Get Ready For ePrivacy Regulation

While the Facebook-Cambridge Analytica situation catapulted the GDPR (in force since May 25th) into national prominence and jolted many non-EU companies into action vis-a-vie data protections, there is an even more concerning regulation waiting in the wings; ePrivacy Regulation or ePR for short. 
 
ePR is essentially a complement to the GDPR covering all electronic communications and data. It is intended to provide a single digital data privacy framework under which all companies doing business with EU residents must conform, and the penalties are similar to those enforced under the GDPR. 
 
Originally intended to roll out simultaneously with the GDPR, ePR has caused such extreme concerns across a variety of industries that rollout has been postponed as rigorous negations and clarifications take place.
 
According to an economic impacts’ report commissioned by the Developers Alliance, concerns include:
 
• Up to a 30 percent fall in economic profits dependent, directly or indirectly, on electronic communication.
• Impacts felt far beyond telecommunications and into many data-driven industries;
• And EU residents paying a stiff price in terms of stifled innovation, lost jobs and reduced economic growth.
 
In a Nutshell - ePR
Regulators developed ePR because the volume and complexity of digital data are increasing exponentially and the environment for generating, storing and consuming these emerging types of data can be quite different from more traditional data formats. 
 
While the GDPR focuses on providing consumers with protections for and control over the use of personal data stored in a company’s databases or passed to a third party, ePR speaks specifically to electronic communications data. In some cases, it enumerates how GDPR protections should be applied to electronic communications data. In others, it adds restrictions not found under GDPR. In all cases, the intent is to create a single unified regulatory platform between GDPR and ePR for handling of personal data, whether digital or traditional.
 
The regulation cuts a broad swath, applying to traditional telecommunications companies and internet service providers, to e-mail, messaging apps and VOIP services, to anyone any company using electronic tracking (e.g., cookies) and to some uses of IoT and machine-to-machine communications.
 
In a divergence from the GDPR, business-to-business companies are also required to comply which incorporates business employees into the GDPR protections currently afforded to consumers.
 
Extended or expanded requirements under ePR include the following:
 
Consent – the GDPR delineates rules for obtaining clear and unambiguous consent for collection and use of personal information. ePR follows the same definition of what constitutes valid consent but makes it the “central legal ground” for the processing of electronic communications data, direct marketing communications and the access to end users’ terminal devices (phones, wearable devices, gaming consoles, etc.). 
 
One area of concern under ePR is that while GDPR also includes legitimate interest (as long as the consumers are aware of this and have consented to it) and contractual necessity as allowable factors for collecting and processing personal data, ePR lacks these exemptions to consent. This adds ambiguity, brings into question the alignment and relationship between GDPR and ePR and may effectively narrow how companies can process electronic communications data as well as what they can collect. 
 
For example, without contractual necessity, what happens if a company needs to process certain electronic communications information to provide service, but the customer refuses to give consent? Or on the flip side, does it mean that companies have to alter account origination processes to obtain consent for processing necessary to set up the account? Both questions seem to extend the need for obtaining consent beyond what the GDPR established. 
 
Cookies – Although ePR will allow the use of first-party cookies for analytics, it imposes severe restrictions on the use of third-party cookies. Under the regulation, companies will have to obtain specific consent for social plug-in cookies, third-party cookies used for behavioral advertising and third-party analytics. Companies are concerned that this type of consent will be quite hard to obtain. 
 
Also under discussion is the question of whether companies whose business model is based on targeted advertising (e.g., Facebook) can deny users who refuse consent access to the site or if they must provide other fair and reasonable options for access (subscription, paid access or limited access to parts of the site). 
 
Communications Data, Metadata – ePR delineates between communications content (what was said) and metadata (type of communication, length, location, involved parties, devices involved, etc.). It also limits the ability to access the processing and storage of terminal devices (e.g., phones) to collect metadata and to implement the tracking options discussed above. 
Metadata usage is limited to statistical counting, requires data to be deleted and anonymised immediately after the function it was collected for is complete. Users also have the ability to object. 
 
Industry groups are negotiating to have legitimate interest (e.g., analysis of customer behaviors and hardware performance needed to improve service) added into the rules here, particularly for metadata, as they feel customer experience and network efficiency will be negatively impacted under the current rules. 
 
Predicted Business Impacts
The projected impacts are significant and impact a varied number of industries. Concerns revolve mainly around the restrictions of metadata and the inclusion of IoT and machine-to-machine communications. Put simply, if you can’t transmit and analyse activity, you can’t use it, which calls into question a significant number of current IoT and customer experience management activities. 
 
Gaming – Video game developers rely on gamer metadata to feed machine learning algorithms that make play better in subsequent versions and help find and fix bugs post-release. Under ePR, this would cease to be a viable path for product improvement and will severely impact game quality. 
 
