The European Data Protection Supervisor has published recommendations on specific aspects of the proposed ePrivacy Regulation
Building on his earlier Opinion, Giovanni Buttarelli, the EDPS, has published a series of recommendations which ‘focus on the need to ensure legal certainty and a high level of protection of the fundamental rights to privacy and data protection’.
The following ‘key messages’ are set out at the beginning of the detailed points raised in the document.
The ePrivacy Regulation should reflect the importance of the principle of confidentiality of communications which is closely linked to the right to private life and as such protected by the EU Charter of Fundamental Rights, the European Convention of Human Rights, and constitutional and legal orders of most of the Member States. The confidentiality of communications encompasses both content and metadata and data related to the terminal equipment. This should be adequately reflected in the permitted purposes of processing and the legal bases of processing. These considerations apply to all provisions of the ePrivacy Regulation.
The ePrivacy Regulation should provide for a genuine protection in line with current and anticipated technological developments, in particular in the context of machine-to-machine communications. Therefore, we support amendments explicitly providing for the protection of the confidentiality of communications to ‘data related to or processed by terminal equipment’. The confidentiality of communications should also be ensured when data are stored in the cloud rather than only in transmission.
The approach according to which the ePrivacy Regulation particularises and complements the GDPR should be maintained to reflect the importance of the confidentiality of communications. The ePrivacy Regulation should not lower the level of protection as foreseen in the GDPR. Instead, a higher level of protection than the one the GDPR offers should be provided. At the same time, unnecessary repetitions of GDPR provisions should be avoided for the sake of clarity and legal certainty: selectively repeating some GDPR provisions risks failing to include important provisions.
Broad legal bases for processing of communications data by reference to the GDPR or by re-stating the GDPR would undermine the rationale for a specific legal instrument and would not adequately reflect the importance of the confidentiality of communications enshrined in both the Charter of Fundamental Rights and the CJEU and ECtHR case law. In particular, there should be no possibility under the ePrivacy Regulation to process metadata under the legitimate interest ground. Allowing processing on legitimate interest ground would significantly lower the standards applicable today under the ePrivacy Directive 2002/58/EC and put into question the added value of the draft Regulation. Similarly, further processing of metadata would create a loophole and allow circumventing the high level of protection. Data related to the terminal equipment should be processed only upon consent or if technically necessary for a service requested by the user and only for the duration necessary for this purpose. We, therefore, support amendments which remove the broad legal basis for tracking of individuals across time and space for any purpose.
Appropriate definitions are crucial to implement the protection of the fundamental rights. Therefore, we support amendments that provide for standalone definitions, replacing the reference to the European Electronic Communications Code, ensuring that consent, when a legal entity subscribes to a service, is given by the natural person who is using the service and/or the technical equipment. We also support that services merely provided as ancillary features should be included in the definition of ‘interpersonal communications services’. Finally, we strongly recommend that the definition of metadata shall not exclude data not required for the purpose of transmitting electronic communications content nor for the provision of the service. In this way, no loopholes are created for the processing of these data on the basis of the GDPR.
Consent under the ePrivacy Regulation must have the same meaning as in the GDPR, including that it must be freely given and specific.
· Therefore, we support amendments clarifying that all GDPR provisions, including Article 4(11) on the definition of consent, Article 7 and Article 8 GDPR, apply also for purposes of the ePrivacy Regulation.
· We support amendments that clarify that access to services and functionalities must not be made conditional on consenting to the processing of personal data and the processing of information related to or processed by the terminal equipment of end-users.
· We also welcome amendments requiring that the technical settings enabling user control under Article 9 should allow for sufficient granularity. This requirement reflects the rule in the GDPR that consent to be specific shall be given for specified purposes and for specific data controllers (here providers). As mentioned above, there should be no unnecessary repetitions of the GDPR. Therefore, we recommend that the settings shall ‘allow the user to actively select the purposes and the service providers’.
Without appropriate technical privacy settings, expressing and withdrawing consent in an on-line, highly sophisticated environment can be substantially hampered. We therefore support amendments strengthening Article 10 and require privacy protective settings by default. Moreover, privacy settings should genuinely support expressing and withdrawing consent in an easy, binding and enforceable manner against all parties. This includes that the last sentence of recital (24) of the Commission’s proposal should become a substantive provision and a legal requirement. Accordingly, end-users shall be given the possibility ‘to change their privacy settings at any time during use and to allow the user to make exceptions for or to whitelist certain websites or to specify for which websites (third) party cookies are always or never allowed’.
Any restrictions on rights under Article 11 should properly reflect the importance of the confidentiality of communications, in line with the CJEU settled case-law. For this reason, the restrictions should be more limited in scope than in the GDPR, and specific obligations should be provided towards enhancing transparency of access requests. When restricting the scope to serious crimes, this notion should be further defined. The minimum requirements for a legislative measure from Article 23(2) should apply in all cases.
The Data Protection Authorities should be entrusted with the supervision of the ePrivacy Regulation. As the supervisory authorities in charge of ensuring compliance with the GDPR, they are best placed to ensure legal certainty and consistent application between the two, strongly interrelated, legal instruments. Moreover, the DPAs will be uniquely placed to deliver consistent application of the ePrivacy Regulation throughout the Union thanks to the European Data Protection Board.
Protection against unsolicited communications should be effective. We therefore welcome amendments that provide that semi-automated calling systems are permitted only upon consent and call on the EU legislator to ensure that such systems are clearly included in the definition for ‘automated calling and communication system’. We also welcome amendments that provide for effective technical measures, in particular the combined application of presenting the calling line and using a prefix to identify unsolicited calls, and support broadening the scope of protection to all forms of unsolicited communications rather than only ‘direct marketing communications’.