By Kim Smouter
The end of 2015 marked the adoption of Europe’s new General Data Protection Regulation, legislation with massive implications for research organisations collecting and processing data on data subjects located in the European Union. Its entry into force in May 2018 does not leave a lot of time for companies to comply with the law, and there are still many grey areas in the adopted text that need to be clarified. But it may be tempting to focus solely on the General Data Protection Regulation and forget that there is a whole set of related legislation that may have just as much impact.
What’s been proposed by the European Commission:
The ‘Cookie’ law is getting new teeth
The ‘Cookie’ Law is up for renewal, and the European Commission’s ambition is to tackle head-on the issues with the last one, namely that each Member State was free to create its own rules in a field where harmonisation would have been most helpful. The aim is also to regulate tracking much more strictly, and to create a level playing field between traditional telecoms operators and new entrants into the communications field.
Unlike the previous ePrivacy law, the proposal is for the new ePrivacy law to have the same teeth as the General Data Protection Regulation, which means non-compliance with the law would yield fines of up to EUR 20 million or 4% of annual global turnover, whichever is the higher. That certainly elevates the legislation from its current status as a matter of website hygiene to something far more serious from a compliance perspective.
Scope to be extended to non-EU based entities, and to all communications channels
The Commission has proposed expanding the scope of the European electronic communication confidentiality rules, and introducing an extraterritorial dimension similar to that of the EU GDPR. It no longer makes a distinction between classic communication mechanisms like your telephone operator and digital communication channels like WhatsApp. All actors providing electronic communication services used by Europeans, regardless of their physical location, will come into the scope of the new Regulation, as is explained in Recital 9. The definitions of key concepts are now aligned with the GDPR and other relevant EU legislation.
Electronic communications are confidential and to be governed by strict purpose-limitation
The proposed text contains provisions requiring the confidentiality of electronic communications, and defines strict purpose-limitation and processing requirements for communication data. The Internet of Things is also brought into scope, as the proposal requires guarantees for the integrity of both the information stored and the information emitted.
It’s consent, but not as we know it: informed, unambiguous, and specific
The Regulation introduces an opt-in rather than an opt-out model, requiring consent as expressed and conditioned under the EU GDPR, and requires providers of communication-enabling software to help end-users make effective choices in their privacy settings.
The Regulation places a strong emphasis on the rights of end-users to control the sending and reception of electronic communications, whether that is call-blocking, the conditions for their inclusion in publicly available directories, or the conditions governing unsolicited marketing.
A new enforcer in town: the national Data Protection Authorities
Interestingly, the Regulation proposes that enforcement of the ePrivacy Regulation be entrusted to the national Data Protection Authorities (a position supported by ESOMAR and EFAMRO in our consultation response), clearly with the intention that the Regulation not be applied as loosely as the previous Directive.
The Key Battle Lines
Yesterday, the European Parliament’s Civil Liberties Committee, in charge of leading the negotiations on behalf of the European Parliament in this dossier, held its first public hearing, having named Marju Lauristin, an Estonian MEP, as its chief negotiator. During the hearing the perspectives of the supervising authorities were confronted with those of academics, industry representatives, and privacy advocates.
- Cookie walls: The most visible face of the current ePrivacy Directive today is the presence across thousands of websites of pop-ups that notify users of the placement of cookies and their purpose. They are criticised by legislators and privacy advocates alike because they give no real choice, often ignore a choice once it is made, and do not offer enough ability to modulate access to a service. During the hearing there was an open discussion about banning them outright.
- Tracking (including WiFi tracking): This is likely to be the focus of sensitive and heated debates between stakeholders. There are real concerns about the surreptitious placement of trackers and the tracking of individuals’ behaviour across the web and their mobile devices, particularly where this happens without users being made aware of it and given a choice to opt in to such tracking. WiFi tracking is another sensitive topic.
- Browser privacy settings: Browsers are seen as a crucial interlocutor in ensuring the confidentiality of communications and the privacy of individuals; accordingly, the proposed Regulation seeks to impose on browsers the need to institute privacy-by-default settings, and the need to comply with Do-Not-Track signals set by the user. How strict these settings should be, and whether they should be default-on or default-off, will be the subject of sensitive debates.
- Communications confidentiality: Ensuring end-to-end confidentiality is one of the key concerns of the ePrivacy Regulation, and it seeks to balance this against increasing concerns about the use of new digital communication channels to plan and execute terrorist acts.
- Legitimate interest vs consent: The General Data Protection Regulation allows EU organisations to use a range of legal processing grounds to fit the specific contexts in which data collection and processing take place. The ePrivacy Regulation is a much more consent-driven tool. Industry in particular is concerned that, because of the stricter requirements imposed on consent, many of the use-cases to be governed by the ePrivacy Regulation would be impossible to continue if forced to rely on GDPR consent. Accordingly, there is hope that legitimate interest, which allows processing so long as the rights of the individual are not infringed, could also be introduced more generally in the text.
What Concerns Research the Most
Our objective in the upcoming negotiations is to ensure that research organisations can continue doing the critical audience-measurement work undertaken to support the fair valuation of markets across the world. Additionally, we are deeply concerned that the proposal is written in such a way that only first-party web audience measurement is permitted.
We are making the case that, provided we meet the conditions and safeguards required under the General Data Protection Regulation, and take all necessary measures to ensure our activities have little or no impact on the individual, we should benefit from derogations from the consent requirements foreseen.
We are also interested in strengthening legal certainty for telephone-based survey research, which may be negatively impacted by proposed restrictions on unsolicited direct marketing telephone calls. The terminology used and the flexibilities afforded to Member States on this point could lead to certain countries being tempted to classify market, opinion and social research as marketing, hampering our ability to assemble representative samples for a wide range of research users.
ESOMAR and EFAMRO will be actively advocating and defending the interests of our members, which is why today we have adopted a position statement that will be sent to key negotiators in the hope that our views will be reflected in the final text. With the European Union’s ambition to see the text adopted by the end of this year, and to have it enter into force at the same time as the GDPR, time will be of the essence, and we’ll continue keeping you informed of developments as we witness them.
More information and actions you can take today:
- Grab a copy of our joint position statement with EFAMRO to see where we stand
- Grab a copy of the European Commission’s proposed draft of the ePrivacy Regulation
- Check out the European Commission’s analysis confirming the need for a new ePrivacy Regulation
- Our Data Protection Checklist is a great starting point if you’re worried about compliance; it operationalises key global requirements
- Queries? Get in touch with our Helpdesk, free-to-use for ESOMAR members
- Want more support? Why not subscribe to our ESOMAR Plus programme for Corporate Members. Register to get a sneak preview during our introductory webinar to be held on 2 May!
Kim Leonard Smouter is Head of Public Affairs & Professional Standards at ESOMAR.