Summary of the Opinion of the European Data Protection Supervisor on the Proposal for a Regulation on Privacy and Electronic Communications (ePrivacy Regulation)

(The full text of this Opinion can be found in English, French and German on the EDPS website www.edps.europa.eu)

(2017/C 234/03)

This Opinion outlines the position of the EDPS on the Proposal for a Regulation on Privacy and Electronic Communications, which is to repeal and replace the ePrivacy Directive.

Without the ePrivacy Regulation, the EU privacy and data protection framework would be incomplete. While the GDPR — the General Data Protection Regulation — is a great achievement, we need a specific legal tool to protect the right to private life guaranteed by Article 7 of the Charter of Fundamental Rights, of which confidentiality of communications is an essential component. The EDPS therefore welcomes and supports the Proposal which aims to do just that. The EDPS also supports the choice of legal instrument, i.e. a regulation which will be directly applicable and contribute to a greater level of harmonisation and consistency. He welcomes the ambition to provide a high level of protection with respect to both content and metadata and supports the objective of extending the confidentiality obligations to a broader range of services — including the so-called ‘over the top’ services (OTTs) — which reflects the progress of technology. He also considers that the decision to grant enforcement powers solely to data protection authorities, and the availability of the cooperation and consistency mechanisms within the future European Data Protection Board (EDPB), will contribute to more consistent and effective enforcement across the EU.

At the same time, the EDPS has concerns whether the Proposal, as it stands, can in fact deliver on its promise to ensure a high level of protection of privacy in electronic communications. We need a new legal framework for ePrivacy, but we need a smarter, clearer and stronger one. There is still a lot to do: the complexity of the rules, as outlined in the Proposal, is daunting. Communications are sliced into metadata, content data, data emitted by terminal equipment. Each being entitled to a different level of confidentiality and subject to different exceptions. This complexity may bring a risk of — perhaps unintended — gaps in protection.

Most of the definitions on which the Proposal relies will be negotiated and decided in the context of a different legal instrument: the European Electronic Communications Code. There is no legal justification today for linking the two instruments so closely and the competition and market-focused definitions from the Code are simply not fit for purpose in the fundamental rights context. The EDPS therefore argues for including a set of necessary definitions in the ePrivacy Regulation, taking into account its intended scope and objectives.

We also need to pay particular attention to the question of processing of electronic communications data by controllers other than providers of electronic communications services. The additional protections offered to communications data would be pointless if they could easily be circumvented by, for example, transferring the data to third parties. It should also be ensured that the ePrivacy rules do not permit a lower standard of protection than that enshrined in the GDPR. For example, consent should be genuine, offering a freely given choice to users, as required under the GDPR. There should be no more ‘tracking walls’. In addition, the new rules must also set strong requirements for privacy by design and by default. Finally, in this Opinion, the EDPS also addresses other pressing issues, including the restrictions to the scope of the rights.

1.   INTRODUCTION AND BACKGROUND

This Opinion (Opinion) is in response to a request of the European Commission (Commission) to the European Data Protection Supervisor (EDPS), as an independent supervisory authority and advisory body, to provide an opinion on the Proposal for a Regulation on Privacy and Electronic Communications (1) (the Proposal). The Proposal is intended to repeal and replace Directive 2002/58/EC on privacy and electronic communications (the ePrivacy Directive) (2). The Commission also requested the opinion of the Article 29 Data Protection Working Party (WP29), to which the EDPS contributed as a full member (3).

This Opinion follows upon our Preliminary Opinion 5/2016 on the review of the ePrivacy Directive (2002/58/EC) (4), issued on 22 July 2016. The EDPS may also provide further advice in subsequent stages of the legislative procedure.

The Proposal is one of the key initiatives of the Digital Single Market Strategy (5), aimed at reinforcing trust and security in digital services in the EU with a focus on ensuring a high level of protection for citizens and a level playing field for all market players across the EU.

The Proposal seeks to modernise and update the ePrivacy Directive as part of the wider effort to provide a coherent and harmonised legal framework for data protection in Europe. The ePrivacy Directive particularises and complements Directive 95/46/EC (6), which will be replaced by the recently adopted General Data Protection Regulation (GDPR) (7).

The EDPS first, in Section 2, summarises his main observations about the Proposal, focusing on the Proposal's positive aspects. Second, in Section 3, he raises his remaining key concerns and provides recommendations how to address them. Additional concerns and recommendations for further improvements are described in the Annex to this Opinion, discussing the Proposal in more detail. Addressing the concerns raised in this Opinion and its Annex and further improving the text of the ePrivacy Regulation would not only serve to better protect end-users and other data subjects concerned, but also introduce more legal certainty for all stakeholders involved.

4.   CONCLUSIONS

The EDPS welcomes the Commission's Proposal for a modernised, updated and strengthened ePrivacy Regulation. He shares the view that there is a continued need to have specific rules to protect the confidentiality and security of electronic communications in the EU and to complement and particularise the requirements of the GDPR. He also considers that we need simple, targeted and technologically neutral legal provisions that provide strong, smart and effective protection for the foreseeable future.

The EDPS welcomes the declared ambition to provide a high level of protection with respect to both content and metadata, in particular the key positive elements outlined in Section 2.1.

Whilst welcoming the Proposal, the EDPS remains concerned about a number of provisions that risk undermining the intention of the Commission to ensure a high level of protection of privacy in electronic communications. In particular, the EDPS has the following key concerns:

These main concerns — along with recommendations how to address them — are outlined in this Opinion. Beyond our general comments and key concerns detailed in the main body of the Opinion, the EDPS also provides further — and sometimes more technical — comments and recommendations on the Proposal in an Annex, in particular, to facilitate the work of legislators and other stakeholders who wish to further improve the text during the legislative process. Finally, we also note the importance of a swift processing of this important dossier by the legislators, to ensure that the ePrivacy Regulation, as intended, may apply as of 25 May 2018, the date when the GDPR itself will also become applicable.

The importance of confidentiality of communications as laid down in Article 7 of the Charter is growing with the increased role that electronic communications play in our society and economy. The safeguards outlined in this Opinion will play a key role in ensuring the success of the Commission's long term strategic objectives outlined in its DSM Strategy.

(1)  Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on privacy and electronic communications), COM(2017) 10 final, 2017/0003 (COD).

(2)  Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (OJ L 201, 31.7.2002, p. 37).

(3)  WP29 Opinion 1/2017 on the Proposed Regulation for the ePrivacy Regulation (2002/58/EC) (WP247), adopted on 4 April 2017. See also WP29 Opinion 3/2016 on the evaluation and review of the ePrivacy Directive (2002/58/EC) (WP240), adopted on 19 July 2016.

(4)  See https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2016/16-07-22_Opinion_ePrivacy_EN.pdf.

(5)  A Digital Single Market Strategy for Europe, Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee, and the Committee of the Regions, 6 May 2015 (COM(2015) 192 final) available at: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52015DC0192&from=EN.

(6)  Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, p. 31).

(7)  Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).

(8)  Proposal for a Directive of the European Parliament and of the Council establishing the European Electronic Communications Code, COM (2016) 590 final/2, 2016/0288(COD) of 12.10.2016.