The Committee on Civil Liberties, Justice and Home Affairs adopted the report by Marju LAURISTIN (EE, S&D) on the proposal for a regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications).
The present ePrivacy proposal seeks to achieve the modernisation of the Union data protection legal framework commenced by the General Data Protection Regulation (Regulation (EU) 2016/679 (GDPR)) and repeals the current ePrivacy Directive 2002/58/EC in order to align its rules to those of the GDPR and to establish a legal framework, which takes account of the important technological and economic developments in the electronic communication sector.
The committee recommended that the European Parliament’s position adopted at first reading under the ordinary legislative procedure should amend the Commission proposal as follows:
Scope: Members stated that the proposal shall apply to:
- the processing of information related to or processed by the terminal equipment of end-users;
- the placing on the market of software permitting electronic communications;
- the provision of publicly available directories of users of electronic communications;
- the sending of direct marketing electronic communications to end-users.
Members also introduced the definition of "end user", which is a legal entity or natural person using or requesting a publicly available electronic communications service; and that of "user" which covers any natural person using a publicly available electronic communications service for private or business purposes without necessarily having subscribed to that service.
Confidentiality of communications: Members proposed that the confidentiality of electronic communications shall also apply to data related to or processed by terminal equipment.
Providers of electronic communications networks and services may process electronic communications data only if it is technically necessary to achieve the transmission of the communication, for the duration necessary for that purpose.
Any interference with the content of electronic communications shall be allowed only under very clear defined conditions, for specific purposes and be subject to adequate safeguards against abuse.
Protection of information stored in or related to users’ terminal equipment: the Commission proposal aims to protect the information stored in the user’s terminal equipment from accessing it or installing or placing software or information without the consent of the user.
The amendments tabled are intended to provide a higher level of protection by ensuring legal consistency with the General Data Protection Regulation (GDPR). In this regard, the conditions allowing access to user’s terminal equipment or to information emitted by it are better framed and the conditions for user’s consent is brought in line with the GDPR.
In the context of employment relationships, access to the user's terminal equipment shall only be possible if it is strictly technically necessary for the execution of an employee's task, where: (i) the employer provides and/or is the user of the terminal equipment; (ii) the employee is the user of the terminal equipment; and (iii) it is not further used for monitoring the employee.
It is also specified that no user may be denied access to any information society service or functionality, regardless of whether this service is remunerated or not, on grounds that the end-user does not provide consent for processing any data that is not strictly necessary for the functionality requested by the end-user.
Options for privacy settings: this Regulation shall prevent the use of so-called "cookie walls" and "cookie banners" that do not help users to maintain control over their personal information and privacy or become informed about their rights.
Electronic communications software (such as browsers, operating systems and applications) shall be configured in a way that privacy is protected, and the tracking and storage of information on the terminal equipment by third parties are prohibited by default. Software providers of this type shall provide sufficiently detailed options to allow the user to consent to each distinct category of purposes.
At the same time, the user shall have the option to change or confirm the privacy setting options any time after installation.
The settings shall include a signal which is sent to the other parties to inform them about the user's privacy settings. These settings shall be binding on, and enforceable against, any other party.
Unsolicited communications for direct marketing: the use by natural or legal persons of electronic communications services, including automated calling, communications systems, semi-automated systems that connect the call person to an individual, faxes, e-mail or other use of electronic communications services for the purposes of presenting or sending direct marketing communications to users, shall be allowed only in respect of users who have given their prior consent.
The Regulation shall prohibit the masking of the identity and the use of false identities, false return addresses or numbers while sending unsolicited communications for direct marketing purposes is prohibited.
Restrictions on the confidentiality of communications: the scope of the rights provided for in the Regulation may be restricted by law provided that the restriction fully respects the essence of fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard (i) national security, (ii) defence; iii) public security.