Yesterday (24 April 2017) the European Data Protection Supervisor (EDPS) published Opinion 6/2017 on the Proposal for a Regulation on Privacy and Electronic Communications.
The Opinion stresses the importance of the Proposal and the fact that European data protection regulation would be incomplete without an instrument that governs the confidentiality of communications as protected under Article 7 of the Charter of Fundamental Rights. The EDPS, however, also expresses a series of concerns which should be taken into consideration in forthcoming discussions.
Here’s a short guide to the Pros and Cons presented in the Opinion.
Pros according to the EDPS:
In the Opinion, the EDPS confirms its support for the Proposal and for the fact that it takes the form of a regulation, which means that it will be directly applicable, contributing to the unity and conformity of EU data protection regulations.
- Covers content and metadata
- Extends confidentiality to OTTs
- Enforcement powers only to DPAs = more effective enforcement
- Processing only under clearly defined conditions
- Consent: new articles 9 and 10
- Focus on security and alignment with GDPR on data breaches
- Opt-in for unsolicited commercial communications.
Cons and Suggestions according to the EDPS:
The EDPS, however, has several concerns with regard to the proposed Regulation, which it believes could put at risk the protection that the Proposal promises.
- The Proposal is incredibly complex (metadata, content data, data emitted by terminal equipment have different levels of confidentiality and different exceptions)
- Definitions: (a) they will be negotiated within the context of the European Electronic Communications Code (the EDPS argues that there is no legal justification to link the two instruments); (b) the Code definitions are unfit in the context of protecting rights (the EDPS suggests new definitions for the ePrivacy Regulation, “taking into account its intended scope and objectives”)
- The Proposal must ensure that there are no loopholes, for example, “data collected based on end-user consent or another legal ground under the ePrivacy Regulation must not be subsequently further processed outside the scope of such consent or exception on a legal ground which might otherwise be available under the GDPR, but not under the ePrivacy Regulation”
- Consent needs to be strengthened: it should be requested from the users of services “whether or not they have subscribed for them and from all parties to a communication” and “data subjects who are not parties to the communications must also be protected”. The EDPS calls for the elimination of tracking walls as website access should not be conditional. Consent needs to be “genuine”, meaning freely provided by users
- Rules could be easily avoided in the processing of electronic communications data by controllers that are not providers of electronic communications services
- Exceptions for tracking of location of terminal equipment are too broad and inadequate
- Member States should be able to call for and introduce specific safeguards
- There is still a need to establish strong requirements for both privacy by design and privacy by default.
You can read the entire EDPS Opinion, from which this post was inspired, here.