ePrivacy? The Next GDPR directive?

We have not yet digested the GDPR legislation, or Europe is coming up with a new legislation. This time about EPrivacy. Time for an update with Sirius Legal lawyer Bart Van den Brande.

Kevin Van der Straeten
Comment on this tv episode

Do you have an account on eventplanner.net? Log in here
Do not have an account yet? Write your comment here:

Also available as a podcast:

Also on podcast:

Listen on Google PodcastsListen on Apple PodcastsListen on Shopify


We have not yet digested the GDPR legislation, or Europe is coming up with a new legislation. This time about EPrivacy. Time for an update with Sirius Legal lawyer Bart Van den Brande.


Hi Bart, welcome back to our studio.


Hello Kevin, nice to be back.


I think it was a year ago, you've been here talking about GDPR. Now EPrivacy is coming up.

But before we go to the EPrivacy stuff, first maybe a reminder of what GDPR is.


A short reminder.




We've been working almost exclusively in GDPR for the past two years.

And what I've seen with a lot of our clients, is that they have difficulty in understanding what GDPR means for them.

And actually, it's pretty easy. GDPR is two types of things.

On the one hand it's a series of administrative organisational obligations. You have to review a certain number of contracts. You have to build a data register. You have to do a data protection impact assessment. Those are things that you have to build into your organisation.

But the main focus of GDPR is very simple actually. It's the obligation, the sense of awareness that a company needs to have on how data is used within the company. Am I not collecting too much data? What am I using it for? Where is it coming from? Am I using it for the purpose that people gave it to me. Am I not building in new purposes, new uses for the same data?

The entire exercise of reviewing for yourself, as a company, how you're working with data of customers, of staff also, of suppliers, that's what GDPR brings.

And for the first time, and that's what's new in GDPR, you don't just have to make the mental exercise, but you have to document it. Because you have an obligation, a responsibility to be able to demonstrate, if something goes wrong, that you actually made the exercise in advance.

And that's the difficulty in GDPR: you have to document yourself and make sure that you can prove that you actually needed to ask people their birthday, because you needed the data for this or that purpose. That has to be documented.


Or in case of a data breach, for example.


That's the main moment in the future, where you will have to be able to prove that you did your homework correctly.

We've seen a serious rise in our neighbouring countries, in the number of data breaches that have been reported over the past year. Since there is a data breach notification obligation now.

Strangely enough in Belgium the number of notifications hasn't risen yet. But that probably has other reasons. One of the main reasons is that there is no actual enforcement today in Belgium.

Which will come in the near future.


But in most European countries we see a rise?


We see a rise in data breach notifications. We see a rise in sanctions also.

And in case of a data breach in the future, you will have to be able to demonstrate that you took all reasonable measures to prevent the data breach. And nobody can...

Technology doesn't allow to build in 100% security. Nobody is 100%...


No, even the Pentagon is hackable.


Everybody is hackable. And it's not just hacking. It's also loss of data.

We've seen a few cases with our clients, where there's no question of malignant hacking attacks. It's just pure negligence by people that work in the company and data gets lost.


Put everyone in Carbon Copy and then see how many responses you get.


For instance. But we saw...

We had a client last year, they're in e-commerce, where part of the clients orders by phone. And where, apparently, the credit card numbers of the clients that order by phone are all written down during the week. And once a week, an e-mail is sent with 5-6 different people in copy, with 10-15-20-25 credit card numbers, CVC codes, expiration dates, names of the people concerned. If that mail is sent to the wrong person, that's not a hacking attack. That's pure stupidity and that happens.


I didn't want to say that about your customer, but it is kind of stupid to do it in that way.


And if that happens in the future, then you have to be able to demonstrate that you thought about that process, in time...


You were convinced that was a very smart thing to do.


And you were convinced that was a smart idea. Which you will have a hard time explaining.


Yes, of course.

EPrivacy is new and is building up on the GDPR laws there are already.


Yes, there is, on one hand, GDPR. That's been around for a year now.

A few elements of how organisations use data, was not built into GDPR. It’s going to be built in a second regulation, EPrivacy regulation, that should've been ready now.

Actually in 2018 already. But for a number of reasons, it's unfinished work for the moment. We have European elections coming up now, next month. So, work has really stopped now. The idea is that it will be ready by 2020. Yes, 2020.

It contains a number of things, that will add a layer to GDPR. That will add a layer on the level of direct marketing. Opt-in rules for e-mail marketing or other electronic marketing. Do I need an opt-in? When do I need an opt-in? How can I get an opt-in? Those rules differ almost everywhere in Europe now.

We have 28 member states, we have 28 different regimes. In some countries, you really need a double opt-in, for instance. I give you an opt-in on your website, you send me an email and I have to confirm my opt-in, before it's valid. That's something that doesn't exist in Belgium, for instance, but it does exist in some other countries.

