BETA

124 Amendments of Michał BONI related to 2017/0003(COD)

Amendment 48 #
Proposal for a regulation
Recital 7
(7) The Member States should be allowed, within the limits of this Regulation, to maintain or introduce national provisions to further specify andEuropean Data Protection Board should, where necessary, issue guidance and opinions within the limits of this Regulation, to further clarify the application of the rules of this Regulation in order to ensure an effective application and interpretation of those rules. Therefore, the margin of discretion, which Member States hase guidance and opinions should take into account the dual objective inof this rRegard,ulation, therefore they should maintain a balance between the protection of private life and personal data and the free movement of electronic communications data.
2017/06/28
Committee: ITRE
Amendment 51 #
Proposal for a regulation
Recital 9 a (new)
(9a) For the purpose of this Regulation, where the provider of an electronic communications service is not established in the Union, it shall designate a representative in the Union. The representative should be designated in writing. The representative may be the same as the one designated under Article 27 of Regulation (EU) 2016/679.
2017/06/28
Committee: ITRE
Amendment 52 #
Proposal for a regulation
Recital 11
(11) The services used for communications purposes, and the technical means of their delivery, have evolved considerably. End-users increasingly replace traditional voice telephony, text messages (SMS) and electronic mail conveyance services in favour of functionally equivalent online services such as Voice over IP, messaging services and web-based e-mail services. In order to ensure an effective and equal protection of end-users when using functionally equivalent services, this Regulation uses the definition of electronic communications services set forth in the [Directive of the European Parliament and of the Council establishing the European Electronic Communications Code24 ]. That definition encompasses not only internet access services and services consisting wholly or partly in the conveyance of signals but also interpersonal communications services, which may or may not be number-based, such as for example, Voice over IP, messaging services and web-based e-mail services. The protection of confidentiality of communications is crucial also as regards interpersonal communications services that are ancillary to another service; therefore, such type of services also having a communication functionality should be covered by this Regulation. _________________ 24 Commission proposal for a Directive of the European Parliament and of the Council establishing the European Electronic Communications Code (Recast) (COM/2016/0590 final - 2016/0288 (COD)).
2017/06/28
Committee: ITRE
Amendment 55 #
Proposal for a regulation
Recital 12
(12) Connected devices and machines increasingly communicate with each other by using electronic communications networks (Internet of Things). The transmission of machine-to-machine communications involves the conveyance of signals over a network and, hence, usually constitutes an electronic communications service. In order to ensure full protection of the rights to privacy and confidentiality of communications, and to promote a trusted and secure Internet of Things in the digital single market, it is necessary to clarify that this Regulation should apply to the transmission of machine-to- machine communications. Therefore, the principle of confidentiality enshrined in this Regulation should also apply to the transmission of machine-to-machine communications. Specific safeguards could also be adopted under sectorial legislation, as for instance Directive 2014/53/EU.deleted
2017/06/28
Committee: ITRE
Amendment 60 #
Proposal for a regulation
Recital 13
(13) The development of fast and efficient wireless technologies has fostered the increasing availability for the public of internet access via wireless networks accessible by anyone in public and semi- private spaces such as 'hotspots' situated at different places within a city, department stores, shopping malls and hospitals. To the extent that those communications networks are provided to an undefined group of end-users, the confidentiality of the communications transmitted through such networks should be protected. The fact that wireless electronic communications services may be ancillary to other services should not stand in the way of ensuring the protection of confidentiality of communications data and application of this Regulation. Therefore, this Regulation should apply to electronic communications data using electronic communications services and public communications networks. It should apply to social media groups even if restricted by the user, as long as the social media service as a whole is publicly available. In contrast, this Regulation should not apply to closed groups of end-users such as corporate networks, access to which is limited to members of the corporation.
2017/06/28
Committee: ITRE
Amendment 67 #
Proposal for a regulation
Recital 15
(15) Electronic communications data should be treated as confidential. This means that any interference with the transmission of electronic communications data, whether directly by human intervention or through the intermediation of automated processing by machines, without the consent of all the communicating parties should be prohibited. The prohibition of interception of communications data should apply during their conveyance, i.e. until receipt of the content of the electronic communication by the intended addressee. Interception of electronic communications data may occur, for example, when someone other than the communicating parties, listens to calls, reads, scans or stores the content of electronic communications, or the associated metadata for purposes other than the exchange of communications. Interception also occurs when third parties monitor websites visited, timing of the visits, interaction with others, etc., without the consent of the end-user concerned. As technology evolves, the technical ways to engage in interception have also increased. Such ways may range from the installation of equipment that gathers data from terminal equipment over targeted areas, such as the so-called IMSI (International Mobile Subscriber Identity) catchers, to programs and techniques that, for example, surreptitiously monitor browsing habits for the purpose of creating end-user profiles. Other examples of interception include capturing payload data or content data from unencrypted wireless networks and routers, including browsing habits without the end-users' consent.
