This post was originally published on the Covington InsidePrivacy blog on January 19, 2018.
On January 12, the International Consumer Electronics Show (CES) in Las Vegas closed its doors for another year. Each CES raises a new set of technology themes, ranging from robots to smart fridges — and this year, the winner was voice technologies. Such technologies, while not entirely new, are now becoming mainstream: sales of smart speakers like Amazon’s Echo more than tripled in 2017, and it is now estimated that one in six Americans owns a smart speaker. It is always difficult to predict the future, but voice-enabled cars, home appliances, and other devices are all either on the way or already on the market, and the potential for voice interfaces to become new “platforms” — supporting third-party services just like smartphones supported apps — is now clear to us all.
On the other side of the Atlantic, however, policymakers are going in another direction. The European Union’s Council, made up of representatives of the 28 EU Member State governments, has been hard at work negotiating its preferred version of the next EU privacy law beyond the General Data Protection Regulation, known as the E-Privacy Regulation (EPR). Just as the GDPR is built upon a predecessor law, the Data Protection Directive, so too is the EPR envisaged as an update to an existing law, the E-Privacy Directive.
The EPR is still a draft, and subject to further revision. However, many of its key features are already largely clear. One of the main purposes of the EPR is to “level the playing field” between traditional (e.g., copper, fibre, mobile and satellite-based) telecommunications providers and new upstart technology providers (for example, those offering instant messaging or VoIP communication services), so that all market players are bound by the same privacy rules. In practice, this likely means that rules previously limiting how telecommunications companies can use certain types of communication data will be expanded to cover a much greater range of technology providers. As a result, many technology providers previously outside the scope of the legacy E-Privacy Directive may well find themselves regulated by the EPR.
Where the EPR applies, it is likely to significantly limit how voice communications data can be used.
- The EPR proposes a broad prohibition on the processing of electronic communications data in Article 5, except for use by end-users of communication systems, or where otherwise permitted in the EPR.
- The EPR then sets out grounds for processing in Article 6. These grounds are far more limited, however, than the array of options provided for in Article 6 of the GDPR. For example, the legitimate interest grounds; the grounds of processing that is necessary for performance of a contract; and even the grounds of processing where necessary for the vital interests of an individual, are all absent. Instead, in many cases, the only grounds available to providers to process voice communications will be consent — of either one end-user, or, in some cases, both. Even where consent applies, additional requirements — such as prior consultation with a data protection authority — may also apply.
- The EPR also sets out strict limits on the retention of electronic communications data in Article 7 (although deletion of covered data does not appear to be required where grounds under Article 6 continue to apply).
The upshot is that the EPR may, if adopted as drafted, set out significant limits on the ability of providers to collect and/or use electronic communications data — including many voice communications — for purposes such as product research, design, refinement, and development. Providers, hard at work generating new products and features, should look up and take note.