In Data, it never rains… but it pours. In addition to the hefty General Data Protection Regulation, organisations also need to be prepared for changes to ePrivacy rules.
The ePrivacy Directive is set to be revised by 2017. The European Commission is aiming for consistency with GDPR, a broadening of the Directive’s remit to take into account technological advances in electronic communications and alignment with the upcoming EU Cybersecurity Directive. Crucially, it will mean significant changes to the Privacy and Electronic Communications Regulations (PECR).
As part of the process, the Commission has recently launched a Public Consultation on the Evaluation and Review of the ePrivacy Directive. The consultation closes on 5th July and comments are welcomed from, ‘citizens, consumer associations or user associations, civil society associations and businesses (e.g. electronic communications network provider; provider of communication services; internet content providers; companies from security or other interested sectors).’
The current scope of the ePrivacy Directive (Directive 2002/58/EC (amended 2009)) governs the “processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks.” Bedtime reading it ain’t.
Coming from the current Directive, PECR gives people specific privacy rights regarding electronic communications and covers areas such as marketing calls, emails, SMS and faxes. The revision of the Directive will therefore have obvious ramifications for direct marketeers.
The consultation covers areas such as personal data breaches, location data, cookies, unsolicited marketing and automatic call-forwarding. It also invites comment on specific areas which are seen as inconsistently applied across member states or open to wide interpretations such as;
- whether the same rules should be applied to communications sent through social media as those currently applied to email
- whether it is the right approach to allow individual member states to decide whether opt-in or opt-out is required for telemarketing
Prior to the consultation, the Commission undertook a review of the ePrivacy Directive and published a report (in two parts) last year. The report’s recommendations give us a flavour of the changes we can expect. In relation to unsolicited commercial communications, a key concern is the strict interpretation of electronic communications. It is argued this leaves marketing via services such as Facebook, LinkedIn or Twitter unregulated, resulting in an unfair playing field.
The report also expresses concern surrounding soft opt-in provisions, which it suggests may be inconsistent with the concept of Consent. The report is, in particular, critical of what it describes as the ‘flexible’ approach and advice given by the UK’s Information Commissioner.
In general, the report promotes a desire for greater harmony, and an ironing out of inconsistencies across member states. Does this sound familiar? GDPR round two.
In the UK, the Direct Marketing Association has said it will be actively lobbying in Brussels, as they did with GDPR, to try and ensure any new legislation strikes the balance between the interests of business and the rights of consumers.
Will Brexit throw into disarray all attempts at harmonisation? Will there be smooth transitional arrangements, or will the UK comply as part of any future negotiated trade deal? Whatever the coming months bring, Britain will need appropriate ePrivacy legislation to work with EU member states.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.