If you thought GDPR was bad – just wait for ePrivacy Regulation
“Privacy is one of the biggest problems in this new electronic age.” ― Andy Grove, co-founder and former CEO, Intel
While the Facebook-Cambridge Analytica situation catapulted the GDPR into national prominence and jolted many non-EU companies into action vis-a-vie data protections, there is an even more concerning regulation - some say nightmare - waiting in the wings; ePrivacy Regulation or ePR for short.
EPR is essentially a complement to the GDPR (in force since May 25) covering all electronic communications and data. It is intended to provide a single digital data privacy framework under which all companies doing business with EU residents must conform, and the penalties are similar to those enforced under the GDPR.
Originally intended to roll out simultaneously with the GDPR, ePR has caused such extreme concerns across a variety of industries that rollout has been postponed as rigorous negations and clarifications take place.
According to an economic impacts report commissioned by the Developers Alliance, concerns include:
- Up to a 30 percent fall in economic profits dependent – directly or indirectly – on electronic communication.
- Impacts felt far beyond telecommunications and into many data-driven industries;
- And EU residents paying a stiff price in terms of stifled innovation, lost jobs and reduced economic growth.
In a nutshell - ePR
Regulators developed ePR because the volume and complexity of digital data are increasing exponentially and the environment for generating, storing and consuming these emerging types of data can be quite different from more traditional data formats.
While the GDPR focuses on providing consumers with protections for and control over the use of personal data stored in a company’s databases or passed to a third party, ePR speaks specifically to electronic communications data.
In some cases, it enumerates how GDPR protections should be applied to electronic communications data. In others, it adds restrictions not found under GDPR. In all cases, the intent is to create a single unified regulatory platform between GDPR and ePR for handling of personal data, whether digital or traditional.
The regulation cuts a broad swath, applying to traditional telecommunications companies and internet service providers, to e-mail, messaging apps and VOIP services, to anyone any company using electronic tracking (e.g., cookies) and to some uses of IoT and machine-to-machine communications.
In a divergence from the GDPR, business-to-business companies are also required to comply which incorporates business employees into the GDPR protections currently afforded to consumers. Extended or expanded requirements under ePR include the following:
Consent – the GDPR delineates rules for obtaining clear and unambiguous consent for collection and use of personal information. ePR follows the same definition of what constitutes valid consent but makes it the “central legal ground” for the processing of electronic communications data, direct marketing communications and the access to end users’ terminal devices (phones, wearable devices, gaming consoles, etc.).
One area of concern under ePR is that while GDPR also includes legitimate interest (as long as the consumers are aware of this and have consented to it) and contractual necessity as allowable factors for collecting and processing personal data, ePR lacks these exemptions to consent. This adds ambiguity, brings into question the alignment and relationship between GDPR and ePR and may effectively narrow how companies can process electronic communications data as well as what they can collect.
For example, without contractual necessity, what happens if a company needs to process certain electronic communications information to provide service, but the customer refuses to give consent? Or on the flip side, does it mean that companies have to alter account origination processes to obtain consent for processing necessary to set up the account? Both questions seem to extend the need for obtaining consent beyond what the GDPR established.
Cookies – Although ePR will allow the use of first-party cookies for analytics, it imposes severe restrictions on the use of third-party cookies. Under the regulation, companies will have to obtain specific consent for social plug-in cookies, third-party cookies used for behavioral advertising and third-party analytics. Companies are concerned that this type of consent will be quite hard to obtain.
Also under discussion is the question of whether companies whose business model is based on targeted advertising (e.g., Facebook) can deny users who refuse consent access to the site or if they must provide other fair and reasonable options for access (subscription, paid access or limited access to parts of the site).
Communications Data, Metadata – ePR delineates between communications content (what was said) and metadata (type of communication, length, location, involved parties, devices involved, etc.). It also limits the ability to access the processing and storage of terminal devices (e.g., phones) to collect metadata and to implement the tracking options discussed above.
Metadata usage is limited to statistical counting, requires data to be deleted and anonymized immediately after the function it was collected for is complete. Users also have the ability to object. Industry groups are negotiating to have legitimate interest (e.g., analysis of customer behaviors and hardware performance needed to improve service) added into the rules here, particularly for metadata, as they feel customer experience and network efficiency will be negatively impacted under the current rules.
Predicted business impacts
The projected impacts are significant and impact a varied number of industries. Concerns revolve mainly around the restrictions of metadata and the inclusion of IoT and machine-to-machine communications. Put simply, if you can’t transmit and analyze activity, you can’t use it, which calls into question a significant number of current IoT and customer experience management activities.
Gaming – Video game developers rely on gamer metadata to feed machine learning algorithms that make play better in subsequent versions and help find and fix bugs post-release. Under ePR, this would cease to be a viable path for product improvement and will severely impact game quality.
Communications content is also critical for social games as both the gaming community and the platform providers monitor for hate-speech, targeted harassment and illegal communications. Gamer-developer give and take feedback mechanisms could be adversely impacted as well.
Telecommunications - Monitoring network metadata (volume, location and duration of calls, data usage, device types, dropped calls, etc.) is critical to maintaining network performance, analyzing root causes of persistent issues and determining infrastructure investment requirements. Historical information is needed as well, making the requirement to delete problematic.
Telecommunications also use metadata to provide targeted offers and suggestions to individual customers. Detecting calling behaviors that indicate a need for plan changes or proactively identifying handset issues are good examples of activities which may be curtailed or restricted.
Online Advertising – The advertising business model will be significantly impacted by the restrictions placed on third-party analytics. Some fear that companies will have to move analytics in-house where they lack the technology and skillsets needed to precisely target communications and offers thus pushing smaller companies back to the days of “spray and pray” communications.
Another question concerns how to manage the specific consent requirements in today’s high-volume, real-time analytic environments needed for customer experience initiatives. And the big elephant in the room - a significant change to the many on-line businesses that rely on advertisers to provide free services (social media, paid search, etc.).
Smart Things and IOT in General – Smart cities and houses, automated distribution initiatives, fitness and health wearables – these all rely on activity data (metadata) and location data, and many have a human component – drivers, cell phone users, wearers etc.
It is unclear where ePR will land in terms what types of IoT data will eventually be covered, what consent will be needed and what processing can occur. This is an area of significant concern, and many industries are weighing in and watching closely.
The bottom line? Keep a close eye on the progress of discussions around ePR, because like it or not, some form of regulation will be in force one day. And that day may come sooner than you think.