13.10.2017   

EN

Official Journal of the European Union

C 345/138

Rapporteur:

Laure BATUT

1.1.

The EESC regrets very much that these texts are voluminous and entangled, and that to understand them it is necessary to go back and forth between them, such that it is unlikely that anyone other than a select few will ever read and apply them and that their added value is not evident to the public, a principle that is missing from the entire proposal for a regulation. We recommend that a factsheet be published online with a description of the texts for the general public which makes them accessible for everyone.

1.2.

The EESC notes that from the options proposed in the impact assessment the Commission has chosen the one that would entail ‘measured’ reinforcement of privacy. Is this to guarantee a balance with the interests of industry? The Commission does not specify which aspects of a ‘far reaching’ reinforcement of privacy would have harmed industry interests. This position has the effect of already watering down the proposal at the drafting stage.

1.3.

The EESC recommends that the Commission:

2.1.

Electronic communications networks have expanded considerably since Directives 95/46/EC and 2002/58/EC (2) on the protection of privacy of natural and legal persons in the electronic communications sector.

2.2.

The General Data Protection Regulation (GDPR) adopted in 2016 (Regulation (EU) 2016/679) became the basis for the measures concerned and laid down the main principles, including those for judicial and criminal data. In accordance with this regulation, personal data may only be compiled under strict conditions, for legitimate purposes, and respecting confidentiality (Article 5 of the GDPR).

2.2.1.

In October 2016, the Commission presented a proposal for a European Electronic Communications Code (3) (300 pages long), which has not yet been adopted, but to which reference is made for certain definitions which are not set out in the GDPR or in the proposal in hand.

2.2.2.

Two proposals dated January 2017 stipulate certain aspects which are based on the GDPR: the proposed regulation on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies (COM(2017) 8 final, EESC rapporteur on this subject: Mr Pegado Liz); and the proposed regulation in hand (COM(2017) 10 final), on respect for private life and the protection of personal data.

2.3.

The three aforementioned texts will apply as of the same date — 25 May 2018 — and aim to harmonise rights and monitoring procedures.

2.4.

Note that, in order to facilitate this approach, it has been decided to protect privacy using a European regulation and no longer a directive.

3.1.

Civil society would like to understand whether, in this all-digital world which is taking shape, the Union is bringing added value which guarantees forums where private life can thrive without fear.

3.2.

Data being generated continuously means that all users are traceable and identifiable everywhere. Data processing carried out in centres which are mostly located physically outside Europe is a cause for concern.

3.3.

Big Data has become a currency, and the smart processing thereof means that natural and legal persons can be ‘profiled’, their data ‘marketed’ and money made, often without a user’s knowledge.

3.4.

However, it is above all the appearance of new players in the data-processing sector, over and above internet access providers, which must lead to a review of the relevant texts.

4.1.

The Commission’s intention with this proposal is to establish a balance between consumer and industry interests by:

4.2.

The proposal is aimed at the deployment of the GDPR, which is of general application, as are confidentiality of private data and the right of erasure, with regard to the specific aspect of respect for privacy and the protection of personal data in telecommunications; the intention is to establish stricter rules for protection of privacy, as well as coordinated monitoring and penalties.

4.3.

The proposal does not lay down specific measures with regard to ‘breaches’ in personal data caused by the users themselves, but does confirm the principle of the confidentiality of electronic communications data at the outset (Article 5).

4.4.

Providers may process the content of electronic communications:

4.5.

They are obliged to erase the data or make it anonymous after receipt by the intended addressees.

4.6.

Under Article 4(11) of the GDPR, the ‘consent’ of a data subject means any freely given, specific, informed and unambiguous indication of that data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

4.7.

The proposal maintains the requirement for consent to be expressly given, as defined in the GDPR, burden of proof being on the operator.

4.8.

