European Parliament 2014-2019 Committee on Civil Liberties, Justice and Home Affairs 2017/0003(COD) 9.6.2017 ***I DRAFT REPORT on the proposal for a regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) (COM(2017)0010 – C8-0009/2017 – 2017/0003(COD)) Committee on Civil Liberties, Justice and Home Affairs Rapporteur: Marju Lauristin PR\1127393EN.docx EN PE606.011v01–00 United in diversity EN PR_COD_1amCom Symbols for procedures * *** ***I ***II ***III Consultation procedure Consent procedure Ordinary legislative procedure (first reading) Ordinary legislative procedure (second reading) Ordinary legislative procedure (third reading) (The type of procedure depends on the legal basis proposed by the draft act.) Amendments to a draft act Amendments by Parliament set out in two columns Deletions are indicated in bold italics in the left-hand column. Replacements are indicated in bold italics in both columns. New text is indicated in bold italics in the right-hand column. The first and second lines of the header of each amendment identify the relevant part of the draft act under consideration. If an amendment pertains to an existing act that the draft act is seeking to amend, the amendment heading includes a third line identifying the existing act and a fourth line identifying the provision in that act that Parliament wishes to amend. Amendments by Parliament in the form of a consolidated text New text is highlighted in bold italics. Deletions are indicated using either the ▌symbol or strikeout. Replacements are indicated by highlighting the new text in bold italics and by deleting or striking out the text that has been replaced. By way of exception, purely technical changes made by the drafting departments in preparing the final text are not highlighted. PE606.011v01–00 EN 2/90 PR\1127393EN.docx CONTENTS Page DRAFT EUROPEAN PARLIAMENT LEGISLATIVE RESOLUTION ................................. 5 EXPLANATORY STATEMENT............................................................................................ 84 ANNEX: LIST OF ENTITIES FROM WHOM THE RAPPORTEUR HAS RECEIVED INPUT ...................................................................................................................................... 89 PR\1127393EN.docx 3/90 PE606.011v01–00 EN PE606.011v01–00 EN 4/90 PR\1127393EN.docx DRAFT EUROPEAN PARLIAMENT LEGISLATIVE RESOLUTION on the proposal for a regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) (COM(2017)0010 – C8-0009/2017 – 2017/0003(COD)) (Ordinary legislative procedure: first reading) The European Parliament, – having regard to the Commission proposal to Parliament and the Council (COM(2017)0010), – having regard to Article 294(2) and Articles 16 and 114 of the Treaty on the Functioning of the European Union, pursuant to which the Commission submitted the proposal to Parliament (C8-0009/2017), – having regard to Article 294(3) of the Treaty on the Functioning of the European Union, – having regard to the contributions submitted by the Czech Chamber of Deputies, the Czech Senate, the Spanish Parliament, the Netherlands Senate and the Portuguese Parliament on the draft legislative act, – having regard to the opinion of the European Economic and Social Committee1; – having regard to Rules 59 of its Rules of Procedure, – having regard to the report of the Committee on Civil Liberties, Justice and Home Affairs and the opinions of the Committee on Industry, Research and Energy, the Committee on the Internal Market and Consumer Protection and the Committee on Legal Affairs (A8-0000/2017), 1. Adopts its position at first reading hereinafter set out; 2. Calls on the Commission to refer the matter to Parliament again if it replaces, substantially amends or intends to substantially amend its proposal; 2. Instructs its President to forward its position to the Council, the Commission and the national parliaments. 1 PR\1127393EN.docx 5/90 PE606.011v01–00 EN Amendment 1 Proposal for a regulation Recital 1 Text proposed by the Commission Amendment (1) Article 7 of the Charter of Fundamental Rights of the European Union ("the Charter") protects the fundamental right of everyone to the respect for his or her private and family life, home and communications. Respect for the privacy of one’s communications is an essential dimension of this right. Confidentiality of electronic communications ensures that information exchanged between parties and the external elements of such communication, including when the information has been sent, from where, to whom, is not to be revealed to anyone other than to the parties involved in a communication. The principle of confidentiality should apply to current and future means of communication, including calls, internet access, instant messaging applications, e-mail, internet phone calls and personal messaging provided through social media. (1) Article 7 of the Charter of Fundamental Rights of the European Union ("the Charter") protects the fundamental right of everyone to the respect for his or her private and family life, home and communications. Respect for the privacy of one’s communications is an essential dimension of this right. Confidentiality of electronic communications ensures that information exchanged between parties and the external elements of such communication, including when the information has been sent, from where, to whom, is not to be revealed to anyone other than to the parties involved in a communication. The principle of confidentiality should apply to current and future means of communication, including calls, internet access, instant messaging applications, e-mail, internet phone calls and messaging provided through social media. Or. en Amendment 2 Proposal for a regulation Recital 2 Text proposed by the Commission Amendment (2) The content of electronic communications may reveal highly sensitive information about the natural persons involved in the communication, from personal experiences and emotions to medical conditions, sexual preferences and political views, the disclosure of which could result in personal and social harm, (2) Electronic communications may reveal highly sensitive information about the natural persons involved in the communication, from personal experiences and emotions to medical conditions, sexual preferences and political views, the disclosure of which could result in personal and social harm, economic loss or PE606.011v01–00 EN 6/90 PR\1127393EN.docx economic loss or embarrassment. Similarly, metadata derived from electronic communications may also reveal very sensitive and personal information. These metadata includes the numbers called, the websites visited, geographical location, the time, date and duration when an individual made a call etc., allowing precise conclusions to be drawn regarding the private lives of the persons involved in the electronic communication, such as their social relationships, their habits and activities of everyday life, their interests, tastes etc. embarrassment. Metadata derived from electronic communications may also reveal very sensitive and personal information. These metadata includes the numbers called, the websites visited, geographical location, the time, date and duration when an individual made a call etc., allowing precise conclusions to be drawn regarding the private lives of the persons involved in the electronic communication, such as their social relationships, their habits and activities of everyday life, their interests, tastes etc. The protection of confidentiality of communications is also an essential condition for the respect of other related fundamental rights and freedoms, such as the protection of freedom of thought, conscience and religion, and freedom of expression and information. Or. en Amendment 3 Proposal for a regulation Recital 4 Text proposed by the Commission Amendment (4) Pursuant to Article 8(1) of the Charter and Article 16(1) of the Treaty on the Functioning of the European Union, everyone has the right to the protection of personal data concerning him or her. Regulation (EU) 2016/679 lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. Electronic communications data may include personal data as defined in Regulation (EU) 2016/679. (4) Pursuant to Article 8(1) of the Charter and Article 16(1) of the Treaty on the Functioning of the European Union, everyone has the right to the protection of personal data concerning him or her. Regulation (EU) 2016/679 lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. Electronic communications data are generally personal data as defined in Regulation (EU) 2016/679. Or. en PR\1127393EN.docx 7/90 PE606.011v01–00 EN Amendment 4 Proposal for a regulation Recital 5 Text proposed by the Commission Amendment (5) The provisions of this Regulation particularise and complement the general rules on the protection of personal data laid down in Regulation (EU) 2016/679 as regards electronic communications data that qualify as personal data. This Regulation therefore does not lower the level of protection enjoyed by natural persons under Regulation (EU) 2016/679. Processing of electronic communications data by providers of electronic communications services should only be permitted in accordance with this Regulation. (5) The provisions of this Regulation particularise and complement the general rules on the protection of personal data laid down in Regulation (EU) 2016/679 as regards electronic communications data that qualify as personal data. This Regulation therefore should not lower the level of protection enjoyed by natural persons under Regulation (EU) 2016/679. On the contrary, it aims to provide additional, and complementary, safeguards taking into account the need for additional protection as regards the confidentiality of communications. Processing of electronic communications data by providers of electronic communications services should only be permitted in accordance with, and on a legal ground specifically provided for under, this Regulation. Or. en Amendment 5 Proposal for a regulation Recital 6 Text proposed by the Commission Amendment (6) While the principles and main provisions of Directive 2002/58/EC of the European Parliament and of the Council22 remain generally sound, that Directive has not fully kept pace with the evolution of technological and market reality, resulting in an inconsistent or insufficient effective protection of privacy and confidentiality in relation to electronic communications. Those developments include the entrance (6) While the principles and main provisions of Directive 2002/58/EC of the European Parliament and of the Council22 remain generally sound, that Directive has not fully kept pace with the evolution of technological and market reality, resulting in an inconsistent or insufficient effective protection of privacy and confidentiality in relation to electronic communications. Those developments include the entrance PE606.011v01–00 EN 8/90 PR\1127393EN.docx on the market of electronic communications services that from a consumer perspective are substitutable to traditional services, but do not have to comply with the same set of rules. Another development concerns new techniques that allow for tracking of online behaviour of end-users, which are not covered by Directive 2002/58/EC. Directive 2002/58/EC should therefore be repealed and replaced by this Regulation. on the market of electronic communications services that from a consumer perspective are substitutable to traditional services, but do not have to comply with the same set of rules. Another development concerns new techniques that allow for tracking of online behaviour of users. Directive 2002/58/EC should therefore be repealed and replaced by this Regulation. __________________ __________________ 22 22 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p.37). Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p.37). Or. en Amendment 6 Proposal for a regulation Recital 7 Text proposed by the Commission Amendment (7) The Member States should be allowed, within the limits of this Regulation, to maintain or introduce national provisions to further specify and clarify the application of the rules of this Regulation in order to ensure an effective application and interpretation of those rules. Therefore, the margin of discretion, which Member States have in this regard, should maintain a balance between the protection of private life and personal data and the free movement of electronic communications data. deleted Or. en PR\1127393EN.docx 9/90 PE606.011v01–00 EN Amendment 7 Proposal for a regulation Recital 8 Text proposed by the Commission Amendment (8) This Regulation should apply to providers of electronic communications services, to providers of publicly available directories, and to software providers permitting electronic communications, including the retrieval and presentation of information on the internet. This Regulation should also apply to natural and legal persons who use electronic communications services to send direct marketing commercial communications or collect information related to or stored in end-users’ terminal equipment. (8) This Regulation should apply to providers of electronic communications services, to providers of publicly available directories, and to software providers permitting electronic communications, including the retrieval and presentation of information on the internet. This Regulation should also apply to natural and legal persons who use electronic communications services to send direct marketing, commercial communications or collect information related to, processed by or stored in end-users’ terminal equipment. Or. en Justification This amendment clarifies the scope of the Regulation. It takes into account the recommendations of the EDPS, Art 29 Working party, scholars and several stakeholders. Amendment 8 Proposal for a regulation Recital 9 Text proposed by the Commission Amendment (9) This Regulation should apply to electronic communications data processed in connection with the provision and use of electronic communications services in the Union, regardless of whether or not the processing takes place in the Union. Moreover, in order not to deprive end-users in the Union of effective protection, this Regulation should also apply to electronic communications data processed in connection with the provision of electronic (9) This Regulation should apply to electronic communications data processed in connection with the provision and use of electronic communications services in the Union, regardless of whether or not the processing takes place in the Union. Moreover, in order not to deprive end-users in the Union of effective protection, this Regulation should also apply to electronic communications data processed in connection with the provision of electronic PE606.011v01–00 EN 10/90 PR\1127393EN.docx communications services from outside the Union to end-users in the Union. communications services from outside the Union to end-users in the Union. This should be the case irrespective of whether the electronic communications are connected to a payment or not. Or. en Justification Alignment with the General Data Protection Regulation (“GDPR”). Amendment 9 Proposal for a regulation Recital 11 Text proposed by the Commission Amendment (11) The services used for communications purposes, and the technical means of their delivery, have evolved considerably. End-users increasingly replace traditional voice telephony, text messages (SMS) and electronic mail conveyance services in favour of functionally equivalent online services such as Voice over IP, messaging services and web-based e-mail services. In order to ensure an effective and equal protection of end-users when using functionally equivalent services, this Regulation uses the definition of electronic communications services set forth in the [Directive of the European Parliament and of the Council establishing the European Electronic Communications Code24 ]. That definition encompasses not only internet access services and services consisting wholly or partly in the conveyance of signals but also interpersonal communications services, which may or may not be number-based, such as for example, Voice over IP, messaging services and web-based e-mail services. The protection of confidentiality of communications is crucial also as (11) The services used for communications purposes, and the technical means of their delivery, have evolved considerably. End-users increasingly replace traditional voice telephony, text messages (SMS) and electronic mail conveyance services in favour of functionally equivalent online services such as Voice over IP, messaging services and web-based e-mail services. This Regulation aims at ensuring an effective and equal protection of end-users when using functionally equivalent services, so as to ensure the protection of confidentiality, irrespective of the technological medium chosen. Electronic communications services encompass not only internet access services and services consisting wholly or partly in the conveyance of signals but also interpersonal communications services, which may or may not be number-based, such as for example, Voice over IP, messaging services and web-based e-mail services. The protection of confidentiality of communications is crucial also as regards interpersonal communications services that are ancillary to another PR\1127393EN.docx 11/90 PE606.011v01–00 EN regards interpersonal communications services that are ancillary to another service; therefore, such type of services also having a communication functionality should be covered by this Regulation. service; therefore, such type of services also having a communication functionality should be covered by this Regulation. __________________ __________________ 24 24 Commission proposal for a Directive of the European Parliament and of the Council establishing the European Electronic Communications Code (Recast) (COM/2016/0590 final - 2016/0288 (COD)). Commission proposal for a Directive of the European Parliament and of the Council establishing the European Electronic Communications Code (Recast) (COM/2016/0590 final - 2016/0288 (COD)). Or. en Justification This amendment clarifies the scope of the Regulation to ensure an equal protection regardless of the technological means used for communications as this Regulation should be technologically neutral. Amendment 10 Proposal for a regulation Recital 12 Text proposed by the Commission Amendment (12) Connected devices and machines increasingly communicate with each other by using electronic communications networks (Internet of Things). The transmission of machine-to-machine communications involves the conveyance of signals over a network and, hence, usually constitutes an electronic communications service. In order to ensure full protection of the rights to privacy and confidentiality of communications, and to promote a trusted and secure Internet of Things in the digital single market, it is necessary to clarify that this Regulation should apply to the transmission of machine-to-machine communications. Therefore, the principle of confidentiality enshrined in this Regulation should also (12) Connected devices and machines increasingly communicate with each other by using electronic communications networks (Internet of Things). The transmission of machine-to-machine communications involves the conveyance of signals over a network and, hence, usually constitutes an electronic communications service. In order to ensure full protection of the rights to privacy and confidentiality of communications, and to promote a trusted and secure Internet of Things in the digital single market, it is necessary to clarify that this Regulation should apply also to the machine-tomachine communications whenever these are related to users. Therefore, the principle of