Data protection in Europe 2020: the ePrivacy Regulation and further changes to the GDPR

What is the current status of data protection in the EU? What are the legal aspects in force and which are currently being developed? These are some of the questions we will address on a matter of growing interest to the public

Data protection is a hot topic. If you look at the media, you will notice how many news on fines for legal violations or tips for protecting information are published on a daily basis.

Society is becoming more aware of applying cybersecurity measures on a daily basis, both at home and at work. As a result, for years EU institutions have been developing legislative environments to ensure adequate data protection for their inhabitants.

That is why we believe that it is time to discuss future changes in both securing and protecting digital identity of European citizens.

What is the current situation of the GDPR?

The General Data Protection Regulation (GDPR) went into effect on 24th May 2016, and mandatory to adhere since 25th May 2018.

Despite the legal requirements to comply with the GDPR, there are still many companies and institutions that do not comply with this regulation, with the resulting sanctions.

According to DLA Piper 160,000 GDPR violations have been reported in European Union member countries, as well as in Norway, Iceland and Liechtenstein since May 2018. This translates into fines that, all together, amount to 114 million euros.

The countries that most violate the GDPR are:

  • The Netherlands (40,647)
  • Germany (37,636)
  • United Kingdom (22,181)

Examples of legal actions taken are millionaire fines to large technology companies, such as Google and Facebook. In the case of the most popular search engine, at the beginning of 2019 Google was fined 50 million euros by the French data regulator CNIL.

Regarding the measures adopted by public institutions to make it easier for companies to follow the GDPR, the Spanish Data Protection Agency (AEPD) has implemented the following initiatives:

Cookies law europe

EU Cookie Laws

One of the most important aspects of data protection is the use of cookies on websites. Every time we browse the Internet, it is very common to find cookie warnings requesting to accept cookies from the site.

What are Cookies?

By Cookies we mean files installed on our web browser which contain information about your visit to the web page. They are used, for example, to streamline our future experiences on the site.

Cookies were introduced in Europe in 2002 and updated in 2009 under the Privacy and Electronic Communications Directive, as a complement to the RGPD. This Directive states that cookies will only be installed after the user’s valid consent, after being duly informed.

This excludes technical cookies from being indispensable for the website to work correctly, (e.g: language selection cookies or accessing to data of a specific service).

Changes to come: the new ePrivacy Directive

As we have seen, the latest legal update on digital privacy in Europe dates from 2009, so it is clear that this text needs to be updated to reflect current developments.

In order to take a step forwards in achieving a Digital Single Market, the regional authorities have been drafting and developing the new Regulation on Privacy and Electronic Communications, also known as the ePrivacy Directive.

This ePrivacy Directive complements the RGPD, as the first one specifically refers to data related to e-communications which are considered as personal data, prevailing over the GDPR. If electronic personal data that is not displayed in the ePrivacy Directive, the GDPR will prevail.

We could say that the GDPR is more flexible and covers aspects that go far beyond the digital world, while ePrivacy only focuses on the digital world.

Processing the ePrivacy Directive is turning out to be extremely complex and controversial, as the latest version was rejected by the Committee of Permanent Representatives of the Governments of the Member States of the EU Council (COREPER) in November 2019 after eight drafts. Nevertheless, it’s expected during 2020 the call for resumption of dialogue regarding this important legal text.

Some relevant aspects the ePrivacy Directive deals with is the fact that browsing websites is not subject to accepting both tracking or advertising cookie policies, which could be a setback for companies that benefit from collecting data related to user tastes.

While continuing with cookies, the latest draft established that cookies should not be used on user devices, excepting the following cases:

  1. That there is valid consent from the user
  2. That there are essential for a particular service
  3. Required by the service provider for audience measurement
  4. Required for maintenance or service safety
  5. They are necessary to update the software if:
  • It is requested for security purposes and does not require changing privacy settings
  • The user is informed
  • The user can postpone or disable the updates

Furthermore, Regarding personal data and related metadata, it is stipulated that these may only be used for the purpose for which they were originally collected, unless the user gives his consent to change this purpose. 

We can also highlight the arrival of 5G and, therefore, the collection of information between machines, as with IoT (Internet of Things) technology. A feature that must also be included in this new legal framework.

So far, this is a general review of both the current situation and the main future developments regarding data protection in Europe. We hope this has helped you understand the current scenario of data protection that is already present on our daily lives.

Viafirma keeps on working to offer digital signature solutions that are fully adhered and up-to-date with the current legislation on personal data, so you can use our signature and authentication tools with peace of mind, knowing full legal support.