“GDPR 2.0”: what to expect from the ePrivacy Regulation

    On our blog, we have already covered the processing of personal data in Belarus and its regulation in the United States and Europe. Here we discuss another European bill, one that will act as a kind of supplement to the GDPR and tighten the rules for working with cookies and personal data.


    / Flickr / robmadeo / CC BY

    Origin and Objectives of ePrivacy Regulation


    In Europe today, alongside the GDPR, the mechanisms for handling users' personal data are governed by the ePrivacy Directive (PDF), which was adopted in 2002. It is because of this directive that site owners began asking visitors for consent to the use of cookies. However, the directive is only a set of basic rules that EU member states can modify at their discretion. Italy did so, for example, by changing the penalties for withholding information about data leaks (Legislative Decree no. 69/2012, PDF).

    The European Parliament, however, decided to change this state of affairs and make the requirements of the ePrivacy Directive uniform and immutable across EU countries. This is how the draft ePrivacy Regulation came about.

    The new bill is intended to supplement and strengthen the requirements established by the GDPR. According to parliamentarians, the main goal of the ePrivacy Regulation is to protect users of IT services from spam and intrusive advertising and to strengthen their control over personal data (this is spelled out in Chapter Two, Articles 6–11).

    Previously, the ePrivacy Directive regulated only telecommunications operators. It prohibited them from performing any actions (recording, storing, monitoring) on telephone conversations and SMS messages without the knowledge and consent of customers. The new regulation extends these rules to Internet communication applications: instant messengers, video calls, e-mail, IP telephony, IoT gadgets, etc. (the full list is specified in Article 4 of the draft law).

    The ePrivacy Regulation was planned to come into force simultaneously with the GDPR on May 25, 2018. However, due to disagreements within the parliament and the negative reaction of the IT community (more on this later), the vote was postponed until 2019.

    What is in the regulation?


    The regulation once again raises the issue of regulating cookies and sets out the requirements for obtaining consent to processing. According to the text of the document, cookies can be processed without the user's knowledge, but only if this is technically necessary to provide a particular service. The user will have to give consent for specific purposes, and its absence should not affect the quality or the availability of the service. That is, the owner of the resource must provide a way to use the service without cookies. In addition, all information collected via cookies may be stored only for as long as it is necessary for the operation of the service.

    Although working with cookies is one of the main topics of the draft law, it also covers other aspects of processing users' personal data online. In particular, the changes affect the IoT industry. Under the new law, transferring data from one smart device to another will require user consent. This means that smart home solution providers, which support their products through an ecosystem of related devices and applications, will have to obtain consent for the transfer and processing of personal data.

    The ePrivacy Regulation also describes restrictions on direct marketing campaigns. It will oblige advertisers to disclose their phone numbers and use special prefixes that identify a call as advertising. Currently, this information is almost always hidden. A strict ban on spam is also imposed: if a user does not wish to receive marketing calls or letters, the company must add them to a separate list (a do-not-call list).


    / Flickr / Carsten Schertzer / CC BY

    The ePrivacy Regulation, like the GDPR, covers all organizations that work with the data of residents of EU countries, regardless of where the company itself is located (Article 3 of the draft law). The maximum fine for violating the ePrivacy Regulation will be between two and four percent of the guilty company's annual income, or ten million euros (Article 23 of the draft law).

    How the ePrivacy Regulation was received


    In general, the new bill was met rather negatively. This is due to the concerns of those companies whose activities will be primarily affected by the law. So far, such an impact is assessed solely at the level of forecasts and studies.

    “The new regulation will ‘hit’ the advertising, marketing and media business,” says Sergey Belkin, head of the infrastructure rental service development department, at a glance. “Many companies will also have to rethink a number of core business processes, since, in fact, work with cookies will be regulated even more than it was after the GDPR came into force.”

    A study by the Developers Alliance, which includes 70 thousand programmers and representatives of software companies, says that ePrivacy will not only affect the IT sector but will also reduce the income of European business as a whole by 30%. According to preliminary estimates, enterprises will lose 500 billion euros. A group of enthusiasts even recorded a video showing the downsides of an IT world without cookies and advertising.

    In response to such arguments, MEPs point out that the new law is being created to protect the rights of citizens, not to promote the development of Internet businesses. Birgit Sippel, an MEP from Germany, noted that ePrivacy's goal is to give people control over their personal data. The task of the bill is to show that data confidentiality in the digital age is both necessary and possible.

    Note that not all parliamentarians agree with Sippel. Daniel Dalton, who represents Britain in the European Parliament, said that ePrivacy would turn Europe into a “digital swamp”. All the company representatives Dalton spoke with (from Microsoft and Google to small startups) are against ePrivacy.

    It is not yet known what fate awaits the new regulation or whether any major changes will be made to it. The outcome will be decided in 2019. However, it can be assumed that the “struggle” over the adoption of the ePrivacy Regulation will be serious, possibly comparable to the one that developed around the GDPR.