confidentiality enshrined in PE606.011v01–00 EN 12/90 PR\1127393EN.docx apply to the transmission of machine-tomachine communications. Specific safeguards could also be adopted under sectorial legislation, as for instance Directive 2014/53/EU. this Regulation should also apply to the transmission of machine-to-machine communications. Specific safeguards could also be adopted under sectorial legislation, as for instance Directive 2014/53/EU. Or. en Amendment 11 Proposal for a regulation Recital 13 Text proposed by the Commission Amendment (13) The development of fast and efficient wireless technologies has fostered the increasing availability for the public of internet access via wireless networks accessible by anyone in public and semiprivate spaces such as 'hotspots' situated at different places within a city, department stores, shopping malls and hospitals. To the extent that those communications networks are provided to an undefined group of end-users, the confidentiality of the communications transmitted through such networks should be protected. The fact that wireless electronic communications services may be ancillary to other services should not stand in the way of ensuring the protection of confidentiality of communications data and application of this Regulation. Therefore, this Regulation should apply to electronic communications data using electronic communications services and public communications networks. In contrast, this Regulation should not apply to closed groups of end-users such as corporate networks, access to which is limited to members of the corporation. (13) The development of fast and efficient wireless technologies has fostered the increasing availability for the public of internet access via wireless networks accessible by anyone in public and semiprivate spaces such as Wi-Fi access points situated at different places within a city, for example department stores, shopping malls and hospitals, as well as airports, hotels and restaurants. Those Wi-Fi access points might require a login or provide a password and might be provided also by public administrations. To the extent that those communications networks are provided to users, the confidentiality of the communications transmitted through such networks should be protected. The fact that wireless electronic communications services may be ancillary to other services should not stand in the way of ensuring the protection of confidentiality of communications data and application of this Regulation. Therefore, this Regulation should apply to electronic communications data using electronic communications services and public communications networks. In addition, this Regulation should apply to closed social media profiles and groups that the user has restricted or defined as private. In contrast, this Regulation should not apply to closed groups of end-users such as PR\1127393EN.docx 13/90 PE606.011v01–00 EN corporate intranet networks, access to which is limited to members of an organisation. Or. en Amendment 12 Proposal for a regulation Recital 14 Text proposed by the Commission Amendment (14) Electronic communications data should be defined in a sufficiently broad and technology neutral way so as to encompass any information concerning the content transmitted or exchanged (electronic communications content) and the information concerning an end-user of electronic communications services processed for the purposes of transmitting, distributing or enabling the exchange of electronic communications content; including data to trace and identify the source and destination of a communication, geographical location and the date, time, duration and the type of communication. Whether such signals and the related data are conveyed by wire, radio, optical or electromagnetic means, including satellite networks, cable networks, fixed (circuitand packet-switched, including internet) and mobile terrestrial networks, electricity cable systems, the data related to such signals should be considered as electronic communications metadata and therefore be subject to the provisions of this Regulation. Electronic communications metadata may include information that is part of the subscription to the service when such information is processed for the purposes of transmitting, distributing or exchanging electronic communications content. (14) Electronic communications data should be defined in a sufficiently broad and technology neutral way so as to encompass any information concerning the content transmitted or exchanged (electronic communications content) and the information concerning an end-user of electronic communications services processed for the purposes of transmitting, distributing or enabling the exchange of electronic communications content; including data to trace and identify the source and destination of a communication, geographical location and the date, time, duration and the type of communication. It should also include specific location data, such as for example, the location of the terminal equipment from or to which a phone call or an internet connection has been made or the Wi-Fi access points that a device is connected to, as well as data necessary to identify users' terminal equipment. Whether such signals and the related data are conveyed by wire, radio, optical or electromagnetic means, including satellite networks, cable networks, fixed (circuit- and packetswitched, including internet) and mobile terrestrial networks, electricity cable systems, the data related to such signals should be considered as electronic communications metadata and therefore be subject to the provisions of this Regulation. Electronic communications metadata may PE606.011v01–00 EN 14/90 PR\1127393EN.docx include information that is part of the subscription to the service when such information is processed for the purposes of transmitting, distributing or exchanging electronic communications content. Or. en Amendment 13 Proposal for a regulation Recital 15 Text proposed by the Commission Amendment (15) Electronic communications data should be treated as confidential. This means that any interference with the transmission of electronic communications data, whether directly by human intervention or through the intermediation of automated processing by machines, without the consent of all the communicating parties should be prohibited. The prohibition of interception of communications data should apply during their conveyance, i.e. until receipt of the content of the electronic communication by the intended addressee. Interception of electronic communications data may occur, for example, when someone other than the communicating parties, listens to calls, reads, scans or stores the content of electronic communications, or the associated metadata for purposes other than the exchange of communications. Interception also occurs when third parties monitor websites visited, timing of the visits, interaction with others, etc., without the consent of the end-user concerned. As technology evolves, the technical ways to engage in interception have also increased. Such ways may range from the installation of equipment that gathers data from terminal equipment over targeted areas, such as the so-called IMSI (International (15) Electronic communications should be treated as confidential. This means that any interference with the transmission of electronic communications, whether directly by human intervention or through the intermediation of automated processing by machines, without the consent of all the communicating parties should be prohibited. When the processing is allowed under any exception to the prohibitions under this Regulation, any other processing on the basis of Article 6 of Regulation (EU) 2016/679 should be considered as prohibited, including processing for another purpose on the basis of Article 6(4) of that Regulation. This should not prevent requesting additional consent for new processing operations. The prohibition of interception of communications should apply also during their conveyance, i.e. until receipt of the content of the electronic communication by the intended addressee, and to any temporary files in the network after receipt. Interception of electronic communications may occur, for example, when someone other than the communicating parties, listens to calls, reads, scans or stores the content of electronic communications, or the associated metadata for purposes other than the exchange of communications. PR\1127393EN.docx 15/90 PE606.011v01–00 EN Mobile Subscriber Identity) catchers, to programs and techniques that, for example, surreptitiously monitor browsing habits for the purpose of creating end-user profiles. Other examples of interception include capturing payload data or content data from unencrypted wireless networks and routers, including browsing habits without the end-users' consent. Interception also occurs when other parties monitor websites visited, timing of the visits, interaction with others, etc., without the consent of the user concerned. As technology evolves, the technical ways to engage in interception have also increased. Such ways may range from the installation of equipment that gathers data from terminal equipment over targeted areas, such as the so-called IMSI (International Mobile Subscriber Identity) catchers, to programs and techniques that, for example, surreptitiously monitor browsing habits for the purpose of creating user profiles. Other examples of interception include capturing payload data or content data from unencrypted wireless networks and routers, and analysis of customers' traffic data, including browsing habits without the users' consent. Or. en Amendment 14 Proposal for a regulation Recital 16 Text proposed by the Commission Amendment (16) The prohibition of storage of communications is not intended to prohibit any automatic, intermediate and transient storage of this information insofar as this takes place for the sole purpose of carrying out the transmission in the electronic communications network. It should not prohibit either the processing of electronic communications data to ensure the security and continuity of the electronic communications services, including checking security threats such as the presence of malware or the processing of metadata to ensure the necessary quality of service requirements, such as latency, jitter etc. (16) The prohibition of storage of communications is not intended to prohibit any automatic, intermediate and transient storage of this information insofar as this takes place for the sole purpose of carrying out the transmission. It should not prohibit either the processing of electronic communications data to ensure the security and continuity of the electronic communications services, including checking security threats such as the presence of malware, spam or distributed denial-of-service attacks, or the processing of metadata to ensure the necessary quality of service requirements, such as latency, jitter etc. PE606.011v01–00 EN 16/90 PR\1127393EN.docx Or. en Amendment 15 Proposal for a regulation Recital 16 a (new) Text proposed by the Commission Amendment (16a) It should be possible to oblige providers of electronic communications services to ensure a certain quality of service by, for example, ensuring that the service does not suffer degradation or that the traffic is not unduly slowed down. In this regard, it may be necessary, in some limited circumstances, to analyse metadata in real time and respond to fluctuations in traffic. Certain electronic communications metadata are necessary to enable providers to correctly bill endusers for the services used and to allow end-users to verify that the cost incurred corresponds to their actual usage. The processing and storage of such data for these purposes should therefore be permitted without requiring consent by the end-user concerned. This processing includes possible processing for customer service purposes. Metadata may also be processed to detect fraudulent use, or abusive use pursuant to Directive (EU) 2013/0309. Where a type of processing of electronic communications metadata, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, a data protection impact assessment and, as the case may be, a consultation of the supervisory authority should take place prior to the processing, in accordance with Articles 35 and 36 of Regulation (EU) 2016/679. Moreover, the parties involved in the processing of location data and other metadata should make public PR\1127393EN.docx 17/90 PE606.011v01–00 EN their methods of anonymisation and further aggregation, without prejudice to secrecy obligations safeguarded by law. The anonymisation method should, once the defined purposes of the processing have been fulfilled, technically prevent all parties from singling out a user within a set of data or from linking new data collected from the users' device to the existing set of data. Or. en Amendment 16 Proposal for a regulation Recital 17 Text proposed by the Commission Amendment (17) The processing of electronic communications data can be useful for businesses, consumers and society as a whole. Vis-à-vis Directive 2002/58/EC, this Regulation broadens the possibilities for providers of electronic communications services to process electronic communications metadata, based on end-users consent. However, end-users attach great importance to the confidentiality of their communications, including their online activities, and that they want to control the use of electronic communications data for purposes other than conveying the communication. Therefore, this Regulation should require providers of electronic communications services to obtain end-users' consent to process electronic communications metadata, which should include data on the location of the device generated for the purposes of granting and maintaining access and connection to the service. Location data that is generated other than in the context of providing electronic communications services should not be considered as metadata. Examples of (17) The processing of electronic communications data can be useful for businesses, consumers and society as a whole. Examples of such usages of electronic communications metadata by providers of electronic communications services may include the provision of heatmaps; a graphical representation of data using colours to indicate the presence of individuals. To display the traffic movements in certain directions during a certain period of time, an identifier is necessary to link the positions of individuals at certain time intervals, provided that the data are immediately anonymised or anonymisation techniques are used where the user is mixed with others. Such usage of electronic communications metadata could, for example, benefit public authorities and public transport operators to define where to develop new infrastructure, based on the usage of and pressure on the existing structure. PE606.011v01–00 EN 18/90 PR\1127393EN.docx commercial usages of electronic communications metadata by providers of electronic communications services may include the provision of heatmaps; a graphical representation of data using colors to indicate the presence of individuals. To display the traffic movements in certain directions during a certain period of time, an identifier is necessary to link the positions of individuals at certain time intervals. This identifier would be missing if anonymous data were to be used and such movement could not be displayed. Such usage of electronic communications metadata could, for example, benefit public authorities and public transport operators to define where to develop new infrastructure, based on the usage of and pressure on the existing structure. Where a type of processing of electronic communications metadata, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, a data protection impact assessment and, as the case may be, a consultation of the supervisory authority should take place prior to the processing, in accordance with Articles 35 and 36 of Regulation (EU) 2016/679. Or. en Amendment 17 Proposal for a regulation Recital 17 a (new) Text proposed by the Commission Amendment (17a) This Regulation broadens the possibilities for providers of electronic communications services to process electronic communications metadata based on users' informed consent. PR\1127393EN.docx 19/90 PE606.011v01–00 EN However, users attach great importance to the confidentiality of their communications, including their online activities, and they want to control the use of their electronic communications data for purposes other than conveying the communication. Therefore, this Regulation should require providers of electronic communications services to obtain users' consent to process electronic communications metadata, which should include data on the location of the device generated for the purposes of granting and maintaining access and connection to the service. For the purposes of this Regulation, the consent of an end-user, regardless of whether the latter is a natural or legal person, should have the same meaning and be subject to the same conditions as the consent of the data subject under Regulation (EU) 2016/679. The end-users should have the right to withdraw their consent from an additional service without breaching the contract for the basic service. Consent for processing data from internet or voice communications usage should not be valid if the user has no genuine and free choice, or is unable to refuse or withdraw consent without detriment. Or. en Amendment 18 Proposal for a regulation Recital 18 Text proposed by the Commission Amendment (18) End-users may consent to the processing of their metadata to receive specific services such as protection services against fraudulent activities (by analysing usage data, location and customer account in real time). In the digital economy, services are often PE606.011v01–00 EN deleted 20/90 PR\1127393EN.docx supplied against counter-performance other than money, for instance by endusers being exposed to advertisements. For the purposes of this Regulation, consent of an end-user, regardless of whether the latter is a natural or a legal person, should have the same meaning and be subject to the same conditions as the data subject's consent under Regulation (EU) 2016/679. Basic broadband internet access and voice communications services are to be considered as essential services for individuals to be able to communicate and participate to the benefits of the digital economy. Consent for processing data from internet or voice communication usage will not be valid if the data subject has no genuine and free choice, or is unable to refuse or withdraw consent without detriment. Or. en Amendment 19 Proposal for a regulation Recital 19 Text proposed by the Commission Amendment (19) The content of electronic communications pertains to the essence of the fundamental right to respect for private and family life, home and communications protected under Article 7 of the Charter. Any interference with the content of electronic communications should be allowed only under very clear defined conditions, for specific purposes and be subject to adequate safeguards against abuse. This Regulation provides for the possibility of providers of electronic communications services to process electronic communications data in transit, with the informed consent of all the endusers concerned. For example, providers (19) The content of electronic communications pertains to the essence of the fundamental right to respect for private and family life, home and communications protected under Article 7 of the Charter. This Regulation provides for the possibility of providers of electronic communications services to process electronic communications data at rest or in transit, with the