Written By Paul Arnesen - June 5th 2019.

ePrivacy Regulation – Status and What is it?

Any e-privacy directive, act or regulation is massively overdue; we saw this with the General Data Protection Regulation (GDPR), which came into force in May 2018. That regulation was an update to the Data Protection Directive 95/46/EC, implemented in 1998.

Not only was it 20 years old, but, being only a directive, it had been enforced differently across Europe.

Another long overdue directive is what we know as the Privacy and Electronic Communications Directive 2002 (ePrivacy Directive, ePD).

ePrivacy Regulation?

The media has covered the GDPR extensively in the last year, and companies have scrambled to get compliant. For some, it was too late, and European supervisory authorities have issued fines.

The €50 million fine issued to Google by the French authority CNIL is the biggest so far. In that sense, the GDPR has made an impact, but it is still in the early stages of efficiency in terms of policing the regulation.

The ePrivacy Directive was a continuation of the Data Protection Directive and has an increased focus on cookies, spam, the confidentiality of information, data traffic treatment, and similar.

An amendment was made in 2009 to cover more in terms of cookies (and that's why we have those annoying popups). The next step now, as with the introduction of GDPR, is the ePrivacy Regulation or ePR.

Again a regulation, so it becomes a legal act that goes into effect immediately in all EU states.

It was meant to go into effect at the same time as the General Data Protection Regulation, but it was put on hold, as there was substantial discussion and lobbying from prominent industry players.

Moreover, when the draft was published, it was too late. The GDPR got main priority, which also delayed the ePrivacy regulation.

ePR & GDPR similarities?

While the GDPR aims to protect your personal data, the ePR focuses on protecting your personal privacy in electronic communication. It is essential to understand this difference between the two regulations, as to many they will sound the same; however, they are dependent on each other.

The GDPR overrides the ePR, and the ePR will complement it in matters where electronic communications data is personal and supposed to be private, meaning that the GDPR is the main regulation.

Examples of these are consent for cookies and opt-outs. It will make the GDPR a sturdier regulation and cover more areas.

What does the ePR cover?

Because the IT space is evolving at the pace it is, there is a need to update and modernize accordingly the laws regulating the use of electronic communication.

It states that all communication should be protected.

The method of communication doesn't matter, whether it is sent via satellite, wire, radio, fixed networks, to mention some. The ePrivacy regulation protects it regardless.

The areas that the ePR should apply to specifically are: confidentiality, online marketing, and cookies.


Confidentiality

As a general principle, all communication providers should secure their customer data with the latest and best technology available.

Companies such as Facebook, with WhatsApp and Messenger, Skype, and Google through Gmail need to protect their users' data as well as any other service provider.

If a physical company locks its employees' information away from prying eyes with the best available methods, a website or app must make the same effort.

All metadata needs the same treatment as the actual content.

Online Marketing

Emails and text messages are included and need consent before being used.

In essence, as it is now with the consent article (art. 7) in the GDPR, all marketers need to have specific approval from every person to whom they send any marketing.


Cookies

The rules for how cookies work on websites will get simpler.

Cookie preferences will now be more easily set in the browser settings.

Also, there will be no need to consent to non-privacy cookies that improve the internet experience, such as cookies to track how many people visit a website.

Other Elements

The regulation also outlines stronger protection against spam.

Hidden numbers for marketing will not be allowed, and automated calling and SMS services and unsolicited email communication will be banned.

For business owners, asking and getting explicit consent from the customer will now open new doors for business opportunities. Websites can use, for example, heat-maps that tell about the user's interaction with the pages.

The Internet of Things (IoT) will also now get closer scrutiny. The number of devices we keep at home that we connect to the internet is increasing rapidly. The communication between these devices must be encrypted and protected.

Amazon Alexa - Internet of Things

Current Status

At the moment, there is no fixed date for when the regulation will go into effect.

The proposal was delayed, but it has been expected to be ready by the end of 2019.

The latest is a progress report, submitted on May 20th, 2019, where a common position on the text needs to be adopted.

At the moment, due to European elections this year, no negotiations will happen until November.

Even with all the efforts made so far, the regulation and the discussion around it seem dead, or at least paused, at the moment.


The need to have a strong privacy regulation is more evident than ever.

We seem unable to stop staying connected to our online communication devices, and our personal information and digital identity are at risk.

The GDPR introduced Privacy by Design, and we are therefore seeing big industry players such as Apple and Google focusing more on privacy in their devices.

We can't expect the ePR to go into effect any time soon, but when it comes we will welcome it, and as the customer in all this, enjoy better protection of our personal information.


Last update 05. June 2019

