The European Commission has proposed a series of privacy rules for all electronic communications. Among the companies impacted are Facebook, WhatsApp, Messenger, Skype, Gmail, iMessage and Viber.
As it stands, the current ePrivacy Directive only applies to traditional telecoms operators. The proposed Regulation on Privacy and Electronic Communications will, according to the EU, "increase the protection of people's private life and open up new opportunities for businesses".
Digital communications companies will have to guarantee the confidentiality of their customers and secure their consent before tracking their activity online, to present them with personalised ads. There will need to be a clear and explicit agreement between both parties. Services such as Gmail, for example, will not be able to scan user's accounts until that consent is given.
Many of the free online services, such as Facebook and Gmail rely on the revenue generated from advertising to fund themselves. This revenue may now take a hit, if these measures are introduced.
The European Commission says that users will "enjoy full transparency without having to click on a banner asking for their consent on cookies each time they visit a website".
- Stronger rules: By updating the current Directive with a directly applicable Regulation, all people and businesses in the EU will enjoy the same level of protection for their electronic communications. Businesses will also benefit from one single set of rules across the EU.
- Communications content and metadata: Privacy will be guaranteed for both content and metadata derived from electronic communications (e.g. time of a call and location). Both have a high privacy component and, under the proposed rules, will need to be anonymised or deleted if users have not given their consent, unless the data is required for instance for billing purposes.
- New business opportunities: Once consent is given for communications data, both content and/or metadata, to be processed, traditional telecoms operators will have more opportunities to use data and provide additional services. For example, they could produce heat maps indicating the presence of individuals to help public authorities and transport companies when developing new infrastructure projects.
- Simpler rules on cookies: The so called "cookie provision", which has resulted in an overload of consent requests for internet users, will be streamlined. New rules will allow users to be more in control of their settings, providing an easy way to accept or refuse the tracking of cookies and other identifiers in case of privacy risks. The proposal clarifies that no consent is needed for non-privacy intrusive cookies improving internet experience (e.g. to remember shopping cart history). Cookies set by a visited website counting the number of visitors to that website will no longer require consent.
- Protection against spam: Today's proposal bans unsolicited electronic communication by any means, e.g. by emails, SMS and in principle also by phone calls if users have not given their consent. Member States may opt for a solution that gives consumers the right to object to the reception of voice-to-voice marketing calls, for example by registering their number on a do-not-call list. Marketing callers will need to display their phone number or use a special pre-fix that indicates a marketing call.
- More effective enforcement: The enforcement of the confidentiality rules in the Regulation will be the responsibility of national data protection authorities.
This proposed regulation on the protection of personal data seeks to ensure there's a level playing field for both new and old forms of communication. The current rules date back to 2001, while newer rules set out by the General Data Protection Regulation were set out in 2016. The proposal from the European Commission will ensure all rules are aligned.
The European Commission is now calling on the European Parliament and Council to work to ensure the smooth adoption of these proposals by May 25th 2018. It's hoped that a fully-fledged and complete framework for privacy and data protection in Europe will be in place by that date.