#GDPR and ePrivacy: spot the difference

Strategy 2 May 2018

There’s been a lot of talk about the terms of the GDPR (General Data Protection Regulation) and ePrivacy Regulation, but – contrary to what many seem to believe – the two may not be referenced interchangeably. To avoid any confusion, fifty-five explains the difference between these two regulations and their scopes of application.

You might have noticed that the protection of European citizens’ data is having a moment.

The past 20 years have seen big developments in regulation, and several directives have already established a solid framework for personal data protection across the European Union. This series of European legislation includes the 1995 Data Protection Directive, the 2002 Privacy and Electronic Communications Directive, the 2009 Telecoms Package, or even the 2016 Privacy Shield Framework. Together, these texts have defined clear guidelines for member States, who must then integrate the principles into their local laws. Next, an independent regulatory office from each country (commonly called the Article 29 Working Party) must ensure these laws are being followed. As a result, there are many adaptations to be made and fragmentation is common among countries (for example, cookies policies differ between countries).

Now, two new regulations ( GDPR and ePrivacy) hope to harmonize the framework regarding users’ personal data and privacy in the European Union. Though current directives stopped at imposing a results obligation to member States, leaving them free to choose how to obtain these results, the new regulations apply directly to all States, without specifying how regulations should be transposed.

Protecting personal data of all European residents with the GDPR

The General Data Protection Regulation will be enforced from May 25th and will replace the 1995 Directive. It will be the reference when it comes to protecting personal data in the European Union.

The GDPR’s two principles are to:

  • Make organisations (companies, associations, governments, etc.) more accountable when it comes to processing personal data, and,
  • Give European residents more rights in the processing of their data.

The regulation is extraterritorial, meaning that it applies to any company that processes the data of EU residents – regardless of where the company is based. Any company that is present on the European market – even giants like Google, Apple, Facebook, or Amazon– will be affected by the regulation.

To know more, read our article about the 6 commandments of GDPR!

Simplifying cookie policies in the European Union with the ePrivacy Regulation

The EU’s ePrivacy Regulation seeks to regulate electronic communications, and particularly to protect privacy in these communications. It is still being considered by the Parliament and the European Council.

Initially planned for this year, but likely pushed back to 2019, the vote on this regulation will replace the current Telecoms Package from 2009 and its Directives 58-2002, which aim to protect private life on the internet (prohibiting spam, obtaining consent to gather cookies, etc.).

The ePrivacy Regulation will impact the following services:

  • Internet providers (browsers, telecom operators)
  • IoT (Internet of Things) players
  • OTT media services, messaging services (WhatsApp, Skype, Facebook Messenger, etc.)
  • Ancillary Internet services (Wi-Fi routers)

Like the GDPR, ePrivacy will be extraterritorial and could impact all service providers used by individuals residing in the European Union.

Main challenges for the Regulation are the following:

  • Whereas until now, an opt-out system was allowed in certain countries (meaning that website editors could install cookies in browsers by default), the ePrivacy Regulation will impose an opt-in principle. This means that users will have to explicitly agree to the use of cookies as they browse the Web.
  • Consent will have to be obtained at the browser level (and no longer at the website level, as is the case today) when it is installed or updated.

This second point has led to multiple debates, because some see it as furthering the imbalance between American titans ( GAFA, etc.) and European tech companies, particularly in the ad tech sector (Criteo, etc.). Google or Facebook can take advantage of their logged-in ecosystems (Chrome, Gmail, Facebook, YouTube, WhatsApp…) and thus get around using cookies for their ad services, unlike most of their competitors.

The main difference between the two regulations lies in their scopes of application. Though both texts have wide implications, the GDPR regulates the processing of personal data (collected on- or offline), while ePrivacy regulates information exchange (or metadata) sent via electronic service providers: browsers, SMS, e-mails, but other OTTs such as Skype, WhatsApp, and Facebook Messenger.

To sum up: when you hear GDPR think personal data, and when you hear ePrivacy think cookies (and other electronic trackers). 🙂

This article was originally published on Petit Web and translated from French by Niamh Cloughley.

Would you like another cup of tea?