Oct 5, 2017 — The proposed ePrivacy Regulation, once adopted, will update the “rules of the road” for privacy and electronic communications.
Postal address: rue Wiertz 60 – B-1047 Brussels. Offices: rue Montoyer 30. E-mail: email@example.com – Website: www.edps.europa.eu. Tel.: 02-283 19 00 – Fax: 02-283 19 50

5 October 2017

The proposed ePrivacy Regulation, once adopted, will update the “rules of the road” for privacy and electronic communications. It will modernise existing principles, clarify the technological requirements and provide for effective enforcement. The EDPS issued his advice on the ePrivacy review in a Preliminary Opinion (5/2016) and on the proposed Regulation in Opinion 06/2017. Given developments in deliberations on the proposal, and for the benefit of the co-legislator, we have decided to offer advice and clarifications on some specific issues, in line with our previous opinions.

These recommendations focus on the need to ensure legal certainty and a high level of protection of the fundamental rights to privacy and data protection.

The ePrivacy Regulation should reflect the importance of the principle of confidentiality of communications, which is closely linked to the right to private life and as such is protected by the EU Charter of Fundamental Rights, the European Convention on Human Rights, and the constitutional and legal orders of most of the Member States. The confidentiality of communications encompasses both content and metadata, as well as data related to the terminal equipment. This should be adequately reflected in the permitted purposes of processing and the legal bases of processing. These considerations apply to all provisions of the ePrivacy Regulation.

The ePrivacy Regulation should provide for genuine protection in line with current and anticipated technological developments, in particular in the context of machine-to-machine communications. Therefore, we support amendments explicitly providing for data related to or processed by terminal equipment. The confidentiality of communications should also be ensured when data are stored in the cloud rather than only in transmission.
The approach according to which the ePrivacy Regulation particularises and complements the GDPR should be maintained to reflect the importance of the confidentiality of communications. The ePrivacy Regulation should not lower the level of protection as foreseen in the GDPR. Instead, a higher level of protection than the one the GDPR offers should be provided. At the same time, unnecessary repetitions of GDPR provisions should be avoided for the sake of clarity and legal certainty: selectively repeating some GDPR provisions risks failing to include important provisions.
Broad legal bases for processing of communications data by reference to the GDPR or by re-stating the GDPR would undermine the rationale for a specific legal instrument and would not adequately reflect the importance of the confidentiality of communications enshrined in both the Charter of Fundamental Rights and the CJEU and ECtHR case law. In particular, there should be no possibility under the ePrivacy Regulation to process metadata under the legitimate interest ground. Allowing processing on the legitimate interest ground would significantly lower the standards applicable today under the ePrivacy Directive 2002/58/EC and put into question the added value of the draft Regulation. Similarly, further processing of metadata would create a loophole and allow circumventing the high level of protection. Data related to the terminal equipment should be processed only upon consent or if technically necessary for a service requested by the user, and only for the duration necessary for this purpose. We, therefore, support amendments which remove the broad legal basis for tracking of individuals across time and space for any purpose.

Appropriate definitions are crucial to implement the protection of the fundamental rights. Therefore, we support amendments that provide for standalone definitions, replacing the reference to the European Electronic Communications Code, ensuring that consent, when a legal entity subscribes to a service, is given by the natural person who is using the service and/or the technical equipment. We also support that services merely provided as ancillary. Finally, we strongly recommend that the definition of metadata shall not exclude data not required for the purpose of transmitting electronic communications content nor for the provision of the service. In this way, no loopholes are created for the processing of these data on the basis of the GDPR.
Consent under the ePrivacy Regulation must have the same meaning as in the GDPR, including that it must be freely given and specific.

o Therefore, we support amendments clarifying that all GDPR provisions, including Article 4(11) on the definition of consent, Article 7 and Article 8 GDPR, apply also for purposes of the ePrivacy Regulation.

