While organisations are only acclimatising to the impacts of GDPR, a new set of regulations focussing on ensuring individual privacy with regard to electronic communications are on the way in the form of the ePrivacy Regulation (ePR).
The ePrivacy Regulation will repeal the current ePrivacy Directive, a legal act of the European Union, and is expected to come into force sometime in the next year. The regulation aims to guarantee the "right to privacy in the electronic communication sector”.
The regulation will work in conjunction with GDPR to further ensure data is handled with care by organisations and will give individuals more control over their internet data.
It carries the same penalties as GDPR, which means a possible fine of €20 million or 4% of your annual turnover, whichever is larger.
ePrivacy specifically covers electronic communications which means that, when a data privacy issue is raised regarding communications, regulators will default to ePrivacy for that given instance not, as you may expect, GDPR.
The proposed regulation not only covers email and SMS but also addresses data privacy in services like WhatsApp, Facebook Messenger, Skype and the complex area of Internet of Things (IoT) devices and applications. What’s more ePR will also include regulations and tools to protect metadata associated with electronic communications such as location data.
Article 16.1 of the proposed regulation states: “Natural or legal persons way use electronic communications services for the purposes of sending direct marketing communications to end-users who are natural persons that have given their consent.”
This means emailing an individual at a business would require prior consent which is in some ways at odds with Recital 4 of GDPR which states that regulation respects the fundamental ‘freedom to conduct a business’.It may also conflict with Recital 47 of GDPR which states that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”.
Further clarification on this issue in particular will be needed.
In theory this could mean the end of consent banners when you visit a site directly affecting things like targeted ads or retargeting ads (the ads which follow you around the internet because you visited a product) but also potentially a lot of the very useful site analytics many organisations use to improve their services for consumers and users.