BETA

Activities of Cornelia ERNST related to 2017/0003(COD)

Shadow reports (1)

REPORT on the proposal for a regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications)
2017/10/23
Committee: LIBE
Dossiers: 2017/0003(COD)
Documents: PDF(1 MB) DOC(310 KB)
Authors: [{'name': 'Birgit SIPPEL', 'mepid': 96932}]

Amendments (76)

Amendment 137 #
Proposal for a regulation
Recital 1
(1) Article 7 of the Charter of Fundamental Rights of the European Union (“the Charter”) protects the fundamental right of everyone to the respect for his or her private and family life, home and communications. Respect for the privacy of one’s communications is an essential dimension of this right. Confidentiality of electronic communications ensures that information exchanged between parties and the external elements of such communication, including information regarding when the information has been sent, from where, to whom, is not to be revealed to anyone other than to the parties involved in a communicationg parties. The principle of confidentiality should apply to current and future means of communication, including calls, internet access, instant messaging applications, e-mail, internet phone calls and personal messaging provided through social media.
2017/07/14
Committee: LIBE
Amendment 145 #
Proposal for a regulation
Recital 3
(3) Electronic communications data may also reveal information concerning legal entities, such as business secrets or other sensitive information that has economic value. Therefore, thecertain provisions of this Regulation should apply to both natural and legal persons. Furthermore, this Regulation should ensure that provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council21, also apply to end-users who are legal persons. This includes the confidentiality and security of their communications data and the definition of consent under Regulation (EU) 2016/679. When reference is made to consent by an end-user, including legal persons, this definition should apply. In addition, legal persons should have the same rights as end-users that are natural persons regarding the supervisory authorities; furthermore, supervisory authorities under this Regulationestablished on the basis of Regulation (EU) 2016/679 should also be responsible for monitoring the application of this Regulation regarding legal persons. _________________ 21 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1–88).
2017/07/14
Committee: LIBE
Amendment 149 #
Proposal for a regulation
Recital 4
(4) Pursuant to Article 8(1) of the Charter and Article 16(1) of the Treaty on the Functioning of the European Union, everyone has the right to the protection of personal data concerning him or her. Regulation (EU) 2016/679 lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. Electronic communications data may includgenerally are personal data as defined in Regulation (EU) 2016/679.
2017/07/14
Committee: LIBE
Amendment 153 #
Proposal for a regulation
Recital 5
(5) The provisions of this Regulation particularise and complement the general rules on the protection of personal data laid down in Regulation (EU) 2016/679 as regards electronic communications data that qualify as personal data. This Regulation therefore does not lower the level of protection enjoyed by natural persons under Regulation (EU) 2016/679. Processing of electronic communications data by providers of electronic communications services should only be permitted in accordance with this Regulation.
2017/07/14
Committee: LIBE
Amendment 156 #
Proposal for a regulation
Recital 6
(6) While the principles and main provisions of Directive 2002/58/EC of the European Parliament and of the Council22 remain generally sound, that Directive has not fully kept pace with the evolution of technological and market reality, resulting in an inconsistent or insufficient effective protection of privacy and confidentiality in relation to electronic communications. Those developments include the entrance on the market of electronic communications services that from a consumer perspective are substitutable to traditional services, but do not have to comply with the same set of rules. Another development concerns new techniques that allow for tracking of online behaviour of end-users, which are not covered by Directive 2002/58/EC. Directive 2002/58/EC should therefore be repealed and replaced by this Regulation. _________________ 22 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p.37).
2017/07/14
Committee: LIBE
Amendment 157 #
Proposal for a regulation
Recital 7
(7) The Member States should be allowed, within the limits of this Regulation, to maintain or introduce national provisions to further specify and clarify the application of the rules of this Regulation in order to ensure an effective application and interpretation of those rules. Therefore, the margin of discretion, which Member States have in this regard, should maintain a balance between the protection of private life and personal data and the free movement of electronic communications data.deleted
2017/07/14
Committee: LIBE
Amendment 163 #
Proposal for a regulation
Recital 8
(8) This Regulation should apply to providers of electronic communications services, to providers of publicly available directories, and to software providers of equipment permitting electronic communications, including the retrieval and presentation of information on the internet. This Regulation should also apply to natural and legal persons who use electronic communications services to send direct marketing commercial communications or collectprocess information related to or stored in end-users’ terminal equipment.
2017/07/14
Committee: LIBE
Amendment 166 #
Proposal for a regulation
Recital 9
(9) This Regulation should apply to electronic communications data processed in connection with the provision and use of electronic communications services in the Union, regardless of whether or not the processing takes place in the Union. Moreover, in order not to deprive end-users in the Union of effective protection, this Regulation should also apply to electronic communications data processed in connection with the provision of electronic communications services from outside the Union to end-users in the Union. This Regulation shall apply to electronic communications data processed in connection with the provision and use of electronic communications services, both paid and free of charge.
