European Data Protection Supervisor publishes recommendations on specific aspects of proposed e-Privacy Regulation

The EDPS says that the recommendations focus on the need to ensure legal certainty and a high level of protection of the fundamental rights to privacy and data protection.

The key recommendations include:

  • any processing of communications data must be based on a legal ground under the Regulation (Article 6, recital 5) — this should apply to all parties, not just providers of electronic communications services;
  • legal grounds under the Regulation must not include legitimate interest — some amendments propose an additional exemption to the confidentiality of communications based on legitimate interest of service providers and other parties to process electronic communications data. This should be removed;
  • confidentiality of communications data shall be ensured “at rest” and for machine-to-machine communications (Article 5) — this provision should be extended to cover communication data not only in transit, but also when stored by the provider or any other party (e.g. data stored in the “cloud”);
  • data related to the terminal equipment deserves equally high protection — detailed additional legal grounds to be added to the e-Privacy Regulation to provide specific exceptions (with a possible, very narrowly tailored exception for “people-counting”) should not be encouraged;
  • appropriate definitions are crucial to implement the protection of the fundamental rights (Article 4) — the term “user” should be used consistently throughout the Regulation instead of the term “end-user”, and it must be clear that it is the individuals concerned and affected, rather than, for example, their employers or landlords, who should be in a position to provide valid consent to the processing of their communications;
  • consent must have the same meaning as in the GDPR, including that it is freely given and specific (Articles 6, 8 and 9). Technical and privacy settings should genuinely and in an easy manner support giving and withdrawing consent (Articles 9 and 10);
  • restrictions on rights and obligations should be limited in scope (Article 11) — only selected grounds listed in Article 23(1) of the GDPR should be accepted as grounds for restricting scope;
  • the weakening of confidentiality and integrity of electronic communications should be prohibited (Article 17) — this should apply both at the level of the service itself and the user’s terminal equipment;
  • supervision powers should be granted to the Data Protection Authorities (Article 18) — amendments providing for the representation of all national competent authorities (not only DPAs) at the European Data Protection Board should be removed; and
  • protection against unsolicited communications should be comprehensive (Article 16) — the display of the identity of a line on which the person placing the call can be contacted, and the use of a specific code/prefix to identify it as a marketing call should not be alternatives, but should both be mandatory.

To read the EDPS recommendations in full, click here.