o We support amendments that clarify that access to services and functionalities must not be made conditional on consenting to the processing of personal data and the processing of information related to or processed by the terminal equipment of end-users;

o We also welcome amendments requiring that the technical settings enabling user control under Article 9 should allow for sufficient granularity. This requirement reflects the rule in the GDPR that consent, to be specific, shall be given for specified purposes and for specific data controllers (here providers). As mentioned above, there should be no unnecessary repetitions of the GDPR. Therefore, we recommend that the settings shall

Without appropriate technical privacy settings, expressing and withdrawing consent in an on-line, highly sophisticated environment can be substantially hampered. We therefore support amendments strengthening Article 10 and requiring privacy protective settings by default. Moreover, privacy settings should genuinely support expressing and withdrawing consent in an easy, binding and enforceable manner against all parties. should become a substantive provision and a legal requirement. Accordingly, end-users to change their privacy settings at any time during use and to allow the user to make exceptions for or to whitelist certain websites or to specify for which websites (third) party cookies are always or never.

Any restrictions on rights under Article 11 should properly reflect the importance of the confidentiality of communications, in line with the CJEU settled case-law. For this reason, the restrictions should be more limited in scope than in the GDPR, and specific obligations should be provided towards enhancing transparency of access requests. When restricting the scope to serious crimes, this notion should be further defined. The minimum requirements for a legislative measure from Article 23(2) should apply in all cases.

The Data Protection Authorities should be entrusted with the supervision of the ePrivacy Regulation. As the supervisory authorities in charge of ensuring compliance with the GDPR, they are best placed to ensure legal certainty and consistent application between the two, strongly interrelated, legal instruments. Moreover, the DPAs will be uniquely placed to deliver consistent application of the ePrivacy Regulation throughout the Union thanks to the European Data Protection Board.

Protection against unsolicited communications should be effective. We therefore welcome amendments that provide that semi-automated calling systems are permitted only upon consent, and call on the EU legislator to ensure that such systems are clearly included in the definition. We also welcome amendments that provide for effective technical measures, in particular the combined application of presenting the calling line and using a prefix to identify unsolicited calls, and support broadening the scope of protection to all forms of unsolicited communications rather than only direct marketing communications.

The following pages provide our specific recommendations on the key points highlighted above.
One of the main potential benefits of the draft ePrivacy Regulation is that – as the ePrivacy Directive today – it would provide additional protection for electronic communications by limiting and specifying the legal grounds on which these data can be processed. We welcome the proposed amendments to Article 6, which clarify that electronic communications data may be processed [on the legal grounds specified in the ePrivacy Regulation]. This Article, as amended, helps ensure clarity and legal certainty regarding the fact that other legal grounds, such as the legitimate interest ground, are not applicable for processing under the Proposed Regulation. We also welcome LIBE 4, which also clarifies, by amending recital 5, that processing should only be permitted. As an additional improvement we would recommend rephrasing this sentence in order to make this provision applicable to any parties, not just providers of electronic communications services. We would further welcome, as advocated in our Opinion, amendments which would specify, in a substantive provision, that neither providers of electronic communications services nor any third parties shall process personal data collected on the basis of consent or any other legal ground under the ePrivacy Regulation on any other legal basis not specifically provided for in the ePrivacy Regulation.

Some amendments propose an additional exemption to the confidentiality of communications based on the legitimate interest of service providers and other parties to process electronic communications data. Neither the current ePrivacy Directive nor the Proposed Regulation contain such an exemption, and the Draft Report also did not propose any such exemptions, neither for metadata nor for content.
The data protection authorities and independent experts support this position and all agree in their assessment that an additional exemption on legitimate interest grounds, either for metadata or for content, would risk creating a loophole and would take away much of the protection provided by the ePrivacy Regulation for the confidentiality of communications. The legislator should keep in mind that the information about the circumstances of communications and who participated in them is explicitly protected by the fundamental right to communications secrecy, and as such it is protected by the constitutions and legal orders of many Member States. Allowing the processing of communications-related data without consent or a limited purpose which is specifically and with sufficient precision laid down in the legislation could affect the very essence of this fundamental right and end the tradition of trustworthy messengers.
For these reasons, we strongly oppose any amendments that would introduce the ground of legitimate interests as a basis for processing under the ePrivacy Regulation.

