OPINION OF THE EUROPEAN DATA PROTECTION SUPERVISOR on the Proposal
for a Directive of the European Parliament and of the Council amending, among
others, Directive 2002/58/EC concerning the processing of personal data and
the protection of privacy in the electronic communications sector (Directive
on privacy and electronic communications).

On 16 November 2007, the EDPS received a request from the Commission for an
opinion on the aforementioned proposal. The proposal aims at enhancing the
protection of individuals' privacy and personal data in the electronic communications
sector. This is done not by entirely reshaping the existing e‑Privacy Directive
but rather by proposing ad hoc amendments to it, which mainly aim at
strengthening the security-related provisions and improving the enforcement
mechanisms. The proposal is part of a wider reform of the five EU telecom
Directives (the telecoms package).

The EDPS fully welcomes the proposal. The proposed amendments strengthen the
protection of individuals' privacy and personal data in the electronic
communications sector, and this is done with a light touch, without creating
unjustified and unnecessary burdens upon organisations. More specifically, the
EDPS considers that, for the most part, the proposed amendments should not be
modified insofar as they properly fulfil their pursued objective.

Notwithstanding the overall positive consideration of the proposal, the EDPS
considers that
some of its amendments should be improved to ensure that they effectively
provide for a proper protection of the personal data and the privacy of
individuals. This is particularly true regarding the provisions on security
breach notification and for those that deal with the legal actions
initiated by electronic communication service providers for violation of spam
provisions. In addition, the EDPS regrets that the proposal fails to
tackle some issues, not properly dealt with in the current e‑Privacy
Directive, missing the opportunity of this review exercise to resolve the
outstanding problems.

The amendments contained in the Proposal where the EDPS would strongly favour
modification include the following:
- Security breach notification: the proposed amendment applies
to providers of public electronic communication services in public
networks who are compelled to notify national regulatory authorities and
their customers of security breaches. The EDPS fully supports this
obligation. However, the EDPS considers that the obligation should also
apply to providers of information society services which often process
sensitive personal information;
- Legal actions initiated by providers of public electronic communication
services in public networks: the proposed amendment provides civil law
remedies for any individual or legal person, particularly for electronic
communication service providers, to fight infringements of Article 13 of
the e‑Privacy Directive, which deals with
spam. The EDPS is satisfied with this provision. However, the EDPS does
not see the rationale for this new capability to be limited to the
infringement of Article 13. The EDPS suggests enabling legal
persons to take legal actions for infringement of any provision of the e‑Privacy
Directive.

The scope of application of the e‑Privacy Directive, which is currently limited
to providers of public electronic communication networks, is one of the most
worrisome issues that the proposal has failed to address. The EDPS considers
that the Directive should be amended to broaden its application to include
providers of electronic communication services also in mixed (private/public)
and private networks.

The amendments that the EDPS would strongly favour to remain unmodified include
the following:
- RFID: the proposed amendment according to which electronic
communication networks include ‘public communication networks supporting
data collection and identification devices’ is fully satisfactory. This
provision is very positive as it clarifies that a number of RFID
applications must comply with the e‑Privacy Directive, thus
removing some legal uncertainty on this point;
- Cookies/spyware: the proposed amendment is to be welcomed because, as a result,
the obligation to inform and to give the right to oppose having
cookies/spyware stored in one's terminal equipment will also apply when
such devices are placed through external data storage media such as
CD-ROMs and USB keys. However, the EDPS suggests that a minor amendment be
made to the last part of Article 5(3), which consists in deleting the
word ‘facilitating’ from the sentence;
- Choice of comitology with consultation of the EDPS and conditions/limitations
to the obligation to notify: the proposed amendment regarding security breach
notification leaves to comitology the decision on complex questions
regarding the circumstances/format procedures of the security breach
notification system. The EDPS strongly
supports this unified approach. Linked to this matter is the call by
some stakeholders to draw up exceptions to the obligation to notify
security breaches. The EDPS strongly opposes this approach;
- Enforcement: the proposed amendment contains many helpful elements to be
kept which will contribute to ensuring effective compliance, including
the strengthening of the investigatory powers of national regulatory
authorities and the creation of the national regulatory authorities'
power to order the cessation of infringements.