informed consent of all the users concerned. For example, providers may offer services that entail the scanning of emails to remove certain pre-defined material. Given the sensitivity of the content of communications, this Regulation sets forth a presumption that the processing PR\1127393EN.docx 21/90 PE606.011v01–00 EN may offer services that entail the scanning of emails to remove certain pre-defined material. Given the sensitivity of the content of communications, this Regulation sets forth a presumption that the processing of such content data will result in high risks to the rights and freedoms of natural persons. When processing such type of data, the provider of the electronic communications service should always consult the supervisory authority prior to the processing. Such consultation should be in accordance with Article 36 (2) and (3) of Regulation (EU) 2016/679. The presumption does not encompass the processing of content data to provide a service requested by the end-user where the end-user has consented to such processing and it is carried out for the purposes and duration strictly necessary and proportionate for such service. After electronic communications content has been sent by the end-user and received by the intended end-user or end-users, it may be recorded or stored by the end-user, endusers or by a third party entrusted by them to record or store such data. Any processing of such data must comply with Regulation (EU) 2016/679. of such content data will result in high risks to the rights and freedoms of natural persons. When processing such type of data, the provider of the electronic communications service should always consult the supervisory authority prior to the processing. Such consultation should be in accordance with Article 36 (2) and (3) of Regulation (EU) 2016/679. The presumption does not encompass the processing of content data to provide a service requested by the user where the user has consented to such processing and it is carried out for the purposes and duration strictly necessary and proportionate for such service. After electronic communications content has been sent by the user and received by the intended user or users, it may be recorded or stored by the user, users or by another party entrusted by them to record or store such data. Any processing of such data must comply with Regulation (EU) 2016/679. Or. en Amendment 20 Proposal for a regulation Recital 19 a (new) Text proposed by the Commission Amendment (19a) It should be possible to process electronic communications data for the purposes of providing services explicitly requested by a user for personal or personal work-related purposes such as search or keyword indexing functionality, virtual assistants, text-to-speech engines and translation services, including PE606.011v01–00 EN 22/90 PR\1127393EN.docx picture-to-voice or other automated content processing used as accessibility tools by persons with disabilities. This should be possible without the consent of all users but may only take place with the consent of the user requesting the service. Such specific consent also precludes the provider from processing those data for different purposes. Or. en Amendment 21 Proposal for a regulation Recital 20 Text proposed by the Commission Amendment (20) Terminal equipment of end-users of electronic communications networks and any information relating to the usage of such terminal equipment, whether in particular is stored in or emitted by such equipment, requested from or processed in order to enable it to connect to another device and or network equipment, are part of the private sphere of the end-users requiring protection under the Charter of Fundamental Rights of the European Union and the European Convention for the Protection of Human Rights and Fundamental Freedoms. Given that such equipment contains or processes information that may reveal details of an individual's emotional, political, social complexities, including the content of communications, pictures, the location of individuals by accessing the device’s GPS capabilities, contact lists, and other information already stored in the device, the information related to such equipment requires enhanced privacy protection. Furthermore, the so-called spyware, web bugs, hidden identifiers, tracking cookies and other similar unwanted tracking tools can enter end-user's terminal equipment (20) Terminal equipment of users of electronic communications networks and any information relating to the usage of such terminal equipment, whether in particular is stored in or emitted by such equipment, requested from or processed in order to enable it to connect to another device and or network equipment, are part of the private sphere of the users requiring protection under the Charter of Fundamental Rights of the European Union and the European Convention for the Protection of Human Rights and Fundamental Freedoms. Given that such equipment contains or processes very sensitive data that may reveal details of the behaviour, psychological features, emotional condition and political and social preferences of an individual, including the content of communications, pictures, the location of individuals by accessing the GPS capabilities of their device, contact lists, and other information already stored in the device, the information related to such equipment requires enhanced privacy protection. Information related to the user’s device may also be collected remotely for the PR\1127393EN.docx 23/90 PE606.011v01–00 EN purpose of identification and tracking, using techniques such as the so-called ‘device fingerprinting’, often without the knowledge of the user, and may seriously intrude upon the privacy of these users. Furthermore, so-called spyware, web bugs, hidden identifiers and unwanted tracking tools can enter users' terminal equipment without their knowledge in order to gain access to information or to store hidden information. Techniques that surreptitiously monitor the actions of users, for example by tracking their activities online or the location of their terminal equipment, or subvert the operation of the users’ terminal equipment pose a serious threat to the privacy of users. Therefore, any such interference with the user's terminal equipment should be allowed only with the user's consent and for specific and transparent purposes. Users should receive all relevant information about the intended processing in clear and easily understandable language. Such information should be provided separately from the terms and conditions of the service. without their knowledge in order to gain access to information, to store hidden information and to trace the activities. Information related to the end-user’s device may also be collected remotely for the purpose of identification and tracking, using techniques such as the so-called ‘device fingerprinting’, often without the knowledge of the end-user, and may seriously intrude upon the privacy of these end-users. Techniques that surreptitiously monitor the actions of end-users, for example by tracking their activities online or the location of their terminal equipment, or subvert the operation of the end-users’ terminal equipment pose a serious threat to the privacy of end-users. Therefore, any such interference with the end-user's terminal equipment should be allowed only with the end-user's consent and for specific and transparent purposes. Or. en Amendment 22 Proposal for a regulation Recital 21 Text proposed by the Commission Amendment (21) Exceptions to the obligation to obtain consent to make use of the processing and storage capabilities of terminal equipment or to access information stored in terminal equipment should be limited to situations that involve no, or only very limited, intrusion of privacy. For instance, consent should not be requested for authorizing the technical (21) Exceptions to the obligation to obtain consent to make use of the processing and storage capabilities of terminal equipment or to access information stored in terminal equipment should be limited to situations that involve no, or only very limited, intrusion of privacy. For instance, consent should not be requested for authorizing the technical PE606.011v01–00 EN 24/90 PR\1127393EN.docx storage or access which is strictly necessary and proportionate for the legitimate purpose of enabling the use of a specific service explicitly requested by the end-user. This may include the storing of cookies for the duration of a single established session on a website to keep track of the end-user’s input when filling in online forms over several pages. Cookies can also be a legitimate and useful tool, for example, in measuring web traffic to a website. Information society providers that engage in configuration checking to provide the service in compliance with the end-user's settings and the mere logging of the fact that the end-user’s device is unable to receive content requested by the enduser should not constitute access to such a device or use of the device processing capabilities. storage or access which is strictly necessary and proportionate for the legitimate purpose of enabling the use of a specific service explicitly requested by the user. This may include the storing of information (such as cookies and identifiers) for the duration of a single established session on a website to keep track of the user’s input when filling in online forms over several pages. Tracking techniques, if implemented with appropriate privacy safeguards, can also be a legitimate and useful tool, for example, in measuring web traffic to a website. Information society providers could engage in configuration checking in order to provide the service in compliance with the user's settings and the mere logging revealing the fact that the user’s device is unable to receive content requested by the user, should not constitute illegitimate access. Or. en Amendment 23 Proposal for a regulation Recital 22 Text proposed by the Commission Amendment (22) The methods used for providing information and obtaining end-user's consent should be as user-friendly as possible. Given the ubiquitous use of tracking cookies and other tracking techniques, end-users are increasingly requested to provide consent to store such tracking cookies in their terminal equipment. As a result, end-users are overloaded with requests to provide consent. The use of technical means to provide consent, for example, through transparent and user-friendly settings, may address this problem. Therefore, this Regulation should provide for the (22) The methods used for providing information and obtaining end-user's consent should be as user-friendly as possible. Given the ubiquitous use of tracking cookies and other tracking techniques, users are increasingly requested to provide consent to store such tracking cookies in their terminal equipment. As a result, users are overloaded with requests to provide consent. The use of technical means to provide consent, for example, through transparent and user-friendly settings, may address this problem. Therefore, this Regulation should prevent the use of so- PR\1127393EN.docx 25/90 PE606.011v01–00 EN possibility to express consent by using the appropriate settings of a browser or other application. The choices made by endusers when establishing its general privacy settings of a browser or other application should be binding on, and enforceable against, any third parties. Web browsers are a type of software application that permits the retrieval and presentation of information on the internet. Other types of applications, such as the ones that permit calling and messaging or provide route guidance, have also the same capabilities. Web browsers mediate much of what occurs between the end-user and the website. From this perspective, they are in a privileged position to play an active role to help the end-user to control the flow of information to and from the terminal equipment. More particularly web browsers may be used as gatekeepers, thus helping end-users to prevent information from their terminal equipment (for example smart phone, tablet or computer) from being accessed or stored. called "cookie walls" and "cookie banners" that do not help users to maintain control over their personal information and privacy or become informed about their rights. This Regulation should provide for the possibility to express consent by technical specifications, for instance by using the appropriate settings of a browser or other application. Those settings should include choices concerning the storage of information on the user's terminal equipment as well as a signal sent by the browser or other application indicating the user's preferences to other parties. The choices made by users when establishing the general privacy settings of a browser or other application should be binding on, and enforceable against, any third parties. Web browsers are a type of software application that permits the retrieval and presentation of information on the internet. Other types of applications, such as the ones that permit calling and messaging or provide route guidance, have also the same capabilities. Web browsers mediate much of what occurs between the user and the website. From this perspective, they are in a privileged position to play an active role to help the user to control the flow of information to and from the terminal equipment. More particularly, web browsers, applications or mobile operating systems may be used as the executor of a user's choices, thus helping users to prevent information from their terminal equipment (for example smart phone, tablet or computer) from being accessed or stored. Or. en Amendment 24 Proposal for a regulation Recital 23 PE606.011v01–00 EN 26/90 PR\1127393EN.docx Text proposed by the Commission Amendment (23) The principles of data protection by design and by default were codified under Article 25 of Regulation (EU) 2016/679. Currently, the default settings for cookies are set in most current browsers to ‘accept all cookies’. Therefore providers of software enabling the retrieval and presentation of information on the internet should have an obligation to configure the software so that it offers the option to prevent third parties from storing information on the terminal equipment; this is often presented as ‘reject third party cookies’. End-users should be offered a set of privacy setting options, ranging from higher (for example, ‘never accept cookies’) to lower (for example, ‘always accept cookies’) and intermediate (for example, ‘reject third party cookies’ or ‘only accept first party cookies’). Such privacy settings should be presented in a an easily visible and intelligible manner. (23) The principles of data protection by design and by default were codified under Article 25 of Regulation (EU) 2016/679. Currently, the default settings for cookies are set in most current browsers to ‘accept all cookies’. Therefore providers of software enabling the retrieval and presentation of information on the internet should have an obligation to configure the software so that it offers the option to prevent by default the cross-domain tracking and storing of information on the terminal equipment by other parties; this is often presented as ‘reject third party trackers and cookies’. Users should be offered, by default, a set of privacy setting options, ranging from higher (for example, ‘never accept tracker and cookies’) to lower (for example, ‘always accept trackers and cookies’) and intermediate (for example, ‘reject all trackers and cookies that are not strictly necessary to provide a service explicitly requested by the user’ or ‘reject all cross-domain tracking’). These options may also be more fine-grained. Privacy settings should also include options to allow the user to decide for example, whether Flash, JavaScript or similar software can be executed, if a website can collect geolocation data from the user, or if it can access specific hardware such as a webcam or microphone. Such privacy settings should be presented in an easily visible, objective and intelligible manner. Or. en Amendment 25 Proposal for a regulation Recital 24 PR\1127393EN.docx 27/90 PE606.011v01–00 EN Text proposed by the Commission Amendment (24) For web browsers to be able to obtain end-users’ consent as defined under Regulation (EU) 2016/679, for example, to the storage of third party tracking cookies, they should, among others, require a clear affirmative action from the end-user of terminal equipment to signify his or her freely given, specific informed, and unambiguous agreement to the storage and access of such cookies in and from the terminal equipment. Such action may be considered to be affirmative, for example, if end-users are required to actively select ‘accept third party cookies’ to confirm their agreement and are given the necessary information to make the choice. To this end, it is necessary to require providers of software enabling access to internet that, at the moment of installation, end-users are informed about the possibility to choose the privacy settings among the various options and ask them to make a choice. Information provided should not dissuade end-users from selecting higher privacy settings and should include relevant information about the risks associated to allowing third party cookies to be stored in the computer, including the compilation of long-term records of individuals' browsing histories and the use of such records to send targeted advertising. Web browsers are encouraged to provide easy ways for end-users to change the privacy settings at any time during use and to allow the user to make exceptions for or to whitelist certain websites or to specify for which websites (third) party cookies are always or never allowed. deleted Or. en PE606.011v01–00 EN 28/90 PR\1127393EN.docx Amendment 26 Proposal for a regulation Recital 25 Text proposed by the Commission Amendment (25) Accessing electronic communications networks requires the regular emission of certain data packets in order to discover or maintain a connection with the network or other devices on the network. Furthermore, devices must have a unique address assigned in order to be identifiable on that network. Wireless and cellular telephone standards similarly involve the emission of active signals containing unique identifiers such as a MAC address, the IMEI (International Mobile Station Equipment Identity), the IMSI etc. A single wireless base station (i.e. a transmitter and receiver), such as a wireless access point, has a specific range within which such information may be captured. Service providers have emerged who offer tracking services based on the scanning of equipment related information with diverse functionalities, including people counting, providing data on the number of people waiting in line, ascertaining the number of people in a specific area, etc. This information may be used for more intrusive purposes, such as to send commercial messages to end-users, for example when they enter stores, with personalized offers. While some of these functionalities do not entail high privacy risks, others do, for example, those involving the tracking of individuals over time, including repeated visits to specified locations. Providers engaged in such practices should display prominent notices located on the edge of the area of coverage informing end-users prior to entering the defined area that the technology is in operation within a given perimeter, the purpose of the tracking, the person responsible for it and the existence of any measure the end-user of the terminal (25) Accessing electronic communications networks requires the regular emission of certain data packets in order to discover or maintain a connection with the network or other devices on the