2017/07/14
Committee: LIBE
Amendment 175 #
Proposal for a regulation
Recital 11
(11) The services used for communications purposes, and the technical means of their delivery, have evolved considerably. End-users increasingly replace traditional voice telephony, text messages (SMS) and electronic mail conveyance services in favour of functionally equivalent online services such as Voice over IP, messaging services and web-based e-mail services. In order toThis Regulation should ensure an effective and equal protection of end-users when using functionally equivalent services, this Regulation uses the definition of electronic communications services set forth in the [Directive of the European Parliament and of the Council establishing the European Elethe confidentiality of communications of end-users, and their privacy, when using functrionic Communications Code24 ]ally equivalent services. That definition encompasses not only internet access services and services consisting wholly or partly in the conveyance of signals but also interpersonal communications services, which may or may not be number-based, such as for example, Voice over IP, messaging services and web-based e-mail services. The protection of confidentiality of communications is crucial also as regards interpersonal communications services that are ancillary to another service; therefore, such type of services also having a communication functionality should be covered by this Regulation. _________________ 24 the European Parliament and of the Council establishing the European Electronic Communications Code (Recast) (COM/2016/0590 final - 2016/0288 (COD))., such as internal messaging, newsfeeds, closed groups, timelines and similar functions in online services where messages are exchanged with other users within or outside that service; therefore, such type of services also having a communication functionality should be covered by this Regulation. Commission proposal for a Directive of
2017/07/14
Committee: LIBE
Amendment 186 #
Proposal for a regulation
Recital 13
(13) The development of fast and efficient wireless technologies has fostered the increasing availability for the public of internet access via wireless networks accessible by anyone in public and semi- private spaces such as ‘hotspots’ situated at different places within a city, department stores, shopping malls and hospitals. To the extent that those communications networks are provided to an undefined group of end-users, twireless internet access points. The confidentiality of the communications transmitted through such networks should be protected. The fact that wireless electronic communications services may be ancillary to other services should not stand in the way of ensuring the protection of confidentiality of communications data and application of this Regulation. Therefore, this Regulation should apply to electronic communications data using electronic communications services and public communications networks. This regulation should also apply to closed social media profiles and groups that the users have defined as private. In contrast, this Regulation should not apply to closed groups of end-users such as corporate networks, access to which is limited to members of the corporan organisation.
2017/07/14
Committee: LIBE
Amendment 188 #
Proposal for a regulation
Recital 14
(14) Electronic communications data should be defined in a sufficiently broad and technology neutral way so as to encompass any information concerning the content transmitted or exchanged (electronic communications content) and the information concerning an end-user of electronic communications services processed for the purposes of transmitting, distributing or enabling the exchange of electronic communications content; including data to trace and identify the source and destination of a communication, geographical location and the date, time, duration and the type of communication. It should also include location data, such as the location of the terminal equipment from or to which a phone call or an internet connection has been made or the wireless access points that a device is connected to. It should also include data necessary to identify users’ terminal equipment and data emitted by terminal equipment when searching for access points or other equipment. Whether such signals and the related data are conveyed by wire, radio, optical or electromagnetic means, including satellite networks, cable networks, fixed (circuit- and packet- switched, including internet) and mobile terrestrial networks, electricity cable systems, the data related to such signals should be considered as electronic communications metadata and therefore be subject to the provisions of this Regulation. Electronic communications metadata may include information that is part of the subscription to the service when such information is processed for the purposes of transmitting, distributing or exchanging electronic communications content. The exclusion of services providing “content transmitted using electronic communications networks” from the definition of “electronic communications service” in Article 4 of this Regulation does not mean that service providers who offer both electronic communications services and content services are outside the scope of the provisions of the Regulation which applies to the providers of electronic communications services.
2017/07/14
Committee: LIBE
Amendment 193 #
Proposal for a regulation
Recital 15
(15) Electronic communications data should be treated as confidential. This means that any processing of electronic communications data or any interference with the transmission of electronic communications data, whether directly by human intervention or through the intermediation of automated processing by machines, without the consent of the user requesting a specific service or of all the communicating parties should be prohibited. The prohibition of interception of communications data should apply during their conveyance, i.e. until receipt of the content of the electronic communication by the intended addresseeWhen the processing is allowed under this Regulation, any other processing on the basis of Article 6 of Regulation (EU) 2016/679 should be considered as prohibited, including processing for another purpose on the basis of Article 6(4) of that Regulation. The prohibition of processing of communications data should apply during their conveyance and when they are stored afterwards, in order to reflect the growing trend that subscribers do not store all communications data on their own terminal equipment, but use cloud-based storage space of the communications provider or other parties. Interception of electronic communications data may occur, for example, when someone other than the communicating parties, listens to calls, reads, scans or stores the content of electronic communications, or the associated metadata for purposes other than the exchange of communications. Interception also occurs when third parties monitor websites visited, timing of the visits, interaction with others, etc., without the consent of the end-user concerned. As technology evolves, the technical ways to engage in interception have also increased. Such ways may range from the installation of equipment that gathers data from terminal equipment over targeted areas, such as the so-called IMSI (International Mobile Subscriber Identity) catchers, to programs and techniques that, for example, surreptitiously monitor browsing habits for the purpose of creating end-user profiles. Other examples of interception include capturing payload data or content data from unencrypted wireless networks and routers, and analysis of customers’ traffic data, including browsing habits without the end-users’ consent.
2017/07/14
Committee: LIBE
Amendment 203 #
Proposal for a regulation
Recital 16
(16) The prohibition of storage of communications is not intended to prohibit any automatic, intermediate and transient storage of this information insofar as this takes place for the sole purpose of carrying out the transmission in the electronic communications network. It should not prohibit either the processing of electronic communications data to ensure the security and continuity of the electronic communications services, including checking security threats such as the presence of malware or the processing of metadata to ensure the necessary quality of service requirements, such as latency, jitter etc.
2017/07/14
Committee: LIBE
Amendment 210 #
Proposal for a regulation
Recital 17
(17) The processing of electronic communications data can be useful for businesses, consumers and society as a whole. Vis-à-vis Directive 2002/58/EC, this Regulation broadens the possibilities for providers of electronic communications services to process electronic communications metadata, based on end-users consent. However, end-users attach great importance to the confidentiality of their communications, including their online activities, and that they want to control the use of electronic communications data for purposes other than conveying the communication. Therefore, this Regulation should require providers of electronic communications services to obtain end-users’ consent to process electronic communications metadata, which should include data on the location of the device generated for the purposes of granting and maintaining access and connection to the service. Location data that is generated other than in the context of providing electronic communications services should not be considered as metadata. Examples of commercial usages of electronic communications metadata by providers of electronic communications services may include the provision of heatmaps; a graphical representation of data using colors to indicate the presence of individuals. To display the traffic movements in certain directions during a certain period of time, an identifier ismay be necessary to link the positions of individuals at certain time intervals. This identifier would be missing if anonymous data were to be used and such movement could not be displayed. Such usage of electronic communications metadata could, for example, benefit public authorities and public transport operators to define where to develop new infrastructure, based on the usage of and pressure on the existing structure. Where a type of processing of electronic communications metadata, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural personss envisaged, a data protection impact assessment and, as the case may be, a consultation of the supervisory authority should take place prior to the processing, in accordance with Articles 35 and 36 of Regulation (EU) 2016/679.