‘Processing’ is itself based on consent. The controller has to ‘be able to demonstrate that the data subject has consented to processing of his or her personal data’ (GDPR Article 7(1)).

4.9.

Some limitations (on obligations for and rights to) confidentiality could be provided by EU law or national law to safeguard public interest or guarantee an inspection exercise.

4.10.

Natural persons must have given their consent to appearing in a publicly available directory, with the means to verify or correct the data that concern them (Article 15).

4.11.

A right to object will enable all users to block the use of data concerning themselves which has been entrusted to a third party (for example a trader) and then each time a message is sent (Article 16). The new rules will give users more control over their parameters (cookies, identifiers) and unsolicited communications (spam, messages, texts, calls) will be able to be blocked if the user has not given his or her agreement.

4.12.

As regards the identification and blocking of unwanted calls (Articles 12 and 14), the regulation underlines that these rights also apply to legal persons.

4.13.

The structuring of a monitoring system is in accordance with the GDPR (Chapter VI on supervisory authorities and Chapter VII on cooperation between supervisory authorities).

4.13.1.

It is the Member States and their national authorities responsible for data protection who will have to ensure compliance with the rules on confidentiality. Other supervisory authorities will, as part of mutual assistance, be able to draft objections that might be submitted to national supervisory authorities. They will cooperate with the latter or with the European Commission in the framework of a consistency mechanism (GDPR Article 63).

4.13.2.

For its part, the European Data Protection Board (EDPB) is responsible for ensuring consistent application of the regulation in hand (GDPR Articles 68 and 70).

4.14.

Remedies are possible for natural and legal persons who are final users so they can assert interests adversely affected by infringements; they may receive compensation from the infringer for damage suffered.

4.15.

The amounts envisaged for administrative fines are intended to act as a deterrent, since for those offending they can be as high as ten million euros and, for firms, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher (Article 23). Where there is no provision for an administrative fine, Member States set penalties and notify the Commission thereof.

4.16.

The new text on respect for privacy and the use of personal data will apply as of 25 May 2018: on the same date, therefore, as the 2016 GDPR and the regulation on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies, and the proposal for a directive establishing the European Electronic Communications Code (COM(2016) 590 final), if these texts are adopted.

4.17.

Scope of the lex specialis implementing the GDPR

—

Ratione personae: players

—

Ratione materiae: data

—

Ratione loci: where?

4.18.

EU objectives: the digital single market

5.1.

The Committee welcomes the fact that a coherent package of rules is being put in place simultaneously throughout the EU to protect the rights of natural and legal persons linked to the usage of digital data by means of electronic communications.

5.1.1.

It welcomes the fact that the Union is playing its role as advocate of the public’s and consumers’ rights.

5.1.2.

It stresses that, while we are aiming for harmonisation, interpretation of many of the concepts falls to the Member States, and this is turning the regulation into a sort of directive, which leaves a great deal of room for the marketing of private data. The domain of health in particular provides an open door for the collection of huge quantities of private data.

5.1.3.

Articles 11(1), 13(2), 16(4) and (5), and 24 are provisions that could be described as ‘transposition’ provisions which would be appropriate for a directive, but not for a regulation. Operators are allowed too much leeway for the purposes of improving the quality of services (Article 5 and 6). This proposal should be an integral part of the proposal for the European Electronic Communications Code directive (COM(2016) 590 final).

5.1.4.

The EESC regrets very much that these texts are entangled and voluminous, such that it is unlikely anyone other than a select few will ever read them. In effect, it is necessary to constantly go back and forth between them. Moreover their added value is not evident to the public. The fact that the proposal is difficult to read and highly complex runs counter to the spirit of the Regulatory Fitness and Performance (REFIT) programme, and to the ‘Better Regulation’ objective; it will make it difficult to interpret and will create loopholes in the protection arrangements.

5.1.5.

