EDPS Issues Further Recommendations on E-Privacy Regulation

The European Data Protection Supervisor (EDPS) has published recommendations on specific aspects of the E-Privacy Regulation (COM(2017) 10 final, 2017/0003 (COD)).

The recommendations focus on the need to ensure legal certainty and a high level of privacy and data protection, in particular that:

• Any processing of communications data must be based on a legal ground under the E-Privacy Regulation (Article 6, recital 5).
• Legal grounds under the E-Privacy Regulation must not include legitimate interest.
• Confidentiality of communications data shall be “at rest” and for machine-to-machine communications (Article 5).
• The protection of data related to terminal equipment deserve equally high protection.
• Appropriate definitions are crucial to implement the protection of fundamental rights (including “user”, “end user” and “metadata”) (Article 4).
• Consent must have the same meaning as in the General Data Protection Regulation ((EU) 2016/679) (GDPR) (Article 6, 8 and 9). Technical and privacy settings should support giving and withdrawing consent (Article 9 and 10).
• Restrictions on rights should be limited in scope (Article 11)
• Weakening of confidentiality and integrity of communications should be prohibited (Article 17).
• Supervision powers should be granted to Data Protection Authorities (Article 18).
• Protection against unsolicited communications should be comprehensive (Article 16).