Any possibility for further processing must not create a back-door to the high level of protection of confidentiality of communications. We would welcome amendments introducing a provision to clarify that when the processing is allowed under any exception to the prohibitions under the ePrivacy Regulation, any other processing on the basis of Article 6 of the GDPR should be considered as prohibited, including processing for another purpose on the basis of Article 6(4) of the GDPR. This should not prevent controllers from asking for additional consent for new processing. We take note of amendments introduced to Article 7, suggesting that process the data in accordance with [the GDPR], if applicable. This clarification may also be acceptable, in addition to the amendments suggested above. At the same time, we strongly oppose any amendments that would allow further processing more broadly, as this would seriously undermine the protection of confidentiality of communications and create a dangerous loophole allowing circumvention of the Regulation, as explained in our Opinion.

In the Opinion, we argued that the ePrivacy Regulation must not only clearly provide for the confidentiality and security of communications while in transit but must also protect the confidentiality and security of end user equipment and communications data stored in the cloud. We recommended that Article 5 and Recital 15 of the Proposal should be revised to clearly cover both situations. To this end, we would further suggest extending this provision to also cover communication data not only in transit but also when stored by the provider or any other party (a typical case may be content of emails stored in the cloud).
Amendments to Article 5 specifying that the prohibition set forth in paragraph 1 shall also apply to data stored after the transmission has been completed (see LIBE 399 and 400) are a good example of the type of language that may be used to this effect. The language used in LIBE 401 may also be helpful.

As explained in our Opinion, the protection of communications privacy should not be dependent on whether humans themselves speak or listen, type or read the content of a communication, or whether they simply rely on the increasingly smart features of their terminal devices to communicate content on their behalf. To this end, we support amendments (based on LIBE 59, 409, 410) providing that confidentiality of electronic communications shall also apply to data related to or processed by terminal equipment. Another way of formulating the same provision could be: the prohibition set forth in paragraph 1 shall also apply to data related to or processed by terminal equipment.

The protection of data related to terminal equipment should be implemented in line with technological developments, and consistently with the principle of confidentiality of communications and with the rule that the ePrivacy Regulation should not lower the level of protection provided by the current ePrivacy Directive and the GDPR. We therefore welcome the amendments that require the consent of the user and remove the overbroad exception in Article 8(2)(b) of the Commission Proposal. We also welcome that the information provided to users is turned into an additional requirement in line with the principle of transparency and does not become a legal basis for tracking of individuals across time and space for any purpose. We support amendments that clarify that when the processing is permitted for the sole purpose of establishing a connection, this is limited to the time necessary.

At the same time, we do not encourage detailed additional legal grounds to be added to the ePrivacy Regulation to provide further, specific exceptions (with a possible, very narrowly-). Nevertheless, if such detailed exceptions were to be proposed as part of a compromise at any stage of the legislative process, it must be ensured, at a minimum, that they are drafted in such to the proposed legal grounds relating to establishing a connection, security updates, employment relationships, and web audience measuring. With regard to we recommend, at the minimum, adding of processing is limited to mere statistical opt-. With regard to , we endorse amendments that specify that , we reiterate our concern that this ground must be narrowly tailored and interpreted and should not be unduly broadened during does not adversely affect the fundamental rights of the . With regard to we recommend, at a minimum, that security updates . With regard to proposed exceptions in the employment context, any exception must be limited to cases where the employer provides and/or is the subscriber of the terminal
5.3 Definition of Metadata

The proposed amendments show that MEPs are aware of the privacy and data protection risks of processing metadata. Notwithstanding this awareness, the amendments continue to follow the approach of the Proposal and limit the notion of metadata processed for . While these definitions encompass a large part of metadata, this definition is not exhaustive as it neglects any metadata that is neither required for the purpose of transmitting, distributing or exchanging electronic communications content nor processed for the provision of the service. An example for this is location data in an instant messaging application. Thus, the EDPS proposes to change the definition to cover all metadata, as follows: communications network data broadcast or emitted by the terminal equipment that provides additional information about the communication or is used to identify end- or to enable it to connect to such network or to other terminal equipment. It includes, but is not limited to, data used to trace and identify the source and destination of a communication, data on the location of the device and the date, time, duration and type of communication.

