EDPS Offers Further Recommendations on the Draft ePrivacy Regulation

October 5, 2017

Building on his earlier Opinion,
Giovanni Buttarelli, the EDPS, has published a series of recommendations which ‘focus
on the need to ensure legal certainty and a high level of protection of the
fundamental rights to privacy and data protection’.

The following ‘key messages’ are set out at the beginning of
the detailed points raised in the document.

The ePrivacy Regulation should reflect the importance of the
principle of confidentiality of communications which is closely linked to the
right to private life and as such protected by the EU Charter of Fundamental
Rights, the European Convention of Human Rights, and constitutional and legal
orders of most of the Member States. The confidentiality of communications
encompasses both content and metadata and data related to the terminal
equipment. This should be adequately reflected in the permitted purposes of
processing and the legal bases of processing. These considerations apply to all
provisions of the ePrivacy Regulation.

The ePrivacy Regulation should provide for a genuine
protection in line with current and anticipated technological developments, in
particular in the context of machine-tomachine communications. Therefore, we
support amendments explicitly providing for the protection of the
confidentiality of communications to ‘data related to or processed by terminal
equipment’. The confidentiality of communications should also be ensured when
data are stored in the cloud rather than only in transmission.

The approach according to which the ePrivacy Regulation
particularises and complements the GDPR should be maintained to reflect the
importance of the confidentiality of communications. The ePrivacy Regulation
should not lower the level of protection as foreseen in the GDPR. Instead, a
higher level of protection than the one the GDPR offers should be provided. At
the same time, unnecessary repetitions of GDPR provisions should be avoided for
the sake of clarity and legal certainty: selectively repeating some GDPR provisions
risks failing to include important provisions.

Broad legal bases for processing of communications data by
reference to the GDPR or by re-stating the GDPR would undermine the rationale
for a specific legal instrument and would not adequately reflect the importance
of the confidentiality of communications enshrined in both the Charter of
Fundamental Rights and the CJEU and ECtHR case law. In particular, there should
be no possibility under the ePrivacy Regulation to process metadata under the
legitimate interest ground. Allowing processing on legitimate interest ground
would significantly lower the standards applicable today under the ePrivacy
Directive 2002/58/EC and put into question the added value of the draft
Regulation. Similarly, further processing of metadata would create a loophole
and allow circumventing the high level of protection. Data related to the
terminal equipment should be processed only upon consent or if technically
necessary for a service requested by the user and only for the duration
necessary for this purpose. We, therefore, support amendments which remove the
broad legal basis for tracking of individuals across time and space for any

Appropriate definitions are crucial to implement the
protection of the fundamental rights. Therefore, we support amendments that
provide for standalone definitions, replacing the reference to the European
Electronic Communications Code, ensuring that consent, when a legal entity
subscribes to a service, is given by the natural person who is using the
service and/or the technical equipment. We also support that services merely
provided as ancillary features should be included in the definition of ‘interpersonal
communications services’. Finally, we strongly recommend that the definition of
metadata shall not exclude data not required for the purpose of transmitting
electronic communications content nor for the provision of the service. In this
way, no loopholes are created for the processing of these data on the basis of
the GDPR.

Consent under the ePrivacy Regulation must have the same
meaning as in the GDPR, including that it must be freely given and specific.

Therefore, we support amendments clarifying that
all GDPR provisions, including Article 4(11) on the definition of consent, Article
7 and Article 8 GDPR, apply also for purposes of the ePrivacy Regulation.

We support amendments that clarify that access
to services and functionalities must not made conditional to consenting to the
processing of personal data and the processing of information related to or
processed by the terminal equipment of end-users;

We also welcome amendments requiring that the
technical settings enabling user control under Article 9 should allow for
sufficient granularity. This requirement reflects the rule in the GDPR that
consent to be specific shall be given for specified purposes and for specific
data controllers (here providers). As mentioned above, there should be no
unnecessary repetitions of the GDPR. Therefore, we recommend that the settings
shall ‘allow the user to actively select the purposes and the service

Without appropriate technical, privacy settings expressing
and withdrawing consent in an on-line, highly sophisticated environment can be
substantially hampered. We therefore support amendments strengthening Article
10 and require privacy protective settings by default. Moreover, privacy
settings should genuinely support expressing and withdrawing consent in an
easy, binding and enforceable manner against all parties. This includes that
the last sentence of recital (24) of the Commission’s proposal should become a
substantive provision and a legal requirement. Accordingly, end-users shall be
given the possibility ‘to change their privacy settings at any time during use
3 and to allow the user to make exceptions for or to whitelist certain websites
or to specify for which websites (third) party cookies are always or never

Any restrictions on rights under Article 11 should properly
reflect the importance of the confidentiality of communications, in line with
the CJEU settled case-law. For this reason, the restrictions should be more
limited in scope than in the GDPR, and specific obligations should be provided
towards enhancing transparency of access requests. When restricting the scope
to serious crimes, this notion should be further defined. The minimum
requirements for a legislative measure from Article 23(2) should apply in all

The Data Protection Authorities should be entrusted with the
supervision of the ePrivacy Regulation. As the supervisory authorities in
charge of ensuring compliance with the GDPR, they are best placed to ensure
legal certainty and consistent application between the two, strongly
interrelated, legal instruments. Moreover, the DPAs will be uniquely placed to
deliver consistent application of the ePrivacy Regulation throughout the Union
thanks to the European Data Protection Board.

Protection against unsolicited communications should be
effective. We therefore welcome amendments that provide that semi-automated
calling systems are permitted only upon consent and call on the EU legislator
to ensure that such systems are clearly included in the definition for ‘automated
calling and communication system’. We also welcome amendments that provide for
effective technical measures, in particular the combined application of
presenting the calling line and using a prefix to identify unsolicited calls,
and support broadening the scope of protection to all forms of unsolicited
communications rather than only ‘direct marketing communications’.