. But, it hasn’t received the same attention within the privacy and security community. One reason for this is that the ePrivacy regulation is still in draft form. Based on the feedback received in January 2017, it’s unlikely to become an enforceable law before the end of 2019– or even 2020.
This article will provide you with some background to the ePrivacy regulation, delving into its requirements and the parties who will be affected by it.
The History: From Directive 2002 to ePrivacy Regulation
Directive 2002 (Privacy and Electronic Communications Directive, 2002/58/EC) is a forefather of the new ePrivacy regulation, which will be repealed by it. Directive 2002, however, was a directive, not a regulation. That is, member states of the EU were responsible for deriving their own regulations from it. The UK implemented the directive and passed the Privacy and Electronic Communications Regulation (PECR) in 2003. The implementation of the 2002 directive and the language of PECR made significant contributions to the field of privacy. It was in light of these that the ePrivacy regulation was better understood. The main considerations of PECR include(d):
- Restrictions on email direct marketing
- Use of cookies (cookie notice and consent) and the general storing of data on terminal equipment
- Security and confidentiality of communications
- Provisions regarding phone marketing and caller IDs
- Privacy of customers, such as restrictions on processing location data
How does the ePrivacy Regulation Relate to the GDPR?
The ePrivacy proposal describes itself as lex specialis to the GDPR. That is, it deals with a specific matter such as cookies or emails, as opposed to lex generalis, which deals with more general matters, such as personal data. Lex specialis overrides lex generalis. Therefore, the ePrivacy regulation complements and even overrides GDPR in areas where it provides more specific requirements for a given subject, such as commercial emails or access to terminal equipment.
The ePrivacy Regulation at a Glance
Though it was initially planned to come into force the same day as GDPR, on May 25, 2018, the proposal is still in draft form, and its finalization date is, as of yet, undecided. The proposal includes 43 sections, resembling GDPR’s recitals, and 29 Articles. It deals with the usage and offering of Electronic Communication (EC) services, and it applies to end-users of services residing in the EU (Article 2 and 3). The prospective regulation applies, even if the data in electronic communications is not Personally Identifiable Information (PII), as defined in North American privacy guidelines such as NIST SP 800–122. The EC services should be publicly available, but do not need to be paid (free services are still in the scope of the regulation). Article 4 of the proposal defines some terms such as direct marketing, automated calls, and EC metadata.
Who is affected by the ePrivacy Regulation?
Almost everyone in IT that provides services, performs intermediary processing, or provides end-point products for electronic services. The list includes, but is not limited to:
- Manufacturers and developers of IoT and endpoint devices (including browsers)
- Developers of web applications and web services
- Data analysis service providers, including digital and smart advertisement companies
- Marketing companies or any entity that sends commercial messages
- Providers or users of publicly available directories
What are the Stipulations of the ePrivacy Regulation?
There is a long list of mandates that are stipulated by the ePrivacy regulation. For IT organizations, these are the requirements worth noting:
- Ensuring confidentiality and end-to-end encryption of data
- Confining the processing of data to the legitimate interests of the processor (for example, quality assurance of communication)
- Asking consent for any extra activity, deleting any data that is no longer needed, and asking consent in a variety of other situations
- Allowing consent withdrawal (article 9)
- Avoiding the collection of data about terminal equipment (article 8), and keeping the data for the duration necessary
- Showing notice in a variety of situations (for example, when collecting signals from terminal equipment)
- Following stringent requirements of spam-free commercial communication
- Presenting caller information and following the restrictions of telephone direct marketing
- Informing users about security risks and measures (recital 37)
What are the Potential Negative Impacts and Objections to the Draft?
In an April 2017 report, the European Data Protection Supervisor (EDPS) elaborated on the shortcomings of the proposal, such as its lack of clarity, specifically regarding targeted advertising and the possibility of creating a ‘tracking wall’ in the absence of real consent. Among other objections, in an open letter, fifty companies from various European countries stated that the current draft harms the development of start-ups, digital advertising companies, and telecom operators. Ongoing discussions argue that there are conflicts between AI initiatives and GDPR requirements that govern profiling. Similar arguments can be made for ePrivacy regulations and the automatic processing of data by third parties. It is also put forward that the regulation is written without a complete understanding of the revenue streams and business models of Internet and mobile advertising companies.
The Future of ePrivacy Regulations
While it’s doubtful that the ePrivacy regulation will come into effect until around 2019 or 2020, it is certain that the regulation will be an important piece of legislation. The ePrivacy regulation is a crucial law to keep tabs on, and it will certainly raise the bar for future privacy laws.
Author: Farbod H Foomany, Lead Application Security Researcher at Security Compass