What will the ePrivacy Regulation (ePR) change?
Since 25 May 2018, we have the new General Data Protection Regulation (GDPR) to protect our personal data. It once was the intention to have the new ePrivacy Regulation (ePR) take effect on the same day. This did not succeed and will not happen again before the European elections. There is still talk about the specifics and we hope that it will all happen in 2019. But what is actually going to change?
Electronic mail confidentiality
For our regular mail, you know, that on paper if it’s in a sealed envelope, we have the letter confidentiality for that. We do not have this for email, but the proposal is to regulate this with the ePrivacy Regulation.
All electronic communications must be treated as confidential. It is no longer allowed to listen in on phone calls, emails can no longer be scanned and read, as Google did in Gmail, and metadata of communications can no longer be read just like that. Facebook is therefore not allowed to read WhatsApp messages.
Communication must therefore no longer be intercepted. According to the proposal of the ePR, interception also occurs when third parties keep track of how websites are visited, how long people visit websites and what interactions take place there. In any case, this is not permitted without the consent of the website visitor.
ePrivacy Regulation | Building profiles
The ePR also tries to ensure that profiles of users are not built with metadata obtained without the consent of users.
Metadata may only be used for the purpose for which it was originally obtained. This is also known from the GDPR: personal data may only be used on the basis of the original basis and for the purpose for which it was originally obtained. These may be multiple purposes, but the purpose or basis may not be changed afterwards. This will be included in the ePrivacy Regulation.
Anything is allowed with permission. This also applies to the ePR. If people give their conscious and free consent to use the metadata for building profiles, then nothing is wrong. The problem lies in the fact that many companies find it annoying to have to ask permission. After all, it is a threshold and it makes people far too aware of what they are giving away, if they cross that threshold at all.
Anonymised data can, of course, be used again.
The cookie wall
The placement of cookies that are not necessary, such as tracking cookies and advertising cookies, requires permission. This consent must be informed, given freely and explicitly. A new click on the website is not enough.
This causes many websites to use a cookie wall: either accept the cookies or you won’t get in.
This is allowed, in some cases, as stated in the proposal for the ePR. Especially if there are alternative websites where the same kind of information can be found. This is especially not allowed for websites of, for example, the government or other services, where there is little or no other choice than the use of this specific website. A cookie wall for government Tv network, for websites of the municipality and of semi-government are therefore not permitted.
It is of course possible to indicate cookie preferences, as long as the website is fully usable, as long as the website visitor sets the preferences in such a way that no cookie may actually be placed, except for the functional cookies.
Which cookies are allowed?
Examples of functional cookies mentioned are session cookies for filling out forms, authentication cookies to verify an identity and cookies that remember what you have placed in an online shopping cart.
Analytic cookies that measure the effectiveness of a website, or count how many people have seen an advertisement, are also allowed, as long as those cookies or other identifiers such as pixels do not measure which person is visiting the website or what the nature of that person is.
Permission via default settings
The ePrivacy Regulation acknowledges that people are ‘overwhelmed with requests for permission’. Transparent and user-friendly settings can solve this problem. They therefore want to place more responsibility on browsers and other apps in order to be able to set whether or not you want to accept cookies, all cookies or, for example, only first party cookies in general. The chosen setting is then binding for all parties.
Such a setting is equivalent to allowing cookies to be placed. This permission must comply with the permission as requested by the GDPR. This means that it is precisely the browsers and apps that must provide information about cookies and the possible settings, but without subtly persuading people to accept many cookies in the process.
Cookie banners continue to exist
Those cookie banners that many websites now use to obtain permission to place advertising and tracking cookies, for example, will therefore continue to exist.
Many people are expected to choose to allow few cookies. In that case, it will still be necessary to ask permission to be allowed to place additional cookies.
Please note, however:
- Cookies may not be placed until permission has been given.
- Users need to be well informed about the cookies
- Permission must be active. The preferences must not be ticked in advance!
Viewing where people are and how they move by tracking them based on unique numbers such as MAC addresses, IMEI numbers or a wifi signal is allowed for statistical purposes, as long as it is limited in time and place.
Counting how many people are inside or how many people are queuing is allowed, without the permission of those people being required. However, data must be anonymised as soon as possible when it is no longer needed for the purpose for which it is being counted.
However, this tracking must be reported in advance. Compare it with the signs that are required for surveillance cameras to be installed. The area of the tracking, the purpose and the responsible person (or company) must be stated. This can be done with standardized icons.
Please note that if the data is used further, the GDPR will come back into view and therefore also the obligation to have a privacy statement and also to give this information to the users.
Data Processing agreements
Data collected may only be shared anonymously with third parties. Sometimes third parties, such as online software and services, are required to be able to collect and analyse the data at all. Of course, they will then see the actual data and not the anonymised version of it.
This is allowed, says the ePR, but then there must be a processor agreement, as referred to in the GDPR. Well, not surprising, of course, because if personal data are processed by one party, for the other party, this obligation already existed by virtue of the GDPR. In fact, we do not need the ePR for that.
Are we making progress?
At the moment we are still working with the old ePrivacy Directive. There are still many unclear points in this and we have the problem that reference is now made to articles in the Personal Data Protection Act that has been replaced by the GDPR. The ePrivacy Regulation is therefore desperately needed in any case in order to bring the rules back into line, so that strange situations can no longer arise.
The intention of the ePR is to make the rules more future proof. Techniques are mentioned even less and it is more about the impact that this can have on the privacy of those involved. That is a pleasant development.
The fact that permission for cookies and similar techniques can be done via the default settings of browsers and apps is also a step forward. Whether it really solves a lot of problems is, of course, a question. The standard will also be that no cookies will be accepted (except for the necessary ones, of course), and the group that accepts more cookies via the default settings will be relatively small. The future must show how this will really work.
Actually, the same applies to the ePR as to the GDPR: with permission, anything is allowed. It is only difficult to obtain permission. In any case, it is not very user-friendly. Using data obtained via cookies and similar techniques for commercial purposes will not be easy with this regulation either.
The advantage is, of course, that the GDPR has already enabled many companies to work with privacy. That is why the ePrivacy Regulation will not change a great deal in the daily work.