When we access the web, we often entrust vital personal information, such as our name, address, and credit card number, to our Internet Service Provider and to the website we are using. What happens to this data? Could it fall into the wrong hands? What rights do we have with regard to our personal information?
Common EU rules have been established to ensure that personal data enjoy a high standard of protection everywhere in the EU. Currently, the two main pillars of the data protection legal framework in the EU are:
The Privacy and Electronic Communications Directive, commonly known as the ePrivacy Directive (the Directive on Privacy and Electronic Communications came into force in July 2002 and was amended in 2009). The ePrivacy Directive builds on the EU telecoms and data protection frameworks to ensure that all communications over public networks maintain respect for fundamental rights, in particular a high level of data protection and of privacy, regardless of the technology used.
And the General Data Protection Regulation (GDPR), adopted in May 2016 and coming into force in May 2018. The EU GDPR ensures that personal data can only be gathered under strict conditions and for legitimate purposes. Organisations that collect and manage our personal information must also protect it from misuse and respect certain rights. I am hoping you are on your journey to compliance. If not, check out my GDPR posts for guidance and a 4-phase plan.
As GDPR may have crept up on you, today I am providing an overview of what is coming next in the data legislation world.
Why a reform of ePrivacy legislation?
We all know how much the world has changed since 2009, and even more significantly since 2002, when smartphones and banking and shopping apps were not as prolific as they are today. Therefore, on 10 January 2017 the European Commission adopted a proposal for a regulation on Privacy & Electronic Communications to replace the 2009 Directive.
Another reason for reforming the ePrivacy legislation is that it needs to be adapted to align with the new rules of GDPR.
As with GDPR, ePrivacy will be transposed into UK law after Brexit. The UK wants to remain the gold standard for data regulations and security as discussed in the Parliamentary Select Committee at the end of last year.
Digital Single Market
Building a European data economy and having the right legislation to support it is part of the Digital Single Market (DSM) strategy. The initiative aims at fostering the best possible use of the potential of digital data to benefit the economy and society. It addresses the barriers that impede the free flow of data and the privacy and protection of our data to achieve a European single market.
Proposal for an ePrivacy Regulation
The European Commission’s proposal for a Regulation on Privacy and Electronic Communications aims at reinforcing trust and security in the Digital Single Market by updating the legal framework on ePrivacy.
The key points of the Commission’s proposal for updating the ePrivacy regulation for a high level of privacy rules for all electronic communications include:
New players: privacy rules will in the future also apply to new players providing electronic communications services such as WhatsApp, Facebook Messenger and Skype. This will ensure that these popular services guarantee the same level of confidentiality of communications as traditional telecoms operators.
Stronger rules: all people and businesses in the EU will enjoy the same level of protection of their electronic communications through this directly applicable regulation. Businesses will also benefit from one single set of rules across the EU.
Communications content and metadata: privacy is guaranteed for communications content and metadata, e.g. time of a call and location. Metadata have a high privacy component and are to be anonymised or deleted if users have not given their consent, unless the data is needed for billing.
New business opportunities: once consent is given for communications data – content and/or metadata – to be processed, traditional telecoms operators will have more opportunities to provide additional services and to develop their businesses. For example, they could produce heat maps indicating the presence of individuals; these could help public authorities and transport companies when developing new infrastructure projects.
Simpler rules on cookies: the cookie provision, which has resulted in an overload of consent requests for internet users, will be streamlined. The new rule will be more user-friendly as browser settings will provide for an easy way to accept or refuse tracking cookies and other identifiers. The proposal also clarifies that no consent is needed for non-privacy intrusive cookies improving internet experience (e.g. to remember shopping cart history) or cookies used by a website to count the number of visitors.
Protection against spam: this proposal bans unsolicited electronic communications by emails, SMS and automated calling machines. Depending on national law, people will either be protected by default or be able to use a do-not-call list to not receive marketing phone calls. Marketing callers will need to display their phone number or use a special prefix that indicates a marketing call.
More effective enforcement: the enforcement of the confidentiality rules in the Regulation will be the responsibility of data protection authorities, already in charge of the rules under GDPR.
Background – The Review Process
To achieve the new proposal, the Commission organised a series of workshops with stakeholders and ran an online public consultation between April and July 2016.
A survey was conducted in July 2016 to gather the views of citizens. An impact assessment, supported by a study, was carried out and the resulting draft regulation was adopted on 10 January 2017. No information is available yet on when this new Directive will go live. My expectation is end of 2019 / mid 2020.
