Head in the Sand 9: if you thought GDPR was tough, be prepared for more. Not just the Privacy and Electronic Communications Regulations (PECR) or ePrivacy Directive and Digital Single Market, but US federal regulation too.
It is best to think of GDPR, PECR, e-Privacy Regulation, and the Digital Single Market (DSM) as interlocking complementary directives which seek to provide a fair, secure and even playing field for all European citizens using the digital world. PECR refers to the Privacy and Electronic Communications Regulations, also known as ‘the e-privacy Directive’, which was introduced in 2002 and updated with amendments in 2004, 2011, 2015, 2016, 2018 and 2019. The EU is in the process of replacing the e-privacy Directive with a new e-privacy Regulation to sit alongside the GDPR. However, the new Regulation is not yet agreed. For now, PECR continues to apply alongside the GDPR. The GDPR does not replace PECR, although it changes the underlying definition of consent. Existing PECR rules continue to apply, but using the new GDPR standard of consent. Among other areas, the new regulation will apply to WhatsApp, Gmail, Skype, and Facebook Messenger.
The Digital Single Market has no independent enforcement mechanism, but insiders suspect the GDPR and e-Privacy Regulation can and will be used to drive digital equivalence across the European Economic Area (EEA). In May the European Commission announced that, as part of the DSM strategy, the new Regulation on the free flow of non-personal data will allow data to be stored and processed everywhere in the EU without unjustified restrictions. The directive focused on small and medium-sized enterprises (SMEs) in particular to ensure they comply with new rules involving datasets composed of both personal and non-personal data.
PECR (and the subsuming e-Privacy Regulation) cover several areas:
- Marketing by electronic means, including marketing calls, texts, emails and faxes.
- The use of cookies or similar technologies that track information about people accessing a website or other electronic service.
- Security of public electronic communications services.
- Privacy of customers using communications networks or services as regards traffic and location data, itemised billing, line identification services (e.g. caller ID and call return), and directory listings.
As a tapestry of regulation, these directives will add a security burden on SMEs that could prove cost-prohibitive for companies that do not opt for GDPR- and PECR-compliant hyperscale services. Additionally, the DSM specifically requires fair, open and accessible public cloud across the entire European Union and EEA.
How Does This Affect Digital Ethics?
As discussed earlier in Issue 6, many firms have responded to the GDPR by either harvesting consent or using overly complex privacy policies to avoid fines. Neither approach represents real informed consent. SMEs are prioritised under the DSM and protected to some degree by PECR rules, while undergoing a regulatory shift with both GDPR and PECR that requires stringent data controls, privacy and data erasure, and a much more in-depth review of processes which had been taken for granted or outright ignored in prior years.
The EU has chosen to protect individual privacy and government / institutional security rather than adopt the laissez-faire American model which allows both SMEs and enterprises to commodify and monetise private data. The GDPR, PECR, e-Privacy Regulation and DSM require European companies to either manually review data, code bespoke software or purchase potentially costly SaaS, PaaS and IaaS capabilities from a limited group of American-owned providers who are not held to the same stringent data standards – many of them also previously or presently involved in adverse legal action over data breach, monopoly tactics, tax evasion and violations of the GDPR, etc.
Meanwhile in the US, privacy regulations are on their way. The California Consumer Privacy Act (CCPA) promises to enhance privacy rights and consumer protection for residents of California. It has been followed by similar proposals in other states, and a wave of lobbying for amendments to the CCPA before it becomes effective on January 1, 2020, but federal regulations that might override California’s law have so far failed to materialize and are now unlikely before 2020.