The European Data Protection Supervisor has taken the unusual step of putting forward a Second Opinion on the proposals for review of the ePrivacy Directive. He is concerned that safeguards have been removed in the political settlement made by the EU Council and that EU citizens are at risk as a result.
On 13 November 2007, the European Commission adopted proposals amending, among others, the Directive on privacy and electronic communications, usually referred to as the ePrivacy Directive. Those proposals were amended in the course of discussions at the European Parliament and the EDPS (Peter Hustinx) was broadly supportive of the changes made, seeing them as consistent with the suggestions he had made in his first opinion. Since then the Council has finalised a ‘Common Position’ which includes further amendments weakening protection, including narrowing the reach of the security breach notification requirements – a change that the EDPS sees as of great importance.
In his second opinion, drafted in the hope that the European Parliament will reinsert the safeguards, the EDPS states that he is concerned about the content of the Common Postion, in particular because ‘in quite a few cases, provisions in the Amended Proposal and EP amendments, offering safeguards to the citizens, are deleted or substantially weakened. As a result, the level of protection afforded to individuals in the Common Position is substantially weakened’.
The Opinion of the EDPS makes for interesting reading for those closely involved in the politics of data protection but it is of considerable importance to for practitioners too – it sheds considerable light on the important changes in drafting that the Council has made. For example, the EDPS is concerned about the limited applicability of the security breach notification requirement. The revised proposals have very limited application: ‘the EDPS believes that from a public policy perspective it is critical to ensure that information society services which include online businesses, on-line banks, on-line health providers etc. are also covered by the notification requirement’.
The 20-page opinion is worth reading in full and can be found here.