For example, the proposed regulation contains no definition of the concept of ‘operator’; for this it is necessary to refer to the draft European Electronic Communications Code (4), which has not yet entered into force and which will modify the rules of the sector as part of the single digital market, namely framework directive 2002/21/EC, the ‘authorisation’ directive 2002/20/EC, the ‘universal service’ directive 2002/22/EC, and the ‘access’ directive 2002/19/EC, as amended; and to Regulation (EC) No 1211/2009 setting up the Body of European Regulators for Electronic Communications (BEREC), the radio spectrum decision 676/2002/EC, Decision 2002/622/EC establishing a group on radio spectrum policy, and Decision 243/2012/EU setting up a multiannual radio spectrum policy programme (RSPP). The main reference remains of course the GDPR (see point 2.2 above), which the proposal in hand aims to complement and to which it is therefore subsidiary.

5.2.

The EESC in particular stresses the content of Article 8 concerning the protection of the information stored in the terminal equipment and the potential exceptions, fundamental because it leaves to the information society opportunities for access to private data, and to that of Article 12 on presentation and restriction of calling and connected line identification. These articles are difficult for the average reader to understand.

5.2.1.

The 1995 directive (Article 2) defines ‘personal data’ as ‘any information relating to an identified or identifiable natural person (“data subject”)’. The regulation in hand, which broadens data protection to include metadata, will henceforth apply to natural as well as legal persons. It is important to reiterate that the purpose of the proposal is twofold: on the one hand to protect personal data and on the other to ensure free movement of electronic communications data, equipment and services in the EU (Article 1).

5.2.2.

The EESC stresses that the will to protect the data of natural persons (Article 1(2)) will clash with other texts where such will is absent: nowhere is it clearly said that this will have to apply to those cases (see GDPR, data in the European institutions, etc.).

5.3.

The EESC is wondering whether the real aim of this proposal is not to place more emphasis on its Article 1(2), namely to guarantee ‘the free movement of electronic communications data and electronic communications services within the Union’, which shall be neither restricted nor prohibited for reasons related to respect for the private life and communications of natural and legal persons, rather than actually guaranteeing that which is announced in its Article 1(1), namely ‘the rights to respect for private life and communications and the protection of natural persons with regard to the processing of personal data’.

5.4.

Everything is based on the person — natural or legal — expressing their consent. As a consequence, in the EESC’s view, users must be informed, trained and remain cautious, because once their consent has been given, providers will be able to process content and metadata further in order to obtain as much effect and profit as possible. How many people know, before accepting them, that cookies are trackers? Priorities linked to this regulation should include the education of users, teaching them to make use of their rights, as well as anonymisation and encryption.

6.1.

Personal data should only be collated by bodies which themselves have very strict conditions and aiming at known and legitimate goals (GDPR).

6.2.

However, the Committee again expresses regret at the fact that ‘the stated principles of the right to protection of personal data are qualified by an excessive number of exceptions and restrictions’ (5). The balance between freedom and security should remain the hallmark of the European Union, rather than balancing fundamental rights of individuals with industry rights. In its analysis of the proposal for a regulation (WP247, 4.4.2017, opinion 01/2017), the Article 29 Working Party indicates in no uncertain terms that the proposal would decrease the level of protection established in the GDPR, e.g. with regard to locating terminal equipment and the lack of limitations on the scope of data collection (point (17)), and the failure to introduce privacy protection by default (point (19)).

6.3.

Data are like an extension of a person, a ‘phantom identity’, a ‘shadow-ID’. The data belong to the person who generates them, but after they have been processed that person loses control over them. Each Member State remains responsible for data retention and transfer, and there is no harmonisation because of possible restrictions on rights introduced by the proposal. The Committee points to the risk of disparities resulting from the fact that such restrictions would be at the discretion of Member States.

6.4.

A question arises particularly for people working in firms: to whom do the data they generate in the course of their work belong? And how will they be protected?

6.5.