network. Furthermore, devices must have a unique address assigned in order to be identifiable on that network. Wireless and cellular telephone standards similarly involve the emission of active signals containing unique identifiers such as a MAC address, the IMEI (International Mobile Station Equipment Identity), the IMSI etc. A single wireless base station (i.e. a transmitter and receiver), such as a wireless access point, has a specific range within which such information may be captured. Service providers have emerged who offer tracking services based on the scanning of equipment related information with diverse functionalities, including people counting, providing data on the number of people waiting in line, ascertaining the number of people in a specific area, etc. This information may be used for more intrusive purposes, such as to send commercial messages to users, for example when they enter stores, with personalised offers. While some of these functionalities do not entail high privacy risks, others do, for example, those involving the tracking of individuals over time, including repeated visits to specified locations. Providers engaged in such practices should display prominent notices located on the edge of the area of coverage informing users prior to entering the defined area that the technology is in operation within a given perimeter, the purpose of the tracking, the person responsible for it and the existence of any measure the user of the terminal equipment PR\1127393EN.docx 29/90 PE606.011v01–00 EN equipment can take to minimize or stop the collection. Additional information should be provided where personal data are collected pursuant to Article 13 of Regulation (EU) 2016/679. can take to minimize or stop the collection. Additional information should be provided where personal data are collected pursuant to Article 13 of Regulation (EU) 2016/679. In addition, such providers should either obtain the user's consent or anonymise the data immediately while limiting the purpose to mere statistical counting within a limited time and space and offering effective opt-out possibilities. Or. en Amendment 27 Proposal for a regulation Recital 26 Text proposed by the Commission Amendment (26) When the processing of electronic communications data by providers of electronic communications services falls within its scope, this Regulation should provide for the possibility for the Union or Member States under specific conditions to restrict by law certain obligations and rights when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard specific public interests, including national security, defence, public security and the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security and other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests. Therefore, this Regulation should not affect the ability of Member States to carry (26) When the processing of electronic communications data by providers of electronic communications services falls within its scope, this Regulation is without prejudice to the possibility for the Union or Member States under specific conditions to restrict by law certain obligations and rights set out in this Regulation when such a restriction is targeted at persons suspected of having committed a criminal offence and constitutes a necessary and proportionate measure in a democratic society to safeguard specific public interests, including national security, defence, public security and the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. Therefore, this Regulation should not affect the ability of Member States to carry out lawful interception of electronic communications or take other measures, if necessary and proportionate to safeguard the public interests mentioned above, in accordance with the Charter of Fundamental Rights of PE606.011v01–00 EN 30/90 PR\1127393EN.docx out lawful interception of electronic communications or take other measures, if necessary and proportionate to safeguard the public interests mentioned above, in accordance with the Charter of Fundamental Rights of the European Union and the European Convention for the Protection of Human Rights and Fundamental Freedoms, as interpreted by the Court of Justice of the European Union and of the European Court of Human Rights. Providers of electronic communications services should provide for appropriate procedures to facilitate legitimate requests of competent authorities, where relevant also taking into account the role of the representative designated pursuant to Article 3(3). the European Union and the European Convention for the Protection of Human Rights and Fundamental Freedoms, as interpreted by the Court of Justice of the European Union and of the European Court of Human Rights. Or. en Amendment 28 Proposal for a regulation Recital 29 Text proposed by the Commission Amendment (29) Technology exists that enables providers of electronic communications services to limit the reception of unwanted calls by end-users in different ways, including blocking silent calls and other fraudulent and nuisance calls. Providers of publicly available number-based interpersonal communications services should deploy this technology and protect end-users against nuisance calls and free of charge. Providers should ensure that endusers are aware of the existence of such functionalities, for instance, by publicising the fact on their webpage. (29) Technology exists that enables providers of electronic communications services to limit the reception of unwanted calls by end-users in different ways, including blocking silent calls, other fraudulent and nuisance calls or marketing calls with a specific code or prefix. Providers of publicly available numberbased interpersonal communications services should deploy this technology and protect end-users against nuisance calls and should do so free of charge. Providers should ensure that end-users are aware of the existence of such functionalities, for instance, by publicising the fact on their webpage. Or. en PR\1127393EN.docx 31/90 PE606.011v01–00 EN Amendment 29 Proposal for a regulation Recital 30 Text proposed by the Commission Amendment (30) Publicly available directories of end-users of electronic communications services are widely distributed. Publicly available directories means any directory or service containing end-users information such as phone numbers (including mobile phone numbers), email address contact details and includes inquiry services. The right to privacy and to protection of the personal data of a natural person requires that end-users that are natural persons are asked for consent before their personal data are included in a directory. The legitimate interest of legal entities requires that endusers that are legal entities have the right to object to the data related to them being included in a directory. (30) Publicly available directories of end-users of electronic communications services are widely distributed. Publicly available directories means any directory or service containing end-users information such as phone numbers (including mobile phone numbers), e-mail address contact details and includes inquiry services. The right to privacy and to protection of the personal data of a natural person requires that users are asked for consent before their personal data are included in a directory. The legitimate interest of legal entities requires that end-users have the right to object to the data related to them being included in a directory. Or. en Amendment 30 Proposal for a regulation Recital 31 Text proposed by the Commission Amendment (31) If end-users that are natural persons give their consent to their data being included in such directories, they should be able to determine on a consent basis which categories of personal data are included in the directory (for example name, email address, home address, user name, phone number). In addition, providers of publicly available directories should inform the end-users of the purposes of the directory and of the search (31) If users give their consent to their data being included in such directories, they should be able to determine on a consent basis which categories of personal data are included in the directory (for example name, e-mail address, home address, user name, phone number). In addition, providers of publicly available directories or electronic communications service providers should inform the endusers of the purposes of the directory and PE606.011v01–00 EN 32/90 PR\1127393EN.docx functions of the directory before including them in that directory. End-users should be able to determine by consent on the basis of which categories of personal data their contact details can be searched. The categories of personal data included in the directory and the categories of personal data on the basis of which the end-user's contact details can be searched should not necessarily be the same. of the search functions of the directory before including them in that directory. Users should be able to determine by consent on the basis of which categories of personal data their contact details can be searched. The categories of personal data included in the directory and the categories of personal data on the basis of which the user's contact details can be searched should not necessarily be the same. Or. en Amendment 31 Proposal for a regulation Recital 32 Text proposed by the Commission Amendment (32) In this Regulation, direct marketing refers to any form of advertising by which a natural or legal person sends direct marketing communications directly to one or more identified or identifiable end-users using electronic communications services. In addition to the offering of products and services for commercial purposes, this should also include messages sent by political parties that contact natural persons via electronic communications services in order to promote their parties. The same should apply to messages sent by other non-profit organisations to support the purposes of the organisation. (32) In this Regulation, direct marketing refers to any form of advertising by which a natural or legal person sends direct marketing communications directly to one or more identified or identifiable end-users using electronic communications services, regardless of the form it takes. In addition to the offering of products and services for commercial purposes, this should also include messages sent by political parties that contact natural persons via electronic communications services in order to promote their parties. The same should apply to messages sent by other non-profit organisations to support the purposes of the organisation. Or. en Amendment 32 Proposal for a regulation Recital 33 PR\1127393EN.docx 33/90 PE606.011v01–00 EN Text proposed by the Commission Amendment (33) Safeguards should be provided to protect end-users against unsolicited communications for direct marketing purposes, which intrude into the private life of end-users. The degree of privacy intrusion and nuisance is considered relatively similar independently of the wide range of technologies and channels used to conduct these electronic communications, whether using automated calling and communication systems, instant messaging applications, emails, SMS, MMS, Bluetooth, etc. It is therefore justified to require that consent of the end-user is obtained before commercial electronic communications for direct marketing purposes are sent to end-users in order to effectively protect individuals against the intrusion into their private life as well as the legitimate interest of legal persons. Legal certainty and the need to ensure that the rules protecting against unsolicited electronic communications remain futureproof justify the need to define a single set of rules that do not vary according to the technology used to convey these unsolicited communications, while at the same time guaranteeing an equivalent level of protection for all citizens throughout the Union. However, it is reasonable to allow the use of e-mail contact details within the context of an existing customer relationship for the offering of similar products or services. Such possibility should only apply to the same company that has obtained the electronic contact details in accordance with Regulation (EU) 2016/679. (33) Safeguards should be provided to protect end-users against unsolicited communications or direct marketing, which intrude into the private life of endusers. The degree of privacy intrusion and nuisance is considered relatively similar independently of the wide range of technologies and channels used to conduct these electronic communications, whether using automated calling and communication systems, instant messaging applications, e-mails, SMS, MMS, Bluetooth, etc. It is therefore justified to require that consent of the end-user is obtained before commercial electronic communications for direct marketing purposes are sent to end-users in order to effectively protect individuals against the intrusion into their private life as well as the legitimate interest of legal persons. Legal certainty and the need to ensure that the rules protecting against unsolicited electronic communications remain futureproof and justify the need to define a single set of rules that do not vary according to the technology used to convey these unsolicited communications, while at the same time guaranteeing an equivalently high level of protection for all individuals throughout the Union. However, it is reasonable to allow the use of e-mail contact details within the context of an existing customer relationship for the offering of similar products or services. Such possibility should only apply to the same company that has obtained the electronic contact details in accordance with Regulation (EU) 2016/679. Or. en PE606.011v01–00 EN 34/90 PR\1127393EN.docx Amendment 33 Proposal for a regulation Recital 34 Text proposed by the Commission Amendment (34) When end-users have provided their consent to receiving unsolicited communications for direct marketing purposes, they should still be able to withdraw their consent at any time in an easy manner. To facilitate effective enforcement of Union rules on unsolicited messages for direct marketing, it is necessary to prohibit the masking of the identity and the use of false identities, false return addresses or numbers while sending unsolicited commercial communications for direct marketing purposes. Unsolicited marketing communications should therefore be clearly recognizable as such and should indicate the identity of the legal or the natural person transmitting the communication or on behalf of whom the communication is transmitted and provide the necessary information for recipients to exercise their right to oppose to receiving further written and/or oral marketing messages. (34) When end-users have provided their consent to receiving unsolicited communications for direct marketing purposes, they should still be able to withdraw their consent at any time in an easy manner. To facilitate effective enforcement of Union rules on unsolicited messages for direct marketing, it is necessary to prohibit the masking of the identity and the use of false identities, false return addresses or numbers while sending unsolicited commercial communications for direct marketing purposes. Or. en Amendment 34 Proposal for a regulation Recital 35 Text proposed by the Commission Amendment (35) In order to allow easy withdrawal of consent, legal or natural persons conducting direct marketing communications by email should present a link, or a valid electronic mail address, which can be easily used by end-users to withdraw their consent. Legal or natural (35) In order to allow easy withdrawal of consent, legal or natural persons conducting direct marketing communications by e-mail should present a link, or a valid electronic mail address, which can be easily used by end-users to withdraw their consent. Legal or natural PR\1127393EN.docx 35/90 PE606.011v01–00 EN persons conducting direct marketing communications through voice-to-voice calls and through calls by automating calling and communication systems should display their identity line on which the company can be called or present a specific code identifying the fact that the call is a marketing call. persons conducting direct marketing communications through voice-to-voice calls and through calls by automating calling and communication systems should display their identity line on which the company can be called or present a specific code identifying the fact that the call is a marketing call. Or. en Amendment 35 Proposal for a regulation Recital 36 Text proposed by the Commission Amendment (36) Voice-to-voice direct marketing calls that do not involve the use of automated calling and communication systems, given that they are more costly for the sender and impose no financial costs on end-users. Member States should therefore be able to establish and or maintain national systems only allowing such calls to end-users who have not objected. (36) Voice-to-voice direct marketing calls that do not involve the use of automated calling and communication systems, given that they are more costly for the sender and impose no financial costs on end-users, justify the possibility for Member States to establish and or maintain national systems only allowing such calls to end-users who have not objected. Or. en Amendment 36 Proposal for a regulation Recital 37 Text proposed by the Commission Amendment (37) Service providers who offer electronic communications services should inform end- users of measures they can take to protect the security of their communications for instance by using specific types of software or encryption technologies. The requirement to inform (37) Service providers who offer electronic communications services should process electronic communications data in such a way as to prevent unauthorised access, disclosure or alteration, ensure that such unauthorised access, disclosure or alteration is capable of being PE606.011v01–00 EN 36/90 PR\1127393EN.docx end-users of particular security risks does not discharge a service provider from the obligation to take, at its own costs, appropriate and immediate measures to remedy any new, unforeseen security risks and restore the normal security level of the service. The provision of information about security risks to the subscriber should be free of charge. Security is appraised in the light of Article 32 of Regulation (EU) 2016/679. ascertained, and also ensure that such electronic communications data are protected by using specific types of software and encryption technologies. The requirement to inform end-users of particular security risks does not discharge a service provider from the obligation to take, at its own costs, appropriate and immediate measures to remedy any new, unforeseen security risks and restore the normal security level of the service. The provision of information about security risks to the subscriber should be free of charge. Security is appraised in the light of Article 32 of Regulation (EU) 2016/679. The obligations of Article 40 of the [European Electronic Communications Code] should apply to all services within the scope of this Regulation as regards the security of networks and services and related security obligations thereto. Or. en Amendment 37 Proposal for a regulation Recital 38 Text proposed by the Commission Amendment (38) To ensure full consistency with Regulation (EU) 2016/679, the enforcement of the provisions of this Regulation should be entrusted to the same authorities responsible for the enforcement of the provisions Regulation (EU) 2016/679 and this Regulation relies on the consistency mechanism of Regulation (EU) 2016/679. Member States should be able to have more than one supervisory authority, to reflect