On Tuesday January 10th 2017, the European Commission unveiled policy initiatives on data aiming to ensure stronger privacy rules and boost the EU data economy. This package, described as ‘the last major Digital Single Market initiative’ by Commissioner Andrus Ansip, includes three main pieces:
This note provides an overview of the key elements and challenges arising from the first two initiatives. Please do not hesitate to contact us should you wish any further information.
5 THINGS TO KNOW ABOUT THE NEW E-PRIVACY REGULATION
Officially called ‘Regulation on Privacy and Electronic Communications’, the proposal complements the General Data Protection Regulation adopted in May 2016 and aims to ensure the same level of trust and security for B2B communication and communication between individuals. The e-Privacy regulation is an important piece of the Digital Single Market strategy and several elements must be highlighted:
1. A direct and binding effect
Once adopted, the e-Privacy regulation will have binding legal effects and will be directly applicable in all European Union countries with no need to be transposed into national law. It will create rights and obligations for individuals that can be directly invoked before national courts. Data Protection Authorities of Member States will be responsible for enforcing the regulation.
2. New rules for new players
For the European Commission, there was a great need to update the last version of the ePrivacy Directive dating back to 2009 as new actors ensuring inter-personal communications have emerged in the meantime. Initially, ePrivacy rules were only applied to telecom companies. Therefore, the main goal of this regulation is to extend its scope to new Internet based services, also called ‘Over-the-Top communications services’ (OTTs) by the European Commission. This will have a significant impact on online messaging applications such as Facebook, WhatsApp or FaceTime that will have to engage new costs to respect new privacy rules. Also, it is worth mentioning that although the Commission wanted to guarantee a level playing field for telecom operators when processing data, the regulation still imposes telco-specific restrictions on traffic and data location.
3. A pro-consumer regulation
Andrus Ansip clearly stressed that ‘consent of users is paramount’ in this regulation. Indeed, any activities linked with data and metadata processing (including intercepting, scanning, or storing) will require the users’ explicit consent. The regulation also seeks to give full control to users on their privacy settings. Regarding cookie warnings, users will not have to click on cookies banners anymore as they will set their own level of protection in their internet browser. Only a few exceptions do not require users’ consent: non-privacy intrusive cookies aiming to improve internet experience (e.g. login information for the same session) or cookies counting the number of visitors for a website.
4. The advertising sector highly affected
If the regulation does not prohibit online ads, it will have a significant impact on ad companies or website containing ads. Indeed, by giving an extensive control to users on their privacy settings, it will limit targeted online ads, threatening publishers that count on online ads as a source of revenue. Spam and direct marketing communications will be also conditioned on users’ consent. Companies failing to respect users’ consent could be fined up to €10 million, or 2 percent of their annual turnover.
5. Next steps
The Commission set an ambitious schedule, calling European legislators to ensure the adoption of the regulation by 25 May 2018, when the General Data Protection Regulation will enter into force.
5 THINGS TO KNOW ABOUT THE COMMUNICATION
1. The Commission is not introducing new rules… yet
2. There is a lot at stake
The Commission once again recognizes the crucial importance of data flows for the European Economy across all sectors, from manufacturing to transport, healthcare, financial services, agriculture and energy:
3. Four key questions raised… but left unanswered
Data localization – In a very welcome move for data-driven businesses, the Commission took a stand against data localization, that is measures that would require data to be stored or used in the country where it is collected:
Access to data – recognizing the substantial value of access to large datasets to innovate across different sectors e.g with data collected via Internet of Things, the Commission intends to explore ways to promote such access and data sharing in horizontal and sector-specific discussions.
Liability – In a world where factories, cars and everyday objects are connected, who should be held liable? Should it be manufacturers, operators or software providers? The Commission does not believe that current rules fully answer these questions. Alternatives will be explored in the consultation process.
Data portability and interoperability – Should new rules be adopted to ensure that non-personal data is easily transferable to other providers?
4. An inward-looking take on a global issue
5. Next steps
What can you do?
How can we support you?
 European Data Market study, SMART 2013/0063, IDC, 2016
This website requires Chrome, Firefox, Safari or Internet Explorer 9+