2017/07/14
Committee: LIBE
Amendment 216 #
Proposal for a regulation
Recital 18
(18) End-uUsers may consent to the processing of their metaelectronic communications data to receive specific services requested by them, such as protection services against fraudulent activities (by analysing usage data, location and customer account in real time). In the digital economy, services are often supplied against counter-performance other than moneymalware, unsolicited communication, or fraudulent activities. Consent for processing electronic communications data will not be valid if the data subject has no genuine and free choice, for instance by end- users being exposed to advertises unable to refuse or withdraw consent without detriments. For the purposes of this Regulation, consent of an end-user, regardless of whether the latter is a natural or a legal person, should have the same meaning and be subject to the same conditions as the data subject’s consent under Regulation (EU) 2016/679. Basic broadband internet access and voice communications services are to be considered as essential services for individuals to be able to communicate and participate to the benefits of the digital economy. Consent for processing data from internet or voice communication usage will not be valid if the data subject has no genuine and free choice, or is unable to refuse orWithout prejudice to Article 7 of Regulation (EU) 2016/679, consent should not be considered as freely given if it is required to access any service or obtained through insisting and repetitive requests. In order to prevent such abusive requests, users should be able to order service providers to remember their choice not to consent and to adhere to technical specifications signalling not to consent, withdrawal of consent without detriment, or an objection.
2017/07/14
Committee: LIBE
Amendment 220 #
Proposal for a regulation
Recital 19
(19) The content of electronic communications pertains to the essence of the fundamental right to respect for private and family life, home and communications protected under Article 7 of the Charter. Any interference with the content of electronic communications should be allowed only under very clear defined conditions, for specific purposes and be subject to adequate safeguards against abuse. This Regulation provides for the possibility of providers of electronic communications services to process electronic communications data in transit, with the informed consent of all the end- users concerned. For example, providers may offer services that entail the scanning of emails to remove certain pre-defined material. Given the sensitivity of the content of communications, this Regulation sets forth a presumption that the processing of such content data will result in high risks to the rights and freedoms of natural persons. When processing such type of data, the provider of the electronic communications service should always consult the supervisory authority prior to the processing. Such consultation should be in accordance with Article 36 (2) and (3) of Regulation (EU) 2016/679. The presumption does not encompass the processing of content data to provide a service requested by the end-user where the end-user has consented to such processing and it is carried out for the purposes and duration strictly necessary and proportionate for such servicearry out an impact assessment as provided for in Regulation (EU) 2016/679 and if necessary under that Regulation, consult the supervisory authority prior to the processing. After electronic communications content has been sent by the end-user and received by the intended end-user or end-users, it may be recorded or stored by the end-user, end- users or by a third party entrusted by them to record or store such data. Any processing of such data must comply with Regulation (EU) 2016/679.
2017/07/14
Committee: LIBE
Amendment 243 #
Proposal for a regulation
Recital 22
(22) The methods used for providing information and obtaining end-user’s consent should be as user-friendly as possible. Given the ubiquitous use of tracking cookies and other tracking techniques, end-users are increasingly requested to provide consent to store such tracking cookies in their terminal equipment. As a result, end-users are overloaded with requests to provide consent. This Regulation should prevent the use of so-called “cookie walls” and “cookie banners” that do not help users to maintain control over their personal information and privacy or become informed about their rights. The use of technical means to provide consent, for example, through transparent and user- friendly settings, may address this problem. Therefore, this Regulation should provide for the possibility to express consent by using the appropriate settings of a browser or other application. The choices made by end- users when establishing its general privacy settings of a browser or oor withdraw consent and to object by technical specifications using automated means, such as ther application should be bindropriate settings on, and enforceable against, any third parties. Web browsers are a type of software application thatf a hardware or software permitsting the retrieval and presentation of information on the internet. Other types of applications, such as the ones that permit calling and messagingThose settings should include choices concerning the use orf provide route guidance, have also the samcessing and storage capabilities. Web brow of the users mediate much of what occurs between the end- user and the website. From this perspective, they are in a privileged position to play an active role to help the end-user to control the flow of information to and from the terminal equipment. More particularly web browsers may be used as gatekeeperterminal equipment as well as a signal sent by the hardware or software indicating the user’s preferences to other parties. The choices made by users when establishing its general privacy settings should be binding on, and enforceable against, any third parties. Web browsers, applications or mobile operating systems may be used as a user’s personal privacy assistant communicating the user’s choices, thus helping end-users to prevent information fromrelated to or processed by their terminal equipment (for example smart phone, tablet or computer) from being accessed, processed or stored.
2017/07/14
Committee: LIBE
Amendment 252 #
Proposal for a regulation
Recital 23
(23) The principles of data protection by design and by default were codified under Article 25 of Regulation (EU) 2016/679. Currently, the default settings for cookies are set in most current browsers to ‘accept all cookies’. Therefore providers of hardware or software enabling the retrieval and presentation of information on the internet should have an obligation to configure the software so that it offers the option to prevent third parties fromand activates as default the option to prevent the cross-domain tracking and storing information on the terminal equipment by other parties; this is often presented as ‘reject third party cookies’. End-users should be offered a set of privacy setting options, ranging from higher (for example, ‘never accept cookies’) to lower (for example, ‘always accept cooktrackers and cookies’. Such privacy settings should be presented in an easily visible and intelligible manner. Information provided should not dissuade users from selecting higher privacy settings and should include relevant information about the risks associated to allowing cross-domain trackers, including the compilation of long-term records of individuals’ browsing histories’) and intermediate (for example, ‘reject third party cookies’ or ‘only accept first party cookies’). Such privacy settings should be presented in an easily visiblthe use of such records to send targeted advertising or sharing with more third parties. In case of no active choice, or action from the user, the settings shall be set by default in a manner that rejects and blocks trackers, including cookies, that are not strictly necessary in order to provide and intelligible mannformation society service specifically requested by the user.
