Despite timely advice, recent research shows that 32% of UK organisations are as yet unprepared for next year’s changes to data protection regulations (GDPR). But will this potentially costly failure to prepare be further compounded by a complementary and co-inciding law change – the EU ePrivacy law? The implications for the data driven marketing industry are far-reaching, in terms of how businesses can approach customers, collect and process data.
Last week, it was reported that 68% of businesses would be GDPR (General Data Protection Regulation) compliant in time for 2018. If the findings of the UK DMA’s ‘GDPR and you’ survey are correct, it means 32% of organisations are running the risk of substantial penalties if they are found to be in breach of the regulation. If that wasn’t bad enough, we now look towards Brussels, as the proposal for the adoption of new ePrivacy regulation has been published! And what’s more, the intention is to have this complementary law coincide with the GDPR deadline of May 2018, however unlikely that may be.
Earlier this month, I travelled to the European Parliament to learn more. The intention of the European Commission’s proposal for a regulation on privacy and electronic communications is to reinforce trust and security in the ‘Digital Single Market’. To do this, the legal framework on ePrivacy will be updated. Currently, it is the ePrivacy Directive 2009 and the pending GDPR that protects the digital privacy for EU citizens.
The ePrivacy Directive protects the fundamental rights and freedoms of EU citizens, and particularly confidentiality of communications and the protection of personal data in the electronic communications sector. The Directive guarantees the free movement of electronic communications data, equipment and services throughout the EU. However, whilst it is a relatively ‘young’ directive, it is has rapidly become outdated and does not take in to account so called Over-the-Top (OTT) services.
Therefore, the proposed regulation determines that the principle of confidentiality should apply to current and future means of communication. This includes calls, Internet access, instant messaging applications, email, Internet phone calls and personal messaging provided through social media.
I would encourage everyone in the data driven marketing industry to read the proposal. However, the two key aspects are as stated:
(8) This Regulation should apply to providers of electronic communications services, to providers of publicly available directories, and to software providers permitting electronic communications, including the retrieval and presentation of information on the internet. This Regulation should also apply to natural and legal persons who use electronic communications services to send direct marketing commercial communications or collect information related to or stored in end-users’ terminal equipment.
(9) This Regulation should apply to electronic communications data processed in connection with the provision and use of electronic communications services in the Union, regardless of whether or not the processing takes place in the Union. Moreover, in order not to deprive end-users in the Union of effective protection, this Regulation should also apply to electronic communications data processed in connection with the provision of electronic communications services from outside the Union to end-users in the Union.
The implications for the data driven marketing industry are potentially far-reaching in terms of how businesses can approach customers, collect and process data. For example, online advertisers will be affected by the intention to give ‘end-users’ more control via their Internet browser regarding the acceptance of cookies from third parties.
EU ePrivacy law, GDPR: be sure to take compliance seriously
Interestingly, during stakeholders consultations conducted by the EC, 83.4% of citizens and civil society organisations, along with 88.9% of public authorities, agreed that there needs to be special rules regarding the confidentiality of electronic communications. However, more than half (63.4%) of industry respondents did not agree. Perhaps they are weary at the prospect of another compliance initiative in the wake of GDPR.
As a responsible data provider, we take regulatory compliance very seriously indeed (whether it is regulation imposed on us, or the codes of practice we enforce upon ourselves) and I am comforted that we will be in the 68% of organisations that will be GDPR compliant by May. As such, I fully expect we will be well placed to comply with ePrivacy Regulation.
However, the path to GDPR compliance has not been easy for many organisations (and some are still to have this realisation!) It has been far from easy to reach this stage and has required a huge amount of work and resource, although the benefits we have been able to reap have been equal to the net loss, so our path to GDPR adherence has been cost neutral. So, it is perhaps not surprising that industry responded the way it did to this latest EC consultation.
Of course, the UK finds itself in a slightly difficult situation politically. Following the House of Commons vote, the UK is another step closer to triggering Article 50 and the commencement of our separation from the EU. Yet, depending on the speed at which this new regulation becomes law, it will dictate whether the UK will still be bound by it. That being said, as with GDPR it is likely that if organisations are using data from EU citizens they will be undoubtedly be held accountable for any wrongdoing.
Furthermore, there is also a strong likelihood that the Information Commissioners Office will view the regulation as best practice and take a similar if not identical stance. After all, the existing directive currently informs our Privacy and Electronic Communications Regulations (PECR) which sits along the Data Protection Act 1998.
In respect to direct marketing, it applies to organisations offering products and services for commercial purposes, as well as messages sent by political parties and other non-profit organisations.
This isn’t intended to be a definitive assessment of the ePrivacy regulation proposal, but a raising of the red flag to organisations that this is going on right now, and those who it will affect (and that is most organisations in the data industry) need to keep a watchful eye on its developments.
Read also:
Get your house in order ready for incoming data protection rule
The 2018 data protection regulation deadline is a ‘red herring’
Get your house in order
Leave your thoughts