Insights & Analyses

First GDPR, now ePR: EU’s next privacy law could regulate messaging services like WhatsApp, Skype, iMessage – One World Identity

June 13, 2018

On the heels of the EU’s General Data Protection Regulation, Europe is gearing up for its next big privacy push, this time taking aim at data collection within messaging apps. But critics contend the proposed law goes too far, potentially stifling innovation and hurting profits.

Note: “Trust, Safety & Compliance: A Survivor’s Guide to GDPR-mageddon” from OWI Labs is now available to download.

While Europe waits to see how GDPR and fines for violations might shake out, the EU is working on a follow-up to the 2002 ePrivacy Directive, also known as the “cookie law.” Presently said to take effect in late 2018 or early 2019, the new EU ePrivacy Regulation, or ePR, aims to treat online messaging applications with the same rules and regulations that apply to voice and text message services through wireless carriers.

Traditional voice calls and SMS messages are governed by laws that prevent carriers from collecting data or putting tracking information on messages. Lawmakers in the EU believe so-called “over the top” messaging clients, like WhatsApp and Skype, should be governed by those same rules.

But the law, which was approved by the European Parliament last fall and remains under review by the Council of the European Union, would also apply to applications where messaging is a feature of a larger platform. Think person-to-person messages within a game, or a social network.

Critics contend that the changes will reduce the revenue from electronic communications by 30 percent, or more than €550 billion. Because the law would affect all companies that do business in the EU, a consortium of companies — including Google, Facebook, AT&T, Comcast and Intel — have publicly opposed ePR, saying it will extend beyond the technology sector and hurt the EU economy. Many of those same companies tried unsuccessfully to block GDPR, which took effect in May.

If ePR takes effect as it is currently written, companies will only be able to collect data or metadata from electronic communications, including text and video chat, if the user provides explicit permission. In addition, companies cannot restrict or prevent access to a service if the user declines data collection.

Critics say those rules could impede innovation in many areas. One example they give is self-driving cars, which collect valuable safety information and send it back to the manufacturer for improved development.

OWI Insight: The EU is trying to walk a fine line with GDPR and ePR, ensuring consumer protection without stifling development of new technology and hurting businesses across Europe. There is one catch, though: It’s a bit easier for the EU to take these risks, because, as The Financial Times notes, the bulk of innovation in the tech sector is coming from China and North America. It is telling that many of the heaviest hitters opposing ePR in the Developers Alliance are American companies from Silicon Valley. With the dust from GDPR yet to settle, and apparent infighting at the Council of the European Union over ePR, don’t be surprised if the new law encounters further delays and doesn’t take effect by its targeted deadline of early 2019.