2017/06/28
Committee: ITRE
Amendment 72 #
Proposal for a regulation
Recital 16
(16) The prohibition of storage of communications is not intended to prohibit any automatic, intermediate and transient storage of this information insofar as this takes place for the sole purpose of carrying out the transmission in the electronic communications network. It should not prohibit either the processing of electronic communications data to ensure the security, confidentiality, integrity, availability, authenticity and continuity of the electronic communications services and networks, including checking security threats such as the presence of malware or the processing of metadata to ensure the necessary quality of service requirements, such as latency, jitter etc.
2017/06/28
Committee: ITRE
Amendment 74 #
Proposal for a regulation
Recital 17
(17) The processing of electronic communications data can be useful for businesses, consumers and society as a whole. Vis-à-vis Directive 2002/58/EC, this Regulation broadens the possibilities for providers of electronic communications services to process electronic communications metadata, based on end- users consent. However, end-users attach great importance to the confidentiality of their communications, including their online activities, and that they want to control the use of electronic communications data for purposes other than conveying the communication. Therefore, this Regulation should require providers of electronic communications services to obtain end-users' consent to process electronic communications metadata, which should include data on the location of the device generated for the purposes of granting and maintaining access and connection to the service. Location data that is generated other than in the context of providing electronic communications services should not be considered as metadata. Examples of commercial usages of electronic communications metadata by providers of electronic communications services may include the provision of heatmaps; a graphical representation of data using colours to indicate the presence of individuals. To display the traffic movements in certain directions during a certain period of time, an identifier is necessary to link the positions of individuals at certain time intervals. This identifier would be missing if anonymous data were to be used and such movement could not be displayed. Such usage of electronic communications metadata could, for example, benefit public authorities and public transport operators to define where to develop new infrastructure, based on the usage of and pressure on the existing structure. Where a type of processing of electronic communications metadata, in particular using new technologies, As an exemption from obtaining end-user´s consent, the processing of metadata for purposes other thand taking into account the nature, scope, context and purposes ofhose for which they were initially collected should be allowed in cases where the processing, is likely to result in a high risk to the rights and freedoms of natural persons, a data protection impact assessment and, as the case may be, a conscompatible and is subject to specific safeguards, especially pseudonymisation as set forth in point (4) of Article 6 of Regulation (EU) 2016/679, as well as if it is necessary in accordance with Article 6 (1) (f) of Regultation of the supervisory authority should take place prior to the processing, in accordance with(EU) 2016/679 for the purpose of legitimate interest, provided that the data protection impact assessment was carried out, as prescribed in Articles 35 and 36 of Regulation (EU) 2016/679.
2017/06/28
Committee: ITRE
Amendment 78 #
Proposal for a regulation
Recital 19
(19) The content of electronic communications pertains to the essence of the fundamental right to respect for private and family life, home and communications protected under Article 7 of the Charter. Any interference with the content of electronic communications should be allowed only under very clear defined conditions, for specific purposes and be subject to adequate safeguards against abuse. This Regulation provides for the possibility of providers of electronic communications services to process electronic communications data in transit, with the informed consent of all the end- users concerned. For example, providers may offer services that entail the scanning of emails to remove certain pre-defined material. Given the sensitivity of the content of communications, this Regulation sets forth a presumption that the processing of such content data will result in high risks to the rights and freedoms of natural persons. When processing such type of data, the provider of the electronic communications service should always consult the supervisory authority prior to the processing. Such consultation should be in accordance with Article 36 (2) and (3) of Regulation (EU) 2016/679. The presumption does not encompass the processing of content data to provide a service requested by the end-user where the end-user has consented to such processing and it is carried out for the purposes and duration strictly necessary and proportionate for such service, for example text to voice service, organisation of the mailbox or SPAM filter service. After electronic communications content has been sent by the end-user and received by the intended end-user or end-users, it may be recorded or stored by the end-user, end- users or by a third party entrusted by them to record or store such data. Any processing of such data must comply with Regulation (EU) 2016/679.
