IT 2267

EDPS on the Proposal for ePrivacy Regulation

EDPS on the Proposal for a Regulation on Privacy and Electronic Communications (ePrivacy Regulation), Opinion 6/2017, 24 april 2017.
This Opinion outlines the position of the EDPS on the Proposal for a Regulation on Privacy and Electronic Communications, which is to repeal and replace the ePrivacy Directive.

Without the ePrivacy Regulation, the EU privacy and data protection framework would be incomplete. While the GDPR -the General Data Protection Regulation- is a great achievement, we need a specific legal tool to protect the right to private life guaranteed by Article 7 of the Charter of Fundamental Rights, of which confidentiality of communications is an essential component. The EDPS therefore welcomes and supports the Proposal which aims to do just that. The EDPS also supports the choice of legal instrument, i.e. a regulation which will be directly applicable and contribute to a greater level of harmonisation and consistency. He welcomes the ambition to provide a high level of protection with respect to both content and metadata and supports the objective of extending the confidentiality obligations to a broader range of services - including the so-called ‘over the top’ services (OTTs) - which reflects the progress of technology. He also considers that the decision to grant enforcement powers solely
to data protection authorities, and the availability of the cooperation and consistency mechanisms within the future European Data Protection Board (EDPB), will contribute to more consistent and effective enforcement across the EU.

At the same time, the EDPS has concerns whether the Proposal, as it stands, can in fact deliver on its promise to ensure a high level of protection of privacy in electronic communications. We need a new legal framework for ePrivacy, but we need a smarter, clearer and stronger one. There is still a lot to do: the complexity of the rules, as outlined in the Proposal, is daunting. Communications are sliced into metadata, content data, data emitted by terminal equipment. Each being entitled to a different level of confidentiality and subject to different exceptions. This complexity may bring a risk of -perhaps unintended- gaps in protection.

Most of the definitions on which the Proposal relies will be negotiated and decided in the context of a different legal instrument: the European Electronic Communications Code. There is no legal justification today for linking the two instruments so closely and the competition and market-focused definitions from the Code are simply not fit for purpose in the fundamental rights context. The EDPS therefore argues for including a set of necessary definitions in the ePrivacy Regulation, taking into account its intended scope and objectives.

We also need to pay particular attention to the question of processing of electronic communications data by controllers other than providers of electronic communications services. The additional protections offered to communications data would be pointless if they could easily be circumvented by, for example, transferring the data to third parties. It should also be ensured that the ePrivacy rules do not permit a lower standard of protection than that enshrined in the GDPR. For example, consent should be genuine, offering a freely given choice to users, as required under the GDPR. There should be no more 'tracking walls'. In addition, the new rules must also set strong requirements for privacy by design and by default. Finally, in this Opinion, the EDPS also addresses other pressing issues, including the restrictions to the scope of the rights.