their constitutional, organisational and administrative structure. The supervisory authorities should also be responsible for monitoring the application of this Regulation regarding electronic communications data for legal entities. (38) To ensure full consistency with Regulation (EU) 2016/679, the enforcement of the provisions of this Regulation should be entrusted to the same authorities responsible for the enforcement of the provisions Regulation (EU) 2016/679 and this Regulation relies on the consistency mechanism of Regulation (EU) 2016/679. Member States should be able to have more than one supervisory authority, to reflect their constitutional, organisational and administrative structure. The supervisory authorities should also be responsible for monitoring the application of this Regulation regarding electronic communications data for legal entities. PR\1127393EN.docx 37/90 PE606.011v01–00 EN Such additional tasks should not jeopardise the ability of the supervisory authority to perform its tasks regarding the protection of personal data under Regulation (EU) 2016/679 and this Regulation. Each supervisory authority should be provided with the additional financial and human resources, premises and infrastructure necessary for the effective performance of the tasks under this Regulation. Where more than one supervisory authority is established in a Member State, such authorities should cooperate with each other. They should also cooperate with the authorities appointed to enforce the European Electronic Communications Code and other relevant enforcement authorities, such as the authorities tasked with consumer protection. Such additional tasks should not jeopardise the ability of the supervisory authority to perform its tasks regarding the protection of personal data under Regulation (EU) 2016/679 and this Regulation. Each supervisory authority should be provided with the additional financial and human resources, premises and infrastructure necessary for the effective performance of the tasks under this Regulation. Or. en Amendment 38 Proposal for a regulation Recital 38 a (new) Text proposed by the Commission Amendment (38a) The enforcement of the provisions of this Regulation often requires cooperation between the national supervisory authorities of two or more Member States, for example in combating interferences with the confidentiality of the terminal equipment. In order to ensure a smooth and rapid cooperation in such cases, the procedures of the cooperation and consistency mechanism established under Regulation 2016/679/EU should apply to Chapter II of this Regulation. Therefore, the European Data Protection Board should contribute to the consistent application of this Regulation throughout the Union, in particular by issuing opinions in the PE606.011v01–00 EN 38/90 PR\1127393EN.docx context of the consistency mechanisms or by adopting binding decisions in the context of dispute resolution as provided in Article 65 of Regulation 2016/679/EU, as regards Chapter II of this Regulation. Or. en Amendment 39 Proposal for a regulation Recital 39 Text proposed by the Commission Amendment (39) Each supervisory authority should be competent on the territory of its own Member State to exercise the powers and to perform the tasks set forth in this Regulation. In order to ensure consistent monitoring and enforcement of this Regulation throughout the Union, the supervisory authorities should have the same tasks and effective powers in each Member State, without prejudice to the powers of prosecutorial authorities under Member State law, to bring infringements of this Regulation to the attention of the judicial authorities and engage in legal proceedings. Member States and their supervisory authorities are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation. (39) Each supervisory authority should be competent on the territory of its own Member State to exercise the powers and to perform the tasks, including adopting binding decisions, set forth in this Regulation. In order to ensure consistent monitoring and enforcement of this Regulation throughout the Union, the supervisory authorities should have the same tasks and effective powers in each Member State, including powers of investigation, corrective powers and sanctions, and authorisation and advisory powers, without prejudice to the powers of prosecutorial authorities under Member State law, to bring infringements of this Regulation to the attention of the judicial authorities and engage in legal proceedings. Member States and their supervisory authorities are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation. Or. en Amendment 40 Proposal for a regulation Recital 41 PR\1127393EN.docx 39/90 PE606.011v01–00 EN Text proposed by the Commission Amendment (41) In order to fulfil the objectives of this Regulation, namely to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data and to ensure the free movement of personal data within the Union, the power to adopt acts in accordance with Article 290 of the Treaty should be delegated to the Commission to supplement this Regulation. In particular, delegated acts should be adopted in respect of the information to be presented, including by means of standardised icons in order to give an easily visible and intelligible overview of the collection of information emitted by terminal equipment, its purpose, the person responsible for it and of any measure the end-user of the terminal equipment can take to minimise the collection. Delegated acts are also necessary to specify a code to identify direct marketing calls including those made through automated calling and communication systems. It is of particular importance that the Commission carries out appropriate consultations and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement on Better Law-Making of 13 April 201625 . In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States' experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts. Furthermore, in order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission when provided for by this Regulation. Those powers should be exercised in accordance with Regulation (EU) No 182/2011. (41) In order to fulfil the objectives of this Regulation, namely to protect the fundamental rights and freedoms of natural persons in the provision and use of electronic communications services and in particular their right to respect of their private life and communications with regard to the processing of personal data and to ensure the free movement of personal data within the Union, the power to adopt acts in accordance with Article 290 of the Treaty should be delegated to the Commission to supplement this Regulation. In particular, delegated acts should be adopted in respect of the information to be presented, including by means of standardised icons in order to give an easily visible and intelligible overview of the collection of information emitted by terminal equipment, its purpose, the person responsible for it and of any measure the user of the terminal equipment can take to minimise the collection. It is of particular importance that the Commission carries out appropriate consultations and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement on Better Law-Making of 13 April 201625 . In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States' experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts. Furthermore, in order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission when provided for by this Regulation. For instance, implementing measures are necessary to specify a code to identify direct marketing calls including those made through automated calling and communication PE606.011v01–00 EN 40/90 PR\1127393EN.docx systems. Those powers should be exercised in accordance with Regulation (EU) No 182/2011. __________________ __________________ 25 25 Interinstitutional Agreement between the European Parliament, the Council of the European Union and the European Commission on Better Law-Making of 13 April 2016 (OJ L 123, 12.5.2016, p. 1–14). Interinstitutional Agreement between the European Parliament, the Council of the European Union and the European Commission on Better Law-Making of 13 April 2016 (OJ L 123, 12.5.2016, p. 1–14). Or. en Amendment 41 Proposal for a regulation Article 2 – paragraph 1 Text proposed by the Commission Amendment 1. This Regulation applies to the processing of electronic communications data carried out in connection with the provision and the use of electronic communications services and to information related to the terminal equipment of end-users. 1. This Regulation applies to the processing of electronic communications data carried out in connection with the provision and the use of electronic communications services and to information related to or processed by the terminal equipment of end-users. Or. en Amendment 42 Proposal for a regulation Article 3 – paragraph 1 – point c Text proposed by the Commission Amendment (c) the protection of information related to the terminal equipment of endusers located in the Union. (c) the protection of information related to or processed by the terminal equipment of end-users in the Union. Or. en PR\1127393EN.docx 41/90 PE606.011v01–00 EN Amendment 43 Proposal for a regulation Article 3 – paragraph 2 Text proposed by the Commission Amendment 2. Where the provider of an electronic communications service is not established in the Union it shall designate in writing a representative in the Union. 2. Where the provider of an electronic communications service, provider of a publicly available directory, software provider enabling electronic communications or person sending direct marketing commercial communications or collecting (other) information related to or stored in the end-users terminal equipment is not established in the Union it shall designate in writing a representative in the Union. Or. en Amendment 44 Proposal for a regulation Article 3 – paragraph 4 Text proposed by the Commission Amendment 4. The representative shall have the power to answer questions and provide information in addition to or instead of the provider it represents, in particular, to supervisory authorities, and end-users, on all issues related to processing electronic communications data for the purposes of ensuring compliance with this Regulation. 4. The representative shall have the power to answer questions and provide information in addition to or instead of the provider it represents, in particular, to supervisory authorities, courts, and endusers, on all issues related to processing electronic communications data for the purposes of ensuring compliance with this Regulation. Or. en Amendment 45 Proposal for a regulation Article 3 – paragraph 5 a (new) PE606.011v01–00 EN 42/90 PR\1127393EN.docx Text proposed by the Commission Amendment 5a. The representative may be the same as the one designated under Article 27 of Regulation (EU) 2016/679. Or. en Amendment 46 Proposal for a regulation Article 4 – paragraph 1 – point b Text proposed by the Commission Amendment (b) the definitions of ‘electronic communications network’, ‘electronic communications service’, ‘interpersonal communications service’, ‘number-based interpersonal communications service’, ‘number-independent interpersonal communications service’, ‘end-user’ and ‘call’ in points (1), (4), (5), (6), (7), (14) and (21) respectively of Article 2 of [Directive establishing the European Electronic Communications Code]; (b) the definition of ‘call’ in point (21) of Article 2 of [Directive establishing the European Electronic Communications Code]; Or. en Justification It is important to ensure that the definitions used in this Regulation are independent from the Electronic Communications Code proposal and that central terms are defined in this Regulation. Amendment 47 Proposal for a regulation Article 4 – paragraph 2 Text proposed by the Commission Amendment 2. For the purposes of point (b) of paragraph 1, the definition of ‘interpersonal communications service’ PR\1127393EN.docx deleted 43/90 PE606.011v01–00 EN shall include services which enable interpersonal and interactive communication merely as a minor ancillary feature that is intrinsically linked to another service. Or. en Amendment 48 Proposal for a regulation Article 4 – paragraph 3 – point -a (new) Text proposed by the Commission Amendment (-a) 'electronic communications network' means a transmission system, whether or not based on a permanent infrastructure or centralised administration capacity, and, where applicable, switching or routing equipment and other resources, including network elements which are not active, which permit the conveyance of signals by wire, radio, optical or other electromagnetic means, including satellite networks, electricity cable systems, to the extent that they are used for the purpose of transmitting signals, networks used for radio and television broadcasting, and cable television networks, irrespective of the type of information conveyed; Or. en Amendment 49 Proposal for a regulation Article 4 – paragraph 3 – point -a a (new) Text proposed by the Commission Amendment (-aa) 'electronic communications service' means a service provided via electronic communications networks, PE606.011v01–00 EN 44/90 PR\1127393EN.docx whether for remuneration or not, which encompasses one or more of the following: an 'internet access service' as defined in Article 2(2) or Regulation (EU) 2015/2120; an interpersonal communications service; a service consisting wholly or mainly in the conveyance of the signals, such as a transmission service used for the provision of a machine-to-machine service and for broadcasting, but excludes information conveyed as part of a broadcasting service to the public over an electronic communications network or service except to the extent that the information can be related to the identifiable subscriber or user receiving the information; Or. en Amendment 50 Proposal for a regulation Article 4 – paragraph 3 – point -a b (new) Text proposed by the Commission Amendment (-ab) 'interpersonal communications service' means a service, whether provided for remuneration or not, that enables direct interpersonal and interactive exchange of information between a finite number of persons whereby the persons initiating or participating in the communication determine the recipient(s); it includes services enabling interpersonal and interactive communication merely as a minor ancillary feature that is intrinsically linked to another service; Or. en PR\1127393EN.docx 45/90 PE606.011v01–00 EN Amendment 51 Proposal for a regulation Article 4 – paragraph 3 – point -a c (new) Text proposed by the Commission Amendment (-ac) 'number-based interpersonal communications service' means an interpersonal communications service which connects to the public switched telephone network, either by means of assigned numbering resources, i.e. number or numbers in national or international telephone numbering plans, or by enabling communication with a number or numbers in national or international telephone numbering plans; Or. en Amendment 52 Proposal for a regulation Article 4 – paragraph 3 – point -a d (new) Text proposed by the Commission Amendment (-ad) 'number-independent interpersonal communications service' means an interpersonal communications service which does not connect with the public switched telephone network, either by means of assigned numbering resources, i.e. a number or numbers in national or international telephone numbering plans, or by enabling communication with a number or numbers in national or international telephone numbering plans; Or. en PE606.011v01–00 EN 46/90 PR\1127393EN.docx Amendment 53 Proposal for a regulation Article 4 – paragraph 3 – point -a e (new) Text proposed by the Commission Amendment (-ae) 'end-user' means a legal entity or a natural person using or requesting a publicly available electronic communications service; Or. en Amendment 54 Proposal for a regulation Article 4 – paragraph 3 – point -a f (new) Text proposed by the Commission Amendment (-af) 'user' means any natural person using a publicly available electronic communications service, for private or business purposes, without necessarily having subscribed to this service; Or. en Amendment 55 Proposal for a regulation Article 4 – paragraph 3 – point c Text proposed by the Commission Amendment (c) ‘electronic communications metadata’ means data processed in an electronic communications network for the purposes of transmitting, distributing or exchanging electronic communications content; including data used to trace and identify the source and destination of a communication, data on the location of the device generated in the context of providing electronic communications (c) ‘electronic communications metadata’ means data related to a user or electronic communications service, processed for the purposes of transmitting, distributing or exchanging electronic communications content and any other communications related data processed for the provision of the service, which is not considered content; including data to trace and identify the source and PR\1127393EN.docx 47/90 PE606.011v01–00 EN destination of a communication, and the date, time, duration and the type of communication; it includes data broadcasted or emitted by the terminal equipment to identify users' communications and/or the terminal equipment or its location and enable it to connect to a network or to another device; services, and the date, time, duration and the type of communication; Or. en Justification This amendment serves to clarify the exact concept of metadata, as underlined by the Article 29 Working Party, scholars and case-law authorities. Amendment 56 Proposal for a regulation Article 4 – paragraph 3 – point f Text proposed by the Commission Amendment (f) ‘direct marketing communications’ means any form of advertising, whether written or oral, sent to one or more identified or identifiable end-users of electronic communications services, including the use of automated calling and communication systems with or without human interaction, electronic mail, SMS, etc.; (f) ‘direct marketing communications’ means any form of advertising, whether in written, oral or video format, sent, served or presented to one or more identified or identifiable end-users of electronic communications services, including the use of automated calling and communication systems with or without human interaction, electronic mail, SMS, etc.; Or. en Amendment 57 Proposal for a regulation Article 5 – title Text proposed by the Commission Amendment Confidentiality of electronic communications data PE606.011v01–00 EN Confidentiality of electronic communications 48/90 PR\1127393EN.docx Or. en Amendment 58 Proposal for a regulation Article 5 – paragraph 1 Text proposed by the Commission Amendment Electronic communications data shall be confidential. Any interference with electronic communications data, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing of electronic communications data, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation. Electronic communications shall be confidential. Any interference, with electronic communications at rest or in transit, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or any processing of electronic communications, by persons other than the users, shall be prohibited, except when permitted by this Regulation. Or. en Amendment 59 Proposal for a regulation Article 5 – paragraph 1 a (new) Text proposed by the Commission Amendment Confidentiality of electronic communications shall also include terminal equipment and machine-tomachine communications when related to a user. Or. en Amendment 60 Proposal for a regulation Article 6 – title PR\1127393EN.docx 49/90 PE606.011v01–00 EN Text proposed by the Commission