Electronic communications: universal service, users' rights relating to networks and services, processing of personal data, protection of privacy, consumer protection cooperation. 'Telecoms Package'

2007/0248(COD)

OPINION OF THE EUROPEAN DATA PROTECTION SUPERVISOR on the Proposal for a Directive of the European Parliament and of the Council amending, among others, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).

On 16 November 2007, the EDPS received a request from the Commission for an opinion on the aforementioned proposal. The proposal aims at enhancing the protection of individuals' privacy and personal data in the electronic communications sector. This is done not by entirely reshaping the existing e‑Privacy Directive but rather by proposing ad hoc amendments to it, which mainly aim at strengthening the security-related provisions and improving the enforcement mechanisms. The proposal is part of a wider reform of the five EU telecom Directives (the telecoms package).

The EDPS fully welcomes the proposal. The proposed amendments strengthen the protection of individuals' privacy and personal data in the electronic communications sector and this is done with a light touch, without creating unjustified and unnecessary burdens upon organisations. More specifically, the EDPS considers that, for the most part, the proposed amendments should not be modified insofar as they fulfil properly their pursued objective.

Notwithstanding the overall positive consideration of the proposal, the EDPS considers that some of its amendments should be improved to ensure that they effectively provide for a proper protection of the personal data and the privacy of individuals. This is particularly true regarding the provisions on security breach notification and for those that deal with the legal actions initiated by electronic communication service providers for violation of spam provisions. In addition, the EDPS regrets that the proposal fails to tackle some issues, not properly dealt with in the current e‑Privacy Directive, missing the opportunity of this review exercise to resolve the outstanding problems.

The amendments contained in the Proposal where the EDPS would strongly favour modification, include the following:

  • Security breach notification: the proposed amendment applies to providers of public electronic communication services in public networks who are compelled to notify national regulatory authorities and their customers of security breaches. The EDPS fully supports this obligation. However, the EDPS considers that the obligation should also apply to providers of information society services which often process sensitive personal information;
  • Legal actions initiated by providers of public electronic communication services in public networks: the proposed amendment provides civil law remedies for any individual or legal person particularly for electronic communication service providers to fight infringements of Article 13 of the e‑Privacy Directive which deals with spam. The EDPS is satisfied with this provision. However, the EDPS does not see the rationale for this new capability to be limited to the infringement of Article 13. The EDPS suggests enabling legal persons to take legal actions for infringement of any provision of the e‑Privacy Directive.

The scope of application of the e‑Privacy Directive which is currently limited to providers of public electronic communication networks is one of the most worrisome issues that the proposal has failed to address. The EDPS considers that the Directive should be amended to broaden its application to include providers of electronic communication services also in mixed (private/public) and private networks.

The amendments that the EDPS would strongly favour to remain unmodified include the following:

  • RFID: the proposed amendment according to which electronic communication networks include ‘public communication networks supporting data collection and identification devices’ is fully satisfactory. This provision is very positive as it clarifies that a number of RFID applications must comply with the e‑Privacy Directive, thus removing some legal uncertainty on this point;
  • Cookies/spyware: the proposed amendment is to be welcomed because, as a result, the obligation to inform and give the right to oppose to have cookies/spyware stored in one's terminal equipment will also apply when such devices are placed through external data storage media such as CD-ROMs, USB Keys. However, the EDPS suggests that a minor amendment be made to the last part of Article 5(3) which consists in deleting the word ‘facilitating’ from the sentence;
  • Choice of comitology with consultation to the EDPS and conditions/limitations to the obligation to notify: the proposed amendment regarding security breach notification leaves up to comitology the decision of complex questions regarding the circumstances/format procedures of the security breach notification system. The EDPS strongly supports this unified approach. Linked to this matter is the call by some stakeholders to draw up exceptions to the obligation to notify security breaches. The EDPS strongly opposes this approach;
  • Enforcement: the proposed amendment contains many helpful elements to be kept which will contribute to ensuring effective compliance, including the strengthening of the investigatory powers of national regulatory authorities and the creation of the national regulatory authorities' power to order the cessation of infringements.