Go Back

The next wave of data protection – the ePrivacy regulation and its impact on financial services

What’s the ePrivacy Regulation and why do we need more data protection rules?

What’s the rationale behind more data protection regulations if the GDPR has not even been around for a year? Well, initially a large of the rules of the current draft of the ePrivacy Regulation was intended to be part of GDPR but was shot down in early discussions. But the need to address the elements that were not covered in the GDPR and the necessity to update the existing framework that started to be rather out-dated remained.

The Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) – as is its proper name – is, therefore, an extension of the GDPR. The name also contains the difference to the GDPR as the latter aims at the protection and processing of personal information and the ePrivacy Regulation focuses on the specific uses of electronic communication such as email, SMS, cookies, and device fingerprinting as well as the integrity of the information itself. In that sense, the ePrivacy regulation is an enhancement of the GDPR since it covers the use of personal data as regulated under GDPR in the form of electronic communication like an email. Hence, companies need to comply with both sets of regulations if they are to use these forms of communication – and let’s be honest who doesn’t?!?

ePrivacy Regulation is an enhancement of the GDPR

But the ePrivacy Regulation is not only an extension of the GDPR. It also replaces existing regulations, i.e. ePrivacy Directive 2002 (Privacy and Electronic Communications Directive 2002/58/EC), which has been amended several times and most recently in 2009 by Directive 2009/136 – the Cookie Directive, which introduced a number of changes, in particular with regard to the use of cookies as you may have guessed. It is the nature of each EU directive that it needs to be implemented into national law and as such leaves room for interpretation and the potential of an uneven playing field across the member states. The new regulation aims to remove these differences since it will be directly applicable across the Union, which means the same level of data protection for all. It extends the scope to new communication services like Apple’s Facetime, WhatsApp or Facebook Messenger that have long overtaken traditional messaging services. The ePrivacy Regulation covers both content and metadata of electronic communications, which highlights the value in terms of privacy of information like the place and time of a call or message. On the other hand, the traditional telecoms operators will be able to explore more opportunities to provide additional services and to develop their businesses if they receive consent from the data subject to process the information.

An important aspect of the new rules is the use of cookies and tracking. Going forward the use of these instruments will by default be much more limited unless a user expresses its consent. And lastly, it aims to bring an end to the myriad of phone calls from people trying to sell us things we don’t want by enhancing the protection against unsolicited communications and spam. The ePrivacy Regulation will provide authorities with sharper teeth, too, by aligning the structure of administrative fines with those of the GDPR: violations of the new rules can, therefore, cost up to €10 million or up to 2 % of the total worldwide annual turnover – whichever is higher of the two.

Current Status

So far, so good. The problem is though that the ePrivacy Regulation has hit several roadblocks right from the start: Its provisions were kicked out of the original GDPR proposal. Then its rather ambitious start date that was to coincide with that of the GDPR last year May was delayed and thanks to extensive industry lobbying a number of changes have been recommended since the original proposal, with the latest compromise text being published by the current Romanian presidency of the Council on February 4th. The Romanian presidency has announced that it aims to produce a compromise text by the beginning of June that could be the basis for trialogue negotiations between the three EU institutions since all parties will have to agree on a final text. However, with the elections for the new European Parliament coming up in May and the change in the Council presidency in July, this again may be too ambitious to achieve, but hope springs eternal.

Potential impact on financial services and compliance.

So, the bottom line is that there are a number of variables to consider that will likely further delay the coming into force of the new regulation. We will also see additional changes that might water down the current obligations. What is sure though is that the ePrivacy Regulation will be introduced at some point in the not all too far future. For financial institutions, this means that they will need to try to find holistic solutions. Covering the regulatory obligations of the GDPR cannot be more than a starting point and not using the opportunity to address the combined requirements of the new EU data protection framework only means kicking the can down the road.

And there is little time to lose: Considering both the current popularity of artificial intelligence in FinTech applications and the potential that lies within the Internet of Things for financial services, the risks can multiply quickly. The use of data in machine-to-machine services is a key element of the current conversations regarding the ePrivacy Regulation and all parties have made it clear that they are fully aware of the emerging role of IoT devices. Treating these risks lightly might soon result in a hefty bill – just ask Google!



Follow Us

Subscribe to Shield’s Newsletter

Capture everything. Deploy anywhere. Store in one place.