The monitoring set-up is not very clear (6). Despite EDPB supervision, there do not appear to be adequate safeguards against arbitrary approaches and the time needed for proceedings to result in a penalty has not been assessed.

6.6.

The EESC advocates the creation of a European portal where all the European and national texts, rights, appeals procedures, case law and practical aspects are brought together in one place and kept up to date so as to help the public at large and consumers find their way through the maze of texts and practices so they can exercise their rights. This portal should, at least, be based on the requirements of Directive (EU) 2016/2102 of 26 October 2016 on the accessibility of the websites and mobile applications of public sector bodies, and the principles set out in recitals 12, 15 and 21 of the proposed directive known as the European Accessibility Act (2015/0278 (COD)), and provide content that is accessible and understandable to all end users. The EESC would be willing to be involved in the process of designing this portal.

6.7.

In Article 22 there is no reference to ‘class actions’, as the EESC already pointed out in its opinion on the European electronic communications code.

6.8.

The limitation of the substantive scope (Article 2(2)), extension of the powers to process data without the owner’s consent (Article 6(1) and (2)), the unlikely notion of obtaining the consent of all end-users concerned (Article 6(3)(b) and Article 8(1), (2) and (3)), and the restrictions which Member States may place on rights if they deem this to be ‘necessary, adequate and proportionate’ are all rules whose substance is susceptible to so many interpretations that they end up running counter to the idea of genuine protection of privacy. Particular attention should also be paid to data protection relating to minors.

6.9.

The EESC welcomes the right to control electronic communications covered in Article 12, but would highlight the particularly obscure wording, which seems to favour the use of telephone calls with hidden caller identity, as if anonymity were a recommendation, whereas the principle should be that the calling line can be identified.

6.10.

Unsolicited communications (Article 16) and direct marketing have already been dealt with in the directive on unfair trading practices (7). The default arrangements should be based on opting in (acceptance) rather than opting out (refusal).

6.11.

The Commission’s evaluation is scheduled every three years. In the digital world, that is too long. After two evaluations, the digital landscape will have changed completely. However delegation (Article 25), which will be able to be expanded, should be limited in time, and possibly renewable.

6.12.

Legislation must preserve users’ rights (Article 3 TEU) while guaranteeing the legal stability needed for commercial activity. The EESC regrets that the movement of data from machine to machine (M2M) is not mentioned in the proposal; reference has to be made to the European Electronic Communications Code (proposal for a directive, Articles 2 and 4).

6.12.1.

The internet of things (IoT) (8) is going to lead to ‘big data’, then to ‘huge data’, and finally to ‘all data’. This is a key for future waves of innovation. And machines, large or small, communicate and transmit private data between each other (e.g. information from your watch or the heartbeat data that it records and sends to your doctor’s computer). Many digital players have launched their own platforms reserved for connected devices: Amazon, Microsoft, Intel and, in France, Orange and La Poste.

6.12.2.

In daily life the IoT can easily be subject to malicious intrusion; the quantity of personal information which can be collected remotely is on the increase (geolocation, health data, video and audio streaming). Breaches in data protection interest for instance insurance companies, who are beginning to encourage their clients to equip themselves with connected devices and to take responsibility for their behaviour.

6.13.

Many internet giants are trying to turn their original applications into platforms: thus we should distinguish the Facebook application from the Facebook platform, which allows developers to devise accessible applications based on user profiles. Amazon was itself a specialised web application in online sales. Nowadays it has become a platform which allows third parties — from individuals to large groups — to market their products by benefiting from Amazon’s resources: reputation, logistics, etc. All this entails the transfer of personal data.

6.14.

The sharing economy is seeing a proliferation of platforms: ‘an intermediary platform — which is usually electronic — to put a significant number of people offering goods or services in touch with a significant number of users’ (9). While they are sought for the activity and the jobs they bring, the EESC is wondering how the data transfer they generate will be able to be controlled, in application of both the GDPR and this regulation.