GDPR isn't the end of stringent regulations for privacy in tech.
After months of waiting, the EU's General Data Protection Regulation (GDPR) went into effect on May 25, 2018, and user inboxes were flooded with emails alerting them of changes to company privacy policies. However, even though the world has (mostly) accepted GDPR and kept moving forward, that isn't the end of EU privacy regulations for the tech industry.
On the heels of GDPR comes the ePrivacy regulation, a separate regulation that focuses on ensuring individual privacy as it relates to electronic communications. While the final draft of the ePrivacy regulation didn't make it out in time to release with GDPR, it is in the works and expected to release soon.
As such, it is important that companies understand the different ways in which the GDPR and ePrivacy regulations will affect their business. Here are the three differences that business leaders and professionals need to know.
1. ePrivacy specifically covers electronic communications
While the GDPR is the general regulation for personal data stored or used by a company, ePrivacy is lex specialis to GDPR when it comes to communications. What that means is that, when a data privacy issue is raised regarding communications, regulators will default to ePrivacy for that given instance. The two are meant to complement one another.
The ePrivacy regulation is an update to the standing ePrivacy Directive, which was originally put into place to guarantee "right to privacy in the electronic communication sector," according to the directive. The directive originally focused mainly on email and SMS messages, but the proposed regulation would also address data privacy in services like WhatsApp, Facebook Messenger, and Skype, along with Internet of Things (IoT) devices.
Additionally, the ePrivacy regulation will also protect metadata associated with electronic communications as well.
2. ePrivacy includes non-personal data
GDPR is laser-focused on the protection of personal data, but the ePrivacy regulation is focused more broadly on the confidentiality of communications, "which may also contain non-personal data and data related to a legal person," the proposal states.
The original ePrivacy Directive is often referred to as the "cookie law" because it imposed the need for informed consent before a firm could track an internet user with cookies. The regulation will add new clarifications and simplifications for the consent rule, along with other new tools for protecting against unwanted communication tracking and more.
3. They have different legal precedents
Both GDPR and the proposed ePrivacy regulation reflect similar aspects of privacy, but they do so from the perspective of different legal charters.
As noted in the proposal itself, the basis for the ePrivacy regulation are Article 16 and Article 114 of the Treaty on the Functioning of the European Union. However, it also reflects part of Article 7 of the Charter of Fundamental Rights: "Everyone has the right to respect for his or her private and family life, home and communications."
GDPR, on the other hand, is based on Article 8 of the European Charter of Human Rights, which states: "Everyone has the right to respect for his private and family life, his home and his correspondence." However, for ePrivacy, the proposal notes that the meaning and scope of Article 7 of the Charter of Fundamental Rights shall be regarded in the same way as Article 8 from the European Charter of Human Rights.
- IT pro's guide to GDPR compliance (free PDF) (TechRepublic)
- Security and Privacy: New Challenges (ZDNet)
- GDPR: A cheat sheet (TechRepublic)
- Machine learning as a service: Can privacy be taught? (ZDNet)
- User privacy and data management: Changes to expect in light of the Facebook debacle (TechRepublic)