So, the idea is to create one level playing field in the entire European Union in the future. As far as direct marketing goes.

As far as we can see for the moment, rules in Belgium will not be affected, severely, by these changes. The system that we have today, is more or less the basis that will be applicable in the entire EU. So, that will not bring, with it, too many changes.

Something that will drastically change, over the next year, year-and-a-half, is the use of cookies on websites.


So, we all have those pop-ups, asking the user for permission.


Yes, and I'm sure you always read the information in those pop-ups.


Of course.


Nobody reads the information in the pop-ups. Nobody actually looks at the pop-ups. Everybody agrees that the pop-up banners are very annoying.

Not only consumers, but also website owners, web shop owners in the e-commerce particularly. Because any extra click in the ordering process on a web shop, means a loss of sales. So, you want to eliminate as many clicks as possible. And this is one that should be easy to eliminate.

So, it took a few years in Europe, in the European parliament, for the parliamentarians to understand that cookie rules today don't work. And the idea now is to replace the individual cookie banner warning, with the individual "I agree" on every website, on the first visit, by a general "I agree" that can be given in the settings of the browser you're using, the first time you start using the browser.

Will that work? Well, that remains to be seen.

There are a number of technical, organizational questions that need to be resolved first, I think. One of the main concerns that I have, two actually...

One is: I think we overestimate the average computer user in Europe, if we think that they understand what cookies are and that they understand...


There's a reason why all the pop-ups show an actual cookie.


I can imagine a number of people that will have a hard time diving into the settings of their browser, to choose certain categories of cookies that they will and will not accept.


Accept all or nothing.


Everything or nothing. With, in both cases, a number of consequences. That's one.

And a second is: the loss of control for users. Because, on one hand, the constant cookie pop-ups annoy me, enormously. But on the other hand, the give me control over my own decisions. I want to accept cookies from certain companies, because I trust those companies. And I want to refuse them from other companies, because I don't trust them, yet.

And if I give an okay once, in the browser settings, the first time I install my, I don't know, Firefox, or Chrome, or whatever, I lose that control, that individual control to trust certain companies and to distrust others.

So, that's something that needs to be resolved, in one way, or another. That will be resolved once the European elections are over and the parliament gets to work again. And that's the main reason why the new rules aren't 100% finalized, yet.


We have a lot of viewers or listeners worldwide. And a question we get a lot is: okay, the European legislation is obviously for everybody, every company in Europe.

But what if I have a ticketing company in the States? Do I also have to comply?


If you have a ticketing company in the States and you serve European customers, from the States, then you have to comply to GDPR.

From the moment that you offer services within the European Union, aimed at citizens of the European Union, even if those citizens are only Americans, living in the EU, even then, you have to comply to GDPR. You have to comply to all aspects of GDPR. Which is not always easy in the US. Because there is a serious difference in the way privacy legislation is perceived in the US, compared to the EU. There is Patriot Act and others, that give access to governments, to systematically actually all data that is being processed. Which is a serious issue.


Then you need to have permission from your customers.


You need to be very careful. You have to inform your customers on who you're sharing data with. In detail. Which would also mean, in the US, security services, the Government.

You have to get a permission, in most cases, from the clients, the customers concerned. In certain cases you will have to designate a Data Protection Officer, because you're treating sensitive data or you're treating a lot of data. If you're in the US, good luck finding a qualified Data Protection Officer.

GDPR says that you can only work with subcontractors that will process your data, if the sub-processor can guarantee that it in itself also respects GDPR.

That means that a ticketing company in the US, that uses a hosting company, that uses a web hoster, that uses a direct marketing firm, has to make sure that all of those partners also comply to GDPR, which is not easy.


That's the reason we see a lot of websites, just close down for Europe.


For Europeans. Unfortunately, yes.

Now, on the other hand, we see an evolution in a lot of countries around the world. Also, in certain states in the US. Where over the past 18 months GDPR-like legislation has been passed.

California has Data Protection Act, that is more or less the same as our GDPR.


GDPR is being the example there, because it's the strictest in the world.


It's serving as an example, but in itself, GDPR is based on older guidelines by the UN, for instance. So GDPR is not new. It's based on international standards, that are accepted throughout the world. But it's the first exhaustive set of rules on data processing, data protection, in the world. And it's serving as an example, for Brazil, for Russia, for Japan, for Australia, for certain states in the US. That are also implementing...


For Russia?


Yes, well, for China, for instance. China has a very interesting new Data Protection Act, that is very GDPR-like. Which is something that you wouldn't expect.


With one exception: their own government.


Probably, yes. But they have rules that have to protect consumers against companies, now.


Bart, thank you very much for coming over.


You're welcome.


And you at home, thank you for watching our show. I hope to see you next week.