2017/07/14
Committee: LIBE
Amendment 258 #
Proposal for a regulation
Recital 24
(24) For web browsers to be able to obtain end-users’ consent as defined under Regulation (EU) 2016/679, for example, to the storage of third party tracking cookies, they should, among others, require a clear affirmative action from the end-user of terminal equipment to signify his or her freely given, specific informed, and unambiguous agreement to the storage and access of such cookies in and from the terminal equipment. Such action may be considered to be affirmative, for example, if end-users are required to actively select ‘accept third party cookies’ to confirm their agreement and are given the necessary information to make the choice. To this end, it is necessary to require providers of software enabling access to internet that, at the moment of installation, end-users are informed about the possibility to choose the privacy settings among the various options and ask them to make a choice. Information provided should not dissuade end-users from selecting higher privacy settings and should include relevant information about the risks associated to allowing third party cookies to be stored in the computer, including the compilation of long-term records of individuals’ browsing histories and the use of such records to send targeted advertising. Web browsers are encouraged to provide easy ways for end-users to change the privacy settings at any time during use and to allow the user to make exceptions for or to whitelist certain websites or to specify for which websites (third) party cookies are always or never allowed.deleted
2017/07/14
Committee: LIBE
Amendment 265 #
Proposal for a regulation
Recital 25
(25) Accessing electronic communications networks requires the regular emission of certain data packets in order to discover or maintain a connection with the network or other devices on the network. Furthermore, devices must have a unique address assigned in order to be identifiable on that network. Wireless and cellular telephone standards similarly involve the emission of active signals containing unique identifiers such as a MAC address, the IMEI (International Mobile Station Equipment Identity), the IMSI etc. A single wireless base station (i.e. a transmitter and receiver), such as a wireless access point, has a specific range within which such information may be captured. Service providers have emerged who offer tracking services based on the scanning of equipment related information with diverse functionalities, including people counting, providing data on the number of people waiting in line, ascertaining the number of people in a specific area, etc. This information may be used for more intrusive purposes, such as to send commercial messages to end-users, for example when they enter stores, with personalized offers. While some of these functionalities do not entail high privacy risks, others do, for example, those involving the tracking of individuals over time, including repeated visits to specified locations. Providers engaged in such practices should display prominent notices located on the edge of the area of coverage informing end-users prior to entering the defined area that the technology is in operation within a given perimeter, the purpose of the tracking, the person responsible for it and the existence of any measure the end-user of the terminal equipment can take to minimize or stop the collection. Additional information should be provided where personal data are collected pursuant to Article 13 of Regulation (EU) 2016/679only be permitted to process such electronic communications metadata based on the consent of the users concerned.
2017/07/14
Committee: LIBE
Amendment 271 #
Proposal for a regulation
Recital 26
(26) When the processing of electronic communications data by providers of electronic communications services falls within its scope, this Regulation should provide for the possibility for the Union or Member States under specific conditions to temporarily restrict by law certain obligations and rights when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard specific public interests, including national security, defence, public security and the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security and other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests. Therefore, this Regulation should not affect the ability ofprohibit Member States tofrom carrying out lawful interception of electronic communications or take other measures, if necessary and proportionate to safeguard the public interests mentioned above, in accordance with the Charter of Fundamental Rights of the European Union and the European Convention for the Protection of Human Rights and Fundamental Freedoms, as interpreted by the Court of Justice of the European Union and of the European Court of Human Rights. Providers of electronic communications services should provide for appropriate procedures to facilitate legitimate requests of competent authorities, where relevant also taking into account the role of the representative designated pursuant to Article 3(3)not be obliged by Union or Member States competent authorities to weaken any measures that ensure the integrity and confidentiality of electronic communications.
2017/07/14
Committee: LIBE
Amendment 277 #
Proposal for a regulation
Recital 26 a (new)
(26a) In its judgment C-293/12 the Court of Justice held that the bulk collection of communications data, in particular when done without any differentiation, limitation or exception, constitutes a wide- ranging and particularly serious interference with the rights enshrined in Articles 7 and 8 of the Charter, without such an interference being precisely circumscribed to ensure that it is actually limited to what is strictly necessary.
2017/07/14
Committee: LIBE
Amendment 302 #
Proposal for a regulation
Recital 33
(33) Safeguards should be provided to protect end-users against unsolicited communications, including for direct marketing purposes, which intrude into the private life of end-users. The degree of privacy intrusion and nuisance is considered relatively similar independently of the wide range of technologies and channels used to conduct these electronic communications, whether using automated calling and communication systems, instant messaging applications, emails, SMS, MMS, Bluetooth, etc. It is therefore justified to require that consent of the end-user is obtained before commercial electronic communications for direct marketing purposes are sent to end-users in order to effectively protect individuals against the intrusion into their private life as well as the legitimate interest of legal persons. Legal certainty and the need to ensure that the rules protecting against unsolicited electronic communications remain future- proof justify the need to define a single set of rules that do not vary according to the technology used to convey these unsolicited communications, while at the same time guaranteeing an equivalent level of protection for all citizens throughout the Union. However, it is reasonable to allow the use of e-mail contact details within the context of an existing customer relationship for the offering of similar products or services. Such possibility should only apply to the same company that has obtained the electronic contact details in accordance with Regulation (EU) 2016/679.