Free Flow of Data
The DSM aims to maximise the positive impacts of digital technologies on job creation, economic growth and new innovations beneficial to society, while protecting competition and consumers. High-powered computation and large-scale data fuel much of the progress seen in the global digital economy. Therefore, in order for the DSM to flourish, the free movement of data and effective cloud computing are essential.
Free flow of data means the freedom to process and store data in electronic format anywhere within the EU. It is necessary for the development and use of innovative data technologies and services.
The EU needs to ensure that data flows across borders and sectors. This is already being enabled in many Member States and is explicitly supported by regulations in some sectors. GDPR, for instance, guarantees the free flow of personal data; within the public sector, the re-use of information ensures the availability of data and its repeated use. For example, research data that is generated by public budgets is already having a positive effect on scientific collaboration and achievement of results. However, these regulations are far from a comprehensive approach and the free flow of data does not exist in all sectors.
Unjustified data localization contributes to the lack of incentives for the development of the High Performance Cloud Computing centres on a European scale. Cloud service providers cannot choose competitive locations that might be more suitable when constrained by data localization rules, creating challenges for governments and businesses in their cloud strategies and cost-effective use of cloud services.
Travelling and doing business abroad requires that the personal data of a citizen or business are available in the visited Member State. Whether it be a company applying for a permit or an individual opening a bank account, consumers and businesses would benefit from services being able to exchange data across borders in electronic and machine-readable formats.
Considering the current challenges in this field and the wider context of the Digital Single Market, the Commission has announced an initiative on the free flow of data. The Commission published the Free Flow of Data Inception Impact Assessment which identifies at least 50 restrictions that could force data localization within a Member State. The goal of the Commission is to propose a new regulation to remove unjustified data location restrictions and to publish a Communication on the emerging issues of data ownership, access and liability.
Beyond data localization, the emerging issues regarding data ownership, access and liability pose further challenges.
In discussing these emerging issues, it will be important to consider all situations: business-to-business, business-to-consumer scenarios, machine generated and machine-to-machine data. Consumers might need to better understand what type of data they can control and how they can control it, for example the difference between data processed by a proprietary algorithm or created by another author and thus subject to Intellectual Property rights (e.g. a list of products that I might like, or the risk of a disease) and data created by the user (e.g. sensor data from a wearable or a smartphone or browsing data).
To move the debate forward and to gain political guidance, Ministers are asked to reflect on the following questions:
- At present, there is no specific EU regulation concerning data localization requirements. Therefore, there still exist many national restrictions, e.g. in the financial and health sectors. Are there any specific conditions that can legitimize maintaining these restrictions?
- What should be the main guidelines or principles for a legislative proposal, if relevant, on data to address the localization and/or the barriers to the free flow of data?
- In your view, what are the main barriers to future innovation and growth of the data economy? What type of data should a user have access to or control over?
Lots to consider there on the free flow of data, and I cannot see legislation being developed by the time we leave the EU. However, there will be legislation developed in this space which we will need to comply with.
NAO, a SoftBank Robotics robot
The EU Drafts Laws of Robotics
When Isaac Asimov formulated his three laws of robotics back in 1942, they were still considered to be pure science fiction. Now they are becoming reality: The EU wants to regulate the deployment of civilian robots and give them a special legal status.
Isaac Asimov’s “Three Laws of Robotics”
- A robot may not injure a human being or, through inaction, allow a human being to come to harm.
- A robot must obey orders given it by human beings except where such orders would conflict with the First Law.
- A robot must protect its own existence as long as such protection does not conflict with the First or Second Law.
The Commission is currently working on EU-wide “Laws of Robotics”. The reason for this is the legal and ethical issues raised by the increasing use of robotics and artificial intelligence. One option could be to assign robots the status of an “electronic personality” – for instance when it comes to damage compensation. However, a legal framework for autonomously-intelligent systems that are already on the market or will become available over the next ten to fifteen years is considered more urgent.
The EU legal committee calls for a “kill switch” for robots: designers are asked to incorporate appropriate devices to ensure that the machines can be switched off in case of emergency. We have all seen the films where AI robots take over and we humans become the hunted, the less intelligent race. It never ends well!
Work will move to creating common European standards before the member states start drafting their own laws for our robot friends.
In summary, we have a number of pieces of regulation on the horizon:
ePrivacy – Proposals for new legislation currently being reviewed, to replace the 2009 regulation with a new Directive.
The Free Flow of Data / Data Ownership / Access / Liability – At least 50 restrictions derived from an impact assessment being reviewed with the goal of new regulation to remove unjustified data location restrictions and to publish a communication on the emerging issues of data ownership, access and liability.
AI Laws of Robotics – Creation of common standards for electronic personality.