2017/06/28
Committee: ITRE
Amendment 79 #
Proposal for a regulation
Recital 20
(20) Terminal equipment of end-users of electronic communications networks and any information relating to the usage of such terminal equipment, whether in particular is stored in or emitted by such equipment, requested from or processed in order to enable it to connect to another device and or network equipment, are part of the private sphere of the end-users requiring protection under the Charter of Fundamental Rights of the European Union and the European Convention for the Protection of Human Rights and Fundamental Freedoms. Given that such equipment contains or processes information that may reveal details of an individual's emotional, political, social complexities, including the content of communications, pictures, the location of individuals by accessing the device’s GPS capabilities, contact lists, and other information already stored in the device, the information related to such equipment requires enhanced privacy protection. Furthermore, the so-called spyware, web bugs, hidden identifiers, tracking cookies and other similar unwanted tracking tools can enter end-user's terminal equipment without their knowledge in order to gain access to information, to store hidden information and to trace the activities. Information related to the end-user’s device may also be collected remotely for the purpose of identification and tracking, using techniques such as the so-called ‘device fingerprinting’, often without the knowledge of the end-user, and may seriously intrude upon the privacy of these end-users. Techniques that surreptitiously monitor the actions of end-users, for example by tracking their activities online or the location of their terminal equipment, or subvert the operation of the end-users’ terminal equipment pose a serious threat to the privacy of end-users. Therefore, any such interference with the end-user's terminal equipment should be allowed only with the end-user's consent or for clearly defined exceptions and for specific and transparent purposes.
2017/06/28
Committee: ITRE
Amendment 81 #
Proposal for a regulation
Recital 21
(21) Exceptions to the obligation to obtain consent to make use of the processing and storage capabilities of terminal equipment or to access information stored in terminal equipment should be limited to situations that involve no, or only very limited, intrusion of privacy. For instance, consent should not be requested for authorizing the technical storage or access which is strictly necessary and proportionate for the legitimate purpose of enabling the use of a specific service explicitly requested by the end-user. This may include the storing of cookies for the duration of a single established session on a website to keep track of the end-user’s input when filling in online forms over several pages. Consent should also not be necessary if the information processed or stored is necessary to protect privacy, security or safety of the end-user, or to protect confidentiality, integrity, availability and authenticity of the terminal equipment. Cookies can also be a legitimate and useful tool, for example, in measuring web traffic to a website. Information society providers that engage in configuration checking to provide the service in compliance with the end-user's settings and the mere logging of the fact that the end-user’s device is unable to receive content requested by the end- user should not constitute access to such a device or use of the device processing capabilities. As an exemption from obtaining end-user´s consent, the processing of information and data that are or are rendered pseudonymous or anonymous should be allowed or for purposes other than those for which they were initially collected in cases where the processing is compatible and is subject to specific safeguards, especially pseudonymisation as set forth in point (4) of Article 6 of Regulation (EU) 2016/679, as well as if it is necessary in accordance with Article 6 (1) (f) of Regulation (EU) 2016/679 for the purpose of legitimate interest, provided that the data protection impact assessment was carried out, as prescribed in Article 35 of Regulation (EU) 2016/679. Adherence to the data protection certification mechanisms, seals or marks, as defined respectively in Article 40 and Article 42 of Regulation (EU) 2016/679, shall be encouraged and promoted, especially to demonstrate compliance with the Regulation in case of exceptions concerning compatible processing and legitimate interests as described above.
2017/06/28
Committee: ITRE
Amendment 83 #
Proposal for a regulation
Recital 22
(22) The methods used for providing information and obtaining end-user's consent should be as user-friendly as possible. Given the ubiquitous use of tracking cookies and other tracking techniques, end-users are increasingly requested to provide consent to store such tracking cookies in their terminal equipment. As a result, end-users are overloaded with requests to provide consent. The use of technical means to provide consent, for example, through transparent and user-friendly settings, may address this problem. Therefore, this Regulation should provide for the possibility to express consent by using the appropriate technical settings of a browser or other application. The choices made by end- users when establishing its general privacy settings of a browser or other application should be binding on, and enforceable against, any third parties. Web browsers are a type of software application that permits the retrieval and presentation of information on the internet. Other types of applications, such as the ones that permit calling and messaging or provide route guidance, have also the same capabilities. Web browsers mediate much of what occurs between the end-user and the website. From this perspective, they are in a privileged position to play an active role to help the end-user to control the flow of information to and from the terminal equipment. More particularly web browsers may be used as gatekeepers, thus helping end-users to prevent information from their terminal equipment (for example smart phone, tablet or computer) from being accessed or stored.
