On 10 January 2017, the EU Commission published a proposal for a new regulation on e-Privacy (ePR) that, if adopted, will present particular issues for any Chinese company providing electronic communications networks or services in the EU, and may have more general applicability to Chinese companies that have invested in Europe in recent years[1].

The ePR is intended to replace the current e-Privacy Directive (ePD), updating it in line with the General Data Protection Regulation (GDPR) and technological developments that have occurred since the last amendment of the ePD in 2009. By proposing to convert the directive into a regulation, the ePR, if adopted, will not need to be transposed into national law and will have direct effect in all EU Member States.

Like the existing directive, the draft ePR contains rules specifically applicable to providers of electronic communications networks and services as well as rules of a general application. The ePR is intended to complement the GDPR and will take precedence when the ePR rules apply.


Rules Applicable to Electronic Communications

The definition of an electronic communications service would be expanded to include online services beyond traditional electronic communications voice and data services, including Voice over IP, messaging services and web-based email services. This is in line with the definitions contained in the proposed Electronic Communications Code (ECC), which is currently being debated by the EU Parliament and Council. However, the ePR is broader and will also cover ancillary electronic communications services linked to another service, e.g. messaging services that are embedded in dating apps and online video games.

Similar to the GDPR, the ePR will be extended to cover electronic communications service providers not established in the EU that provide services to end-users in the EU, including both natural and legal persons. Such providers will have to designate a representative in at least one EU Member State.

The ePR maintains the principle of the confidentiality of electronic communications data and sets out the conditions under which such information may be processed. The proposed definition of electronic communications data includes content (text, voice, videos, images and sound) and metadata (that is, data required for the purposes of transmitting, distributing or exchanging content, such as numbers called, the websites visited, geographical location, the time, date and duration when an individual made a call, etc.). The ePR proposes to apply this principle to the transmission of machine-to-machine communications underlying the "Internet of Things" as well.


Rules of General Applicability

As in the current ePD, certain key provisions of the ePR will apply generally. These concern the protection of access to, and the information stored in, end-users' terminal equipment (essentially an amended "cookie" provision) and the sending of unsolicited communications (spam).


The "cookie provision" under the ePD has been modified in the proposed ePR to cover a wider array of cookie-like applications that use the processing or storage capabilities of an end-user's device (such as "digital fingerprinting"). The end-user's prior consent remains the key basis for allowing the use of those capabilities except in very limited circumstances. However, the proposed rules make clear that consent may be expressed if the user applies the appropriate technical settings of a browser through transparent and user-friendly settings. There is also a new provision regulating the collection of information emitted by terminal equipment.

A related provision requires that all software placed on the market which permits electronic communications, including the retrieval and presentation of information on the internet, would need to offer users the option to prevent third parties from storing or processing information (e.g. cookies) on the user's terminal equipment by including privacy settings. These settings would be set when the browser is installed[2] and would then apply to all the websites the user views using the software. For example, a user would be able to choose between never accepting cookies, rejecting third-party cookies and only accepting first-party cookies.



The provisions of the ePR that relate to spam propose to expand the current limitations of the ePD to prohibit all types of unsolicited communications (including via SMS, MMS and Bluetooth) without the recipient's prior consent. The extended scope would continue to cover direct marketing phone calls. The exception contained in the ePD for pre-existing customers would remain but would be further refined.



National data protection authorities responsible for monitoring compliance with the GDPR would be responsible for monitoring the application of the ePR. They would be empowered to impose administrative fines of up to 4% of total worldwide annual turnover, reflecting the maximum GDPR fines.


Next Steps

The proposal will now be reviewed by the European Parliament and Council (EU Member States). The EU Commission has proposed the adoption of the ePR in time for it to come into force on 25 May 2018, the date on which the GDPR will become enforceable. This is an ambitious objective given the range of concerns that both industry and consumer rights groups have already voiced with regard to various provisions of the draft ePR.