By Cristina Vela, Chairwoman, Data Protection, Trust and Security Working Group, ETNO and Paolo Grassia, Director of Public Policy, ETNO
Brussels, 24 May 2019 – The General Data Protection Regulation (GDPR) turns 1 year old and European telcos can look back with satisfaction at months of hard work on the implementation. Whilst GDPR has been seen as projecting European leadership on privacy globally, concerns about restricting innovation remain high, not least because of potential competing rules in the proposed ePrivacy Regulation.
As the GDPR turns one, implementation has implied a huge effort in terms of adapting organisations from a legal and managerial viewpoint. Challenges included the adaptation of the definition of consent, working on the legal bases for processing customer data and adapting IT systems to allow effective and meaningful exercise of user rights. According to the International Association of Privacy Professionals (IAPP), 500.000 European organisations have registered Data Protection Officers (DPOs) within the first year of GDPR application.
While GDPR implementation has been a challenging journey, telecom operators are looking at largely good results of this work. After 12 months, there was no significant increase of complaints and legal actions against operators. While implementation is still a learning process, telecom operators are fully committed to protecting customers’ privacy as trust is at core of operators business.
In this context, and with a view to take part into shaping the global privacy debate, ETNO has been a proud member of the Multistakeholder expert group on GDPR application, to which we have been actively contributing through our members’ experiences.
In one year, the GDPR has significantly shaped the global debate on privacy and it has set new standard in other regions. This has effectively transformed Europe into a standard setter for fundamental rights protection in the digital economy.
In the age of the data economy, privacy is also a competitiveness factor. In a world in which trust is a scarce resource, privacy is one of the factors that helps differentiate a product or a service from the crowd. This is why policymakers recognise that the data economy will be one of the fuels of Europe’s competitiveness in the years to come – especially in light of the on-going Artificial Intelligence transformation.
Being able to responsibly pool big data for R&D and innovative services, within the legal framework for data protection, can give the EU economy a competitive edge at the global level. Unfortunately, some European players – such as telcos – cannot jump on this opportunity and start producing European services. Despite being GDPR-compliant, in addition telcos need to follow outdated sectorial rules unfit to the digital environment that restrict their ability to use the same data assets that others are allowed to use.
In this context, telcos are looking with concern at the ePrivacy debate, currently hanging in between two EU presidencies and two mandates of the European Parliament. Huge uncertainty seems to be associated to this additional regulatory layer. The old ePrivacy directive has been implemented in national law differently, and now needs to be applied in light of major open questions as to its compatibility and coherence with the GDPR. The Proposal for a new ePrivacy Regulation was tabled in January 2017, when GDPR was not yet applicable and the European Electronic Communications Code (EECC) was still being negotiated.
Now, GDPR has been implemented, changing many of the approaches and behaviours that the ePrivacy Regulation aims to tackle. For example, websites have already reshaped their cookie policies in the past months. Additionally, the new EECC already ensures an extended definition of what an e-communications service is, thereby achieving one of the purported goals of the ePrivacy Regulation, which is to broaden the scope of application of confidentiality obligations to a larger number of Internet-based players.
The main target of the review of sectorial regulation thus must be to ensure rules are up to the task of fitting into a changing digital ecosystem. Indeed, in addition to legal development, technology innovation and market evolution have themselves turned even the 2017 proposal already outdated. Meanwhile, policy makers have been grappling with fostering Europe’s data economy and boosting new technologies such as Artificial Intelligence, Internet of Things, High Performance Computing, and block chain, which all require an extensive use of data. Our industry can play a key role in this challenge, considering the opportunities that 5G will bring, if it is not bridled by obsolete rules.
In the past year, we have seen some progress during ePrivacy negotiations, with attempts to align sectorial rules with GDPR and provide mechanisms for telcos to innovate and effectively compete with big digital companies in data-driven services, while sticking to a firm protection of what we believe is a sacred principle: confidentiality of communications.
However, the wide gap with the GDPR and its core principles, such as accountability and the risk-based approach, is far from bridged. Member States’ contrasting views in Council discussion have resulted in an intricate draft position that would not provide legal certainty, and has seemingly lead to a standstill after over two years of negotiations.
This begs a key question: does Europe really need sectorial rules in addition to the GDPR? Is a horizontal approach to digital regulation not the way to go, considering that technological evolution is blurring the lines between traditional sectors?
GDPR’s mission was to establish a cross-cutting, future-proof and technological neutral framework that be able to respond to future privacy challenges in the digital world. We don’t want the ePrivacy to become a missed opportunity: we need to ensure that it allows European players to take part in innovation and data-driven business models, while respecting in full the privacy of their customers. The GDPR has set a global standard. We should ensure that the ePrivacy does not unmake what GDPR achieved.
It is high time to give a fresh look at the ePrivacy as part of a wider context, to consider how it fits in the current regulatory and market landscape in 2019 and beyond, and how it helps reach the EU political goals. By May 2020, the European Commission will issue its first report on the evaluation and review of the GDPR that takes into account the state of the art of technology and digital economy. This will be unique opportunity to rethink how ePrivacy and the principle of confidentiality of communications fit into general rules, and how European industry and citizens could benefit from a coherent, technologically neutral, and future-oriented privacy framework.