Regulating From Across The Pond: Rough Waters Ahead For Use of Big Data in the EU
A proposal for new e-Privacy legislation by the European Union may have a significant impact on businesses that wish to rely on use-generated data such as meta-data collected from users of mobile devices.
Mobile applications and other software often collect users’ meta-data from phones and other mobile devices (as well as from desktop computers) to analyse the data and make it available to other customers.
The proposed legislation, published by the European Commission earlier this year (see here), will update existing rules on issues such as direct marketing through email, the use of cookies to provide personalised services (including placement of targeted advertisements) and the collection and use of meta-data.
The proposed updated rules will apply to any company that collects data from users in the EU or that provides electronic communications services to end users located in the EU. It will not matter whether the business actually operates in the EU. If it has users in the EU, it will have to comply.
Whilst the proposed legislation may still undergo extensive review by European law makers, it is expected that its impact will be felt across the digital industry. The requirement to obtain an ‘opt-in’ from users will capture wider categories of data collection. There will also be specific requirements regarding anonymisation, disclosure and even obligations to consult with regulators before embarking on data collection. Collection of meta-data, even in non-identifiable form, will require consents and will be subject to legal scrutiny.
The rules against unsolicited targeted or direct marketing through digital channels will also be tightened with new technologies being captured including “over-the-top” services, such as internet voice calls, instant messaging and web-based e-mail services as well as social media. The EU’s approach is that, subject to certain exceptions, direct or targeted marketing through digital channels (including telephone) requires the prior opt-in by the user. These rules are still ignored by some companies and the EU Commission intends to ratchet up the enforcement tools and to give regulators the power to impose prohibitively high penalties.
At the same time, the legislation promises to open up new business models to companies in the telecoms and digital space by allowing even personally identifiable data to be harvested and used, as long as the necessary consents and safeguards are being maintained to avoid abuse of people’s privacy and to ensure that users can require compensation for the use of their data.