Dangers to third party data usage in the new ePrivacy rules | DMA

Filter By

Show All

Connect to


Dangers to third party data usage in the new ePrivacy rules


​On Tuesday this week the Commission published its proposal for an ePrivacy Regulation

The DMA is extremely concerned that the ePrivacy Regulation, though an improvement on the leaked copy, will severely restrict the use of third party data and hold back technological developments in the digital economy.

The new ePrivacy Regulation will replace the current ePrivacy Directive, which informed the UK’s own Privacy and Electronic Communications Regulations (PECR).

Updated from a Directive to a Regulation means the ePrivacy Regulation will apply equally to all EU member states as with the General Data Protection Regulation (GDPR). The UK will therefore have to update its own PECR as the new regulation is expected to come into force in May 2018 before the UK has left the EU.

Reporting on the publication of the final text earlier this week the DMA focused on the positive changes since we obtained a leaked copy of the text.

Since the leak, negative changes affecting B2B marketers have been removed. Furthermore, the existing customer soft opt-in has been maintained.

Our concerns are over:

1) Scope of the legislation: the scope is not limited to electronic communications personal data. The definition used is much broader than that as it includes electronic communications data. This means that the Regulation will apply to machine-to-machine communication and to over the top services (OTT) such as Skype and WhatsApp.

2) Definition of direct marketing: This remains as in the leaked December draft of the proposal. All advertising on over the top service providers (Skype and Whats App) and social media sites (Facebook, Twitter) regardless of whether it is generic or targeted would fall within the definition.

3) Definition of consent: the definition of consent in the proposal is the same as the definition within the GDPR. However, Article 9 in the proposal does add some extra detail regarding consent for individuals who have consented to the processing of their electronic communications data. As long as the data processing continues individuals must be reminded of their right to withdraw their consent at any time. The proposal mandates that this takes place at six monthly intervals. Furthermore, consent may be expressed by making changes to software settings enabling access to the internet. This could be changing the settings on your internet browser on your computer or altering privacy settings on a mobile app that accesses the internet. Regulatory guidance will be necessary on this issue.

4) Publically available directories: directories in this category will also need to have the consent of individuals to share their data. As well as ensuring that the personal data available is up-to-date. Individuals should have a means to verify, correct or delete personal data relating to them.

5) Passing information on to third parties: the rules are tightened for passing electronic communications information on to third parties. Software providers, which could include internet browsers will need to offer individuals the right to stop third parties from storing and using their data. When installing new software individuals should be informed of the privacy settings and asked whether they consent to their electronic data being processed in a particular way and passed on to third parties. This places a great deal of power in the hands of the internet browsers or other software companies. They will need to record consent in some way and be able to share that with third parties relying on consent expressed via technical settings. What data third parties can used will depend on the language used by the browser when gaining consent and the granularity they go into when naming what sector, group or organisation the data will be shared with.

6) Telemarketing: the proposal includes a requirement for organisations making direct marketing calls to either present the identity of a line they can be contacted on or have specific code/prefix that identifies a direct marketing call. The second ask is troublesome as a direct marketing prefix would be difficult to agree on, there are a plethora of different organisations carrying out calls and their aims are all quite different. For example, would there be a different prefix for fundraisers? The policy quickly becomes very complicated and is therefore unlikely to actually help consumers or affect the rogue operators breaking the rules to make nuisance calls.

The DMA will be lobbying the UK Government and through FEDMA will be lobbying the EU institutions to make the case for the above changes. We will keep members updated of developments.

Hear more from the DMA

Please login to comment.