Get Ready For ePrivacy Regulation

While the Facebook-Cambridge Analytica situation catapulted the GDPR (in force since May 25th) into national prominence and jolted many non-EU companies into action vis-à-vis data protection, there is an even more concerning regulation waiting in the wings: the ePrivacy Regulation, or ePR for short.
 
ePR is essentially a complement to the GDPR, covering all electronic communications and data. It is intended to provide a single digital data-privacy framework to which all companies doing business with EU residents must conform, and its penalties are similar to those enforced under the GDPR.
 
Originally intended to roll out simultaneously with the GDPR, ePR has caused such extreme concern across a variety of industries that its rollout has been postponed while rigorous negotiations and clarifications take place.
 
According to an economic-impact report commissioned by the Developers Alliance, concerns include:
 
• Up to a 30 percent fall in economic profits that depend, directly or indirectly, on electronic communication;
• Impacts felt far beyond telecommunications, in many data-driven industries;
• EU residents paying a stiff price in terms of stifled innovation, lost jobs and reduced economic growth.
 
In a Nutshell - ePR
Regulators developed ePR because the volume and complexity of digital data are increasing exponentially, and the environment for generating, storing and consuming these emerging types of data can be quite different from that of more traditional data formats.
 
While the GDPR focuses on providing consumers with protections for and control over the use of personal data stored in a company’s databases or passed to a third party, ePR speaks specifically to electronic communications data. In some cases, it enumerates how GDPR protections should be applied to electronic communications data. In others, it adds restrictions not found under the GDPR. In all cases, the intent is to create a single unified regulatory platform spanning the GDPR and ePR for the handling of personal data, whether digital or traditional.
 
The regulation cuts a broad swath, applying to traditional telecommunications companies and internet service providers, to e-mail, messaging apps and VoIP services, to any company using electronic tracking (e.g., cookies) and to some uses of IoT and machine-to-machine communications.
 
In a divergence from the GDPR, business-to-business companies are also required to comply, which extends to business employees the protections that the GDPR currently affords to consumers.
 
Extended or expanded requirements under ePR include the following:
 
Consent – the GDPR delineates rules for obtaining clear and unambiguous consent for the collection and use of personal information. ePR follows the same definition of what constitutes valid consent but makes it the “central legal ground” for the processing of electronic communications data, for direct marketing communications and for access to end users’ terminal devices (phones, wearable devices, gaming consoles, etc.).
 
One area of concern under ePR is that while the GDPR also allows legitimate interest (provided consumers are informed of it and the company’s interest is not overridden by their rights and freedoms) and contractual necessity as lawful grounds for collecting and processing personal data, ePR lacks these alternatives to consent. This adds ambiguity, brings into question the alignment between the GDPR and ePR, and may effectively narrow both how companies can process electronic communications data and what they can collect.
 
For example, without contractual necessity, what happens if a company needs to process certain electronic communications data to provide a service, but the customer refuses to give consent? Or, on the flip side, do companies have to alter account-origination processes to obtain consent for the processing needed to set up the account? Both questions seem to extend the need for consent beyond what the GDPR established.
 
Cookies – Although ePR will allow the use of first-party cookies for analytics, it imposes severe restrictions on the use of third-party cookies. Under the regulation, companies will have to obtain specific consent for social plug-in cookies, for third-party cookies used for behavioural advertising and for third-party analytics. Because consent must be given before the processing starts, in practice the third-party script or pixel cannot be loaded, and its cookie cannot be set, until the user has opted in. Companies are concerned that this type of consent will be quite hard to obtain.
 
Also under discussion is whether companies whose business model is based on targeted advertising (e.g., Facebook) can deny access to users who refuse consent, or whether they must provide other fair and reasonable options for access (subscription, paid access or limited access to parts of the site).
 
Communications Data and Metadata – ePR distinguishes between communications content (what was said) and metadata (type of communication, length, location, parties involved, devices involved, etc.). It also limits the ability to use the processing and storage capabilities of terminal devices (e.g., phones) to collect metadata and to implement the tracking discussed above.
Metadata use is limited to statistical counting; the data must be deleted or anonymised immediately after the function it was collected for is complete; and users have the right to object.
 
Industry groups are negotiating to have legitimate interest (e.g., analysis of customer behaviour and hardware performance needed to improve service) added to the rules here, particularly for metadata, as they feel customer experience and network efficiency will suffer under the current rules.
 
Predicted Business Impacts
The projected impacts are significant and touch a wide range of industries. Concerns revolve mainly around the restrictions on metadata and the inclusion of IoT and machine-to-machine communications. Put simply, if you can’t transmit and analyse activity data, you can’t use it, which calls into question a significant number of current IoT and customer-experience-management activities.
 
Gaming – Video game developers rely on gamer metadata to feed machine-learning algorithms that improve play in subsequent versions and help find and fix bugs post-release. Under ePR, this would cease to be a viable path for product improvement, which will severely affect game quality.
 
Communications content is also critical for social games, as both the gaming community and the platform providers monitor for hate speech, targeted harassment and illegal communications. Give-and-take feedback mechanisms between gamers and developers could be adversely affected as well.
 
Telecommunications – Monitoring network metadata (volume, location and duration of calls, data usage, device types, dropped calls, etc.) is critical to maintaining network performance, analysing the root causes of persistent issues and determining infrastructure investment requirements. Historical information is needed as well, which makes the deletion requirement problematic.
 
Telecommunications companies also use metadata to provide targeted offers and suggestions to individual customers. Detecting calling behaviours that indicate a need for plan changes, or proactively identifying handset issues, are good examples of activities that may be curtailed or restricted.
 
Online Advertising – The advertising business model will be significantly affected by the restrictions placed on third-party analytics. Some fear that companies will have to move analytics in-house, where they lack the technology and skills needed to precisely target communications and offers, pushing smaller companies back to the days of “spray and pray” communications.
 
Another question concerns how to manage the specific consent requirements in today’s high-volume, real-time analytic environments needed for customer-experience initiatives. And the big elephant in the room: a significant change for the many online businesses that rely on advertisers to fund free services (social media, paid search, etc.).

Smart Things and IoT in General – Smart cities and houses, automated distribution initiatives, fitness and health wearables: these all rely on activity data (metadata) and location data, and many have a human component – drivers, cell phone users, wearers, etc.
 
It is unclear where ePR will land in terms of what types of IoT data will eventually be covered, what consent will be needed and what processing can occur. This is an area of significant concern, and many industries are weighing in and watching closely.
 
The bottom line? Keep a close eye on the progress of discussions around ePR, because like it or not, some form of regulation will be in force one day. And that day may come sooner than you think. 
 
Information-Management
 
You Might Also Read:

California Passes Its Own GDPR Law

GDPR Will Impact Data Management In The USA
 