Ahead of the introduction of the EU’s General Data Protection Regulation (GDPR), the GSMA has highlighted the busybody bureaucrats should not get too excited with their favourite pastime of coating the industry with red-tape.

The regulation comes into effect this Friday (May 25th) launching a mad dash for the finish line. Insiders have told us many firms are doing their best duck impression, calmly floating on the surface, while flapping vigorously below trying to get in-line with Europe’s demands. It’s almost like some were caught by surprise by the rule changes, because it was only the privileged who were given almost two years to prepare.

While the risk of hefty fines, 3% of annual revenues or €20 million (whichever is greater), is enough to keep you awake at night, this is not what is worrying the GSMA. The associations concerns are more to do with the red-tape fiends over-complicating rules, and creating inconsistencies, mostly with the upcoming ePrivacy Regulation (ePR).

“Consumers should rightfully celebrate the new protections the GDPR brings them,” said John Giusti, Chief Regulatory Officer at the GSMA. “The GDPR is driving up standards of responsible data governance, not only in the EU, but also around the world, stimulating efforts to find a common ground for data privacy.

“However, the benefits of GDPR could easily be undermined if the current regulatory imbalance between the telecommunications industry and other players in the digital world is not resolved. Telecom operators are still subject to additional obligations vis-à-vis other digital players imposed by the ePrivacy Directive. When the European Council shortly decides on their position on the proposal to replace the current directive with an ePrivacy Regulation (ePR), we must not ignore the impact of the ePR on both existing and future services that are critical to Europe’s digital growth.”

These are rules which have not been fully addressed by the industry as of yet, primarily because most are panicking about getting everything in order for GDPR. The rules will be an update of the EU’s existing ePrivacy legal framework, specifically the EU ePrivacy Directive which goes back to 2002 and was revised in 2009. A lot has changed in the last nine years, so it would be fair to assume ensuring compliance for ePR might be as complicated as GDPR.

ePR focuses specifically on electronic communications and the right of confidentiality and data/privacy protection. In short, ePR builds on definitions of privacy and data that will be introduced within GDPR, and acts to clarify and enhance it. In particular, the areas of unsolicited marketing, Cookies and Confidentiality are covered in a more specific context. While GDPR was created to enshrine Article 8 of the European Charter of Human Rights in terms of protecting personal data, ePR will enshrine Article 7 in respect to a person’s private life.

The legal and regulatory world is a complicated one, but in enhancing an individual’s privacy through ePR, regulators will have to ensure they don’t contradict anything which is said in GDPR, but also leave enough flexibility in rules for companies to explore new business models and services for the future digital economy. It is a complicated task, and the GSMA isn’t being paranoid in expressing its concerns.