GDPR-Complementing Regulations Just a Hair’s Breadth Away
The GDPR itself, however, is only part of the general requirements to be implemented by the EU Member States – some GDPR-related issues (such as imposition of administrative fines for data security breaches, etc.) are required to be transposed into national laws while other regulations (ePrivacy Regulation and others) are being discussed and proposed by the European Commission.
Published in January 2017 after months of consultations, the proposed ePrivacy Regulation is to react (as claimed by the European Commission) to the development of IT services and as such ensure alignment with the GDPR and reflect the market reality. The proposed ePrivacy Regulation should apply also to new players providing electronic communications services such as WhatsApp, Facebook Messenger, Skype and other similar operators that are currently being only vaguely and hence quite non-systematically regulated by the present EU law and whose position and business conditions (in particular as regards the data/privacy protection and related obligations) should be brought in line and unified with that of the traditional telecommunications service providers pursuing business in the EU. Electronic communications should thus enjoy an equal level of protection irrespective of the mode of data transmission (traditional networks, mainstream public electronic communications services or new apps). With the tightened regulation, the market conditions should get unified – while most disputes over the application of e-communication regulatory framework to the providers of on-line communication tools are currently resolved ex post before the EU Court of Justice, the new regulation should dispel the ambiguity and bring more transparency to the legal environment. The near future will show us the result for sure.
The effort to leverage the protection of content and metadata alike (date, time and duration of communication) is also quite interesting. So far, the level of metadata protection in the EU Member States is different from that in the Czech Republic – including traditional telecommunications (cf related Czech legislation being regularly amended with reference to the decisions of the Czech Constitutional Court gradually providing greater protection to the operational and localisation data). Under the proposed ePrivacy Regulation, the metadata will need to be anonymised or deleted if users have not given their consent, unless the data is required for billing.
As claimed by the European Commission, the proposed ePrivacy Regulation should provide legal certainty also for new services that are already offered today by the service providers and operators (who, however, are uncertain as to whether they can do so).
By simplifying the existing cookie rules, the proposed ePrivacy Regulation positively aims to streamline the overload of consent requests for internet users – no consent will be needed for non-privacy intrusive cookies improving internet experience (e.g. to remember shopping cart history) or cookies used by a website to count the visitor numbers.
The proposed ePrivacy Regulation should further ensure protection against unsolicited commercial communications by introducing further restrictions on nuisance calls and other unsolicited marketing communication such as email spam – under the new rules, telemarketers will have to use a number with a special prefix/code so that users can recognise an incoming marketing call; or present the identity of a line on which they can be contacted.
Finally, the ePrivacy Regulation will introduce harmonised enforcement mechanisms under which the confidentiality rules will be enforced by the data protection authorities already acting as competent enforcers and dispute resolvers under the GDPR.
The GDPR is further complemented with sets of guidelines (Guidelines) published by the Article 29 Working Party (WP29) focusing on: data protection officers; data portability (Article 20 of the GDPR); and lead supervisory authorities having primary responsibility for the organisation’s cross-border data processing activity and co-ordinating investigations where necessary (Articles 44-50 of the GDPR). Non-binding and advisory, the Guidelines can be used as an interesting tool to diminish GDPR-related uncertainties of interpretation already faced by EU citizens and companies alike; together with additional guidelines being currently published by WP29 focusing on impact assessment (Article 35 of the GDPR).
With the GDPR, other related EU and national activities must further be monitored and taken into account as the new privacy rules will be transposed into a number of GDPR-complementing regulations and directives and/or national laws.
Article provided by: Tomáš Nielsen - NIELSEN MEINL, advokátní kancelář, s. r. o., the Czech Republic