Firms should take note of EC privacy proposals, warns KPMG

Professional services firm KPMG is urging UK firms to ensure they are prepared for proposed EU privacy rules for electronic communications set to become law by May 2018

Firms should assess how they will be impacted by proposed European legislation to ensure stronger privacy in electronic communications, warns KPMG.

The measures proposed by the European Commission aim to update current rules, extending their scope to all electronic communication providers, including services such as WhatsApp, Facebook Messenger, Skype and Gmail.

They also aim to create new possibilities to process communication data and reinforce trust and security in the Digital Single Market, which is a key objective of the Digital Single Market strategy.

At the same time, the proposal aligns the rules for electronic communications with the European Union’s (EU’s) General Data Protection Regulation (GDPR), which becomes enforceable on 25 May 2018.

The European Commission (EC) is also proposing new rules to ensure that when personal data is handled by EU institutions, privacy is protected in the same way it is in member states under the GDPR, and to set out a strategic approach to facilitate international data exchanges in the global digital economy.

According to the EC, privacy will be guaranteed under the new rules for both the content and metadata, such as time and location, of electronic communications. “Both have a high privacy component and, under the proposed rules, will need to be anonymised or deleted if users have not given their consent, unless the data is required, for instance, for billing purposes,” said the EC in a statement.

However, once consent is given for communications data to be processed, traditional telecoms operators will have more opportunities to use data and provide additional services, such as producing heat maps to help public authorities and transport companies.

Stepping away from the cookie law

The new rules include a streamlining of the “cookie law”, which has resulted in an overload of consent requests for internet users, by clarifying that no consent is needed for non-privacy intrusive cookies. This means cookies to remember shopping cart history or count the number of visitors to that website will no longer require consent.

The new rules ban unsolicited electronic communication by any means, and make national data protection authorities responsible for the enforcement of the confidentiality rules in the GDPR.

The EC said it plans to engage proactively in discussions on reaching “adequacy decisions” with key trading partners in East and South-East Asia, allowing for the free flow of personal data to countries with “essentially equivalent” data protection rules to those in the EU. This will start with Japan and Korea in 2017, as well as interested countries in Latin America and the “European neighbourhood”.

In addition, the EC will make full use of other alternative mechanisms provided by the new GDPR and Police Directive to facilitate the exchange of personal data with other third countries with which adequacy decisions cannot be reached.

The EC hopes to have the new rules in place by the time the GDPR becomes applicable on 25 May 2018.

“The intention is to provide citizens and businesses with a fully-fledged and complete legal framework for privacy and data protection in Europe by this date,” said the EC.

The proposed rules represent the next step for EU regulators, as they attempt to ensure personal data is adequately protected and that users have increased control over how it is collected, used, retained and disclosed, said Mark Thompson, global privacy advisory lead at KPMG.

“For consumers, it means more control over the use of personal data. For businesses, the proposal will be felt in a spectrum of different ways,” he said.

First, for organisations that use cookies for non-intrusive purposes, Thompson said the new rules will make life easier by not requiring consent for non-privacy intrusive cookies that improve an internet experience.

“However, businesses that fall under increased consent requirements, where users are required to take action to allow cookie usage before information can be collected, in certain circumstances, are likely to face some challenges,” he said. “The new rules will allow users more control over their settings, providing an easy way to accept or refuse the tracking of cookies and other identifiers in case of privacy risks.”

Increasing transparency and building trust

Businesses involved in personal data-rich tracking services could potentially face even greater challenges, and need to start thinking about how they can increase transparency and build trust with individuals who use their services.

“The broad scope of this legislation also has the potential to impact other service providers whose businesses rely on gathering and analysing information processed by terminal devices such as phones and laptops,” said Thompson.

However, for organisations that are trusted by individuals and perceived to deliver a high level of reward for sharing their personal data, the changes may hand them a key business advantage due to the likelihood of individuals consenting to them processing their personal data.

“On the flipside, for organisations that are not trusted or are perceived to offer a low value exchange, we could see a significant reduction in the individuals who permit them to process their personal data,” he said. “This could potentially undermine the use of these services, the turnover and, eventually, market value.

“Organisations will need to consider whether they are impacted and how to respond as soon as possible.”