The ePrivacy Regulation (formally known as Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications) has been proposed by the Council of the European Union to protect the privacy of online users by standardizing the privacy controls of electronic communications service providers who gather and manage data of online users residing in the European Union. The regulations would include legal procedures for (a) storage of user cookies; (b) gathering of user geolocation data; (c) unsolicited electronic correspondence such as emails or SMS messages; and (d) third-party involvement in private electronic communications.
The ePrivacy Regulation is designed to upgrade and replace the current ePrivacy Directive of 2002 and complete the 2016 General Data Protection Regulation (GDPR). The main difference between the incumbent Directive and the ePrivacy Regulation is that the Directive depends on varying local regulation and enforcement support in each EU Member State, while the Regulation would supersede these legal structures, serving as a uniform data protection standard which is legally binding across the EU. The Regulation will grant more regulatory powers and affect the operations and services of software providers such as Facebook more than any previous data protection policies.
Objectives of the Regulation
For many years, Brussels has aimed to launch clear privacy policies to safeguard online users. The EU now seeks to develop privacy protection regulation in accordance with increasing consumer usage, enhancing the powers and reach of the GDPR. The new proposed regulation will protect users against unsolicited electronic correspondence by new-age electronic communication corporations.
Currently, many websites display a cookie information banner, and if a user does not accept cookies, they cannot use the website. Under the new regulation, website visitors will be able to reject cookies from browsing and website operators and still be able to access website content without any restrictions. This has been introduced to restore the trust of online users of digital communication channels like Facebook and WhatsApp.
The Regulation would apply to all firms that offer their services in the EU, not just those that are EU-based. Violation of this regulation will result in fines of 2% to 4% of the company’s annual global turnover.
This would have radical implications for the operations of online services, due to data localisation responsibilities. Digital communication services and other competitors will have to adapt to the impact on API usage for business. Online marketers using online platforms for B2B marketing will also face challenges. Unlike under previous policies allowing direct marketing without the consent of the users, users will now operate on an opt-out basis, and no contact can be made without their permission. SMEs relying on a third-party contact list to contact customers without their permission will also be impacted. The Regulation also proposes to require marketers to notify a call recipient of the fact that the call is for marketing purposes and to identify the caller. Customers can opt to block these calls.
As the Commission has not provided guidance on the text that should be shown to website users regarding cookies, marketers are concerned that companies like Google and Facebook will gain greater power, changing the dimensions of digital advertising. Third-party cookies will be more difficult to use than ever.
The first draft of the ePrivacy Regulation was approved by the EU in early. On 5 January 2021, the latest version was announced by the Council of the European Union.
On 10 February 2021, the Presidency of the Council of the EU declared that EU Member States agreed on the proposed draft text. The Regulation will now enter trilogue negotiations between the Commission, the Council and the European Parliament.
This comes at a time when the European Union has become more concerned about possible surveillance from the United States and is looking to limit the exchange of user data. In September 2020, an EU privacy regulator directed a preliminary order towards Facebook, calling for a stop to the transfer of data of EU-based users to the United States.
Despite legal overhauls post-Brexit, the GDPR and its elements are retained in UK domestic law after the transition period, but the UK has the independence to keep the framework under review and alter its elements. The ePrivacy Regulation will not have any jurisdiction over UK Internet services as a result of Brexit but will be legally binding for firms operating online in the EU.
Response and Future Implications
The majority of stakeholders, especially small marketers who depend upon third parties for their customer network, have reacted negatively to the announcement of the Regulation. Digital Europe, the organization representing the digital technology industry in Europe, has raised concerns that the Regulation acts in a disproportionate way, affording greater powers to large Internet companies. In a 2016 EU-led Summary Report “On the public consultation on the Evaluation and Review of the ePrivacy Directive”, EU citizens and stakeholders were consulted about opt-in/out data collection, with 90% of citizens preferring the opt-in option, while 73% of stakeholders prefer an opt-out policy. Industry leaders are also worried about damage to user experience due to the quantity of user authorisations required by the ePrivacy Regulation. User approval would potentially be required for each individual action.
Online media firms such as blogs and newspaper sites which rely on online advertisements could face a financial risk. If online visitors do not make payments, ad consumption provides revenue. The number of pop-ups is mostly based on data collected by advertisers through tracking. If the Regulation is enacted, these ads would require user agreement, damaging the flow of free information online. Services relying on third-party advertising cookies may see a drop in revenue due to cookies being blocked. Companies may have to use creative solutions to persuade users to enable cookies on their sites.
Firms relying on electronic communications may need to audit their operations, adapt them to the regulation and anticipate threats to data security.
Industry players have also noted that the Regulation would make the detection and response to harmful content and activities, like child abuse and illegal materials, more difficult.
As a result of the narrative around the regulation, data protection debates have been revived. In late 2020, before the signing of the announcement of the latest draft regulation, a French user protection body delivered two substantial charges against tech firms for infringing national data protection laws, fining Amazon France Core EUR 35 million, and Google LLC and Google Ireland Limited EUR 100 million. The French data protection authority discovered that neither Google nor Amazon had acquired permission from online users before introducing cookies to their devices, nor did they sufficiently advise users about the cookies or create a means of opting out. As in the GDPR, the fines for non-compliance with ePrivacy are heavy, and companies may face additional reputational damage for non-compliance or for violating people’s privacy.
Author: Oliver Gonzalez