The European Data Protection Supervisor (EDPS) has published recommendations on specific aspects of the E-Privacy Regulation (COM(2017) 10 final, 2017/0003 (COD)).
The recommendations focus on the need to ensure legal certainty and a high level of privacy and data protection, in particular that:
- Any processing of communications data must be based on a legal ground under the E-Privacy Regulation (Article 6, recital 5).
- Legal grounds under the E-Privacy Regulation must not include legitimate interest.
- Confidentiality of communications data shall apply “at rest” and for machine-to-machine communications (Article 5).
- Data related to terminal equipment deserves equally high protection.
- Appropriate definitions are crucial to implement the protection of fundamental rights (including “user”, “end user” and “metadata”) (Article 4).
- Consent must have the same meaning as in the General Data Protection Regulation ((EU) 2016/679) (GDPR) (Articles 6, 8 and 9). Technical and privacy settings should support giving and withdrawing consent (Articles 9 and 10).
- Restrictions on rights should be limited in scope (Article 11).
- Weakening of confidentiality and integrity of communications should be prohibited (Article 17).
- Supervision powers should be granted to Data Protection Authorities (Article 18).
- Protection against unsolicited communications should be comprehensive (Article 16).