No one knows what effect EU legislation will have on the UK post Brexit. We all have our hopes, and perhaps dreams, but there are going to be a lot of disappointed people about in two years’ time, always assuming we will have left by then. What that means is that we should still be aware of what is coming out of the European Commission with regard to new regulations.
The EU has been concerning itself with updating the ePrivacy Directive, publishing a draft earlier this year, the current one dating from 2009. Two things are of note, the first being that it will be a regulation and not, as before, a directive. The effect of this is that it will not require national legislation to enable implementation. The hope, no doubt, is for consistency across the EU. As we have seen before, this might not happen.
Secondly, and quite surprisingly, it is intended that the regulation should apply from May 2018. This will coincide with the start date of the General Data Protection Regulation. The assumption is that the two will not conflict. The date is, to say the least, adventuresome but commentators suggest it is achievable, if only just.
Included in the draft are significant changes to the rules on cookies. These include:
1/ Fingerprinting
The new rules would apply not only to cookies. They would include information stored and/or accessed on devices and, notably, information about the device the person is using.
2/ Affirmative action
Unsurprisingly perhaps, consent to cookies via browser settings is allowed but will only be valid if some kind of overt action is required to signal consent to tracking. Some have suggested that this means the EU wants to move away from the irritation of constantly being presented with notification banners.
3/ Exceptions
Cookies necessary for the purposes of, for instance, language preference, shopping cart function and first party analytics, will not require consent, as currently. However, there is a minor lowering of requirements.
There is more on cookies but this will be covered in later articles.
It has, no doubt, been noted that the interpretation of the existing directive on cookies varies throughout the EU. Indeed, some companies appear to not be aware of the requirements. The evidence is that the EU has taken this on board.
4/ Enforcement
The draft includes recommendations as to fines for those who choose to ignore the cookie and anti-spam laws. These top out at €20 million or 4% of worldwide annual turnover, this being group wide annual turnover. In other cases the maximum fine will be €10 million or 2% of worldwide annual turnover. This is a big stick.
The published aim of the new regulations is to reinforce trust and security in digital services by ensuring a high level of privacy in electronic communications without compromising the flow of personal data.
Given the level of fines, one method of achieving this is to grab the attention of those in charge of online businesses.
We will cover the new legislation nearer the go-live date. There might well be developments making it clearer what we in the UK will need to comply with.