Communications content is also critical for social games as both the gaming community and the platform providers monitor for hate-speech, targeted harassment and illegal communications. Gamer-developer give and take feedback mechanisms could be adversely impacted as well. 
 
Telecommunications - Monitoring network metadata (volume, location and duration of calls, data usage, device types, dropped calls, etc.) is critical to maintaining network performance, analyzing root causes of persistent issues and determining infrastructure investment requirements. Historical information is needed as well, making the requirement to delete problematic. 
 
Telecommunications also use metadata to provide targeted offers and suggestions to individual customers. Detecting calling behaviors that indicate a need for plan changes or proactively identifying handset issues are good examples of activities which may be curtailed or restricted. 
 
Online Advertising – The advertising business model will be significantly impacted by the restrictions placed on third-party analytics. Some fear that companies will have to move analytics in-house where they lack the technology and skillsets needed to precisely target communications and offers thus pushing smaller companies back to the days of “spray and pray” communications.
 
Another question concerns how to manage the specific consent requirements in today’s high-volume, real-time analytic environments needed for customer experience initiatives. And the big elephant in the room - a significant change to the many on-line businesses that rely on advertisers to provide free services (social media, paid search, etc.). 
Smart Things and IOT in General – Smart cities and houses, automated distribution initiatives, fitness and health wearables – these all rely on activity data (metadata) and location data, and many have a human component – drivers, cell phone users, wearers etc.
 
It is unclear where ePR will land in terms what types of IoT data will eventually be covered, what consent will be needed and what processing can occur. This is an area of significant concern, and many industries are weighing in and watching closely. 
 
The bottom line? Keep a close eye on the progress of discussions around ePR, because like it or not, some form of regulation will be in force one day. And that day may come sooner than you think. 
 
Information-Management
 
You Might Aso Read: 
 
California Passes Its Own GDPR Law:
 
GDPR Will Impact Data Management In The USA:
 
 
« UK CEOs Believe Cyber Attacks Are Inevitable
Top Cyber Spy Warns Against AI »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Praetorian

Praetorian

Praetorian is an offensive cybersecurity company whose mission is to prevent breaches before they occur.

Vitrociset

Vitrociset

Vitrociset design complex systems for defence, homeland security, space and transport. Activities include secure communications and cybersecurity.

National Center for Manufacturing Sciences (NCMS)

National Center for Manufacturing Sciences (NCMS)

NCMS is a cross-industry technology development consortium, dedicated to improving the competitiveness of the US industrial base. Strategic initiatives include industrial cyber security.

Tata Consultancy Services

Tata Consultancy Services

Tata Consultancy Services is a global leader in IT services, consulting & business solutions including cyber security.

Wizlynx PTE LTD

Wizlynx PTE LTD

Wizlynx PTE LTD is the Singapore branch of Wizlynx Group located in Singapore, offering Information and Cyber Security Services throughout the entire Asia Pacific (APAC) region.

Quantstamp

Quantstamp

Quantstamp are experts in Smart Contract Security Audits. We provide verification that your decentralized system works as intended.

Ultratec

Ultratec

Ultratec provide a range of data centric services and solutions including data recovery, data erasure, data destruction and full IT Asset Disposal (ITAD).

EvoNexus

EvoNexus

EvoNexus is a technology startup incubator with locations in San Diego, Orange County, and Silicon Valley.

European Center for CyberSecurity in Aviation (ECCSA)

European Center for CyberSecurity in Aviation (ECCSA)

ECCSA is a cooperative partnership within the aviation community to better understand emerging cybersecurity risks in aviation and provide collective support in dealing with cybersecurity incidents.

nsKnox

nsKnox

nsKnox is a fintech-security company, enabling corporations and banks to prevent fraud and ensure compliance in B2B Payments.

Presidio Identity

Presidio Identity

Presidio Identity offers a digital-native approach that brings security, privacy, and simplicity to user authentication and digital interactions.

SecurIT360

SecurIT360

SecurIT360 is a full-service specialized Cyber Security and Compliance consulting firm.

Factmata

Factmata

Factmata is an social and news media monitoring and analytics product that uses AI to identify and track narratives online, highlighting those most likely to cause brand harm or misinform the public.

Airiam

Airiam

Airiam provides cybersecurity, managed IT, consulting, incident response, and digital transformation services so you can focus on what matters most.

Apura Cybersecurity Intelligence

Apura Cybersecurity Intelligence

Apura is a Brazilian company that develops advanced products and provides specialized services in information security and cyber defense.

SEK Security Ecosystem Knowledge

SEK Security Ecosystem Knowledge

SEK helps companies in the complex path of cybersecurity; in the analysis, detection and prevention of digital threats.