EU Board Adopts E-Privacy Rules to Complement GDPR

Published on March 19, 2019

In wake of the continuous nature of Facebook‘s privacy scandals, GDPR and European Union rulings couldn’t be more necessary.

Back in May of last year, the European Union (EU) enacted the long-awaited General Data Protection Regulation (GDPR), in efforts to strongly enforce national data protection and privacy rules for all individuals within the EU and the European Economic Area.

But take note, this wasn’t just a law out of the blue—this replaced its predecessor, Data Protection Directive, which just didn’t hold up.

On Monday, the European Data Protection Board (“Board”) ruled that EU regulators who have the power to enforce national privacy rules for electronic communications are able to incorporate these into GDPR violation considerations.

Why You Need to Worry About E-Privacy

If there’s anything we’ve learned from the multiple Facebook scandals is that even the most powerful of companies aren’t prepared to handle the infinitesimal amounts of information they claim to “manage” on a daily basis.

Since GDPR’s implementation in May, the issue of whether data protection authorities can or should consider potential violations of the 2002 e-privacy directive (“Directive”) for GDPR-compliance has been in question. The result of which led the Board to establish a uniform regime that allows authorities to impose fines of up to four (4%) percent of companies’ global annual revenue.

What You Need to Know From the Board

In its 25-page opinion, the Board identified and answered these very questions, adopting the opinion in its eighth plenary session last week:

#1 –Don’t Assume that E-Privacy Activities Are Outside of GDPR

In its lengthy opinion, the Board identified that a violation of GDPR might also be a violation of national e-privacy rules.

Far from being an obstacle to the development of new technologies and services, the e-privacy regulation is necessary to ensure a level playing field and legal certainty for market operators,” the board added.

#2 –This Power Only Applies When Authority Is Granted

But, the Board stressed that this power only applies when the national data protection regulators are granted the authority to enforce these e-privacy rules.

Unlike GDPR, where authorities are responsible for enforcing the regulation, the Directive provides member-states the flexibility on which authority or body to entrust with those enforcement powers.

For example, while some member-states may have appointed the same authority to address both laws, that member-state may have opted for a national telecommunications regulatory authority or another consumer protection organization to take the charge, the Board explained.

#3 –The Fines Vary Significantly By Jurisdiction

For companies like Facebook, be prepared to have deep pockets, because the penalties for violating GDPR are extremely harsh, purposely.

Under the Directive, however, fines vary significantly between jurisdictions, with most member states having set the fining threshold much lower than the hefty penalties that regulators are able to impose under GDPR.

When The Opinion Does Not Apply

But, in its opinion, the Board provided that it does not apply to the proposed e-privacy regulation, which, if enacted, would establish a similar framework to GDPR by harmonizing the rules governing confidentiality of electronic communications across the EU.

The proposal, which has been stalled by the European Commission since January 2017, would expose tech companies outside the traditional telecom space to stricter privacy rules on electronic communications. This might not be a bad thing for companies like Facebook, Google, and Apple.

What Does The Future Hold?

In its efforts to complete the data protection framework, the EU is “intensify[ing] efforts towards the adoption of the e-privacy regulation.”

Most importantly, the Board has argued that “under no circumstances should the new regulation lower the level of protection offered by the current directive” and […] “that it must complement the GDPR by providing additional strong guarantees for all types of electronic communications.”

“The EDPB invites Member States, under the leadership of the Presidency of the Council, to ensure a high level of protection and to proceed to the finalization of their negotiating position without further delay, so that negotiations with the European Parliament can begin as soon as possible.”

Andrew "Drew" Rossow is a former contract editor at Grit Daily.

Read more

More GD News