2017/06/28
Committee: ITRE
Amendment 87 #
Proposal for a regulation
Recital 23
(23) The principles of data protection by design and by default were codified under Article 25 of Regulation (EU) 2016/679. Currently, the default settings for cookies are set in most current browsers to ‘accept all cookies’. Therefore providers of software enabling the retrieval and presentation of information on the internet should have an obligation to configure the software so that it offers the optioninform the end-user about the possibility to express his or her consent using appropriate technical settings. The end-user should be offered multiple options to choose from, including to prevent third parties from storing information on the terminal equipment; this is often presented as ‘reject third party cookies’. End-users should be offered a set of privacy setting options, ranging from, higher (for example, ‘never accept cookies’) to lower (for example, ‘always accept cookies’) and intermediate (for example, ‘reject third party cookies’ or ‘only accept first party cookies’)rejecting tracking that is not necessary for the functionality of the website or other software to, for example, accepting tracking necessary for the functionality of the website or other software as well as for other purposes or, for example, accepting tracking necessary for the functionality of the website or other software and tracking for other purposes by parties that demonstrate the compliance with the EU data protection and privacy legislation, for instance in line with Article 40 and 42 of Regulation (EU) 2016/679. Such privacy settings should be presented in a an easily visible and intelligible manner.
2017/06/28
Committee: ITRE
Amendment 92 #
Proposal for a regulation
Recital 24
(24) For web browsers to be able to obtain end-users’ consent as defined under Regulation (EU) 2016/679, for example, to the storage of third party tracking cookies, they should, among others, require a clear affirmative action from the end-user of terminal equipment to signify his or her freely given, specific informed, and unambiguous agreement to the storage and access of such cookies or other tracking mechanisms in and from the terminal equipment. Such action may be considered to be affirmative, for example, if end-users are required to actively select ‘accept third party cookies’one of the offered options to confirm their agreement and are given the necessary information to make the choice. To this end, it is necessary to require providers of software enabling access to internet that, at the moment of installation, end-users are informed about the possibility to choose the privacy settings among the various options and ask them to make a choice. Information provided should not dissuade end-users from selecting higher privacy settings and should include relevant information about the risks associated to allowing third party cookies or other tracking mechanism to be stored in the computer, including the compilation of long-term records of individuals' browsing histories and the use of such records to send targeted advertising. Web browsers are encouraged to provide easy ways for end-users to change the privacy settings at any time during use and to. Web browsers shall allow the end-user to make exceptions for or to whitelist certain websites or to specify for which websites (third) party cookies are always or never allowed. customise his or her privacy settings for each individual website visited. The website shall be able to communicate to the end-user the fact that their privacy settings may influence his or her customer experience or access to all functionalities of the website and shall be allowed to offer end-user information how to change his or her settings, request consent from the end-user or offer him or her alternative options, such as i.e. subscription or paid access. The choice of end user for specific websites shall be respected by web browsers.
2017/06/28
Committee: ITRE
Amendment 96 #
Proposal for a regulation
Recital 25
(25) Accessing electronic communications networks requires the regular emission of certain data packets in order to discover or maintain a connection with the network or other devices on the network. Furthermore, devices must have a unique address assigned in order to be identifiable on that network. Wireless and cellular telephone standards similarly involve the emission of active signals containing unique identifiers such as a MAC address, the IMEI (International Mobile Station Equipment Identity), the IMSI etc. A single wireless base station (i.e. a transmitter and receiver), such as a wireless access point, has a specific range within which such information may be captured. Service providers have emerged who offer tracking services based on the scanning of equipment related information with diverse functionalities, including people counting, providing data on the number of people waiting in line, ascertaining the number of people in a specific area, etc. This information may be used for more intrusive purposes, such as to send commercial messages to end-users, for example when they enter stores, with personalized offers. While some of these functionalities do not entail high privacy risks, others do, for example, those involving the tracking of individuals over time, including repeated visits to specified locations. Providers engaged in such practices should ask for the end-user´s consent or should carry out data protection impact assessment and in this case the data collected is or is rendered pseudonymous or anonymous. Where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk, prior consultation with the supervisory authority, as prescribed in Article 36 of Regulation (EU) 2016/679, shall be carried out. Providers should display prominent notices located on the edge of the area of coverage informing end-users prior to entering the defined area that the technology is in operation within a given perimeter, the purpose of the tracking, the person responsible for it and the existence of any measure the end-user of the terminal equipment can take to minimize or stop the collection. Additional information should be provided where personal data are collected pursuant to Article 13 of Regulation (EU) 2016/679.