Amendment Permitted processing of electronic communications data Lawful processing of electronic communications data Or. en Amendment 61 Proposal for a regulation Article 6 – paragraph 1 – introductory part Text proposed by the Commission Amendment 1. Providers of electronic communications networks and services may process electronic communications data if: 1. Providers of electronic communications networks and services may process electronic communications data only if: Or. en Amendment 62 Proposal for a regulation Article 6 – paragraph 1 – point a Text proposed by the Commission Amendment (a) it is necessary to achieve the transmission of the communication, for the duration necessary for that purpose; or (a) it is technically strictly necessary to achieve the transmission of the communication, for the duration necessary for that purpose; or Or. en Amendment 63 Proposal for a regulation Article 6 – paragraph 1 – point b Text proposed by the Commission (b) it is necessary to maintain or restore PE606.011v01–00 EN Amendment (b) 50/90 it is technically strictly necessary to PR\1127393EN.docx the security of electronic communications networks and services, or detect technical faults and/or errors in the transmission of electronic communications, for the duration necessary for that purpose. maintain or restore the security of electronic communications networks and services, or detect technical faults and/or errors in the transmission of electronic communications, for the duration technically necessary for that purpose. Or. en Amendment 64 Proposal for a regulation Article 6 – paragraph 2 – introductory part Text proposed by the Commission Amendment 2. Providers of electronic communications services may process electronic communications metadata if: 2. Providers of electronic communications services may process electronic communications metadata only if: Or. en Amendment 65 Proposal for a regulation Article 6 – paragraph 2 – point a Text proposed by the Commission Amendment (a) it is necessary to meet mandatory quality of service requirements pursuant to [Directive establishing the European Electronic Communications Code] or Regulation (EU) 2015/212028 for the duration necessary for that purpose; or (a) it is strictly necessary to meet mandatory quality of service requirements pursuant to [Directive establishing the European Electronic Communications Code] or Regulation (EU) 2015/212028 for the duration technically necessary for that purpose; or __________________ __________________ 28 28 Regulation (EU) 2015/2120 of the European Parliament and of the Council of 25 November 2015 laying down measures concerning open internet access and amending Directive 2002/22/EC on universal service and users’ rights relating PR\1127393EN.docx Regulation (EU) 2015/2120 of the European Parliament and of the Council of 25 November 2015 laying down measures concerning open internet access and amending Directive 2002/22/EC on universal service and users’ rights relating 51/90 PE606.011v01–00 EN to electronic communications networks and services and Regulation (EU) No 531/2012 on roaming on public mobile communications networks within the Union (OJ L 310, 26.11.2015, p. 1–18). to electronic communications networks and services and Regulation (EU) No 531/2012 on roaming on public mobile communications networks within the Union (OJ L 310, 26.11.2015, p. 1–18). Or. en Amendment 66 Proposal for a regulation Article 6 – paragraph 2 – point b Text proposed by the Commission Amendment (b) it is necessary for billing, calculating interconnection payments, detecting or stopping fraudulent, or abusive use of, or subscription to, electronic communications services; or (b) it is strictly necessary for billing, calculating interconnection payments, detecting or stopping fraudulent use, or abusive use of electronic communications services; or Or. en Amendment 67 Proposal for a regulation Article 6 – paragraph 2 – point c Text proposed by the Commission Amendment (c) the end-user concerned has given his or her consent to the processing of his or her communications metadata for one or more specified purposes, including for the provision of specific services to such endusers, provided that the purpose or purposes concerned could not be fulfilled by processing information that is made anonymous. (c) after receiving all relevant information about the intended processing in clear and easily understandable language, provided separately from the terms and conditions of the provider, the user or users concerned have given their specific consent to the processing of their communications metadata for one or more specified purposes, including for the provision of specific services to such users, provided that the purpose or purposes concerned could not be fulfilled without the processing of such metadata. PE606.011v01–00 EN 52/90 PR\1127393EN.docx Or. en Amendment 68 Proposal for a regulation Article 6 – paragraph 2 a (new) Text proposed by the Commission Amendment (2a) For the purposes of point (c) of paragraph 2, where a type of processing of electronic communications metadata, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, Articles 35 and 36 of Regulation (EU) 2016/679 shall apply. Or. en Amendment 69 Proposal for a regulation Article 6 – paragraph 3 – point a Text proposed by the Commission Amendment (a) for the sole purpose of the provision of a specific service to an enduser, if the end-user or end-users concerned have given their consent to the processing of his or her electronic communications content and the provision of that service cannot be fulfilled without the processing of such content; or (a) for the sole purpose of the provision of a specific service requested by the user, if the users concerned have given their specific consent to the processing of their electronic communications content and the provision of that specific service cannot be fulfilled without the processing of such content; or Or. en Amendment 70 Proposal for a regulation Article 6 – paragraph 3 – point b PR\1127393EN.docx 53/90 PE606.011v01–00 EN Text proposed by the Commission Amendment (b) if all end-users concerned have given their consent to the processing of their electronic communications content for one or more specified purposes that cannot be fulfilled by processing information that is made anonymous, and the provider has consulted the supervisory authority. Points (2) and (3) of Article 36 of Regulation (EU) 2016/679 shall apply to the consultation of the supervisory authority. (b) if all users concerned have given their consent to the processing of their electronic communications content for one or more specified purposes that cannot be fulfilled by processing information that is made anonymous, and the provider has consulted the supervisory authority. Points (2) and (3) of Article 36 of Regulation (EU) 2016/679 shall apply to the consultation of the supervisory authority. Or. en Amendment 71 Proposal for a regulation Article 6 – paragraph 3 a (new) Text proposed by the Commission Amendment 3a. For the provision of a service explicitly requested by a user of an electronic communications service for their purely individual or individual workrelated usage, the provider of the electronic communications service may process electronic communications data solely for the provision of the explicitly requested service and without the consent of all users only where such requested processing produces effects solely in relation to the user who requested the service and does not adversely affect the fundamental rights of another user or users. Such a specific consent by the user shall preclude the provider from processing these data for any other purpose. Or. en PE606.011v01–00 EN 54/90 PR\1127393EN.docx Amendment 72 Proposal for a regulation Article 6 – paragraph 3 b (new) Text proposed by the Commission Amendment 3b. Neither providers of electronic communications services, nor any other party, shall further process electronic communications data collected on the basis of this Regulation. Or. en Amendment 73 Proposal for a regulation Article 7 – paragraph 1 Text proposed by the Commission Amendment 1. Without prejudice to point (b) of Article 6(1) and points (a) and (b) of Article 6(3), the provider of the electronic communications service shall erase electronic communications content or make that data anonymous after receipt of electronic communication content by the intended recipient or recipients. Such data may be recorded or stored by the end-users or by a third party entrusted by them to record, store or otherwise process such data, in accordance with Regulation (EU) 2016/679. 1. Without prejudice to point (b) of Article 6(1) and points (a) and (b) of Article 6(3), the provider of the electronic communications service shall erase electronic communications content after receipt of electronic communication content by the intended recipient or recipients. Such data may be recorded or stored by the users or by a specific other party entrusted by them to record, store or otherwise process such data. Or. en Amendment 74 Proposal for a regulation Article 7 – paragraph 3 Text proposed by the Commission 3. Amendment Where the processing of electronic PR\1127393EN.docx 3. 55/90 Where the processing of electronic PE606.011v01–00 EN communications metadata takes place for the purpose of billing in accordance with point (b) of Article 6(2), the relevant metadata may be kept until the end of the period during which a bill may lawfully be challenged or a payment may be pursued in accordance with national law. communications metadata takes place for the purpose of billing in accordance with point (b) of Article 6(2), strictly necessary metadata may be kept until the end of the period during which a bill may lawfully be challenged or a payment may be pursued in accordance with national law. Or. en Amendment 75 Proposal for a regulation Article 8 – title Text proposed by the Commission Amendment Protection of information stored in and related to end-users’ terminal equipment Protection of information stored in and related to users’ terminal equipment Or. en Amendment 76 Proposal for a regulation Article 8 – paragraph 1 – introductory part Text proposed by the Commission Amendment 1. The use of processing and storage capabilities of terminal equipment and the collection of information from end-users’ terminal equipment, including about its software and hardware, other than by the end-user concerned shall be prohibited, except on the following grounds: 1. The use of processing and storage capabilities of terminal equipment and the collection of information from users’ terminal equipment, or making information available through the terminal equipment, including information about or generated by its software and hardware, other than by the user concerned shall be prohibited, except on the following grounds: Or. en PE606.011v01–00 EN 56/90 PR\1127393EN.docx Amendment 77 Proposal for a regulation Article 8 – paragraph 1 – point a Text proposed by the Commission Amendment (a) it is necessary for the sole purpose of carrying out the transmission of an electronic communication over an electronic communications network; or (a) it is strictly technically necessary for the sole purpose of carrying out the transmission of an electronic communication over an electronic communications network; or Or. en Amendment 78 Proposal for a regulation Article 8 – paragraph 1 – point b Text proposed by the Commission Amendment (b) the end-user has given his or her consent; or (b) the user has given his or her specific consent, which shall not be mandatory to access the service; or Or. en Amendment 79 Proposal for a regulation Article 8 – paragraph 1 – point c Text proposed by the Commission Amendment (c) it is necessary for providing an information society service requested by the end-user; or (c) it is strictly technically necessary for providing an information society service requested by the user; or Or. en PR\1127393EN.docx 57/90 PE606.011v01–00 EN Amendment 80 Proposal for a regulation Article 8 – paragraph 1 – point d Text proposed by the Commission Amendment (d) if it is necessary for web audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user. (d) if it is technically necessary for web audience measuring of the information society service requested by the user, provided that such measurement is carried out by the provider, or on behalf of the provider, or by an independent web analytics agency acting in the public interest or for scientific purpose; and further provided that no personal data is made accessible to any other party and that such web audience measurement does not adversely affect the fundamental rights of the user; Or. en Amendment 81 Proposal for a regulation Article 8 – paragraph 1 – point d a (new) Text proposed by the Commission Amendment (da) if it is necessary for a security update, provided that: (i) security updates are discreetly packaged and do not in any way change the privacy settings chosen by the user; (ii) the user is informed in advance each time an update is being installed; and (iii) the user has the possibility to turn off the automatic installation of these updates; Or. en PE606.011v01–00 EN 58/90 PR\1127393EN.docx Amendment 82 Proposal for a regulation Article 8 – paragraph 1 – point d b (new) Text proposed by the Commission Amendment (db) if it is necessary in the context of employment relationships, where: (i) the employer provides certain equipment; (ii) the employee is the user of this equipment; and (iii) the interference is strictly necessary for the functioning of the equipment by the employee. Or. en Amendment 83 Proposal for a regulation Article 8 – paragraph 1 a (new) Text proposed by the Commission Amendment 1a. No user shall be denied access to any information society service or functionality, regardless of whether this service is remunerated or not, on grounds that he or she has not given his or her consent under Article 8(1)(b) to the processing of personal information and/or the use of storage capabilities of his or her terminal equipment that is not necessary for the provision of that service or functionality. Or. en Amendment 84 Proposal for a regulation Article 8 – paragraph 2 – subparagraph 1 – point a PR\1127393EN.docx 59/90 PE606.011v01–00 EN Text proposed by the Commission Amendment (a) it is done exclusively in order to, for the time necessary for, and for the purpose of establishing a connection; or (a) it is done exclusively in order to, for the time necessary for, and for the sole purpose of establishing a connection requested by the user; or Or. en Amendment 85 Proposal for a regulation Article 8 – paragraph 2 – subparagraph 1 – point a a (new) Text proposed by the Commission Amendment (aa) the user has been informed and has given consent; or Or. en Amendment 86 Proposal for a regulation Article 8 – paragraph 2 – subparagraph 1 – point a b (new) Text proposed by the Commission Amendment (ab) the data are anonymised and the risks are adequately mitigated. Or. en Amendment 87 Proposal for a regulation Article 8 – paragraph 2 – subparagraph 1 – point b Text proposed by the Commission Amendment (b) a clear and prominent notice is displayed informing of, at least, the modalities of the collection, its purpose, PE606.011v01–00 EN deleted 60/90 PR\1127393EN.docx the person responsible for it and the other information required under Article 13 of Regulation (EU) 2016/679 where personal data are collected, as well as any measure the end-user of the terminal equipment can take to stop or minimise the collection. Or. en Amendment 88 Proposal for a regulation Article 8 – paragraph 2 – subparagraph 2 Text proposed by the Commission Amendment The collection of such information shall be conditional on the application of appropriate technical and organisational measures to ensure a level of security appropriate to the risks, as set out in Article 32 of Regulation (EU) 2016/679, have been applied. deleted Or. en Amendment 89 Proposal for a regulation Article 8 – paragraph 2 a (new) Text proposed by the Commission Amendment 2a. For the purpose of point (ab) of paragraph 2, the following controls shall be implemented to mitigate the risks: (a) the purpose of the data collection from the terminal equipment shall be restricted to mere statistical counting; and (b) the tracking shall be limited in time and space to the extent strictly necessary for this purpose; and (c) PR\1127393EN.docx 61/90 the data shall be deleted or PE606.011v01–00 EN anonymised immediately after the purpose is fulfilled; and (d) the users shall be given effective opt-out possibilities. Or. en Amendment 90 Proposal for a regulation Article 8 – paragraph 2 b (new) Text proposed by the Commission Amendment 2b. The information referred to in points (aa) and (ab) of paragraph 2 shall be conveyed in a clear and prominent notice setting out, at the least, details of how the information will be collected, the purpose of collection, the person responsible for it and other information required under Article 13 of Regulation (EU) 2016/679, where personal data are collected. The collection of such information shall be conditional on the application of appropriate technical and organisational measures to ensure a level of security appropriate to the risks, as set out in Article 32 of Regulation (EU) 2016/679. Or. en Amendment 91 Proposal for a regulation Article 8 – paragraph 3 Text proposed by the Commission Amendment 3. The information to be provided pursuant to point (b) of paragraph 2 may be provided in combination with standardized icons in order to give a meaningful overview of the collection in PE606.011v01–00 EN 3. The information to be provided pursuant to points (aa) and (ab) of paragraph 2 may be provided in combination with standardized icons in order to give a meaningful overview of the 62/90 PR\1127393EN.docx an easily visible, intelligible and clearly legible manner. collection in an easily visible, intelligible and clearly legible manner. Or. en Amendment 92 Proposal for a regulation Article 9 – paragraph 2 Text proposed by the Commission Amendment 2. Without prejudice to paragraph 1, where technically possible and feasible, for the purposes of point (b) of Article 8(1), consent may be expressed by using the appropriate technical settings of a software application enabling access to the internet. 2. Without prejudice to paragraph 1, where technically possible and feasible, for the purposes of point (b) of Article 8(1), consent may be expressed by using technical specifications of electronic communications services. When such technical specifications are used by the user, they shall be binding on, and enforceable against, any other party. Or. en Amendment 93 Proposal for a regulation Article 9 – paragraph 3 Text proposed by the Commission Amendment 3. End-users who have consented to the processing of electronic communications data as set out in point (c) of Article 6(2) and points (a) and (b) of Article 6(3) shall be given the possibility to withdraw their consent at any time as set forth under Article 7(3) of Regulation (EU) 2016/679 and be reminded of this possibility at periodic intervals of 6 months, as long as the processing continues. 3. Users who have consented to the processing of electronic communications data as set out in point (c) of Article 6(2) and points (a) and (b) of Article 6(3), point (b) of Article 8(1) and point (aa) of Article 8(2) shall be given the possibility to withdraw their consent at any time as set forth under Article 7(3) of Regulation (EU) 2016/679 and be reminded of this possibility at periodic intervals of 6 months, as long as the processing continues. Or. en PR\1127393EN.docx 63/90 PE606.011v01–00 EN Amendment 94 Proposal for a regulation Article 10 – paragraph 1 Text proposed by the Commission Amendment 1. Software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall offer the option to prevent third parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipment. 