Electronic communications: universal service, users' rights relating to networks and services, processing of personal data, protection of privacy, consumer protection cooperation. 'Telecoms Package'

2007/0248(COD)

SECOND OPINION OF THE EUROPEAN DATA PROTECTION SUPERVISOR on the review of Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).

On 10 April 2008, the EDPS adopted an Opinion on the Commission's Proposal amending, among others, the Directive on privacy and electronic communications (ePrivacy Directive). In September 2008, the European Parliament adopted a legislative resolution on the ePrivacy Directive (first reading). The EDPS viewed positively several of the EP amendments that were adopted. In November 2008, the Council reached a political agreement on a review of rules on the telecoms package, including the ePrivacy Directive. However, the EDPS is concerned about the Council’s Common Position as it does not incorporate some of the positive amendments proposed by Parliament or the opinions of the EDPS. Therefore, the EDPS now issues a Second Opinion, hoping that new amendments will be adopted that will restore the data protection safeguards.

The main conclusions of this Second Opinion are as follows:

Security breach: the Parliament and Council must come up with a solid legal framework for security breaches. To this end, they should:

  • maintain the definition of security breach in the EP, Council and Commission texts;
  • include providers of information society services within the scope of the entities to be covered by the proposed notification requirement;
  • regarding the trigger for the notification of security breaches (‘reasonably likely to harm’), ensure that ‘harm’ is sufficiently wide to cover all relevant instances of negative effects on the privacy or other legitimate interests of individuals;
  • set up a system where it is up to concerned entities to make the assessment as to whether they must notify individuals of security breaches;
  • implement the following safeguards regarding notification: (i) ensure that covered entities are obliged to notify authorities of all breaches that meet the requisite standard; (ii) provide authorities with an oversight role that enables them to be selective in order to be effective; (iii) adopt a new provision requiring entities to maintain a detailed and comprehensive internal audit trail;
  • provide the Commission with the ability to adopt technical implementing measures;
  • with regard to the individuals to be notified, use the Commission or EP’s terminology ‘individuals concerned’ or ‘affected users’.

Publicly Accessible Private Networks: the EP and Council should:

  • keep the essence of Amendment 121 (broadening the scope of application of the Directive to include public and private communications networks, as well as publicly accessible private networks), but rephrase it to ensure that purely privately operated networks (as opposed to publicly accessible private networks) would not be explicitly covered;
  • amend all the operational provisions to explicitly refer to publicly accessible private networks in addition to public networks;
  • include an amendment defining a ‘publicly accessible private network’;
  • adopt a new recital under which the Commission would carry out a public consultation on the application of the ePrivacy Directive to all private networks, with the input of the EDPS and other stakeholders.

Processing of Traffic Data for Security Purposes: the EP and the Council should:

  • reject entirely Article 6.6(a), authorising the processing of traffic data for security purposes, because it is unnecessary and, if abused, could unduly threaten the data protection and privacy of individuals;
  • if some variation of the current version of Article 6.6(a) is to be adopted, incorporate the data protection safeguards discussed in this Opinion.

Actions for Infringements of the ePrivacy Directive: the EP and Council should:

  • endorse the provision giving legal entities, such as consumer and trade associations, the right to bring legal action against infringements of any provisions of the Directive (not only for infringement of the spam provisions, as is the current approach in the Common Position).