There has been a lot of talk about how to become compliant with data laws and regulations in the coming months, especially around GDPR. However, the European Council has also proposed a second regulation designed in line with GDPR to form the two pillars of data protection across Europe. The Regulation on Privacy and Electronic Communications (ePrivacy Regulation), is designed to reinforce trust in and security in the Digital Single Market, a sector of the European single market that covers digital marketing, E-commerce and telecommunication.
‘This regulation applies to the processing of electronic communications data carried out in connection with the provision and use of electronic communications services and to information related to the terminal equipment of end-users’
All processors and controllers who look after electronic communications will have to ensure compliance with the regulation, as well as the GDPR. Throughout the regulation there are regular references to the GDPR.
When is the regulation going to take effect?
Despite not being as well known as the GDPR, the date for compliance with the ePrivacy Regulation is the 25th May 2018, the same day as the GDPR. As the regulation has stipulations around the use of electronic communications data created by software applications, software implemented before May will have until August to become compliant.
Key points of the ePrivacy Regulation
The ePrivacy Regulation is being put into place to strengthen the protection that European citizens have. As with the GDPR, there are updated definitions relating to the regulation, these are set out in Article 4 of the regulation, some of the key ones are:
Electronic Communications Data is defined as electronic communications content and electronic communications metadata.
Electronic Communications content is defined as the content exchanged by means of electronic communications services, such as text, voice, video, image and sound.
Electronic Communications Metadata is defined as data processed in an electronic communications network for the purposes of transmitting, distributing or exchanging electronic communications content.
These new definitions aim to give clarity to the regulation and the data processors and controllers who will have to adhere to it.
One key area under the new regulation is the protection of data and the stance that ‘Electronic Communications data shall be confidential’. This will protect users from having their sensitive data such as text or email messages from being accessed by service providers and other organisations. Article 6 under the regulation sets out the conditions for the confidentiality of data to be removed, however the stated reasons for this include the need to have consent from the user. In line with the GDPR the definition for consent has also been updated.
Consent is defined as any freely given, specific, informed and unambiguous indication of the data subjects wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Chapter V: Penalties
Chapter V of the regulation documentation sets out all remedies, liabilities and penalties that can be enforced following a breach in compliance. These include the right to compensation for data-subjects. Different articles within the regulation, when breached, carry their own penalties, penalties which are the same as those posed by the GDPR.
The maximum penalty that can be given by the data regulation authority involved is up to €20million or 4% of global revenue. This penalty can be given should an undertaking (serious data breach) occur or if Articles 5, 6, 7 or 18 be breached.
- Article 5 is the Confidentiality of Electronic Communications Data.
- Article 6 is the Permitted processing of Electronic Communications Data.
- Article 7 is the Storage and erasure of Electronic Communications Data.
- Article 18 refers to the responsibilities of Independent Supervisory Authorities.
Penalties of €10million or 2% of global revenue can also be given (A8, A10, A15, A16) and for some Articles the decision of the penalty imposed falls to the member state.
Redstor have been helping organisations to comply with data protection laws and regulations for almost 20 years. As a specialist in protecting and securing data, Redstor have helped organisations adhere to the Data Protection Act (DPA), the School Financial Value Standards (SFVS) and other industry specific regulations. With the impending General Data Protection Regulation (GDPR), Redstor is committed to helping all organisations comply.