EC proposes high level of privacy rules for all electronic communications and updates data protection rules
The European Commission (EC) is proposing new legislation to ensure stronger privacy in electronic communications, while at the same time opening up new business opportunities. The measures aim to update current rules, in turn extending their scope to all electronic communication providers. They also aim to create new possibilities to process communications data and reinforce trust and security in the Digital Single Market (a key objective of the Digital Single Market strategy).
At the same time, the proposal aligns the rules for electronic communications with the new standards enshrined by the European Union’s (EU) General Data Protection Regulation (GDPR). The Commission is also proposing new rules to ensure that, when personal data is handled by EU institutions and bodies, privacy is protected in the same way as it is in Member States under the new GDPR, as well as setting out a strategic approach to those issues concerning the international transfer of personal data.
The proposed Regulation on Privacy and Electronic Communications will increase the protection of people’s private life and open up new opportunities for business:
* New players: 92% of Europeans believe it’s vitally important that their e-mails and online messages remain confidential. However, the current ePrivacy Directive only applies to traditional telecoms operators. Privacy rules will now also cover other electronic communication services such as WhatsApp, Facebook Messenger, Skype, Gmail, iMessage and Viber
* Stronger rules: By updating the current Directive with a directly applicable Regulation, all people and businesses in the EU will enjoy the same level of protection for their electronic communications. Businesses will also benefit from one single set of rules across the EU
* Communications content and metadata: Privacy will be guaranteed for both content and metadata derived from electronic communications (eg time of a call and location). Both have a high privacy component and, under the proposed rules, will need to be anonymised or deleted if users haven’t given their consent, unless the data’s required for billing purposes, for example
* New business opportunities: Once consent is given for communications data – both content and/or metadata – to be processed, traditional telecoms operators will have more opportunities to use data and provide additional services. For example, they could produce heat maps indicating the presence of individuals to help public authorities and transport companies when developing new infrastructure projects
* Simpler rules on cookies: The so-called ‘cookie provision’, which has resulted in an overload of consent requests for Internet users, will now be streamlined. New rules will allow users to be more in control of their settings, providing an easy way to accept or refuse the tracking of cookies and other identifiers in case of privacy risks. The proposal clarifies that no consent is needed for non-privacy intrusive cookies improving Internet experience. Cookies set by a visited website counting the number of visitors to that website will no longer require consent
* Protection against spam: The new proposal bans unsolicited electronic communication by any means, eg by e-mails, SMS and, in principle, also by phone calls if users haven’t given their consent. EU Member States may opt for a solution that gives consumers the right to object to the reception of voice-to-voice marketing calls, for example by registering their number on a ‘Do Not Call’ list. Marketing callers will need to display their phone number or use a special prefix that indicates a marketing call
* More effective enforcement: The enforcement of the confidentiality rules in the Regulation on Privacy and Electronic Communications will be the responsibility of national data protection authorities
The proposed Regulation on the protection of personal data by European institutions and bodies aims to align the existing rules – which date back to 2001 – with the newer and more stringent rules set out by the GDPR. Anyone whose personal data are handled by the European institutions or agencies will subsequently benefit from higher standards of protection.
The proposed Communication sets out a strategic approach to the issue of international personal data transfers, which will facilitate commercial exchanges and promote better law enforcement co-operation, while at the same time ensuring a high level of data protection. The EC will engage proactively in discussions on reaching “adequacy decisions” (allowing for the free flow of personal data to countries with ‘essentially equivalent’ data protection rules to those in the EU) with key trading partners in East and South East Asia, starting with Japan and Korea in 2017, but also with interested countries in Latin America and those within the ‘European Neighbourhood’.
In addition, the Commission will also make full use of other alternative mechanisms provided by the new EU data protection rules – ie the GDPR and the Police Directive – in order to facilitate the exchange of personal data with other countries with which adequacy decisions cannot be reached.
The Communication also reiterates that the EC will continue to promote the development of high data protection standards internationally, both at the bilateral and multilateral levels.
Allowing users more control
Mark Thompson, global privacy advisory lead at KPMG, has commented on the EC’s proposal for new legislation on stronger privacy in electronic communications.
That said, Thompson stressed: “In certain circumstances, businesses that fall under increased consent requirements where users are required to take action to allow cookie usage before information can be collected are likely to face some challenges. The new rules will allow users more control of their settings, providing an easy way to accept or refuse the tracking of cookies and other identifiers in case of privacy risks.”
Businesses involved in personal data-rich tracking services are, according to Thompson, potentially going to face even greater challenges and need to start thinking about how they can increase transparency and build trust with individuals who use their services.
“The broad scope of this legislation also has the potential to impact other service providers whose businesses rely on gathering and analysing information processed by ‘terminal devices’ like phones and laptops.”
Thompson explained: “For organisations that are trusted by individuals and perceived to deliver a high level of reward for sharing their personal data, the changes will potentially hand them a key business advantage due to the likelihood of individuals consenting to them processing their personal data. On the flipside, for those organisations who are not trusted or otherwise perceived to offer a low value exchange, we could see significant reductions in the individuals who permit them to process their personal data. This could potentially undermine the use of these services, the organisations’ turnover and, eventually, market value.”
In conclusion, Thompson told Risk UK: “Organisations will need to start thinking about whether or not they’re impacted in any way and, if they are, how they might actively respond as soon as possible.”