Data Mapping: Frequently Asked Questions
Most people find data privacy compliance to be complicated enough....Read Now
July 8, 2020
The European Union takes the flow of data seriously. They recognize that data is a representation of our private lives that can be used to undermine our autonomy. We may choose to relinquish our data, but it should always be our choice.
You’re probably aware of the General Data Protection Regulation (GDPR), but there’s another important piece of privacy legislation that completes the EU’s data security framework: the ePrivacy Directive.
The ePrivacy Directive (ePD) is an older piece of legislation, enacted in 2002 and amended in 2009. It requires each EU Member State to pass their own national laws on data protection and privacy. It regulates several important issues, such as consent, confidentiality, spam, cookies, and treatment of traffic data.
The purpose of the ePD is to align national protections of EU fundamental rights - namely the rights to privacy, confidentiality, and the free movement of data. It applies to the processing of data in connection with electronic communication services. Its main provisions include:
Article 5 is the most important section for website owners. This section directs the 27 EU Member States to create laws that state websites may only store information or gain access to information already stored on users’ devices if they have provided users with clear and comprehensive information about the purpose of the processing and received user consent.
Recital 17 of the ePD explains how consent can be obtained. It offers a few appropriate methods, but one is most popular: ticking a box when visiting a site. This method is called a “cookie consent banner” (and why the ePD is commonly called the “EU cookie law.”) You’ve probably seen a lot of banners lately like this one on Osano's website.
While there’s plenty of overlap between ePD and the GDPR, they do not conflict. The GDPR deals generally with the rules of processing personal data. The ePD, however, focuses on the right to privacy and the right to freedom of communication, two rights in the EU Charter of Fundamental Rights. In a sense, the ePD elaborates on the GDPR in regards to electronic communications.
The ePrivacy Regulation (ePR) is an upgrade to the ePD. It’s intended to complete the GDPR. When it passes, it will override the many country-specific laws and create a single data protection standard for electronic communications in the EU. It broadly applies to traditional telecommunications service providers and over-the-top communications services such as instant messaging apps, social media platforms, webmail, voice- and video-calling services, and machine-to-machine communication services.
What’s the difference between a regulation and a directive? A directive is a flexible legislative instrument. It’s an objective EU Member States must meet. States can implement a directive however they like as long as they achieve the desired result. They can adapt their existing law or pass new ones.
A regulation, however, is more powerful than a directive. Once passed, a regulation is binding across all EU Member States. It becomes enforceable on its set date. It does not need to be transposed into law at the state level as it supersedes existing state law.
The GDPR, for example, is also a regulation that replaced a directive (the Data Protection Directive). The change from an ePrivacy Directive to an ePrivacy Regulation will be equally impactful.
Why change from a directive to a regulation? Because state laws are all different. A single regulation makes things simpler for everyone to do business with each other. As European Commissioner Andrus Ansip puts it:
"All this will mean the same level of protection for everyone in the EU. It also cuts red tape for European businesses. They will have just one set of rules to deal with, not 28."
There has been significant evolution in electronic communications over the last decade, which is why the Directive is now considered obsolete. ePR aims to modernize and harmonize existing law around electronic communications. According to the EU Commission, the ePrivacy Regulation will...
The ePR is designed to complement the GDPR. Whereas the GDPR provides a framework for activities involving personal data, the ePrivacy Regulation will apply the framework to privacy in electronic communications. If ePrivacy conflicts with the GDPR in any way, ePrivacy will override the GDPR.
Like the GDPR, ePR is extra-territorial. It would apply to companies offering services in Europe, not just EU-based companies. And it includes serious penalties - up to 2% or 4% of a company’s global annual turnover).
Additionally, people and businesses in the EU are prohibited from transferring data to countries outside the EU unless those countries are deemed to have an adequate level of data protection. The US does not meet the “adequate level” requirement as it lacks comprehensive federal legislation equivalent to the ePD and GDPR. US businesses and organizations can use the US Privacy Shield to obtain an adequacy agreement with the EU, allowing the transfer of data between US and EU entities.
The European Commission's proposal came out in January 2017. It was supposed to pass in May 2018, but EU institutions are still trying to reach a consensus. As of June 2020, EU legislators are still debating the language. There’s no guarantee that it will pass at all. If ePR fails to pass, ePD still applies.
|GDPR predecessor Directive 95/46/EC is adopted
|First GDPR proposal
|GDPR predecessor Directive 95/46/EC is adopted
|EU Council, Parliament and Commission reach an agreement on the first draft
|EU Council and Parliament adopt new Data Protection Regulation
|GDPR is implemented. No consensus on ePrivacy reached
|Expected implementation of ePrivacy Regulation
Businesses and organizations are holding up the legislation because their models are based on exploiting online activity, which means ePR will require big changes on their end. On the other hand, consumer protection groups want stronger protections, especially in the light of data misuse scandals like the Facebook-Cambridge Analytica mess that highlight our need to protect people from data-driven business models.
Regardless of when the EU will enact the ePR, the breadth of the regulation and its potential penalties mean companies inside the EU and abroad should take it seriously today. It’s important to use this time to work toward compliance.
Osano's consent management software is the most popular cookie consent solution on the planet, serving more than 2 billion consents per month across 3.5 million websites. Our private, fast quantum blockchain records every single visitor consent.
If you want to comply with the current ePrivacy Directive and the upcoming ePrivacy Regulation, get started with Osano now.
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.