What’s the ePrivacy Regulation and why do we need more data protection rules?
What’s the rationale behind more data protection regulations if the GDPR has not even been around for a year? Well, initially a large part of the rules in the current draft of the ePrivacy Regulation was intended to be part of the GDPR but was shot down in early discussions. The need remained, however, to address the elements that the GDPR did not cover and to update an existing framework that had started to become rather outdated.
The Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) – as is its proper name – is, therefore, an extension of the GDPR. The name also signals the difference from the GDPR: the latter aims at the protection and processing of personal information, whereas the ePrivacy Regulation focuses on specific uses of electronic communication such as email, SMS, cookies, and device fingerprinting, as well as the integrity of the communicated information itself. In that sense, the ePrivacy Regulation is an enhancement of the GDPR, since it covers the use of personal data as regulated under the GDPR when that data takes the form of electronic communication such as an email. Hence, companies need to comply with both sets of rules if they use these forms of communication – and let’s be honest, who doesn’t?!?
So far, so good. The problem, though, is that the ePrivacy Regulation has hit several roadblocks right from the start. Its provisions were kicked out of the original GDPR proposal. Then its rather ambitious start date, which was to coincide with that of the GDPR in May of last year, was delayed, and thanks to extensive industry lobbying a number of changes have been recommended since the original proposal, with the latest compromise text being published by the current Romanian presidency of the Council on February 4th. The Romanian presidency has announced that it aims to produce a compromise text by the beginning of June that could serve as the basis for trilogue negotiations between the three EU institutions, since all parties will have to agree on a final text. However, with the elections for the new European Parliament coming up in May and the change in the Council presidency in July, this again may be too ambitious to achieve, but hope springs eternal.
Potential impact on financial services and compliance
So, the bottom line is that there are a number of variables to consider that will likely further delay the entry into force of the new regulation. We will also see additional changes that might water down the current obligations. What is certain, though, is that the ePrivacy Regulation will be introduced at some point in the not too distant future. For financial institutions, this means that they will need to look for holistic solutions. Covering the regulatory obligations of the GDPR can be no more than a starting point, and not using the opportunity to address the combined requirements of the new EU data protection framework only means kicking the can down the road.
And there is little time to lose: considering both the current popularity of artificial intelligence in FinTech applications and the potential that lies within the Internet of Things for financial services, the risks can multiply quickly. The use of data in machine-to-machine services is a key element of the current conversations regarding the ePrivacy Regulation, and all parties have made it clear that they are fully aware of the emerging role of IoT devices. Treating these risks lightly might soon result in a hefty bill – just ask Google!