The Member States of the European Union have agreed on a negotiating framework for new and revised rules to protect people’s privacy and confidentiality when using electronic communication services.
This means that new ePrivacy rules will be drafted which will lay down specific actions and obligations that service providers such as Facebook, Signal, and Instagram will have to abide by. The new rules will apply in particular to providers that process electronic communications or have access to any data stored on users’ devices, such as a mobile phone or tablet.
But why was this necessary?
The previous ePrivacy directive was enforced in 2002 and things have changed significantly since then. With the increased use of voice over IP, email, direct messaging services, and new ways of tracking users’ activity and behavior, the EU felt changes were necessary.
In particular, concerns about how personal data was being used for targeted advertising had to be addressed.
In combination with other EU-wide laws, various solutions have been rolled out over the last few years, such as Geoedge, which provides secure and safe advertising services for marketers. This was much needed at a time when many consumers felt that everything about them was being made available and sold off to advertisers. Important safeguards such as this became more necessary and more in demand.
What about the GDPR?
The EU passed a bloc-wide law called the GDPR in 2018. This law provided a significant upgrade to existing privacy laws and brought all member states, and companies working with EU customers, up to date. It focussed on the way that personal data was collected and then used by corporate and business interests, with a focus on protecting the client. Overall, the aim was to give control back to individuals over their data and how it is utilized.
The new rules will complement and expand upon the GDPR.
What will it cover?
The new rules will cover the entire electronic communications market, even if the company is foreign. A US company that caters to EU clients, for example, will still be bound by the rules. As with the GDPR, the rules will also apply if the servers and any processing take place outside of the bloc.
Data such as personal and private information, location, time, recipients, and other metadata will now be considered as sensitive as the content of the messages themselves. Taking into account the popularity of technology such as the Internet of Things, the rules will also cover machine-to-machine data transmission.
If a company wants to process personal data or metadata without consent, it will only be allowed to do so to check for viruses, in the prosecution of criminal cases, or to prevent threats to public safety. Such data can also be used to prevent fraud or to protect users’ interests in situations such as pandemics, natural disasters, and humanitarian emergencies.
Other measures include tightening of rules around accepting cookies. Sites will no longer be able to make site access dependent on accepting cookies, and users will be allowed to opt in and out of different kinds of cookies via their browser.
There are also rules on ways in which companies can directly or indirectly solicit marketing.
This may be an EU law, but its impact will be felt globally. It’s also likely it will provide guidelines for other lawmakers on how to regulate and protect citizens in our digital society.