1. Software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall: Or. en Amendment 95 Proposal for a regulation Article 10 – paragraph 1 – point a (new) Text proposed by the Commission Amendment (a) by default, offer privacy protective settings to prevent other parties from storing information on the terminal equipment of a user and from processing information already stored on that equipment; Or. en Amendment 96 Proposal for a regulation Article 10 – paragraph 1 – point b (new) PE606.011v01–00 EN 64/90 PR\1127393EN.docx Text proposed by the Commission Amendment (b) upon installation, inform and offer the user the possibility to change or confirm the privacy settings options defined in point (a) by requiring the user's consent to a setting; Or. en Amendment 97 Proposal for a regulation Article 10 – paragraph 1 – point c (new) Text proposed by the Commission Amendment (c) make the setting defined in points (a) and (b) easily accessible during the use of the software; and Or. en Amendment 98 Proposal for a regulation Article 10 – paragraph 1 – point d (new) Text proposed by the Commission Amendment (d) offer the user the possibility to express specific consent through the settings after the installation of the software. Or. en Amendment 99 Proposal for a regulation Article 10 – paragraph 1 a (new) PR\1127393EN.docx 65/90 PE606.011v01–00 EN Text proposed by the Commission Amendment 1a. For the purpose of points (a) and (b) of paragraph 1, the settings shall include a signal which is sent to the other parties to inform them about the user's privacy settings. These settings shall be binding on, and enforceable against, any other party. Or. en Amendment 100 Proposal for a regulation Article 10 – paragraph 2 Text proposed by the Commission Amendment 2. Upon installation, the software shall inform the end-user about the privacy settings options and, to continue with the installation, require the end-user to consent to a setting. deleted Or. en Amendment 101 Proposal for a regulation Article 11 Text proposed by the Commission Amendment Article 11 deleted Restrictions 1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 5 to 8 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to PE606.011v01–00 EN 66/90 PR\1127393EN.docx safeguard one or more of the general public interests referred to in Article 23(1)(a) to (e) of Regulation (EU) 2016/679 or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests. 2. Providers of electronic communications services shall establish internal procedures for responding to requests for access to end-users’ electronic communications data based on a legislative measure adopted pursuant to paragraph 1. They shall provide the competent supervisory authority, on demand, with information about those procedures, the number of requests received, the legal justification invoked and their response. Or. en Amendment 102 Proposal for a regulation Article 11 a (new) Text proposed by the Commission Amendment Article 11a Restrictions on the rights of the user 1. Union or Member State law to which the provider is subject may restrict by way of a legislative measure the scope of the obligations and principles relating to processing of electronic communications data provided for in Articles 6, 7 and 8 of this Regulation in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22 of Regulation (EU) 2016/679, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or PR\1127393EN.docx 67/90 PE606.011v01–00 EN more of the general public interests referred to in Article 23(1)(a) to (d) of Regulation (EU) 2016/679. 2. In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, pursuant to Article 23(2) of Regulation (EU) 2016/679. Or. en Amendment 103 Proposal for a regulation Article 11 b (new) Text proposed by the Commission Amendment Article 11b Restrictions on confidentiality of communications 1. Union or Member State law may restrict by way of a legislative measure the scope of the rights provided for in Article 5 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the following general public interests: (a) national security; (b) defence; (c) public security; (d) the prevention, investigation, detection or prosecution of serious criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. Or. en PE606.011v01–00 EN 68/90 PR\1127393EN.docx Amendment 104 Proposal for a regulation Article 13 – paragraph 1 Text proposed by the Commission Amendment 1. Regardless of whether the calling end-user has prevented the presentation of the calling line identification, where a call is made to emergency services, providers of publicly available number-based interpersonal communications services shall override the elimination of the presentation of the calling line identification and the denial or absence of consent of an end-user for the processing of metadata, on a per-line basis for organisations dealing with emergency communications, including public safety answering points, for the purpose of responding to such communications. 1. Regardless of whether the calling end-user has prevented the presentation of the calling line identification, where a call is made to emergency services, providers of publicly available number-based interpersonal communications services shall override the elimination of the presentation of the calling line identification and the denial or absence of consent of a user for the processing of metadata, on a per-line basis for organisations dealing with emergency communications, including public safety answering points, for the purpose of responding to such communications. Or. en Amendment 105 Proposal for a regulation Article 14 – paragraph 1 – point a Text proposed by the Commission Amendment (a) to block incoming calls from specific numbers or from anonymous sources; (a) to block incoming calls from specific numbers, or numbers having a specific code or prefix identifying the fact that the call is a marketing call referred to in Article 16(3)(b), or from anonymous sources; Or. en Amendment 106 Proposal for a regulation Article 14 – paragraph 1 – point b PR\1127393EN.docx 69/90 PE606.011v01–00 EN Text proposed by the Commission Amendment (b) to stop automatic call forwarding by a third party to the end-user's terminal equipment. (b) to stop automatic call forwarding by a third party to the user's terminal equipment. Or. en Amendment 107 Proposal for a regulation Article 15 – paragraph 1 Text proposed by the Commission Amendment 1. The providers of publicly available directories shall obtain the consent of endusers who are natural persons to include their personal data in the directory and, consequently, shall obtain consent from these end-users for inclusion of data per category of personal data, to the extent that such data are relevant for the purpose of the directory as determined by the provider of the directory. Providers shall give end-users who are natural persons the means to verify, correct and delete such data. 1. The providers of publicly available directories or the electronic communication service providers shall obtain the consent of end-users who are natural persons to include their personal data in the directory and, consequently, shall obtain consent from these end-users for inclusion of data per category of personal data, to the extent that such data are relevant for the purpose of the directory. Providers shall give end-users who are natural persons the means to verify, correct and delete such data. Or. en Amendment 108 Proposal for a regulation Article 16 – paragraph 1 Text proposed by the Commission Amendment 1. Natural or legal persons may use electronic communications services for the purposes of sending direct marketing communications to end-users who are natural persons that have given their consent. 1. The use by natural or legal persons of electronic communications services, including voice-to-voice calls, automated calling and communications systems, including semi-automated systems that connect the call person to an individual, PE606.011v01–00 EN 70/90 PR\1127393EN.docx faxes, e-mail or other use of electronic communications services for the purposes of presenting unsolicited or direct marketing communications to end-users, shall be allowed only in respect of endusers who have given their prior consent. Or. en Amendment 109 Proposal for a regulation Article 16 – paragraph 3 – point a Text proposed by the Commission Amendment (a) present the identity of a line on which they can be contacted; or (a) present the identity of a line on which they can be contacted; and Or. en Amendment 110 Proposal for a regulation Article 16 – paragraph 3 a (new) Text proposed by the Commission Amendment 3a. Unsolicited marketing communications shall be clearly recognisable as such and shall indicate the identity of the legal or natural person transmitting the communication or on behalf of whom the communication is transmitted. Such communications shall provide the necessary information for recipients to exercise their right to refuse further written or oral marketing messages. Or. en PR\1127393EN.docx 71/90 PE606.011v01–00 EN Amendment 111 Proposal for a regulation Article 16 – paragraph 4 Text proposed by the Commission Amendment 4. Notwithstanding paragraph 1, Member States may provide by law that the placing of direct marketing voice-to-voice calls to end-users who are natural persons shall only be allowed in respect of endusers who are natural persons who have not expressed their objection to receiving those communications. 4. Notwithstanding paragraph 1, Member States may provide by law that the placing of direct marketing voice-to-voice calls to users shall only be allowed in respect of users who have not expressed their objection to receiving those communications. Member States shall provide that users can object to receiving the unsolicited communications via a national Do Not Call Register, thereby also ensuring that the user is only required to opt out once. Or. en Amendment 112 Proposal for a regulation Article 16 – paragraph 6 Text proposed by the Commission Amendment 6. Any natural or legal person using electronic communications services to transmit direct marketing communications shall inform end-users of the marketing nature of the communication and the identity of the legal or natural person on behalf of whom the communication is transmitted and shall provide the necessary information for recipients to exercise their right to withdraw their consent, in an easy manner, to receiving further marketing communications. 6. Any natural or legal person using electronic communications services to transmit direct marketing communications shall inform end-users of the marketing nature of the communication and the identity of the legal or natural person on behalf of whom the communication is transmitted and shall provide the necessary information for recipients to exercise their right to withdraw their consent, in a manner that is as easy as giving the consent and free of charge, to receiving further marketing communications. Or. en PE606.011v01–00 EN 72/90 PR\1127393EN.docx Amendment 113 Proposal for a regulation Article 16 – paragraph 7 Text proposed by the Commission Amendment 7. The Commission shall be empowered to adopt implementing measures in accordance with Article 26(2) specifying the code/or prefix to identify marketing calls, pursuant to point (b) of paragraph 3. 7. The Commission shall be empowered to adopt implementing measures in accordance with Article 26(1) specifying the code/or prefix to identify marketing calls, pursuant to point (b) of paragraph 3. Or. en Amendment 114 Proposal for a regulation Article 17 – title Text proposed by the Commission Amendment Information about detected security risks Integrity of the communications and information about security risks Or. en Amendment 115 Proposal for a regulation Article 17 – paragraph 1 Text proposed by the Commission Amendment In the case of a particular risk that may compromise the security of networks and electronic communications services, the provider of an electronic communications service shall inform end-users concerning such risk and, where the risk lies outside the scope of the measures to be taken by the service provider, inform end-users of any possible remedies, including an indication of the likely costs involved. PR\1127393EN.docx deleted 73/90 PE606.011v01–00 EN Or. en Amendment 116 Proposal for a regulation Article 17 – paragraph 1 a (new) Text proposed by the Commission Amendment The providers of electronic communications services shall ensure that there is sufficient protection in place against unauthorised access or alterations to the electronic communications data, and that the confidentiality and safety of the transmission are also guaranteed by the nature of the means of transmission used or by state-of-the-art end-to-end encryption of the electronic communications data. Furthermore, when encryption of electronic communications data is used, decryption, reverse engineering or monitoring of such communications shall be prohibited. Member States shall not impose any obligations on electronic communications service providers that would result in the weakening of the security and encryption of their networks and services. Or. en Amendment 117 Proposal for a regulation Article 17 – paragraph 1 b (new) Text proposed by the Commission Amendment In the case of a particular risk that may compromise the security of networks and electronic communications services, the relevant provider of an electronic communications service shall inform endusers of such a risk and, where the risk lies outside the scope of the measures to PE606.011v01–00 EN 74/90 PR\1127393EN.docx be taken by the service provider, inform end-users of any possible remedies. Or. en Amendment 118 Proposal for a regulation Article 17 – paragraph 1 c (new) Text proposed by the Commission Amendment As regards the security of networks and services and related security obligations, the obligations of Article 40 of the [European Electronic Communications Code] shall apply mutatis mutandis to all services in the scope of this Regulation. Or. en Amendment 119 Proposal for a regulation Article 19 – paragraph 1 – point b a (new) Text proposed by the Commission Amendment (ba) draw up guidelines for supervisory authorities concerning the application of Article 9(1) and the particularities of expression of consent by legal entities; Or. en Amendment 120 Proposal for a regulation Article 19 – paragraph 1 – point b b (new) Text proposed by the Commission Amendment (bb) PR\1127393EN.docx 75/90 issue guidelines, recommendations PE606.011v01–00 EN and best practices in accordance with point (b) of this paragraph for the purpose of further specifying the criteria and requirements for types of services that may be requested for purely individual or work-related usage as referred to in Article 6(3a); Or. en Amendment 121 Proposal for a regulation Article 19 – paragraph 1 – point b c (new) Text proposed by the Commission Amendment (bc) issue guidelines, recommendations and best practices in accordance with point (b) of this paragraph for the purpose of further specifying the criteria and requirements for: (i) web audience measuring referred to in Article 8(1)(d); (ii) security updates referred to in Article 8(1)(e); (iii) the interference in the context of employment relationships referred to in Article 8(1)(f); (iv) the collection of information emitted by the terminal equipment referred to in Article 8(2a) and (2b); and (v) software settings referred to in Article 10(1) and (2); Or. en Amendment 122 Proposal for a regulation Article 21 – paragraph 1 PE606.011v01–00 EN 76/90 PR\1127393EN.docx Text proposed by the Commission Amendment 1. Without prejudice to any other administrative or judicial remedy, every end-user of electronic communications services shall have the same remedies provided for in Articles 77, 78, and 79 of Regulation (EU) 2016/679. 1. Without prejudice to any other administrative or judicial remedy, every end-user of electronic communications services shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringements if the end-user considers that his or her rights under this Regulation have been infringed. Or. en Amendment 123 Proposal for a regulation Article 21 – paragraph 1 a (new) Text proposed by the Commission Amendment 1a. Without prejudice to any other administrative or non-judicial remedy, every end-user of electronic communications services shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning him or her. End-users shall also have such a right where the supervisory authority does not handle a complaint or does not inform the end- user within three months on the progress or outcome of the complaint lodged. Proceedings against a supervisory authority shall be brought before the court of the Member State where the supervisory authority is established. Or. en PR\1127393EN.docx 77/90 PE606.011v01–00 EN Amendment 124 Proposal for a regulation Article 21 – paragraph 1 b (new) Text proposed by the Commission Amendment 1b. Every end-user of the communications services shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed. Those proceedings against a provider of electronic communication service, the provider of a publicly available directory, software provider enabling electronic communication or persons sending direct marketing commercial communications or collecting information related to or stored in the end-users terminal equipment shall be brought before the courts of the Member State where they have an establishment. Alternatively, such proceedings shall be brought before the court of the Member State of the habitual residence of the enduser. Or. en Amendment 125 Proposal for a regulation Article 21 – paragraph 2 a (new) Text proposed by the Commission Amendment 2a. End-users shall have the right to mandate a not-for-profit body, organisation or association to lodge the complaint on their behalf, to exercise the right referred to in paragraphs 1, 1a and 1b of this Article on their behalf, and to exercise the right to receive compensation referred to in Article 22 on their behalf where provided for by Member State law. Such bodies, organisations or associations PE606.011v01–00 EN 78/90 PR\1127393EN.docx shall be properly constituted in accordance with the law of the Member State concerned, have statutory objectives which are in the public interest, and be active in the field of the protection of data subjects' rights and freedoms with regard to the protection of their personal data and the protection of privacy. Or. en Amendment 126 Proposal for a regulation Article 21 – paragraph 2 b (new) Text proposed by the Commission Amendment 2b. Member States may provide that, independently of an end-user’s mandate, a body, organisation or association has the right to lodge, in that Member State, a complaint with the supervisory authority which is competent pursuant to paragraph 1 and to exercise the rights referred to in paragraphs 1a and 1b if it considers that the rights of the end-user under this Regulation have been infringed. Or. en Amendment 127 Proposal for a regulation Article 22 – paragraph 1 Text proposed by the Commission Amendment Any end-user of electronic communications services who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the infringer for the damage suffered, unless the infringer proves that it is not in Any end-user of electronic communications services who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the infringer for the damage suffered, unless the infringer proves that it is not in PR\1127393EN.docx 79/90 PE606.011v01–00 EN any way responsible for the event giving rise to the damage in accordance with Article 82 of Regulation (EU) 2016/679. any way responsible for the event giving rise to the damage. Or. en Amendment 128 Proposal for a regulation Article 23 – paragraph 2 – point a Text proposed by the Commission Amendment (a) the obligations of any legal or natural person who process electronic communications data pursuant to Article 8; deleted Or. en Amendment 129 Proposal for a regulation Article 23 – paragraph 2 – point b a (new) Text proposed by the Commission Amendment (ba) the obligations of the providers of publicly available number-based interpersonal communication services pursuant to Article 12, 13 and 14; Or. en Amendment 130 Proposal for a regulation Article 23 – paragraph 2 – point d a (new) Text proposed by the Commission Amendment (da) the obligations of the provider of an electronic communications service PE606.011v01–00 EN 80/90 PR\1127393EN.docx pursuant to Article 17. Or. en Amendment 131 Proposal for a regulation Article 23 – paragraph 3 Text proposed by the Commission Amendment 3. Infringements of the principle of confidentiality of communications, permitted processing of electronic communications data, time limits for erasure pursuant to Articles 5, 6, and 7 shall, in accordance with paragraph 1 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. 