The EU's ambitious plan to create a thriving data driven economy has gotten little attention the last year or so, with all eyes being focused on the General Data Protection Regulation and Privacy Shield. Now the GDPR is finalized, and Privacy Shield is in place, at least for the moment. So it's time to dust the GDPR off our palms and get on with things, right?
Not. Quite. Yet. With the path forward finally free, the ePrivacy Regulation roadblock thudded into place.
Digital Single Market: YAY!!!
The laudable, ambitious, and welcome Digital Single Market Strategy has been in the works since 2015. It's a plan to expand the data economy by freeing up data flows across Europe, adding a predicted €8 billion ($8.5 billion) to the European economy every year. It will deliver €415 billion in additional growth, add hundreds of thousands of new jobs, and a build a vibrant, knowledge-based society.
ePrivacy Regulation: booooo
But first, there is the ePrivacy Regulation. Just as everyone was giddily anticipating the promise of a Digital Single Market, the European Commission has hauled the ePR onto the table and demanded that member countries commence with new legislation. The ePrivacy REGULATION is actually an upgrade to the ePrivacy DIRECTIVE, which has been around since '02. The current proposals are aimed at aimed at modernizing the Directive, and bringing it into alignment with the standards set by the GDPR.
The European Commission consulted with every group or constituency having an interest, and came up with proposed regulations to modernize and strengthen digital privacy rules. But now those regulations must be examined, discussed, and eventually passed into law after approval by the European Parliament and the Council of Ministers. The European Commission hopes that can happen concurrent with the GDPR coming into effect in May 2018.
The ePrivacy Regulation and the GDPR
Like the General Data Protection Regulation, the new ePrivacy legislation is a regulation and not a directive. A regulation is passed into law and then takes effect as written, for all member countries. A directive lays out a series of objectives to be met and each member countiry decides how to meet those objectives and passes their own laws to do so. Directives result in a patchwork of laws that are directionally similar but with many inconsistencies.
The GDPR's focus is protecting the data of individuals and applies only to the processing of the personal data of individuals by the various entities that collect and hold it. The GDPR addresses what sorts of data can be collected and when, the storage of that data, lawful handling and transfers of it, how it can be used, and when it must be deleted. It also ensures that personal information must kept secure and be protected from misuse.
The ePrivacy Regulation, and the Directive before it, ensure the confidentiality, privacy, and security of electronic communications. It covers facets of electronic privacy that are other than data collection and processing. Some examples - the confidentiality and security of information stored on a person's smartphone or tablet, VoIP communication, instant messaging apps, web based email, and machine to machine communication such as used by IoT devices.
In future posts we will look further at the specifics of the ePrivacy Regulation, examine some of the many criticisms of it, and explore the promise of the Digital Single Market Strategy.