2017/07/14
Committee: LIBE
Amendment 311 #
(36) Voice-to-voice direct marketing calls that do not involve the use of automated calling and communication systems, given that they are more costly for the sender and impose no financial costs on end-users. Member States should therefore be able to establish and or maintain national systems only allowing such calls to end-users who have not objected.deleted
2017/07/14
Committee: LIBE
Amendment 317 #
Proposal for a regulation
Recital 37
(37) Service providers who offer electronic communications services should process electronic communications data in such a way as to prevent unauthorised processing, including access, disclosure or alteration. They should ensure that such unauthorised access, disclosure or alteration can be detected, and also ensure that electronic communications data are protected by using state of the art technologies. Service providers should also inform end- users of measures they can take to protect the security of their communications for instance by using specific types of software or encryption technologies. The requirement to inform end-users of particular security risks does not discharge a service provider from the obligation to take, at its own costs, appropriate and immediate measures to remedy any new, unforeseen security risks and restore the normal security level of the service. The provision of information about security risks to the subscriber should be free of charge. Security is appraised in the light of Article 32 of Regulation (EU) 2016/679.
2017/07/14
Committee: LIBE
Amendment 321 #
Proposal for a regulation
Recital 41
(41) In order to fulfil the objectives of this Regulation, namely to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data and to ensure the free movement of personal data within the Union, the power to adopt acts in accordance with Article 290 of the Treaty should be delegated to the Commission to supplement this Regulation. In particular, delegated acts should be adopted in respect of the information to be presented, including by means of standardised icons in order to give an easily visible and intelligible overview of the collection of information emitted by terminal equipment, its purpose, the person responsible for it and of any measure the end-user of the terminal equipment can take to minimise the collection. Delegated acts are also necessary to specify a code to identify direct marketing calls including those made through automated calling and communication systemsThe power to adopt acts in accordance with Article 290 of the Treaty should be delegated to the Commission to supplement this Regulation. It is of particular importance that the Commission carries out appropriate consultations and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement on Better Law-Making of 13 April 201625 . In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States’ experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts. Furthermore, in order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission when provided for by this Regulation. Those powers should be exercised in accordance with Regulation (EU) No 182/2011. _________________ 25 Interinstitutional Agreement between the European Parliament, the Council of the European Union and the European Commission on Better Law-Making of 13 April 2016 (OJ L 123, 12.5.2016, p. 1–14).
2017/07/14
Committee: LIBE
Amendment 343 #
Proposal for a regulation
Article 2 – paragraph 3
3. The processing of electronic communicationspersonal data by the Union institutions, bodies, offices and agencies is governed by Regulation (EU) 00/0000 [new Regulation replacing Regulation 45/2001]. This Regulation complements and particularizes Regulation (EU) 00/0000 [new Regulation replacing Regulation 45/2001with regard to the confidentiality of electronic communication services.
2017/07/14
Committee: LIBE
Amendment 349 #
Proposal for a regulation
Article 3 – paragraph 1 – point a
(a) the provision of electronic communications services to end-users in the Union, irrespective of whether the provider is located inside the EU, and irrespective of whether a payment of the end-user is required;
2017/07/14
Committee: LIBE
Amendment 352 #
Proposal for a regulation
Article 3 – paragraph 1 – point c
(c) the protection of information related to or processed by the terminal equipment of end- users located in the Union.
2017/07/14
Committee: LIBE
Amendment 364 #
Proposal for a regulation
Article 4 – paragraph 1 – point b
(b) the definitions of ‘electronic communications network’, ‘electronic communications service’, ‘interpersonal communications service’, ‘number-based interpersonal communications service’, ‘number-independent interpersonal communications service’, ‘end-user’ and ‘call’ in points (1), (4), (5), (6), (7), (14) and (21) respectively'call' in point (21) of Article 2 of [Directive establishing the European Electronic Communications Code];
2017/07/14
Committee: LIBE
Amendment 368 #
Proposal for a regulation
Article 4 – paragraph 2
2. For the purposes of point (b) of paragraph 1, the definition of ‘interpersonal communications service’ shall include services which enable interpersonal and interactive communication merely as a minor ancillary feature that is intrinsically linked to another service.deleted
2017/07/14
Committee: LIBE
Amendment 370 #
Proposal for a regulation
Article 4 – paragraph 3 – point –a (new)
(-a) 'electronic communications network' means a transmission system, whether or not based on a permanent infrastructure or centralised administration capacity, and, where applicable, switching or routing equipment and other resources, including network elements which are not active, which permit the conveyance of signals by wire, radio, optical or other electromagnetic means, including satellite networks, electricity cable systems, to the extent that they are used for the purpose of transmitting signals, networks used for radio and television broadcasting, and cable television networks, irrespective of the type of information conveyed;
2017/07/14
Committee: LIBE
Amendment 371 #
Proposal for a regulation
Article 4 – paragraph 3 – point –a a (new)
(-a a) 'electronic communications service' means a service provided via electronic communications networks, whether for remuneration or not, which encompasses one or more of the following:an 'internet access service' as defined in Article 2(2) or Regulation (EU) 2015/2120;an interpersonal communications service;a service consisting wholly or mainly in the conveyance of the signals, such as a transmission service used for the provision of a machine-to-machine service and for broadcasting, but excludes information conveyed as part of a broadcasting service to the public over an electronic communications network or service except to the extent that the information can be related to the identifiable subscriber or user receiving the information;
2017/07/14
Committee: LIBE
Amendment 372 #
Proposal for a regulation
Article 4 – paragraph 3 – point –a b (new)
(-a b) 'interpersonal communications service' means a service, whether provided for remuneration or not, that enables direct interpersonal and interactive exchange of information between a finite number of persons whereby the persons initiating or participating in the communication determine the recipient(s);it includes services enabling interpersonal and interactive communication merely as a minor ancillary feature that is intrinsically linked to another service;
