SECOND OPINION OF THE EUROPEAN DATA PROTECTION SUPERVISOR on the
review of Directive 2002/58/EC concerning the processing of personal data and
the protection of privacy in the electronic communications sector (Directive
on privacy and electronic communications).
On 10 April 2008, the EDPS adopted an Opinion on the Commission's Proposal amending,
among others, the Directive on privacy and electronic communications
(ePrivacy Directive). In September 2008, the European Parliament adopted
a legislative resolution on the ePrivacy Directive (first reading). The EDPS
viewed positively several of the EP amendments that were adopted. In November
2008, the Council reached a political agreement on a review of rules on the
telecoms package, including the ePrivacy Directive. However, the EDPS is
concerned about the Council’s Common Position as it does not incorporate some
of the positive amendments proposed by Parliament or the opinions of the EDPS.
Therefore, the EDPS now issues a Second Opinion, hoping that new amendments
will be adopted that will restore the data protection safeguards.
The main conclusions of this Second Opinion are as follows:
Security breach: the Parliament and Council must come up with a solid legal
framework for security breaches. To this end, they should:
- maintain the definition of security breach in the EP, Council and
Commission texts;
- include providers of information society services within the scope of the
entities to be covered by the proposed notification requirement;
- regarding the trigger for the notification of security breaches
(‘reasonably likely to harm’), ensure that ‘harm’ is sufficiently wide to
cover all relevant instances of negative effects on the privacy or other
legitimate interests of individuals;
- set up a system where it is up to the entities concerned to make the
assessment as to whether they must notify individuals of security breaches;
- implement the following safeguards regarding notification: (i) ensure that
covered entities are obliged to notify authorities of all breaches that meet
the requisite standard; (ii) provide authorities with an oversight role that
enables them to be selective in order to be effective; (iii) adopt a new
provision requiring entities to maintain a detailed and comprehensive
internal audit trail;
- provide the Commission with the ability to adopt technical implementing
measures;
- with regard to the individuals to be notified, use the Commission's or the
EP’s terminology ‘individuals concerned’ or ‘affected users’.
Publicly Accessible Private Networks: the EP and Council should:
- keep the essence of Amendment 121 (broadening the scope of application of
the Directive to include public and private communications networks, as well
as publicly accessible private networks), but rephrase it to ensure that
purely privately operated networks (as opposed to publicly accessible private
networks) would not be explicitly covered;
- amend all the operational provisions to explicitly refer to publicly
accessible private networks in addition to public networks;
- include an amendment defining a ‘publicly accessible private network’;
- adopt a new recital under which the Commission would carry out a public
consultation on the application of the ePrivacy Directive to all private
networks, with the input of the EDPS and other stakeholders.
Processing of Traffic Data for Security Purposes: the EP and the Council
should:
- reject entirely Article 6.6(a), authorising the processing of traffic data
for security purposes, because it is unnecessary and, if abused, could
unduly threaten the data protection and privacy of individuals;
- if some variation of the current version of Article 6.6(a) is to be
adopted, incorporate the data protection safeguards discussed in this Opinion.
Actions for Infringements of the ePrivacy Directive: the EP and Council
should:
- endorse the provision affording legal entities, such as consumer and trade
associations, the right to bring legal action against infringements of any
provisions of the Directive (not only for infringement of the spam
provisions, as is the current approach in the Common Position).