As Theresa May set out her 12-point plan for the UK to make a "clean break" from the EU, she has been keen to stress that existing European Unon laws in force in the UK would be converted into full UK laws. The move effectively means that the General Data Protection Regulation (GDPR) will be put on the UK statute, too, finally confirming what most experts - and the Information Commissioner's Office - have been trying to drum home for months.
And, while the message is finally getting through that firms need to get in shape for GDPR, some believe the overhaul of the ePrivacy Directive - announced in April last year - could have far wider consequences for the data and marketing industries. The legislation - which also includes the Privacy and Electronic Communications Regulations (PECR) - was last updated in 2009 and covers all online and mobile marketing, SMS, email and telemarketing activity.
In its current form, PECR is already a major headache for marketers and breaches of the laws represent the lion’s share of the ICO's workload. One key tenet is that it is also being changed from a Directive, which enables member states to decide which parts to adopt, to a Regulation, which applies equally to all countries in the EU.
German MEP and the EU Parliament’s lead on the GDPR, Jan Philipp Albrecht, believes this is only right. He said: “The very good side is that it’s a Regulation and not a Directive anymore. It will bring it in line with the GDPR, which is not only a necessity, it makes sense not to open up all the discussions again and create a fragmented framework."
For its part, the European Commission insists the review is one of the key initiatives aimed at reinforcing trust and security in digital services with a focus on ensuring a high level of protection for consumers and a level playing field for all market players. The initial draft did not bode well, however. Over the Christmas break, it was revealed that the European Commission was planning to make all business-to-business (B2B) electronic marketing opt-in only - a measure the UK industry body the Direct Marketing Association (DMA) warned would have dire consequences for the sector.
The changes would have meant that any marketer wanting to email corporate employees would require opt-in consent, a challenge even the DMA recognised was beyond most of its membership.
However, these fears were dismissed last week when the European Commission published its updated position, which instead stated that B2B marketers must ensure corporate employees are able to easily object to - and therefore opt-out of - receiving direct marketing.
DMA managing director Rachel Aldighieri said: “If the [original proposals] had gone ahead, these alterations to the law could have had a profound and negative effect on the UK economy, so we welcome the announcement from the Commission. The DMA will continue to lobby the EU Parliament and Council to ensure that these rules for B2B marketers are maintained in the final text. We will be working closely with our European partners at Fedma to achieve this and continue to protect the B2B marketing sector that is so vitally important to the UK economy.”
But as one threat recedes, another rears its ugly head, according to the digital advertising industry, which has cried foul over the proposal to simplify the rules on so-called “cookies". Since 2012, online businesses have been forced to flag up to users what cookies are being placed on their machines. The European Commission has now proposed that Internet users should not have to click on a banner every time they visit a website. Instead, websites could read the cookie preferences set in users’ browsers, similar to those which record online history or website hits.
However, the digital industry has claimed the changes could have a serious impact on the online advertising market, warning that users may have to set their preferences for every app and on every device they use. “People who thought cookie banners were annoying will be disappointed to hear that things won’t get better,” said Townsend Feehan, chief executive of IAB Europe.
Also, email services such as Gmail and Hotmail and messaging services like Facebook Messenger and WhatsApp would not be able to scan communications to serve targeted ads without users’ explicit permission. The IAB's head of policy and regulatory affairs Yves Schwarzbart said: “It will particularly hit those companies that find it most difficult to talk directly to end users and what I mean by that is tech companies that operate in the background and facilitate the buying and selling of advertising, rather than the ones that the user directly engages with.”
According to IAB figures, online advertising generates £10 billion of revenue for publishers and content creators in the UK alone, so the stakes are high. And one consequence of the legislation being linked to GDPR is that companies falling foul of the new laws will also face fines of up to 4% of their global turnover.
However, Dr Sachiko Scheuing, co-chair of Fedma and European privacy officer at Acxiom, reckons the shake-up is a chance to build consumer confidence as well as create jobs in the European digital economy sector. She added: "Acxiom recognises and applauds the amount of effort put in by the European Commission to arrive at this first draft, as it must have been a monumental task. We believe that the draft can be improved further by better aligning it with the risk-based approach of the GDPR particularly around cookie use. Acxiom will continue to work with the relevant stakeholders to shape this key piece of legislation and make Europe the preferred place to run a business in relation to people-based, data-driven marketing."
Of course, being only the first draft of the Regulation, there will be many more twists and turns in this particular tale, athough the Commission has insisted it will be all wrapped up long before 25th May next year when GDPR comes into force. Whether this is feasible remains to be seen, but unlike GDPR, which has had a two-year lead in, companies and data regulators alike will have to hit the ground running when it comes to the ePrivacy Regulation.
Related articles: Have we passed peak data protection?