The European Data Protection Supervisor (EDPS) has published an Opinion on the Proposal for a Regulation on Privacy and Electronic Communications (ePrivacy Regulation), which will complement the GDPR within the European Data Protection Framework.
Buttarelli welcomes several positive aspects of the Proposal, and the fact that the legislator has taken up some of the EDPS's earlier considerations, but he raises several significant concerns and makes some specific requests for modification.
Paragraph 3 of the Opinion sets out in detail the problems identified:
- The first issue concerns terminology: the definitions should be decoupled from the European Code of Electronic Communications (EECC), which is intended to regulate the market in this sector and was initially linked to the ePrivacy Directive but is no longer linked to the new ePrivacy Regulation. This would also avoid ambiguity over terms such as “end-user”, which could be applied indifferently to natural persons and legal persons and which emphasizes the existence of a contract, whereas the rights of persons using an electronic communications service should be safeguarded regardless of whether they have subscribed to a contract. In addition, the definition of “metadata” should include all data other than the content, not just data processed on the network but also data on the devices. Last but not least, the data to be secured should be not only data “in transit” but also data “stored” on the network, for example in the cloud.
- The second concern is about consent, which under the ePrivacy Regulation could apparently be given by entities other than those who will use the service (e.g. an employer on behalf of its employees, or a hospitality facility on behalf of its guests); this contrasts with the principles of the GDPR. It should also be clarified that consent to the processing of personal data should be given by all parties involved in a communication (e.g. the sender and recipient of an email), and also by third parties whose data are included in the communication, even if they do not take part in it.
- Regarding the relationship between the GDPR and the ePrivacy Regulation: in the event of further processing beyond what was originally envisaged (for which further consent is required), it should not be possible to avoid the safeguards provided by the Regulation by invoking the application of the GDPR, and hence all the grounds for lawful processing provided for in Art. 6. To avoid lowering the level of protection when data are passed to third parties, the use of the GDPR as a loophole should be explicitly prohibited, reiterating the need for further consent.
- The EDPS also considers the ePrivacy Regulation's measures against “tracking walls” inadequate. A tracking wall is a mechanism that tends to exclude from a service those end-users who refuse to allow the consent they have given to be extended to another service. This practice contrasts with the principle of “explicit and specific consent” and must be effectively countered. Furthermore, end-users who install intrusion defenses (such as ad blockers) must be protected against being banned from the service; in the IoT context, smart devices should not be set to deny the service to users who refuse consent to the processing of data that is unnecessary for the operation of the service.
- Art. 10 of the ePrivacy Proposal requires end-users to use device settings to determine whether or not to authorize vendors to install their own data or access end-user data. This contrasts with Art. 25 of the GDPR, which includes Privacy by Default.
- The excessive freedom that Art. 8(2) grants to “device tracking” in public spaces in the physical world also raises concern: the only limitation it imposes is the need to notify users of the possibility of disabling tracking. This is considered unacceptable, as opt-out mechanisms are increasingly less effective than opt-in ones; in addition, disabling tracking may result in the end-user being disconnected from the service.
The Opinion concludes with an attachment that contains 21 more specific analyses and clarifications.
It will be interesting to see what kind of reception this document gets from Parliament and Council.
Here is the text of Opinion 6/2017