11 Dec 2019 | 11.04 am

An EU regulation complementing the GDPR has run into delays, says Steven Roberts of Griffith College — but it’s on the way

For many Irish businesses, particularly SMEs, the issue of data protection and privacy centres primarily on the General Data Protection Regulation or GDPR. This piece of legislation has occupied the minds of business leaders for more than two years, particularly since its introduction on 25 May 2018.

It has significantly affected consumer awareness around privacy. The Data Protection Commission reported a 70% year-on-year increase in the number of data breach notifications it received. In the UK, 73% of people expressed concerns over personal data being exploited.

However, the GDPR is only one in a series of initiatives planned by the European Union. This is part of the EU’s commitment to a Digital Single Market, allowing for the free flow of data across member states, while ensuring the privacy of that data is maintained.

The ePrivacy Regulation

The ePrivacy Regulation is a key building block in this project. Its aim is to provide confidentiality and privacy to electronic communications. It overhauls the existing 2002 Directive, which requires a significant update to reflect rapid advances in technology over almost two decades, for example the emergence of Over The Top (OTT) communications providers such as WhatsApp, Netflix, Skype and other similar services.

While not as far-reaching as GDPR, the ePrivacy Regulation is still of prime importance for businesses. Key elements of the proposed regulation include:

Cookies: ePR will overhaul the current system of consent pop-ups on websites, which many commentators view as both annoying and ineffective.

Content and metadata: The regulation will seek to guarantee the privacy of both the content of a communication (voice, text, video, and image) and the metadata associated with it, such as location, time and device-related information.

Direct marketing: Unsolicited electronic direct marketing by any means will be prohibited where consent has not been given. An opt-in will be required for all types of electronic marketing. The exception is where email details have been obtained in the context of a sale or service.

Legal persons are also covered: In addition to individuals, businesses as legal entities are covered by the definition of ‘end user’.

This is a significant change. One of the regulation’s objectives is ‘to ensure an equivalent level of protection of natural and legal persons’. This will pose difficulties for many firms, as the principles outlined under GDPR were designed primarily with an individual’s personal data in mind.

Companies should take note that fines for non-compliance will be set at the same levels as for the GDPR, with a maximum fine of 4% of global turnover or €20 million, whichever is the greater.

Delays and lobbying

The EU originally intended to introduce ePR simultaneously with the GDPR, providing a comprehensive framework covering data protection and the confidentiality of communications. That proved to be ambitious. Instead, the legislation has become bogged down in disagreements at member state level as to its content. The potential impact of the regulation for the current ad-tech model relied on by Google, Facebook and other online advertisers has meant substantial lobbying has taken place.

The most recent delay in the progress of ePR occurred on November 22, when member states rejected the latest draft proposed by the Finnish Presidency. Businesses, in particular the big tech firms, are waiting to see how EU legislators will respond to this latest setback. Some commentators are now predicting a substantial rethink will be required for any subsequent draft of ePR. A number are suggesting a better way forward may be a return to the risk-based approach adopted by GDPR.

Looking ahead to 2020

Looking towards next year, it is important for Irish business owners and executives to keep the ePrivacy Regulation on their radars. While we are unlikely to see any significant progress in the immediate months ahead, this legislation, if introduced, has the potential to affect business and compliance requirements significantly. This is particularly the case for online advertisers, communications firms, and the big technology companies.

• Steven Roberts is head of marketing at Griffith College. A certified data protection officer and Fellow of the Chartered Institute of Marketing, he writes on strategy, marketing and data protection issues.