The Next Wave of Data Protection – the ePrivacy Regulation and its impact on financial services
Many firms still struggle with the implementation of the GDPR, and the growing number of fines is a testament to that. For those that seem to have dodged the bullet so far, the next one is already on its way. The ePrivacy Regulation promises to bring further challenges to a financial services industry that is still grappling with the first wave of new data protection rules. Jochen Heussner of PlanetCompliance explains what we can expect and what it means for financial institutions.
More than nine months have passed since the GDPR (General Data Protection Regulation) came into effect, but many companies still struggle to adapt to the new rules. This was perhaps most noticeable in the decision of some US-based publishers to block EU-based readers entirely out of fear of breaching the GDPR. That concern is not entirely unwarranted. The GDPR introduced potential fines of up to €20 million or 4 percent of global annual turnover, whichever is higher. While regulators initially seemed to give companies some leeway, enforcement action has been coming thick and fast in the last couple of weeks, culminating in the €50 million Google has to pay for failing to comply with its obligations. Even though most fines issued so far are significantly lower, the prospect of being penalised was enough for some publishers to block large parts of their audience and forgo advertising revenue rather than risk crossing the line.
Even though the dust slowly seems to be settling on the GDPR, these struggles are far from over. The upcoming ePrivacy Regulation is the next mammoth data protection task that companies have to master.
What’s the ePrivacy Regulation and why do we need more data protection rules?
What is the rationale behind more data protection regulation if the GDPR has not even been around for a year? Initially, a large part of the rules in the current draft of the ePrivacy Regulation was intended to be part of the GDPR, but was shot down in early discussions. The need to address the elements the GDPR left uncovered, and to update an existing framework (the ePrivacy Directive 2002/58/EC) that had become rather outdated, remained.
The Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) – to give it its proper name – is therefore an extension of the GDPR. The name also captures the difference between the two: the GDPR governs the protection and processing of personal data in general, whereas the ePrivacy Regulation focuses on specific uses of electronic communication such as email, SMS, cookies and device fingerprinting, as well as the confidentiality and integrity of the communications themselves. In that sense, the ePrivacy Regulation complements the GDPR, since it covers the use of personal data as regulated under the GDPR when that data travels in the form of electronic communication such as an email. Hence, companies need to comply with both sets of rules if they use these forms of communication – and, let's be honest, who doesn't?
So far, so good. The problem, though, is that the ePrivacy Regulation has hit several roadblocks right from the start. Its provisions were kicked out of the original GDPR proposal. Its rather ambitious start date, which was to coincide with that of the GDPR in May last year, was then delayed, and thanks to extensive industry lobbying a number of changes have been recommended since the original proposal, with the latest compromise text published by the current Romanian presidency of the Council on February 4th. The Romanian presidency has announced that it aims to produce a compromise text by the beginning of June that could form the basis for trilogue negotiations between the three EU institutions, since all parties will have to agree on a final text. However, with elections for the new European Parliament coming up in May and the change in the Council presidency in July, this may again prove too ambitious, but hope springs eternal.
Potential impact on financial services and compliance
So, the bottom line is that there are a number of variables that will likely delay the entry into force of the new regulation even further, and we will also see additional changes that might water down the current obligations. What is certain, though, is that the ePrivacy Regulation will be introduced at some point in the not too distant future. For financial institutions, this means they need to look for holistic solutions. Covering the regulatory obligations of the GDPR can be no more than a starting point, and failing to use the opportunity to address the combined requirements of the new EU data protection framework only means kicking the can down the road.
And there is little time to lose. Considering both the current popularity of artificial intelligence in FinTech applications and the potential of the Internet of Things for financial services, the risks can multiply quickly. The use of data in machine-to-machine services is a key element of the current discussions on the ePrivacy Regulation, and all parties have made clear that they are fully aware of the emerging role of IoT devices. Treating these risks lightly might soon result in a hefty bill – just ask Google!