Now that the General Data Protection Regulation has passed, the EU privacy regime will be uniform once it comes into force, right? Well, not unless the ePrivacy Directive gets a refresh.
Otherwise, reported panelists at the IAPP Data Protection Intensive here in London, privacy law in the EU will be decidedly “misaligned.”
Known as the “cookie law,” the ePrivacy Directive was primarily intended to regulate the telecommunications industry, though it has been extended by member states to industry at large. It protects the confidentiality of communications, alongside establishing the EU’s lone data breach notification law, defining unsolicited communications, and governing how cookies, location data, and metadata are used. It was created in 2002, updated in 2009, and now the EU Commission’s report in October has begun the process of examining its effectiveness and need for yet another update.
Last week, the Commission announced the consultation on the ePrivacy Directive had officially begun, and it is taking comments on how it should be updated through July 5.
So, what are the comments likely to be? What are the problems that need addressing? Essentially, said Jones Day’s Laurent De Muyter, there’s been a “glitch in the agenda.” While DG Justice at the Commission oversees the GDPR, it’s DG Connect that oversees the ePrivacy Directive, and the two were not in concert as the GDPR was moving through its long and winding passage. Now, they are in ways misaligned.
With the passage of the GDPR, for example, there is a new breach notification standard with a 72-hour time period, while the current ePrivacy Directive has a requirement for 24 hours. And there is an enforcement disconnect, as well, as member states can have ePrivacy regulated by their telecom commissions rather than their data protection authorities.
While emphasizing that she was not providing an “official position,” Sophie Louveaux, head of unit for policy and consultation at the European Data Protection Supervisor, said “reform of the ePrivacy Directive is a top priority from a privacy point of view” and added that it’s vital to have “full coherence” between the new GDPR and ePrivacy.
For instance, Louveaux said ePrivacy should be handled as a regulation, and not a directive, in its next iteration, delivering “more consistency of application from across the EU.” And, as you might expect, Louveaux emphasized that the refresh “can’t be used to lower privacy protection.”
She also offered the opinion that enforcement should be handled by DPAs and the newly established European Data Protection Board.
This would be welcome for Michaela Angonius, head of group regulatory affairs at telecom firm TeliaSonera, which serves Nordic and Baltic countries in Europe. “We’re now in a very short timeframe to make sure that before the GDPR comes into force we’ll have a directive that’s aligned and there are no gaps.” While the Commission has set a goal of finishing the refresh by December, there was general chuckling when that was discussed.
De Muyter diplomatically called it a “very ambitious agenda.”
One of Angonius’ big concerns, and that of the telecom industry in general, is lack of consistency of application between telecoms providers and what are known as “over the top,” or OTT, providers like WhatsApp or Wickr. Why are the communications through those kinds of apps treated differently than communications over cellular or landlines? To use location data, for example, telecom providers have to ask for explicit consent, while, in the new GDPR, Google Maps would clearly have unambiguous consent to use location data while providing the service of helping someone find their hotel.
Further, Angonius said she believes issues like location data and metadata are handled by the GDPR in general, and there needn’t be any separate ePrivacy regulations for telecoms at all. “We should be trying to move as far as possible from sector-specific legislation,” she argued. “We don’t know where technology will take us.”
And, similar to Louveaux, Angonius said, “We want to see something harmonized across Europe. … We would like a regulation, [and] it needs to be clear on who is the party that we need to deal with. We prefer the data protection authority.”
If other privacy professionals have opinions as well, now is the time to weigh in. You can find information on the consultation here.