3. Infringements of the principle of confidentiality of communications, permitted processing of electronic communications data, time limits for erasure pursuant to Articles 5 to 8 shall, in accordance with paragraph 1 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. Or. en Amendment 132 Proposal for a regulation Article 23 – paragraph 4 Text proposed by the Commission Amendment 4. Member States shall lay down the rules on penalties for infringements of Articles 12, 13, 14, and 17. deleted Or. en Amendment 133 Proposal for a regulation Article 25 – paragraph 6 PR\1127393EN.docx 81/90 PE606.011v01–00 EN Text proposed by the Commission Amendment 6. A delegated act adopted pursuant to Article 8(4) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of two months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or of the Council. 6. A delegated act adopted pursuant to Article 8(4) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of three months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by three months at the initiative of the European Parliament or of the Council. Or. en Amendment 134 Proposal for a regulation Article 26 – title Text proposed by the Commission Amendment Committee Committee procedure Or. en Amendment 135 Proposal for a regulation Article 26 – paragraph 1 Text proposed by the Commission Amendment 1. The Commission shall be assisted by the Communications Committee established under Article 110 of the [Directive establishing the European Electronic Communications Code]. That committee shall be a committee within the meaning of Regulation (EU) No 182/201129 . 1. The Commission shall be assisted by the Committee established under Article 93 of the Regulation (EU) 2016/679. That committee shall be a committee within the meaning of Regulation (EU) No 182/201129 . PE606.011v01–00 EN 82/90 PR\1127393EN.docx __________________ __________________ 29 29 Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13–18). Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13–18). Or. en PR\1127393EN.docx 83/90 PE606.011v01–00 EN EXPLANATORY STATEMENT Introduction The Charter of Fundamental Rights of the European Union, legally binding since the entry into force of the Treaty of Lisbon, establishes in its Article 7 the right of private life: “Everyone has the right to respect for his or her private and family life, home and communications”. Article 8 establishes the right to the protection of personal data in the following terms “1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data, which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority.” Article 16 of the Treaty on the Functioning of the European Union provides the legal basis for the adoption of Union legal instruments relating to the protection of personal data. On 10 January 2017 the Commission has presented a proposal for a Regulation concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC) (ePrivacy Regulation). The ePrivacy Directive (2002/58/EC) has set forth rules guaranteeing the protection of privacy in the electronic communications sector. It aimed to ensure that the protection of confidentiality of communications, in line with the fundamental right to the respect of private and family life enshrined in Article 7 of the EU Charter of Fundamental Rights, is guaranteed. The rules it established complemented and particularised those of Directive 95/46/EC (i.e. the Data Protection Directive) which had set out the general legal framework for the protection of personal data in the Union. Since then, the Union has engaged in a profound review of the Union data protection legal framework in order to create a modern, robust and overall framework ensuring a high level of protection of individuals granting them the control over their personal data and at the same time cutting red tape for entities processing personal data. Regulation (EU) 2016/679 (the General Data Protection Regulation) (GDPR) establishes the Union legal framework for data protection. It will be applicable as of 25 May 2018. PE606.011v01–00 EN 84/90 PR\1127393EN.docx The ePrivacy regulation proposal The present ePrivacy proposal seeks to achieve the modernisation of the Union data protection legal framework commenced by the GDPR. It repeals the current ePrivacy Directive 2002/58/EC in order to align its rules to those of the GDPR and to establish a legal framework, which takes account of the important technological and economic developments in the electronic communication sector since the adoption of the ePrivacy Directive in 2002. Today new services of interpersonal communications (Over-The-Top (OTT) providers etc.), as well as machine-to-machine communications and “Internet of Things” (IoT) coexist in parallel with traditional communication services presenting new challenges and risks concerning the privacy and the protection of personal data of individuals. These new services were not covered in the scope of the Directive 2002/58, resulting therefore in a gap of protection. The new proposal takes into account the experience gathered over the years regarding cookies and other tools enabling tracking of individuals that seriously affect the private life and confidentiality of communications. Finally, it takes stock of the recent case law of the Court of Justice. The Commission states that this proposal is a key element of the completion of the Digital Single Market Strategy, as it would increase trust and security of digital services, which is a precondition to the achievement of the Digital Single Market Strategy. The ePrivacy proposal, lex specialis to the GDPR Similarly, to the articulation between the ePrivacy Directive 2002/58/EC and the Directive 95/46/EC, the proposed ePrivacy Regulation particularises and complements the General Data Protection Regulation 2016/679. The e-Privacy proposal is a lex specialis to the GDPR as regards electronic communications data that are personal data. The e-privacy also seeks to ensure and protect the right to the confidentiality of communications, enshrined in Article 7 of the Charter and Article 8 of the European Convention of Human Rights, which have been the object of an extensive and detailed case law by both the ECJ and the ECtHR. The ECJ has confirmed the importance of the confidentiality of communications in its cases “Digital rights Ireland” and “Tele 2 and Watson”. ePrivacy Regulation should ensure a high level of protection The rules of the ePrivacy Regulation should not lower the level of protection afforded by the General Data Protection Regulation. However, the opinions of data protection authorities (EDPS, WP29), as well as numerous scholars and stakeholders consulted by your rapporteur for the preparation of this report, allow to conclude that several provisions of the Commission’s proposal would actually lower the level of protection currently afforded by Union law. Communications data (both content and metadata) are extremely sensitive as they reveal sensitive aspects of the private life of individuals (sexual orientation, philosophical or political beliefs, freedom of expression and information, financial situation, health condition), therefore they deserve a high level of protection. Your rapporteur considers that for this reason, the Commission’s proposal, in order not to lower the high level of protection ensured PR\1127393EN.docx 85/90 PE606.011v01–00 EN by the GDPR, needs to be amended in order to ensure that it will deliver a high level of protection corresponding at least to that offered by the GDPR. The scope of the ePrivacy proposal The ePrivacy proposal expands its scope to cover the new forms of electronic communications and ensure the same level of protection of individuals regardless of the communication service used (OTTs, Internet of Things and machine-to-machine interaction). Your rapporteur supports the Commission’s proposal of extending the scope to cover these new channels and forms of electronic communications. She deems it necessary to clarify that the proposal should apply to the use of electronic communications services and to information related to and processed by the terminal equipment of end-users, as well as to the software permitting end-users’ electronic communications, but also sending direct marketing commercial communications or collecting (other) information related to or stored in end users terminal equipment by other parties. The e-Privacy should also be a stand alone instrument and contain all the relevant provisions avoiding dependence from the Electronic Communications Code (ECC). The definitions of the ECC are included in the proposal, when necessary adapted in order to take account of the subject matter of the proposal; (i.e. the protection of the rights of confidentiality of communications and of data protection). Likewise a definition of “user”, inspired by the current e-Privacy Directive is included in order to protect the rights of the individual actually using a publicly available electronic communications service without necessarily being a subscriber. Your Rapporteur also wishes to keep the definition of end-user, as proposed by the Commission, in order to clarify the situations where also legal entities are covered by the protection of this Regulation. The definition of electronic communications metadata is also amended in order to clarify this concept. Confidentiality of communications (Articles 5- 7) The proposal follows the current ePrivacy Directive, and stresses the confidentiality of electronic communications. It recognises a long standing and fundamental right of individuals, enshrined in the ECHR and the EU Charter. The amendments proposed seek to take account of technological development since the adoption of the ePrivacy Directive. Today electronic communications remain stored with service providers even after receipt. Hence, it is proposed to make it clear that the confidentiality of communications is also ensured with regard communications stored or processed by the terminal equipment or other equipment (e.g. cloud storage) as well as communications in the IoT environment (machineto-machine), when it is related to a user. Since the right to confidentiality of communications is a fundamental right recognised by the Charter, legally binding upon the EU and the Member States, any interference with it, must be limited to what is strictly necessary and proportionate in a democratic society. Your rapporteur proposes several amendments to Article 6, providing for the conditions allowing the lawful interference with the right of confidentiality of communication in order to process PE606.011v01–00 EN 86/90 PR\1127393EN.docx electronic communications data in specific circumstances and under specific conditions. Protection of information stored in and related to users’ terminal equipment The rapporteur welcomes the objective of the proposal of the Commission to protect the information stored in the user’s terminal equipment from accessing it or installing or placing software or information without the consent of the user (Article 8). However, you rapporteur is of the view that the regime proposed by the Commission does not fully ensure a high level of protection, on the contrary it would even lower that afforded by the GDPR. Since information processed or stored in terminal equipment or processed during connection to another device or network equipment (eg free Wi-Fi, hotspots) may reveal very sensitive details of an individual, the processing of this information would be subject to very strict conditions under the GDPR. Therefore, the amendments tabled should ensure legal consistency with the GDPR. In this regard, the conditions allowing access to user’s terminal equipment or to information emitted by it are better framed (Article 8(1)). The so-called “tracking walls” are forbidden (Article 8(1) 1b)), and the conditions for user’s consent is brought in line with the GDPR. Moreover, the use of analytics tools for web audience measuring is clearly defined to take account of the actual techniques used and to ensure that this information is exclusively used for this specific purpose. Article 8(2) is also amended to ensure that tracking of the location of the terminal equipment that happens for instance on the basis of Wi-Fi or Bluetooth signals is brought into line with the GDPR. Article 10 of the proposal refers to options for privacy settings of tools and software used to enable users to prevent other parties from storing information on terminal equipment, or processing information stored on the equipment (Do-Not-Track mechanisms -DNTs-). The rapporteur shares the objective of the proposal but she considers that, in order to reflect the essential core principles of Union data protection law (privacy by design and by default), it must be amended. Indeed, these basic principles are not efficiently integrated in the ePrivacy proposal of the Commission. Therefore it is proposed first, that DNTs are technologically neutral to cover different kinds of technical equipment and software and, second, that DNTs, by default must configure their settings in a manner that prevents other parties from storing information on the terminal equipment or processing information stored on the equipment without the consent of the user, at the same time users should be granted the possibility to change or confirm the default privacy settings options at any moment upon installation. The settings should allow for granulation of consent by the user, taking into account the functionality of cookies and tracking techniques and DNTs should send signals to the other parties informing them of the user’s privacy settings. Compliance with these settings should be legally binding and enforceable against all other parties. Presentation of calls, directories of subscribers and direct marketing (Articles 12-16) Your rapporteur broadly supports the provisions of the proposal relating to the presentation of calls, incoming call blocking and publicly available directories. Regarding unsolicited communications for direct marketing purposes (Article 16), the amendments tabled clarify the scope of the provision to cover the different kinds of means or PR\1127393EN.docx 87/90 PE606.011v01–00 EN techniques used for direct marketing; the use of direct marketing should be allowed only with regard to natural or legal persons who have given their prior consent. Moreover, withdrawal of consent or objecting to direct marketing communications should be possible at any time and free of charge for the user. Article 16(3) frames conditions for placing unsolicited direct marketing calls and strengthens the safeguards for individuals. Unsolicited communications shall be clearly recognisable as such and shall indicate the identity of the person or entity transmitting the communication or on behalf of whom the communication is transmitted and provide the necessary information for recipient to exercise their right to oppose to receiving further marketing messages. Supervisory authorities Your rapporteur fully agrees with the Commission’s proposal stating that the independent supervisory authorities for ensuring compliance with the ePrivacy Regulation be the data protection authorities in charge of the supervision of the GDPR. Since the ePrivacy Regulation complements and particularises the GDPR, entrusting to the same independent authorities the tasks of supervision and enforcing compliance of this Regulation will ensure consistency. Cooperation with national regulatory authorities established pursuant to the Electronic Communications Code (ECC) for monitoring the compliance with the rules set forth in this instrument within their respective task shall be ensured. The regime of fines and sanctions is also amended to cover infringements of the e-Privacy Regulation in line with the GDPR. Conclusion The rapporteur supports the objective of this proposal of establishing a modern comprehensive and technologically neutral framework for electronic communications in the Union, which ensures a high level of protection of individuals with regard to their fundamental rights of private life and data protection. Yet she considers that some aspects must be strengthened in order to guarantee a high level of protection as afforded by Regulation (EU) 2016/679, the Charter of Fundamental Rights and the ECHR. The achievement of a Digital Single Market builds on a reliable legal framework for electronic communications that will increase trust of individuals on digital economy and will also allow businesses to pursue their activities in full respect of fundamental rights. In the preparation of this report, your rapporteur has conducted extensive and thorough discussions with the following stakeholders representing various interests. The rapporteur expects her proposals to form a good basis for swift agreement in the European Parliament and negotiations with the Council in order to ensure that the legal framework is in place by 25 May 2018. PE606.011v01–00 EN 88/90 PR\1127393EN.docx ANNEX: LIST OF ENTITIES FROM WHOM THE RAPPORTEUR HAS RECEIVED INPUT Access Now American Chamber of Commerce App Developers Alliance Apple Article 29 Working Party Association of Commercial Television in EU AT&T Bitkom Bla Bla Car Booking.com Bouygues Europe Business Europe CENTR Cisco CNIL, the French Data Protection Authority Computer and Communications Industry Association (ccia) Confederation of Industry of Czech Republic Cullen International Deutsche Telekom Digital Europe Dropbox Dutch Data Protection Authority EBU EGTA EMMA ENPA Etno EU Tech Alliance Eurocommerce European Association of Communications Agencies European Commission European Consumer Organisation (BEUC) European Data Protection Supervisor European Digital Media Association European Digital Rights (EDRI) European eCommerce and Omni-channel Trade Association European Publishers Council EYE/O Facebook Federation of European Direct and Interactive Marketing PR\1127393EN.docx 89/90 PE606.011v01–00 EN Federation of German Consumer Organisations (VZBV) Finnish Federation of Commerce German Advertising Federation Google IAB Industry Coalition for Data Protection Interactive Software Federation of Europe King KPN La quadrature du net Microfost Mozilla Nielsen Open Xchange Pagefair Permanent Representation of Germany Permanent Representation of Spain Permanent Representation of Sweden Privasee Qualcomm Rakuten Samsung Seznam Siinda Spotify Swedish Trade Federation Symantec Syndika Telefonica The software Alliance (BSA) Verizon Video Gaming Industry Vodafone World Federation of Advertisers PE606.011v01–00 EN 90/90 PR\1127393EN.docx