2017/07/14
Committee: LIBE
Amendment 373 #
Proposal for a regulation
Article 4 – paragraph 3 – point –a c (new)
(-a c) 'number-based interpersonal communications service' means an interpersonal communications service which connects to the public switched telephone network, either by means of assigned numbering resources, i.e. number or numbers in national or international telephone numbering plans, or by enabling communication with a number or numbers in national or international telephone numbering plans;
2017/07/14
Committee: LIBE
Amendment 374 #
Proposal for a regulation
Article 4 – paragraph 3 – point –a d (new)
(-a d) 'number-independent interpersonal communications service' means an interpersonal communications service which does not connect with the public switched telephone network, either by means of assigned numbering resources, i.e. a number or numbers in national or international telephone numbering plans, or by enabling communication with a number or numbers in national or international telephone numbering plans;
2017/07/14
Committee: LIBE
Amendment 375 #
Proposal for a regulation
Article 4 – paragraph 3 – point –a e (new)
(-a e) 'end-user' means a legal entity or a natural person using or requesting a publicly available electronic communications service;
2017/07/14
Committee: LIBE
Amendment 376 #
Proposal for a regulation
Article 4 – paragraph 3 – point –a f (new)
(-a f) 'user' means any natural person using a publicly available electronic communications service, for private or business purposes, without necessarily having subscribed to this service;
2017/07/14
Committee: LIBE
Amendment 382 #
Proposal for a regulation
Article 4 – paragraph 3 – point c
(c) 'electronic communications metadata' means all data processed in an electronic communications network for the purposes of transmitting, distributing or exchanging electronic communications content; including data used to trace and identify the source and destination of a communication, electronic identifiers and any other data broadcasted or emitted by the terminal equipment, data on the location of the device generatterminal equipment processed in the context of providing electronic communications services, and the date, time, duration and the type of communication; where metadata of other electronic communications services or protocols are transmitted, distributed or exchanged by using the respective service, they shall be considered electronic communications content for the respective service;
2017/07/14
Committee: LIBE
Amendment 391 #
Proposal for a regulation
Chapter 2 – title
PROTECTION OF ELECTRONIC COMMUNICATIONS OF NATURAL AND LEGAL PERSONS AND OF INFORMATION STORED INPROCESSED BY AND RELATED TO THEIR TERMINAL EQUIPMENT
2017/07/14
Committee: LIBE
Amendment 400 #
Proposal for a regulation
Article 5 – paragraph 1
Electronic communications data shall be confidential. Any processing of electronic communications data, including any interference with electronic communications data, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing of electronic communications data, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation. This includes electronic communications data that is stored after the transmission has been completed.
2017/07/14
Committee: LIBE
Amendment 416 #
Proposal for a regulation
Article 6 – paragraph 1 – introductory part
1. Providers of electronic communications networks and services may process electronic communications data only if:
2017/07/14
Committee: LIBE
Amendment 427 #
Proposal for a regulation
Article 6 – paragraph 1 – point b
(b) it is technically strictly necessary to maintain or restore the security ofavailability, integrity and confidentiality of the respective electronic communications networks and or services, or to detect technical faults and/or errors in the transmission of electronic communications, for the duration necessary for that purpose.; or
2017/07/14
Committee: LIBE
Amendment 438 #
Proposal for a regulation
Article 6 – paragraph 1 – point b a (new)
(b a) the user concerned has given his or her consent to the processing of his or her electronic communications data, provided that it is technically strictly necessary for the provision of a service explicitly requested by a user for his or her purely individual usage, solely for the provision of the explicitly requested service and only for the duration necessary for that purpose and without the consent of all users, only where such processing produces effects solely in relation to the user who requested the service and does not adversely affect the fundamental rights of other users.
2017/07/14
Committee: LIBE
Amendment 446 #
Proposal for a regulation
Article 6 – paragraph 1 a (new)
1 a. Before processing electronic communications data, the provider shall carry out a data protection impact assessment pursuant to Article 35 of Regulation (EU) 2016/679, and if necessary a prior consultation with the supervisory authority pursuant to Article 36 of Regulation (EU) 2016/679.
2017/07/14
Committee: LIBE
Amendment 452 #
Proposal for a regulation
Article 6 – paragraph 2 – introductory part
2. Providers of electronic communications services may process electronic communications metadata only if:
2017/07/14
Committee: LIBE
Amendment 465 #
Proposal for a regulation
Article 6 – paragraph 2 – point c
(c) the end-user or users concerned hasve given his or hertheir specific consent to the processing of his or their communications metadata by the respective electronic communications service for one or more specified purposes, including for the provision of specific services to such end-users, provided that the purpose or purposes concerned could not be fulfilled by processing informationdata that is made anonymous, and the consent has not been a condition to access or use a service.
2017/07/14
Committee: LIBE
Amendment 485 #
Proposal for a regulation
Article 6 – paragraph 3 – point a
(a) for the sole purpose of the provision of a specific service to an end- user, if the end-user or end-users concerned have given their consent to the processing of his or her electronic communications content andthe user concerned has given his or her consent to the processing of his or her electronic communications content for the sole purpose of the provision of a specific service explicitly requested by the user, for the duration necessary for that purpose, , provided that the provision of that specific service cannot be fulfilled without the processing of such content by the provider, and the consent has not been a condition to access or use a service; or
2017/07/14
Committee: LIBE
Amendment 500 #
Proposal for a regulation
Article 7 – paragraph 1
1. Without prejudice to point (b) of Article 6(1) and points (a) and (b) of Article 6(3), the provider of the electronic communications service shall erase electronic communications content or make that data anonymous after receipt of electronic communication contenafter receipt by the intended recipient or recipients. Such data may be recorded or stored by the end-users or by a third partparty, which could be the provider of the electronic communication service, specifically entrusted by them subscriber to record, store or otherwise process such data,. The subscriber may further process the data in accordance with Regulation (EU) 2016/679, if applicable.
