Given the scope and complexity of General Data Protection Regulation it can be difficult to imagine that there are elements of privacy and data-sharing that the regulation didn’t address. But yes, that seems to be the case. The European Union is updating its ePrivacy Directive with a possible implementation date for 2019 and the regulation will usher in a new set of rules for marketers and communications providers.
While GDPR is fresh in everyone’s minds, it is helpful to explain how ePrivacy, or ePR as it is called, will intersect with that mammoth regulation as well as a third additional related regulation, the Privacy Shield. That is a legal framework struck among the US, the EU and Switzerland to provide companies with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States.
One way to think about the intersection of ePrivacy and GDPR, said David Matthewman, Data Protection Officer and Head of Production at Blis is to start with the current ePrivacy Directive, which requires consent for cookies and device IDs. “The new regulation will likely change how that consent is gathered and which areas consent is needed for,” he said.
So ePrivacy will dictate which items of personal information you require consent for, as opposed to, say, using the legitimate interest standard under GDPR, which lays out specific circumstances in which personal data is to be processed — such as changing the consent for cookies and device IDs from an opt-out to an opt-in.
Related Article: What You Should Know About the ePrivacy Regulation
The Origins of GDPR, ePrivacy
In short, the GDPR and ePrivacy regulations are complementary to each other, said Pravin Kothari, CEO of CipherCloud. He explained that the GDPR regulates — quite extensively — the protection of personal and sensitive data and was derived, in part, from the EU charter of human rights Article 8 which describes the protection of personal data. “Article 8 speaks to consent, access to data, protection of data, and compliance by an independent authority,” Kothari said. The ePrivacy regulation, he continued, is centered on privacy in the context of communications and was derived, in part, from the EU charter of human rights Article 7 which describes everyone has the right to respect for his or her private and family life, home and communications.
Where Privacy Shield Fits In
Privacy Shield, which replaced an earlier regulation called Safe Harbor, went into effect in July 2016 and details requirements for data protection when data on EU citizens is exported to the United States or vice versa. Using Privacy Shield U.S. companies can self-certify compliance to GDPR, Kothari said. “Privacy Shield was authorized under the GDPR by language that allows the EU commission to determine if a third country has adequate safeguards to manage and protect the personal and sensitive data of EU residents. If so, then data can be transferred between the EU and the US based companies, he said.
But, Kothari continued, it is key to note that the Privacy Shield only addresses one portion of the GDPR. “Companies that are self-certified under Privacy Shield still have many additional requirements to fulfill to be GDPR-compliant.”
Related Article: Why the Privacy Shield Won't Make You GDPR-Compliant
Privacy Shield In Trouble?
Unfortunately it is questionable whether Privacy Shield will remain in place. The European Commission has charged that the US has been delaying full compliance with the agreement’s terms and has warned that Privacy Shield could be suspended. Events are unfolding in near real-time on this issue as the EC has given the US until Sept. 1 to comply.
For the companies that used Privacy Shield to comply with EU regulations — according to Security Boulevard over 3,000 US companies self-certified their acceptance of the requirements of the Privacy Shield — its suspension would result in a mad scramble to find another legal basis for data transfers.
Wait and See
For the time being, Lily Li, owner of Metaverse Law suggested companies take a wait-and-see approach on ePR and Privacy Shield. “It remains to be seen whether it will even remain intact by the time ePR is instituted,” she said.