EDPS and the ePrivacy Directive Review

April 23, 2008

The European Data Protection Supervisor (EDPS), who in flesh and blood is Peter Hustinx, adopted an Opinion on the European Commission’s proposal amending, among others, the Directive on Privacy and electronic communications, usually referred to as the ePrivacy Directive. The Opinion was published on the EDPS Web site on 14 April and can be accessed here.

On the whole, the EDPS supports the Commission’s drive to enhance the protection of individuals’ privacy and personal data in the electronic communications sector. He particularly welcomes the proposed creation of a mandatory security breach notification system and the possibility for legal persons, such as consumer associations and ISPs, to take legal action against spammers. The clarification regarding the inclusion of a number of RFID applications in the scope of application of the Directive also represents significant progress.

The EDPS however expresses the view that the opportunity offered by the review should be used to its full potential so as to ensure that the proposed changes effectively provide for a proper protection of personal data and privacy. Peter Hustinx stated ‘I welcome the approach followed by the proposal which is in line with views expressed in previous opinions. However, the proposed amendments to the Directive are not as ambitious as they should be. In dealing with new issues, such as the setting up of a mandatory security breach notification system, the proposal remains too restrictive in its scope’.

In particular, the EDPS is calling for further improvements to the Directive that should include the following:
• security breach notification: the obligation to notify any breach of security should not only apply to providers of public electronic communication services in public networks but also to other actors, especially to providers of information society services which process sensitive personal data (e.g. online banks and insurers, online providers of health services, etc.);
• scope of the Directive: the rising importance of semi-public and private networks in everyday life requires that such services be subject to the same set of rules as apply to public electronic communication services. The Directive should therefore broaden its scope of application to include providers of electronic communication services also in mixed (private/public) and private networks;
• right of action against spammers: the new possibility given to legal persons to take action against those who infringe spam provisions should be extended to cover infringement of any provision of the ePrivacy Directive.

The EDPS states that he is hopeful that the EU legislator will take into account the comments and recommendations set out in his Opinion in a bid to tackle some issues that he feels are not properly dealt with in the current Directive.