With regard to Article 9(1), we would welcome amendments clarifying that all GDPR provisions relating to consent (including Article 8 of the GDPR) apply also for purposes of the ePrivacy Regulation. In particular, we would welcome the following text: The definitions of and conditions for consent provided for in Regulation (EU) When this is may be omitted. The elements of consent, notably a freely given consent, imply that the processing does not have adverse effects on the rights and freedoms of individuals.
We therefore welcome amendments requiring that any processing based on consent must not adversely affect the rights and freedoms of individuals whose personal data are related to or transmitted by the communications. We strongly support amendments which reinforce the principle that consent must be freely given, and prohibit take-it-or-leave-it approaches. In particular, we support the proposed amendments to Article 6, which clarify that consent to the processing must not be to a . This should apply to processing of both content and metadata. Similar proposed amendments to Article 8, clarifying that consent must not be a , are also welcome. We also welcome the proposed amendments requiring that service or functionality, regardless of whether this service is remunerated or not, on the ground that he or she has not given his or her consent under Article 8(1)(b) to the processing of personal data and/or use of the storage capabilities of his or her terminal equipment that is not necessary for the provision of that service or functionality.

With regard to Article 9(2), we welcome amendments requiring that the technical settings referred to in this paragraph should allow for sufficient granularity in terms of purposes and providers, while avoiding unnecessarily repeating provisions of the GDPR. As an alternative to further improve current amendments, the provision may provide instead that the settings shall . These amendments should further specify that the preferences . We would also support additional clarifications that if a user provides consent, this shall update the pre-existing privacy settings. This update, however, should be limited to the processing requested by the user for this particular service. (For example, a user may agree to be tracked on a particular news website by a specific ad network. However, this should not permit the same ad network to track the user on a different website, unless the user has also specifically consented to be tracked when visiting that other website.)

We would strongly welcome amendments that would strengthen Article 10 and would require privacy protective settings by default. Accordingly, we recommend that software placed on the market permitting electronic communications, by default, offer privacy protective settings to prevent anyone other than the user from storing information on the terminal equipment of the user and from processing information already stored on that equipment. We would also welcome amendments (see LIBE 639, 640) for the requirements of data protection by default to apply not only to software but also to hardware providers.
This would provide a stronger and more direct incentive for providers of Internet of Things (IoT) devices to consider data protection by default and by design.

Finally, we consider it crucial that users should have an easy way to give or withdraw their consent at a granular level, for specific purposes and with regard to specific service providers, at any time during or after installation of the software. This should include easy ways to update their privacy settings (e.g. add or remove one or several specific organisations to their individual, customised white-lists and/or black-lists saved in their privacy settings), without having to go through a range of settings and options each time they navigate to a different website. In practice, this could mean that individuals visiting a website and encountering a new request for consent could update their privacy settings directly by clicking one of the options offered on the website, and their choice will then be stored in their privacy settings. If the individual wishes to withdraw his or her consent, this should also be done in a similar, easy manner. The last sentence of recital 24 of the Proposal already hints at such a possibility, providing that end-users to change their privacy settings at any time during use and to allow the user to make exceptions for or to whitelist certain websites or to specify for which websites (third) party cookies are always or never. We recommend that this become a substantive provision and a legal requirement. Further, this legal requirement should be applicable not only to web-browsers, but also to any providers coming under the scope of Article 10. Accordingly, we recommend that Article 10 include a requirement that hardware and software placed on the market permitting electronic communications shall

The EDPS supported in his Opinion the approach of the Proposal pursuant to which only selected grounds listed in Article 23(1) of the GDPR can be accepted as grounds for restricting the scope of certain rights and obligations set out in the ePrivacy Regulation. Respect of confidentiality of communications as enshrined in Article 7 of the Charter is essential for the exercise of other fundamental rights and it has thus a distinct role to play. This role is recognised in the constitutional traditions of many Member States, which provide for a separate right protecting the confidentiality of communications. Some of these constitutional traditions limit the possibility to restrict this right to the purpose of combatting serious crimes only. We therefore support amendments towards a less intrusive degree of interference which limit the categories of public interest to those specified in Article 23(1)(a) to (d) of the GDPR.

