ePrivacy Regulation and messaging platforms
There is an ePrivacy Regulation 2021 status update and it comes in the form of the current EU Council’s new draft proposal published on 10th February 2021. Notably, the ePrivacy Regulation 2021 draft proposal makes the text simple and shows significant alignment with the GDPR (General Data Protection Regulation). If approved, the ePrivacy Regulation 2021 draft will establish new data processing requirements in relation to electronic communications, cookies, direct marketing, to name a few. With that in mind, let us take a closer look at what you should expect in case ePrivacy Regulation draft is eventually adopted by the EU.
The Scope of the ePrivacy Regulation Draft Proposal
The ePrivacy Regulation 2021 draft proposal seeks to protect the right of EU citizens to the confidentiality of their electronic communications content and metadata of that content. The scope of the ePrivacy Regulation draft also extends to machine-to-machine data transmitted over a public network (privacy of users’ data when using Internet of Things (IoT) applications). If adopted, the latest draft will apply to the processing of personal data of users by electronic communication service providers and networks.
Examples of businesses that will be subject to compliance include;
- Email service providers
- Internet calling services e.g FaceTime and Whatsapp
- Phone call service providers
- Internet access service providers
- Messaging platforms
- Personal messaging through social media platforms
Differences from Previous Proposals
Compared to previous proposals, ePrivacy Regulation draft simplifies the text of the law and provides a clear alignment with the GDPR.
- Broadening the scope of the regulation to apply to the processing of electronic communications data by businesses outside the European Economic Area (EEA).
- Defining location data
- Reintroducing provisions that permit the processing of electronic communications data for purposes that align with the initial purposes for collecting this data.
- Adding a requirement for businesses sharing anonymized statistical personal data from electronic communications with third parties to conduct Data Protection Impact Assessments and inform users about their intended data processing activities.
- Allowing service providers to access personal data on users’ devices for the performance of a contract. The previous version permitted this only where it was technically necessary. The term ‘technically’ has been omitted.
Key Differences with the ePrivacy Directive
If the ePrivacy Regulation 2021 draft proposal is adopted, it will expand the 2002 ePrivacy Directive’s scope to incorporate emerging technologies such as;
- Instant messaging apps and VoIP (Voice over Internet Protocol) platforms,
- Machine-to-machine communications such as the IoT (Internet of Things).
Will the ePrivacy Regulation replace the GDPR?
No. The ePrivacy Regulation is not meant to be a substitute for the GDPR. It’s designed to complement it. The GDPR provides an oversight framework for activities involving the processing of personal data. On the other hand, the ePrivacy Regulation focuses on supporting the GDPR’s general requirements by providing specific rules to govern the confidentiality of electronic communications of EU residents. Since the GDPR focuses specifically on personal data while the scope of the ePrivacy Regulation can cover not only personal data, but also B2B data, it is likely that the ePrivacy Regulation may take precedent over the GDPR in instances where both laws are applicable.