Right behind the GDPR, there’s the ePrivacy Regulation
How are companies supposed to comply with both if the ePrivacy Regulation isn’t finished?
If your company is complying with the upcoming General Data Protection Regulation (GDPR), what about the ePrivacy Regulation?
While GDPR is finalized and scheduled for implementation on May 25, the accompanying ePrivacy Regulation is still in the approval process, and its language could change.
An “optimistic” forecast, Future of Privacy Forum Policy Counsel Gabriela Zanfir-Fortuna told me, is that the ePrivacy Regulation will be finally approved by the end of 2018, although the implementation date remains to be seen.
The two are meant to go together, she said, and there are ongoing good faith efforts to ensure they will match.
There are two laws because they are derived from two different rights in the European Charter of Human Rights, a kind of Bill of Rights for European Union countries. The GDPR covers the right to protection of personal data, while the ePrivacy Regulation encompasses a person’s right to a private life, including confidentiality.
Zanfir-Fortuna said the possibility of having one law cover both rights was considered, but the decision was that separate laws could more efficiently protect the separate rights.
The GDPR is focused on defining and protecting personal data, Interactive Advertising Bureau (IAB) Director of Public Policy Alex Propes told me. That includes all kinds of personal data in whatever form — health data as well as online data, for instance, whether paper-based or electronic.
The ePrivacy Regulation, he added, “particularizes GDPR for electronic communications” and is focused only on electronics — devices, processing techniques, storage, browsers and the like.
One question: Even though the GDPR and the ePrivacy Regulation are meant to be in sync, will there be differences?
Propes said the ePrivacy Regulation “will likely require additional compliance.”
One example: The current ePrivacy Regulation version dictates browser-level settings that take the control of personal data out of the hands of publishers, an approach that is not found in GDPR.
Zanfir-Fortuna also suggested there might be some uses of personal data that are permissible under GDPR that are not under ePrivacy.
But the same organizations — the data protection supervisory authorities in EU countries — will be enforcing both, so presumably they will try to make sense of any differences.
Another question: Once the ePrivacy Regulation is finalized, which of the two laws will have supremacy if there is a difference?
In that case, Zanfir-Fortuna said, the ePrivacy Regulation will rule.
But the big question is: How can companies comply with two laws when one is not yet finished?
“All you can do is comply with the law as written,” Propes said, meaning that organizations can only target GDPR at the moment. That’s what IAB Europe is doing with its new standard for handling user consent — it’s conforming to GDPR, since ePrivacy is still up in the air.
Compliance with GDPR, Zanfir-Fortuna said, “will put you in pole position for compliance” with the ePrivacy Regulation.