It follows from the CJEU case law that an interference with the rights enshrined in Articles 7 and 8 shall be strictly necessary. The condition of strict necessity is a horizontal one, irrespective of the sector at issue, such as commercial or law enforcement. We support amendments that refer to the strict necessity of a measure limiting the rights provided for in Article 5 of the ePrivacy Regulation. We also support, in accordance with the Opinion, amendments which require that Union or Member State laws which restrict the rights should at least contain a set of provisions that help ensure legal certainty and a minimum set of safeguards. In fact, this requirement implements settled case law on the conditions for a lawful limitation of fundamental rights.
For instance, a law that does not provide for the purpose of processing or for the categories of data will not resist judicial scrutiny, as it lacks foreseeability, undermines legal certainty, and the necessity of the legislative measure cannot be demonstrated either. Consequently, reference to Article 23(2) GDPR is all the more required where the law provides for a restriction of the right to confidentiality as provided for in Article 5 of the ePrivacy Regulation. Given the need to provide for clear and precise rules capable of passing the necessity test, amendments which refer to serious crime should further define the degree of seriousness, as such a definition cannot be left entirely to the Member States.

Finally, we support the greatest possible transparency of access requests. To this end, and in accordance with the Opinion, we support amendments introducing periodic reporting obligations of the providers vis-à-vis the supervisory authorities (in addition to the obligation, already foreseen in the Proposal, to provide information upon request by the supervisory authorities). We also support amendments imposing an obligation on the providers to publish information on access requests.

Restrictions on the rights under Article 11 may include technical measures to gain access to communications data. The EDPS supported in his Opinion the right of the users to use encryption and the prohibition of any measures reversing encryption. We therefore support amendments prohibiting the overall weakening of confidentiality and integrity of electronic communications (for instance, by mandating to build in backdoors). Based on the foregoing, we would welcome amendments based on LIBE 776-780.

In his Opinion, the EDPS supported the Proposal, which entrusted data protection authorities with the supervision of the ePrivacy Regulation. We continue to support this approach, as it ensures legal certainty and consistent application of the data protection avoids possible duplication of roles amongst DPAs and other authorities, including overlapping of competence, for example if an authority other than the DPA would be competent for confidentiality of communications, which entails the processing of personal data. We also oppose amendments that provide for the representation of all national competent authorities in the EDPB, as they would significantly change the institutional setup as set forth in the GDPR and would bring additional – and possibly unmanageable – complexity. The current rules provide that members of the EDPB are only DPAs and, in case of more than one DPA, the Member States have to designate a joint representative. On the other hand, we support amendments reinforcing cooperation of National Regulatory Authorities with the DPAs. These amendments calling for a reciprocal cooperation obligation complement the Commission Proposal, which already included a unilateral obligation for DPAs to cooperate with National Regulatory Authorities.

Finally, effective supervision can only be delivered when adequate resources are effectively provided. According to the GDPR, the EDPS is responsible for providing the Secretariat to the EDPB, including staff. We would therefore suggest including a provision requiring the Member States and the EU budgetary authority to ensure adequate resources for national DPAs and the EDPS, respectively.

We welcome amendments replacing the word “or” between paragraphs 16(3)(a) and (b) by “and”.
In effect, these amendments will make sure that the presentation of the identity of a line on which the natural or legal person placing the call can be contacted (Article 16(3)(a)) and the use of a specific code/prefix to identify it as a marketing call (Article 16(3)(b)) will not remain alternatives, as provided in the Proposal; rather, they will both be mandatory. We also welcome amendments which update the current wording in line with technological changes. We welcome amendments providing that semi-automated telephone calls (i.e. those using automated systems to eventually connect an individual to the called person) be treated the same way as fully automated systems, and thus would require prior (opt-in) consent. In this case, national or European do-not-call registries could be considered for (purely) voice-to-voice calls (not including semi-automated calls).