On June 9, Marju Lauristin, the Member of the European Parliament (MEP) and Member of the Committee on Civil Liberties, Justice and Home Affairs (LIBE), released a draft report containing amendments to the Regulation.
In the preparation of this report, the rapporteur Marju Lauristin has conducted extensive and thorough discussions with the following Committees: draft opinion of the Committee on Legal Affairs, draft opinion of the Committee on the Internal Market and Consumer Protection, draft report of the Committee on Industry, Research and Energy.
On June 21, Marju Lauristin presented her draft report to her colleagues in the LIBE Committee, on 10 July 2017 the LIBE Committee meeting was held to discuss of the draft report containing the amendments to the Regulation.
The main aspects highlighted by draft report are the following:
1.The draft report clarifies the relationship between the GDPR and the ePrivacy Regulation, specifying that the ePrivacy Regulation “aims to provide additional and complementary safeguards taking into account the need for additional protection as regards the confidentiality of communications” and for this “Processing of electronic communications data by providers of electronic communications services should only be permitted in accordance with, and on a legal ground specifically provided for under, this Regulation” (see amdt 4).
2. The amendment 18 proposes the deletion of Recital 18 of the Regulation (under which “the consent for the processing of data from the use of internet or voice communication will not be valid if the data controller has no genuine and free choice, or is unable to refuse or withdraw consent without detriment”) and introduces of new recital 17, point a, which partially repeats what is already provided in the recital 18, i.e. “for the purposes of this Regulation, the consent of an end-user, regardless of whether the latter is a natural or legal person, should have the same meaning and be subject to the same conditions as the consent of the data subject under Regulation (EU) 2016/679” and also clarifies the fact that “the end-users should have the right to withdraw their consent from an additional service without breaching the contract for the basic service. Consent for processing data from internet or voice communications usage should not be valid if the user has no genuine and free choice, or is unable to refuse or withdraw consent without detriment” (see amdt 17).
3. The draft report removed the cross-reference to European Electronic Communications Code by amending article 4, paragraph 1 point b) and removing article 4, paragraph 2, of the Regulation and introducing these definitions directly in the new paragraph 3 of Article 4 (see amdt 47 to 54).
In this way, the Regulation would be free and separate from any other legislative initiatives adopted by EU, such as European Electronic Communications Code, in line with the opinion expressed by EDPS who raised, as noted above, about the fact that the Regulation simply refers to article 2 of the of the proposal for a directive of the European Electronic Communications Code for the definitions (see article 4, paragraph 1 point b) of the Regulation).
4. The draft report introduces the distinction (absent in the original version of the Regulation) between ‘end-user’ means “a legal entity or a natural person using or requesting a publicly available electronic communications service” (see amdt 53, our underline) and ‘user’ means “any natural person using a publicly available electronic communications service, for private or business purposes, without necessarily having subscribed to this service” (see amdt 54, our underline).
By reason of this distinction the definition “end-user” has been replaced, in some points, by that of “user” (ex multis, see amdt 58, 59, 69, 70) limiting, in this way, the protection of the confidentiality of communications to only natural persons, and this despite the draft report has left unchanged recital 3 of the Regulation which similarly protects the confidentiality of communications of both natural and legal persons.
5. The definition of ‘electronic communications metadata’ is also extended to “any other communications related data processed for the provision of the service, which is not considered content” including “data broadcasted or emitted by the terminal equipment to identify users’ communications and/or the terminal equipment or its location and enable it to connect to a network or to another device” (see amdt 55). As specified in the draft report “this amendment serves to clarify the exact concept of metadata, as underlined by the Article 29 Working Party, scholars and case-law authorities” (see justification at the end of the amdt 55).
6. In addition to the specific cases of “permitted” processing (now defined as “lawful” based on amendment 60) of electronic communication under Article 6 of the Regulation, the draft report provides that “for the provision of a service explicitly requested by a user of an electronic communications service for their purely individual or individual work-related usage, the provider of the electronic communications service may process electronic communications data solely for the provision of the explicitly requested service and without the consent of all users” but this is possible “only where such requested processing produces effects solely in relation to the user who requested the service and does not adversely affect the fundamental rights of another user or users” (see amdt 71, my highlighting in bold).
