27 / 01 / 2023

Regulation on privacy and electronic communications: big changes

22 / 03 / 2017

The ePrivacy regulation will take effect on 25 May 2018 along with other rules for the protection of personal data, which are known as GDPR (General Data Protection Regulation) or, in Polish, as RODO (Rozporządzenie o Ochronie Danych Osobowych). The ePrivacy regulation has been drafted to replace the European Commission Directive on Privacy and Electronic Communications of 2002. Onwelo specialists in cybersecurity consulting and implementation have analysed the likely impact of this regulation on the Internet and telecommunications sectors.

The same rules will apply to VoIP and messaging application operators as to traditional telecoms providers
The current EU Internet-privacy directive concerns traditional telecommunications operators only. The new regulations will change this, because they will be extended to other providers of online-communications services, such as VoIP, messaging applications and e-mail. In practice, this will affect brands such as WhatsApp, Facebook Messenger, Skype and Gmail. The regulation will apply to companies headquartered in the EU and, where they render paid-for or free-of-charge services to citizens of an EU country, also to companies headquartered outside the EU.

“The proposed rules guarantee the confidentiality both of the content of messages and of metadata, such as the time they were sent or received, or the user’s location. When the new rules take effect, if the user does not agree to the storage of these kinds of data, they will have to be deleted or anonymised, unless the operator needs them for strictly defined purposes, such as invoicing. The consequences for social or advertising networks will be serious because their ability to target advertising will be severely restricted. This could mean that advertisers will be less interested in their services” – explained Rafał Głąb, who is responsible for data-security services at Onwelo.

Harder for telemarketers
The regulation does not tell the EU member states how to enforce this ban. But it does suggest a number of solutions.

“The EU states could, for example, decide to keep special registers that allow users to withhold their telephone numbers or e-mail addresses. Another very interesting idea is to introduce a special prefix designating telephone numbers used for marketing purposes. This will make it easy to tell that someone is phoning us with a marketing offer, so that we can simply not take the call” – said Marcin Baranowski, IT-Security expert at Onwelo.

Changes for the direct e-marketing sector
The ePrivacy regulation also introduces a number of changes for companies involved in e-marketing. First of all, the new law extends the definition of e-marketing. Business-to-customer (B2C) communications, that is, those addressed to individual users, will now be distinguished from business-to-business (B2B) communications, which are received by customers. Senders of B2C communications will require the express agreement of the people they are addressed to. The European Commission has left the question of B2B communications to the discretion of the EU member states, with the reservation that there must be a specified level of protection against unsolicited communications.

Just as in the earlier directive, the consent of users will not be required for sales of similar products and services. At the same time, users have the right to withhold consent and can easily withdraw their names from the address lists of marketing messages sent by e-mail, which means it should work more or less in the same way as it has done up to now – said Rafał Głąb.

Cookies and other changes
The new rules also simplify the principles that apply to cookies. Cookies that do not present a threat to privacy and are designed to make it easier for users to navigate the pages (for example remembering the contents of a basket in an e-shop) will not require the user’s consent. In turn, users will be able to accept other cookies by activating the appropriate settings in their Internet browsers. In practice, this will most probably signal the end of displaying cookie notifications on websites.

Another interesting proposed change in the ePrivacy regulation is to make it possible for telecommunications providers to render new services based on the anonymised data of their users, insofar as they express their consent to such processing. An example is provided by heat maps generated by operators, which could show, for example, how many people are gathered at a specific location at a specific time. Their uses include planning for new infrastructure developed by local authorities or transport companies.

EU citizens strongly in favour of the proposed changes
The public opinion research published by the European Commission in December 2016 reveals that EU citizens want much greater protection for their personal data on the Internet. This concerns areas such as communication via e-mail and messaging applications, data protection on devices, monitoring Internet behaviour and receiving unsolicited marketing communications and telephone calls.

According to the poll, seven out of ten people think that the confidentiality of communications sent via e-mail and via messaging applications should be guaranteed. For eight out of ten of those polled, it is important that access to private data stored on a computer, smart phone or tablet should not be possible without the consent of the owner of these devices. Very nearly two thirds of respondents regard the monitoring of their online activity in return for unfettered access to some sites as unacceptable. Six out of ten Europeans also complain of receiving too many unsolicited telephone calls from marketers.

The European Commission began the research in April 2016 as part of preparations for the new regulations on the protection of personal data and IT security on the Internet. The research will form a basis for drafting new EU regulation in this field.