A new EU ePrivacy directive is expected to be enacted into legally binding regulation in 2019. The new regulation is expected to bolster trust in, and the security of, the digital market. It aims to create greater legal certainty and to increase the effectiveness and level of protection for privacy and personal data in electronic communications. While the GDPR protects personal data, the ePrivacy Regulation ensures the confidentiality of communications, and applies to both individuals and legal entities.

As the blog article of the European Data Protection Supervisor explains:

Data is not secure even when processed by the technologically most advanced and financially-powerful resourced companies on the planet. The Facebook/Cambridge Analytica revelations are still under investigation in Europe and America, but they are only the tip of the iceberg, a sign of a much wider problem and a symptom of many more problems still unnoticed.

A vast ecosystem has developed over the recent years, financed by advertising, for exploiting these special types of personal data without meaningful consent. It has developed in the legal grey zone between electronic communications services and information society services. Traditional electronic communications services – fixed line and mobile telecommunications providers – have long been subject to clear limitations.  They cannot snoop on conversations over their networks. They can use metadata – that is, data revealing the location, time and persons involved in the communication – for marketing and ‘value added services’ beyond the provision of the communications service itself only with consent of the user or subscriber. Companies within the category of information society services have been able to grow rapidly thanks to loopholes in our current legal environment. In essence, they can justify their data use practices without the obligation to seek consent for using communications data. There is a clear and urgent need to close these gaps and to strengthen the protection of privacy and security of online communications.

While the news about data breaches, each affecting millions of users, indicates a serious issue in itself, it also reveals more about the underlying culture and business practice: the functions that were used illegally by attackers were often provided for supposedly legal use by data brokers and aggregators. The high impact of the breaches and misuse is the result of the standard surveillance or tracking business model that has taken hold of the entire internet for years.

This must stop. In order to create a digital environment in which users can feel safe, it is necessary that abusive, trust-corroding practices are robustly tackled with clear rules.

The fines to be levied by the regulation are in line with GDPR levels and could be as much as EUR 20,000,000, or in the case of a business, up to 4% of total worldwide annual turnover for the preceding financial year: whichever is higher.
