ePrivacy Regulation Is Just Around The Corner…(aka Winter Is Coming!)

Let’s face it, most people think that compliance is boring. Maybe that’s why 71% of organisations are still not GDPR compliant[i] and most still don’t encrypt data properly[ii] (i.e. take “appropriate measures”).

And if GDPR wasn’t difficult enough to get your head around, the regulatory environment is going to get tougher and much more complicated when the ePrivacy regulations (aka ePR) come along later this year. Actually it should have become law when GDPR became law (aka The UK Data Protection Act 2018). Currently in the UK we have The Privacy and Electronic Communications (EU Directive) Regulations 2003 (aka PECR). The lobbyists have done a good job of holding ePR up, but they have only delayed the inevitable.

PECR covers electronic communications, including marketing emails, faxes, texts and phone calls; cookies that track website visitor information; the security of public electronic communications services; and the privacy of end users.

Much like the old UK Data Protection Act, where enforcement was fairly light-touch in comparison to GDPR, fines under PECR are below what we may expect under ePR.  ePR will extend the scope of PECR to cover end-to-end privacy of data in transmission and any metadata gathered. The two acts will operate together but will not cover intra-company communication.

In practice this means that listening to calls, scanning of electronic messages, monitoring of visited websites, and the monitoring of interactions between users will breach the regulation. The main sorts of services affected will be Over-The-Top services (OTT’s) such as Voice Over IP (VOIP) like Skype, instant and social media message services (e.g. Facebook, WhatsApp etc.); cookies used for cross-selling and advertising with more user-oriented control; unsolicited communications; and the Internet of Things (aka The IoT).

The penalties for breaching ePR will be the same as for breaching GDPR. And just in case you were wondering, yes it will be unaffected by Brexit because we want to maintain “adequacy” with EU regulation to be able to keep trading with the EU.

Watch this space. Winter is coming…


[i] IT Governance survey December 2108

[ii] nCipher Ponemon survey March 2019

Leave a Reply

Your email address will not be published. Required fields are marked *