Legislative proposal  
2017/0003(COD) - 10/01/2017  

PURPOSE: to enhance protection of confidentiality of electronic communications.

PROPOSED ACT: Regulation of the European Parliament and of the Council.

ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council.

BACKGROUND: the ePrivacy Directive (Directive 2002/58/EC) ensures the protection of fundamental rights and freedoms, in particular the respect for private life, confidentiality of communications and the protection of personal data in the electronic communications sector. It also guarantees the free movement of electronic communications data, equipment and services in the Union.

The Commission carried out an ex post evaluation of the ePrivacy Directive. It follows from the evaluation that the objectives and principles of the current framework remain sound. However, important technological and economic developments took place in the market since the last revision of the ePrivacy Directive in 2009. The Directive has not kept pace with technological developments, resulting in a void of protection of communications conveyed through new services.

A Eurobarometer survey on ePrivacy was conducted throughout the EU. The key findings are the following:

  • 78% say it is very important that personal information on their computer, smartphone or tablet can only be accessed with their permission;
  • 72% state that it is very important that the confidentiality of their e-mails and online instant messaging is guaranteed;
  • 89% agree with the suggested option that the default settings of their browser should stop the sharing of their information.

This proposal seeks to update the legal framework. It aims at reinforcing trust and security in the Digital Single Market – a key objective of the Digital Single Market strategy. The draft Regulation also aligns the rules for electronic communications services with the new world-class standards of the EU's General Data Protection Regulation (Regulation (EU) 2016/679).

IMPACT ASSESSMENT: the preferred option offers a measured reinforcement of privacy/confidentiality by extending the scope of the legal instrument to include new functionally equivalent electronic communications services and which protects against unsolicited communications and simplifies and clarifies the regulatory environment.

CONTENT: this proposed new Regulation seeks to enhance protection of confidentiality of electronic communications by extending the scope of the legal instrument to include new functionally equivalent electronic communications services. Like the European Electronic Communications Code, this proposal also brings the Over-the-Top (OTT) providers in its scope to reflect the market reality.

Confidentiality of electronic communications: the proposal:

  • contains the key provisions ensuring the limited permitted purposes and conditions of processing such communications data: privacy will be guaranteed for both content and metadata derived from electronic communications (e.g. time of a call and location). Both have a high privacy component and, under the proposed rules, will need to be anonymised or deleted if users have not given their consent, unless the data is required for instance for billing purposes;
  • addresses the protection of terminal equipment, by (i) guaranteeing the integrity of the information stored in it and (ii) protecting information emitted from terminal equipment, as it may enable the identification of its end-user;
  • details the consent of end-users, where technically possible and feasible, consent may be expressed by using the appropriate technical settings of a software application enabling access to the internet. End-users who have consented to the processing of electronic communications data shall be given the possibility to withdraw their consent at any time and be reminded of this possibility at periodic intervals of 6 months, as long as the processing continue;
  • imposes an obligation on providers of software permitting electronic communications to help end-users in making effective choices about privacy settings.

Rights of end-users to control the sending and reception of electronic communications: with a view to protecting their privacy, the new Regulation proposed:

  • the right of end-users to prevent the presentation of the calling line identification to guarantee anonymity;
  • the obligation for providers of publicly available number-based interpersonal communication to provide for the possibility to limit the reception of unwanted calls;
  • the regulation of the conditions under which end-users may be included in publicly available directories and the conditions under which unsolicited communications for direct marketing may be conducted.

Supervision and enforcement of this Regulation: this shall be entrusted to the supervisory authorities in charge of the GDPR. The powers of the European Data Protection Board are extended and the cooperation and consistency mechanism foreseen under the GDPR will apply in case of cross-border matters related to this Regulation.