The scene has been set: the next major framework in EU privacy regulation was formally proposed and published* on 10 January 2017 by the European Commission in Brussels.
The new Privacy and Electronic Communications (e-Privacy) Regulation, if adopted, would update the current rules on the confidentiality of electronic communications. It aims to bring over-the-top service providers ("OTT") within the scope of the EU's e-Privacy rules for the first time.
Giants such as Skype, Facebook's WhatsApp and Google have until now fallen into a "void of protection": because they are not traditional telecoms operators, the confidentiality rules that bind telecoms providers under the current e-Privacy Directive have not applied to them, leaving their handling of EU citizens' communications data outside that regime.
The proposal will also affect any service with a communications element, such as dating apps, video gaming, travel and e-commerce sites, as well as businesses engaged in digital marketing communications, online publishing and advertising.
The IAPP’s Privacy Tracker** reports,
“The type of data covered is likewise extended to include machine-to-machine communications in order to regulate the Internet of Things.”
The Cookie Monster
The new draft Regulation, amongst other things, seeks to overhaul the existing cookie consent rules (the so-called "Cookie Law"), a move that has long been called for.
The Commission wants users to be given more control to allow or prevent websites from tracking them, with the level of control depending on the "privacy risks" involved.
Under the new proposal, the Commission said: "no consent is needed for non-privacy intrusive cookies improving Internet experience (e.g. to remember shopping cart history). Cookies set by a visited website counting the number of visitors to that website will no longer require consent."
Whilst this could relieve the compliance burden on many organisations, it is likely to raise costs for developers of browsers and other software with communications elements, who will bear the burden of building consent handling into their privacy settings.
It is also bad news for online advertisers: tracking consent is likely to be harder to obtain if large numbers of users reject third-party cookies at the browser level rather than site by site.
Privacy by design
Under the new proposals, web browsers and other providers of software that permits electronic communications would be obliged to inform users of their options to "prevent third parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipment". Users would have to choose a particular privacy setting at the point of installation, rather than being left with whatever default the vendor ships.
There will be much debate around privacy default settings and requirements over the coming months but change is undoubtedly on the way.
Whilst publishers and the online ad industry are unlikely to welcome changes that will probably see more consumers blocking third-party ads, the changes could be good news for responsible marketers.
Those who flagrantly breach the current rules have disadvantaged those who play by them. Genuine marketing material that may be pertinent to the recipient runs the risk of being lost in spam folders or automatically deleted by people tired of receiving unwanted and unsolicited emails.
"The UK's Information Commissioner's Office (ICO) has particularly targeted nuisance call makers and senders of spam emails and text messages in the past year or so, and UK law has also been updated to make it easier for enforcement action to be taken. However, introducing fines of up to €10 million, or 2% of annual global turnover, whichever is higher, would be a potential game-changing deterrent and stem the flow of unsolicited marketing messages, to the benefit of consumers and businesses that abide by the rules."
What it all means
The proposed EU e-Privacy Regulation cannot become law until it has been adopted by the European Parliament and the Council, and the text may change along the way. It is clear, however, that long overdue changes to electronic communications regulation are on their way, and the Commission intends the Regulation to apply alongside the well-publicised GDPR from May 2018.
It is also clear that the changes will affect the majority of organisations.
Any business engaging in digital communications and/or online services should be considering this now, in terms of the organisational risks posed by both the known requirements of the GDPR and the e-Privacy proposal.
Whether seeking certification or not, the requirements laid out in the information security management system (ISMS) standard, ISO 27001, can help.
In particular, the requirements surrounding applicable legislation, risk management and interested parties give a sound framework to follow and can be an excellent starting point for building a comprehensive ISMS.
At ISMS Online we have all the frameworks and tools you need to prepare for the GDPR and to start considering the implications of the e-Privacy proposal:
- Identify and address informational, physical and legislative privacy risks
- Undertake privacy impact screening and assessment
- Map and manage stakeholders' needs and consult as required
- Conduct information audits using project frameworks and collaboration tools
- Develop your policies
- Handle subject access request workflows
- Manage security incident / data breach workflows