However, in this way, the processing of electronic communications could be permitted without consent in many cases given that “individual or individual work-related usage” surely are among the main purpose of use of electronic communications services. For “the consent of all users” we suppose we should refer to both senders and recipients, therefore, the consent of only one of the data subject should not be sufficient.
7. The amendment 78 provides that tracking user (for example, via cookies) may be permitted with their consent (i.e. “the user has given his or her specific consent”) “which shall not be mandatory to access the service”. Therefore, the draft report conforms with the opinions of WP29 and EDPS making the user’s consent actually free and by allowing the user access to the service even if the user do not consent to be tracking.
Moreover, this rule is strengthened in a new and separate paragraph of article 8 introduced by amendment 83 whereby “No user shall be denied access to any information society service or functionality, regardless of whether this service is remunerated or not, on grounds that he or she has not given his or her consent under Article 8(1)(b) to the processing of personal information and/or the use of storage capabilities of his or her terminal equipment that is not necessary for the provision of that service or functionality”.
8. In addition to those already provided for in article 8 of the Regulation, the draft report introduces other exceptions for the tracking of terminals equipment (see amdt 75 to 83). Especially, the amendment 82 proposes an exception for tracking employees “if it is necessary in the context of employment relationships” but only on condition that the employee uses the equipment provided by the employer and only if this tracking is “strictly necessary for the functioning of the equipment by the employee” (see amdt 82).
9. The draft report introduces some important amendments about tracking terminal equipment (i.e. WI-FI tracking or Bluetooth tracking) by providing the collection of information emitted by terminal equipment only (i) in order to, for the time necessary for, and for the sole purpose of establishing a connection requested by the user, or (ii) with the informed consent of the user, or (iii) if the data are anonymised and the risk are adequately mitigated (see amdt 84 to 90).
For the mitigation of risk, the draft report recommends the following measures: (a) the purpose of the data collection from the terminal equipment shall be restricted to mere statistical counting; and (b) the tracking shall be limited in time and space to the extent strictly necessary for this purpose; and (c) the data shall be deleted or anonymised immediately after the purpose is fulfilled; and (d) he users shall be given effective opt-out possibilities (see amdt 89).
Lastly, users must be informed about tracking their terminals equipment by a clear information detailing how the information will be collected, the purpose of collection, the person responsible for it and other information required under Article 13 of Regulation (EU) 2016/679 (see amdt 90). Anyway, “the collection of such information shall be conditional on the application of appropriate technical and organisational measures to ensure a level of security appropriate to the risks, as set out in Article 32 of Regulation (EU) 2016/679” (see amdt 90).
Therefore, the draft report proposes, in line with the opinion of WP29, a significant change compared to Commission’s proposed (which suggests that for tracking user is sufficient to display a mere alert/banner to inform the users of the possibility of “stopping or minimizing such collection”, together with the adoption of appropriate technical and organisational measures to mitigate the risk: see article 8, paragraph 2, of the Regulation).
10. Article 10 of the Regulation refers to options for terminal equipment and software by default and this article is amended with a clear preference for “Do-Not-Track” mechanisms (DNTs) by providing that all software are set by default to “offer privacy protective settings to prevent other parties from storing information on the terminal equipment of a user and from processing information already stored on that equipment” (see amdt 95).
In this regard, the rapporteur explains at the end of the draft report that “the settings should allow for granulation of consent by the user, taking into account the functionality of cookies and tracking techniques and DNTs should send signals to the other parties informing them of the user’s privacy settings. Compliance with these settings should be legally binding and enforceable against all other parties” (see p. 88 of the draft report).
11. The penalties provided for in article 23 of the Regulation are also extended to cases of infringements of obligations covered by article 8 (WI-FI tracking, cookies, Bluetooth tracking) with administrative fines up to 20.000.000 EUR or up to 4% of the total worldwide annual turnover (see amdt 131).
For further information:
opinion n. 1/2017 WP247, of the Art. 29 Working Party
opinion n. 6/2017, of the European Data Protection Supervisor
proposal for a Regulation, of the European Commission
draft report, of the Committee on Civil Liberties, Justice and Home Affairs, Rapporteur: Marju Lauristin