2017/07/14
Committee: LIBE
Amendment 512 #
Proposal for a regulation
Article 8 – title
Protection of information stored in and, related to end-, and processed by users' terminal equipment
2017/07/14
Committee: LIBE
Amendment 516 #
Proposal for a regulation
Article 8 – paragraph 1 – introductory part
1. The use of input, output, processing and storage capabilities of terminal equipment and the collectionprocessing of information from end-users’ terminal equipment, including about' terminal equipment, or making information available through the terminal equipment, including information about and processed by its software and hardware, other than by the end-user concerned shall be prohibited, except on the following grounds:
2017/07/14
Committee: LIBE
Amendment 524 #
Proposal for a regulation
Article 8 – paragraph 1 – point b
(b) the end-user has given his or her consent for a specific purpose, and the consent has not been a condition to access or use a service or use a terminal equipment, for the duration strictly technically necessary for that purpose; or
2017/07/14
Committee: LIBE
Amendment 540 #
Proposal for a regulation
Article 8 – paragraph 1 – point d
(d) if it is necessary for web audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user.deleted
2017/07/14
Committee: LIBE
Amendment 584 #
Proposal for a regulation
Article 8 – paragraph 2
2. The collection of information emitted by terminal equipment to enable it to connect to another device and, or to network equipment shall be prohibited, except if: (a) it is done exclusively in order to, for the time necessary for, and for the purpose of establishing a connection; or (b) a clear and prominent notice is displayed informing of, at least, the modalities of the collection, its purpose, the person responsible for it and the other information required under Article 13 of Regulation (EU) 2016/679 where personal data are collected, as well as any measure the end-user of the terminal equipment can take to stop or minimise the collection. The collection of such information shall be conditional on the application of appropriate technical and organisational measures to ensure a level of security appropriate to the risks, as set out in Article 32 of Regulation (EU) 2016/679, have been applied.deleted
2017/07/14
Committee: LIBE
Amendment 599 #
Proposal for a regulation
Article 8 – paragraph 3
3. The information to be provided pursuant to point (b) of paragraph 2 may be provided in combination with standardized icons in order to give a meaningful overview of the collection in an easily visible, intelligible and clearly legible manner.deleted
2017/07/14
Committee: LIBE
Amendment 606 #
Proposal for a regulation
Article 8 – paragraph 4
4. The Commission shall be empowered to adopt delegated acts in accordance with Article 27 determining the information to be presented by the standardized icon and the procedures for providing standardized icons.
2017/07/14
Committee: LIBE
Amendment 615 #
Proposal for a regulation
Article 9 – paragraph 1
1. The definition of and conditions for consent provided for under Articles 4(11), 7 and 78 of Regulation (EU) 2016/679/EU shall apply.
2017/07/14
Committee: LIBE
Amendment 621 #
Proposal for a regulation
Article 9 – paragraph 2
2. Without prejudice to paragraph 1, where technically possible and feasible, for the purposes of point (b) of Article 8(1), consent may be expressed and withdrawn by using the appropriate technical settings of a software application enabling access to the internetpecifications for electronic communications services or information society services which allow for specific consent for specific purposes and with regard to specific service providers selected by the user. When such technical specifications are used by the user's terminal equipment or the software running on it, they shall be binding on, and enforceable against, any other party.
2017/07/14
Committee: LIBE
Amendment 640 #
Proposal for a regulation
Article 10 – paragraph 1
1. Software placed on the market permitting electronic communications, including the retrieval and presentationHardware and software that enable the access to and use of electronic communications services or the access to, and use of, information on the internet, shall offer the optionsociety services shall be able to prevent othirder parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipmentusing input, output, processing and storage capabilities of terminal equipment and the processing of information related to, or processed by, a user's terminal equipment, or making information available through the terminal equipment, including information about, and processed by, its software and hardware.
2017/07/14
Committee: LIBE
Amendment 657 #
Proposal for a regulation
Article 10 – paragraph 2
2. Upon installation, the software shall inform the end-user abouBy default, such hardware or software shall be set theo privacy settings options and, to continue with the installation, require the end-user to consent to a settingevent other parties from exercising the activities referred to in paragraph 1.
2017/07/14
Committee: LIBE
Amendment 664 #
Proposal for a regulation
Article 10 – paragraph 3
3. In the case of software which has already been installed on 25 May 2018, the requirements under paragraphs 1 and 2 shall be complied with at the time of the first update of the software, but no later than 25 August 2018.deleted
2017/07/14
Committee: LIBE
Amendment 669 #
Proposal for a regulation
Article 11
1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 5 to 8 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests referred to in Article 23(1)(a) to (e) of Regulation (EU) 2016/679 or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests. 2. Providers of electronic communications services shall establish internal procedures for responding to requests for access to end-users’ electronic communications data based on a legislative measure adopted pursuant to paragraph 1. They shall provide the competent supervisory authority, on demand, with information about those procedures, the number of requests received, the legal justification invoked and their response.Article 11 deleted Restrictions
2017/07/14
Committee: LIBE
Amendment 679 #
Proposal for a regulation
Article 11 a (new)
Article 11 a Restrictions on the rights of the user or subscriber 1.Union or Member State law to which the provider is subject may temporarily restrict by way of a legislative measure the scope of the obligations and principles relating to processing of electronic communications data provided for in Articles 6, 7 and 8 of this Regulation in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22 of Regulation (EU) 2016/679, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the following general public interests: (a) national security; (b) defence; (c) the prevention, investigation, detection or prosecution of serious criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. 2.In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, pursuant to Article 23(2) of Regulation (EU) 2016/679.
2017/07/14
Committee: LIBE
Amendment 680 #
Proposal for a regulation
Article 11 b (new)
Article 11 b Restrictions of the confidentiality of communications 1.Union or Member State law to which the provider is subject may temporarily restrict by way of a legislative measure the scope of the rights provided for in Article 5 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the following general public interests: (a) national security; (b) defence; (c) the prevention, investigation, detection or prosecution of serious criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. 2.In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, pursuant to Article 23(2) of Regulation (EU) 2016/679.It shall also require prior judicial authorisation for any access to content or metadata. 3.No legislative measure referred to in paragraph 1 may allow for the weakening of the integrity and confidentiality of electronic communications by mandating a manufacturer of hardware or software, including terminal equipment or software providing for the use of electronic communications, or a provider of electronic communications services, to create and build in backdoors that weaken the cryptographic methods used or the security and integrity of the terminal equipment.
