GPDR… many appear to be frustrated at the wave of consent-seeking
e-mails flooding the inbox these days, but we believe that there are at
least 3 good reasons to be happy about the new General Data Protection
Regulation (GPDR). There is also 1 reason to be unhappy about it, but
let us explain more.
GDPR is lots of work, but also a global standard European telecom operators have a long tradition in protecting the data and privacy of their customers. Consumer surveysconsistently
indicate that this is reflected in users’ trust, which is higher than
trust in other communication service providers. While this is good, we
cannot rest on our laurels and a lot of work has gone into preparing for
a strong GDPR implementation across the industry. However, the GDPR is
not a mere compliance exercise. The changes it will bring are much more
profound as businesses are transforming the way they collect and use
personal information. This is worth the effort, especially as the GDPR
promises to become a global standard for all those providing services,
especially digitally-enabled ones. Some believe that the GDPR will be
the European Union’s “major export” worldwide in the coming years. This
would be good news for all: no matter who the service provider is or
where it is located, all companies have to comply to the same standard
when offering services to European citizens. Some companies are already
announcing that they will be GDPR-compliant on a global basis and not
just for the EU. This will be good both for competitiveness, because all
players will eventually need to apply the same rules, and especially
for consumers, who will be clearer about their enhanced rights.
GDPR is about harmonisation and certainty – or at least it should be Another good thing about the GDPR is that it
will promote harmonisation across Member States. This is very important
when it comes to ensuring consistent rights and obligations across the
Single Market. It will make life easier for those who operate in various
countries, but it will also ensure more clarity for all users.
However, the telecoms community is looking with great concern at two phenomena that could jeopardize this positive achievement.
On the one hand, most Data Protection Authorities (DPAs) have openly stated
that they are not ready for the new rules. This clearly harms legal
certainty and might expose certain businesses to future consequences,
since many DPAs have been and still are unable to advise on the best
On the other hand, most Member States are not ready and only a few of
them have adopted their “specification” laws, causing yet more
uncertainty as these national laws will need time to be adopted. In
addition, national laws stemming from the GDPR might de-facto end up
creating a parallel or additional regime. This may be the case when
national laws go beyond the delicate balance achieved in the EU
Regulation. If they do, yet more additional uncertainty might be created
and the Single Market risks being threatened by legislative
fragmentation across various EU countries. It is of outmost importance
that while benefitting from the flexibility left by GDPR in certain
areas, Member States do not touch upon what is core in data protection
legislation: the protection of personal data as a fundamental right and
the promotion of the free flow of personal data in the Single Market.
The same goes for the Guidelines that DPAs gathered in the Article 29
Data Protection Working Party have been elaborating over the last
months. Both relevant national Laws and the Working Party’s guidelines
should not depart from the spirit of GDPR.
GDPR is the outcome of a long, careful democratic debate This leads us to the third reason why the
GDPR is good: it was the result of a diverse and democratic debate,
which included voices from civil society, business as well as experts
and DPAs. It was also a tough and long one, but it achieved a balance
that most stakeholders welcomed. Most importantly, while the GDPR will
now be put to the test of application and reality, most agree it strikes
a fair balance between fundamental rights and freedom to innovate for
the benefit of European citizens and society as whole. These are all
essential elements, especially from the viewpoint of EU values and in
light of the Continent’s need for sustained growth. For this reason, our
hope is that such a delicate balance is not altered by local debates,
over-reaching guidelines or additional sector-specific laws.
The proposed ePrivacy Regulation: a counterproductive double regulatory regime
As in all fairy tales, there is always an obstacle to the happy ending.
In the case of the GDPR, we believe, the obstacle might end up being the
proposed ePrivacy Regulation. The ongoing review of the current
ePrivacy Directive should respond to the need for a fair playing field
among different actors providing communications services, but also to
the need for alignment with the new GDPR.
The proposed Regulation extends the principle of confidentiality – not
specifically included in GDPR – to all players who offer electronic
communication services. And not only telcos. This is a positive step as
consumers will be able to enjoy a consistent privacy experience,
irrespective of technologies, infrastructure, business models and of who
provides a given service.
However, this cannot be an excuse to create a sort of double-regulation
regime on top of the GDPR. Instead of building on the new GDPR, the
proposed ePrivacy Regulation builds on the obsolete Directive and only
allows the processing of communication data based on prior consent, or
full anonymization. This with a very limited number of exceptions. This
is by no means sufficient or future-proof. Just think of metadata: the
GDPR already foresees strong protections and several grounds for
processing personal data, beyond mere “consent” and depending on the
context any another legal basis might be more adequate. Confidentiality
of communications has always been a fundamental principle applied by the
telecommunications industry and enshrined in national laws. It is not
about questioning the principle of confidentiality, but about asking for
broadening the legal grounds for processing metadata in line with the
In this context, if the ePrivacy Regulation is not corrected,
communication service providers might be forced to gather consent,
unlike all the other players in the digital value chain.
This would disrupt the balance achieved by the GDPR, but it would also
create problems of legal consistency and clarity. In addition, it would
create an unfair playing field, forcing telco companies and other
communication service providers to join the global digital competition
with one hand tied behind their back. GDPR is good for consumers, but
the ePrivacy’s attempt to increase protections could in fact result into
less clarity and into a reduced ability to create better products for
At ETNO, we believe that European telcos should be able to fully take
part into the game and provide European citizens with digital services
inspired by European values. In times of digital uncertainty, this would
not only be crucial in economic terms, but it would also provide
additional European choice for our citizens.
Cristina Vela is Chairwoman of ETNO’s Data Protection, Trust and Security Working Group.