Patrick Gibbels: New EU Privacy laws are gaining momentum

With the European Commission’s proposal for a new e-Privacy Regulation finally gathering speed after years of semi-deadlock in the European Council, our columnist Patrick Gibbels explores how the new laws could impact charities and NGOs.

It’s been four years since the European Commission tabled its proposal for a new e-Privacy Regulation, but the file is once again gaining momentum. The Regulation, which will replace the existing e-Privacy Directive, will likely introduce stricter privacy rules.

At a time where public fundraising is limited, reliance on electronic communication is high. Any new measures that further increase the privacy and data protection of citizens, might reduce the ways in which charities and NGOs reach out to and keep track of existing and potential donors.

The Regulation is supposed to replace the 2002 e-Privacy Directive and specify the General Data Protection Regulation (GDPR). However, the proposal has been in a semi-deadlock in the European Council since 2017, with Member States failing to align on its specific contents. The objective of the Regulation is to reinforce trust and security in the Digital Single Market, whilst providing a measure of flexibility for stakeholders. Since one contradicts the other, this creates a win-lose situation. The Council has tabled several compromise papers, during the Presidencies of Finland, Croatia, Germany and, most recently, Portugal in an attempts to find balance.

One of the main issues for fundraisers and NGOs within the e-Privacy Regulation will lie within the areas of data processing and direct marketing. Maintaining relevant databases of donors, as well as the ability to reach out to potential donors, are crucial elements in many EFA members’ daily operations. The key issue in both areas will be explicit consent, in other words, whether an opt-in by citizens is needed and which activities will fall within the scope of this.

Another major point of discussion amongst the Member States is the ‘do not track’ standard, which is difficult to enforce in practice. This standard would have made sure that cookies and other digital trackers need to be disabled by default and from the outset – and could only be enabled with the explicit consent of the user. Such a standard would be harmful for the sector as it is unlikely that many people will go and actively enable cookies and trackers, and that is assuming they know what they are in the first place.

Most organisations have already experienced tighter rules on things like email and telephone marketing campaigns, in terms of who may be contacted and how consent must be acquired. The e-Privacy Regulation seeks to extend this much further into digital marketing by including providers of electronic communication networks or services (internet companies, such as Google and Facebook) and, more importantly, by covering not only communications data but also metadata (e.g. sender, time, location).

It will cover cookies, online identifiers, search engine directories, and direct marketing. These tools are used by fundraisers to target potential donors and will be particularly relevant to those that use ad-supported business models, given their reliance on cookies and tracking technologies. Anything that could impede their ability to track and behaviourally target ads at web users is a threat to the current modus operandi.

It is important to note that this concerns an EU Regulation. Unlike a Directive, which is the legal basis of the current e-privacy rules, Regulations are legal acts that apply automatically and uniformly to all EU countries as soon as they enter into force, without needing to be transposed into national law. They are binding in their entirety on all EU countries. Therefore, what is decided in Brussels will be implemented in the Member States unaltered and will apply to all organisations undertaking activities that fall within the scope of the Regulation.

Once the EU Council reaches a General Approach on the matter, it will enter into negotiations with the European Parliament. After both Institutions vote in favor or the final report, the Regulation will be published in the EU’s Official Journal, upon which it will become law. This means there is a limited window of influence to address any concerns EFA’s members may have to the European Parliament and Council, so that they can take these into consideration during their negotiations.

In the coming week, EFA will reach out to members with more specific information and questions.

Main image credit: Photo by Tim Mossholder on Unsplash

Patrick Gibbels, Gibbels Public Affairs

Patrick is EFA’s public affairs columnist in Brussels. He is the director of Gibbels Public Affairs. Follow Patrick @GPA_Brussels.

Read more from Patrick in our View from Brussels column here.