The European Data Protection Supervisor (EDPS) has released further recommendations on specific aspects of the proposed e-Privacy Regulation.
As covered in our previous update, the EDPS advised on the proposed e-Privacy Regulation in its earlier 'Opinion on the Proposal for a Directive on certain aspects concerning contracts for the supply of digital content'. Through its further recommendations, the EDPS aims to offer clarifications on some specific issues, supplementing its earlier opinion.
Key points raised in the recommendations
With the focus being placed on the need to ensure legal certainty and a high level of privacy and data protection, the recommendations discuss various aspects of the e-Privacy Regulation including the following:
- Legal grounds for data processing – The EDPS welcomes amendments to Article 6 of the e-Privacy Regulation stating that electronic communications data may only be processed in accordance with the legal grounds specified in the Regulation. According to the EDPS, this should apply to providers of electronic communications services as well as any other parties.
- Legitimate interest as a legal ground - Legal grounds under the e-Privacy Regulation must not include legitimate interest. This recommendation is in line with the current e-Privacy Directive and the proposed e-Privacy Regulation and aims to protect the fundamental right to communications secrecy. The EDPS considers that an additional exemption to the confidentiality of communications based on legitimate interest (as some amendments to the e-Privacy Regulation currently suggest) would risk taking that protection away.
- Confidentiality of electronic communications data – This provision, enshrined in Article 5 and Recital 15 of the proposed e-Privacy Regulation, covers electronic communications data while in transit (i.e. until receipt of the content of the communication by the intended addressee). The EDPS considers that the provision should be extended to cover communication when stored by the provider or any other party (such communication would, for example, be the content of emails stored in the "cloud").
- Securing a high level of protection of data related to terminal equipment – The EDPS considers that data related to terminal equipment should be afforded a high level of protection in line with the principle of confidentiality of communications and the protection provided by the e-Privacy Directive and the General Data Protection Regulation (GDPR). While the EDPS welcomes relevant amendments including the requirement to obtain the consent of the user for the processing of such data, it considers that the addition of detailed legal grounds to the e-Privacy Regulation to provide further specific exceptions to the processing of such data should not be encouraged.
- Ensuring that consent is given the same meaning as in the GDPR – The EDPS supports amendments clarifying that all provisions related to consent (including the requirement for consent to be freely given and specific) should apply also for the purposes of the e-Privacy Regulation. It also welcomes clarifications requiring technical and privacy settings to enable the user to express and withdraw consent in an easy manner and amendments clarifying that access to services and functionalities should not be made conditional to consenting to the processing of data related to the terminal equipment of end-users.
The EDPS recommendations can be found here.
Although the opinions issued by EU regulators are non-binding, they may influence the reformation of the existing legal framework should they be taken on board by the Parliament and Council in the course of the legislative procedure.
It remains to be seen whether the proposed e-Privacy Regulation will come into effect in May 2018 along with the GDPR as originally suggested by the proposed e-Privacy Regulation and whether the concerns raised by the EDPS will be addressed in the final Regulation. Organisations should keep a close eye on the developments of the e-Privacy Regulation to ensure that they are in the best position to comply once it is finalised.