The European Data Protection Supervisor (EDPS) has published recommendations on specific aspects of the E-Privacy Regulation (COM(2017) 10 final, 2017/0003 (COD)).

The recommendations focus on the need to ensure legal certainty and a high level of privacy and data protection, in particular that:

  • Any processing of communications data must be based on a legal ground under the E-Privacy Regulation (Article 6, recital 5).
  • Legal grounds under the E-Privacy Regulation must not include legitimate interest.
  • Confidentiality of communications data shall extend to data “at rest” and to machine-to-machine communications (Article 5).
  • Data related to terminal equipment deserves equally high protection.
  • Appropriate definitions (including “user”, “end user” and “metadata”) are crucial to implementing the protection of fundamental rights (Article 4).
  • Consent must have the same meaning as in the General Data Protection Regulation ((EU) 2016/679) (GDPR) (Articles 6, 8 and 9). Technical and privacy settings should support giving and withdrawing consent (Articles 9 and 10).
  • Restrictions on rights should be limited in scope (Article 11).
  • Weakening of confidentiality and integrity of communications should be prohibited (Article 17).
  • Supervision powers should be granted to Data Protection Authorities (Article 18).
  • Protection against unsolicited communications should be comprehensive (Article 16).