2017/07/14
Committee: LIBE
Amendment 682 #
Proposal for a regulation
Article 11 c (new)
Article 11 c Documentation and reporting of restrictions 1.Providers of electronic communications services shall keep documentation about requests made by competent authorities to access communications content or metadata pursuant to Article 11b(2).This documentation shall include for each request: (a) the in-house staff member who handled the request; (b) the identity of the body making the request; (c) the purpose for which the information was sought; (d) the date and time of the request; (e) the legal basis and authority for the request, including the identity and status or function of the official submitting the request; (f) the judicial authorisation of the request; (g) the number of subscribers to whose data the request related; (h) the data provided to the requesting authority;and (i) the period covered by the data. The documentation shall be made available to the competent supervisory authority upon request. 2.Providers of electronic communications services shall publish once per year a report with statistical information about data access requests by law enforcement authorities pursuant to Articles 11a and 11b.The report shall include, at least (a) the number of requests; (b) the categories of purposes for the request; (b) the categories of data requested; (c) the legal basis and authority for the request; (d) the number of subscribers to whose data the request related; (e) the period covered by the data; (f) the number of negative and positive responses to those requests. 3.Member States' competent authorities shall publish once per year a report with statistical information per month about data access requests pursuant to Articles 11a and 11b, including requests that were not authorised by a judge, including, but not limited to, the following points: (a) the number of requests; (b) the categories of purposes for the request; (b) the categories of data requested; (c) the legal basis and authority for the request; (d) the number of subscribers to whose data the request related; (e) the period covered by the data; (f) the number of negative and positive responses to those requests. The reports shall also contain statistical information per month about any other restrictions pursuant to Articles 11a and 11b.
2017/07/14
Committee: LIBE
Amendment 737 #
Proposal for a regulation
Article 16 – paragraph 1
1. Natural or legal persons may use electronic communications services for the purposes of sendingpresenting or sending unsolicited or direct marketing communications to end-ussubscribers who are natural persons thatonly if these have given their explicit consent.
2017/07/14
Committee: LIBE
Amendment 752 #
Proposal for a regulation
Article 16 – paragraph 4
4. Notwithstanding paragraph 1, Member States may provide by law that the placing of direct marketing voice-to- voice calls to end-users who are natural persons shall only be allowed in respect of end-users who are natural persons who have not expressed their objection to receiving those communications.deleted
2017/07/14
Committee: LIBE
Amendment 771 #
Proposal for a regulation
Article 17 – paragraph 1
In the case of a particular risk that may compromise the security of networks and electronic communications services, the provider of an electronic communications service shall inform end-users concerning such risk and, where the risk lies outside the scope of the measures to be taken by the service provider, inform end-users of any possible remedies, including an indication of the likely costs involved.deleted
2017/07/14
Committee: LIBE
Amendment 777 #
Proposal for a regulation
Article 17 – paragraph 1 a (new)
The providers of electronic communications services shall ensure that there is sufficient protection in place against unauthorised access or alterations to the electronic communications data, and that the confidentiality and safety of the transmission are also guaranteed by the nature of the means of transmission used or by state-of-the-art end-to-end encryption of the electronic communications data. Furthermore, when encryption of electronic communications data is used, decryption, reverse engineering or monitoring of such communications shall be prohibited. Member States shall not impose any obligations on electronic communications service providers that would result in the weakening of the security and encryption of their networks and services.
2017/07/14
Committee: LIBE
Amendment 779 #
Proposal for a regulation
Article 17 – paragraph 1 b (new)
In the case of a particular risk that may compromise the security of networks and electronic communications services, the relevant provider of an electronic communications service shall inform end- users of such a risk and, where the risk lies outside the scope of the measures to be taken by the service provider, inform end-users of any possible remedies.
2017/07/14
Committee: LIBE
Amendment 800 #
Proposal for a regulation
Article 23 – paragraph 2 – point a
(a) the obligations of any legal or natural person who process electronic communications data pursuant to Article 8;deleted
2017/07/14
Committee: LIBE
Amendment 803 #
Proposal for a regulation
Article 23 – paragraph 2 – point a a (new)
(a a) the obligations of providers pursuant to Article 11c;
2017/07/14
Committee: LIBE
Amendment 804 #
Proposal for a regulation
Article 23 – paragraph 2 – point b
(b) the obligations of the provider of software enabling electronic communications, pursuant to Article 10;deleted
2017/07/14
Committee: LIBE
Amendment 807 #
Proposal for a regulation
Article 23 – paragraph 3
3. Infringements of the principle of confidentiality of communications, permitted processing of electronic communications data, time limits for erasure pursuant to Articles 5, 6, and 7following provisions of this Regulation shall, in accordance with paragraph 1 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.:
2017/07/14
Committee: LIBE
Amendment 809 #
Proposal for a regulation
Article 23 – paragraph 3 – subparagraph 1 (new)
(a) the principle of confidentiality of communications pursuant to Article 5; (b) the permitted processing of electronic communications data, pursuant to Article 6, (c) the time limits for erasure and the confidentiality obligations pursuant to Article 7; (d) the obligations of any legal or natural person who process electronic communications data pursuant to Article 8; (e) the requirements for consent pursuant to Article 9; (f) the obligations of the provider of software or hardware enabling electronic communications, pursuant to Article 10; (g) the obligations of the providers of electronic communications services, of the providers of information society services, or of the manufacturers of hardware and software permitting the retrieval and presentation of information on the internet pursuant to Article 17.
2017/07/14
Committee: LIBE
Amendment 812 #
Proposal for a regulation
Article 23 – paragraph 4
4. Member States shall lay down the rules on penalties for infringements of Articles 12, 13, 14, and 17.deleted
2017/07/14
Committee: LIBE