Over the Top Providers should not rely on the delay in the ePrivacy regulation to commence compliance.

Over the Top Providers should not rely on the delay in the ePrivacy regulation to commence compliance.
March 14, 2019 Blogger

With the ePrivacy debate recently afflicted by comments such as ‘the death of ePrivacy’ it would seem that organizations are putting their ePrivacy compliance plans on a back foot whilst awaiting the European Union to reach a consensus.

This is the wrong approach.

Whilst it is true that there is currently significant divergence between the various ePrivacy drafts proposed by the European Commission, Parliament and the Council and whilst it is also true that the upcoming European Parliament elections will further stall ePrivacy talks, delaying compliance is a risky position for certain organizations.

Why? Because the scope of ePrivacy has already expanded.

The current ePrivacy Directive only entered into the EU data protection landscape in 2002. Technology has evolved exponentially since then. Tools we use on a daily basis to communicate – Whatsapp, Messenger, Skype – are far apart from the more traditional forms of communication (e.g. calling) that we were using seventeen years ago.

That means, whereas traditional telecommunications providers (think Vodafone, Proximus, Orange) have long been prevented by ePrivacy rules from snooping on confidential communication, no such boundaries have been placed on more modern providers of electronic communications services. Over the Top Providers (hereinafter OTTs), such as Whatsapp, Messenger and Snapchat have long been able to circumvent the rules on ePrivacy.

For this reason, the ePrivacy Regulation had the ambition to extend the scope of ePrivacy rules to OTT services. This has been achieved via a change in definition in the new European Electronic Communications Code (hereinafter EECC), where ‘electronic communication services’ are defined as including (i) interpersonal communications (ii) internet access services and (iii) transmissions using a network. This is a significantly broader application than under currently applicable rules and directly captures OTTs in scope of the regulation. This is an important update from the perspective of the consumer, as communications comprise a significant privacy concern.

More importantly, this expansion in scope already applies. The EECC is already in force and will be enforced from December 2020. This means OTTs already fall in scope of current ePrivacy rules, irrespective of what happens with the new ePrivacy Regulation.

Consequently, OTTs should start reviewing their practices surrounding electronic communication immediately. With no ePrivacy compliance historically to draw on, the time, effort and resources OTTs will need to dedicate to ePrivacy compliance promises to be substantial. And with marketing and targeted advertising (both of which are regulated directly by ePrivacy) remaining some of the most scrutinized activities by the supervisory authorities, leaving compliance to the last minute remains the riskier compliance position.

For a more comprehensive and in-depth analysis of the ePrivacy Regulation, the different proposals by the European Commission, Parliament and Council and what they mean for organizations, download CRANIUM’s free white paper here: https://cranium.business/product/white-paper-electronic-communications-eprivacy/