2017/06/28
Committee: ITRE
Amendment 100 #
Proposal for a regulation
Recital 26
(26) When the processing of electronic communications data by providers of electronic communications services falls within its scope, this Regulation should provide for the possibility for the Union or Member States under specific conditions to restrict by law certain obligations and rights when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard specific public interests, including national security, defence, public security and the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security and other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests. Therefore, this Regulation should not affect the ability of Member States to carry out lawful interception of electronic communications or take other measures, if necessary and proportionate to safeguard the public interests mentioned above, in accordance with the Charter of Fundamental Rights of the European Union and the European Convention for the Protection of Human Rights and Fundamental Freedoms, as interpreted by the Court of Justice of the European Union and of the European Court of Human Rights. Providers of electronic communications services should provide for appropriate procedures to facilitate legitimate requests of competent authorities, where relevant also taking into account the role of the representative designated pursuant to Article 3(3).
2017/06/28
Committee: ITRE
Amendment 104 #
Proposal for a regulation
Recital 30
(30) Publicly available directories of end-users of electronic communications services are widely distributed. Publicly available directories means any directory or service containing end-users information such as phone numbers (including mobile phone numbers), email address contact details and includes inquiry services. The right to privacy and to protection of the personal data of a natural person requires that end-users that are natural persons are asked for consent before their personal data are included in a directory. The legitimate interest of legal entities requires that end- users that are legal entities have the right to object to the data related to them being included in a directory. The consent shall be collected by the electronic communications service provider at the moment of signing the contract for such service.
2017/06/28
Committee: ITRE
Amendment 106 #
Proposal for a regulation
Recital 31
(31) If end-users that are natural persons give their consent to their data being included in such directories, they should be able to determine on a consent basis which categories of personal data are included in the directory (for example name, email address, home address, user name, phone number). In addition, providers of publicly available directorieupon giving their consent the end-users should be inform the end-usersed of the purposes of the directory and of the search functions of the directory before including them in that directory. End-users should be able to determine by consent on the basis of which categories of personal data their contact details can be searched. The categories of personal data included in the directory and the categories of personal data on the basis of which the end-user's contact details can be searched should not necessarily be the same. The providers of publicly available directories shall provide information about the search options, as well as if new options and functions of the directories are available in the publicly available directories.
2017/06/28
Committee: ITRE
Amendment 109 #
Proposal for a regulation
Recital 33
(33) Safeguards should be provided to protect end-users against unsolicited communications for direct marketing purposes, which intrude into the private life of end-users. The degree of privacy intrusion and nuisance is considered relatively similar independently of the wide range of technologies and channels used to conduct these electronic communications, whether using automated calling and communication systems, instant messaging applications, emails, SMS, MMS, Bluetooth, etc. It is therefore justified to require that consent of the end-user is obtained before commercial electronic communications for direct marketing purposes are sent to end-users in order to effectively protect individuals against the intrusion into their private life as well as the legitimate interest of legal persons. Legal certainty and the need to ensure that the rules protecting against unsolicited electronic communications remain future- proof justify the need to define a single set of rules that do not vary according to the technology used to convey these unsolicited communications, while at the same time guaranteeing an equivalent level of protection for all citizens throughout the Union. However, it is reasonable to allow the use of e-mail contact details within the context of an existing customer relationship for the offering of similar products or services. Such possibility should only apply to the same company that has obtained the electronic contact details in accordance with Regulation (EU) 2016/679.
2017/06/28
Committee: ITRE
Amendment 110 #
Proposal for a regulation
Recital 37
(37) Service providers who offer electronic communications services should inform end- users of measures they can take to protect the security of their communications for instance by using specific types of software or encryption technologies. The requirement to inform end-users of particular security risks does not discharge a service provider from the obligation to take, at its own costs, appropriate and immediate measures to remedy any new, unforeseen security risks and restore the normal security level of the service. The provision of information about security risks to the subscriber should be free of charge. Security is appraised in the light of Article 32 of Regulation (EU) 2016/679all comply with the security obligations as prescribed in Article 32 of Regulation (EU) 2016/679 and Article 40 of [European Electronic Communications Code].
2017/06/28
Committee: ITRE
Amendment 133 #
2. For the purposes of point (b) of paragraph 1, the definition of ‘interpersonal communications service’ shall include services which enable interpersonal and interactive communication merely as a minor ancillary feature that is intrinsically linked to another service.deleted
2017/06/28
Committee: ITRE
Amendment 152 #
Proposal for a regulation
Article 5 – paragraph 1
Electronic communications data shall be confidential. Any interference with electronic communications data, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, or surveillance or processing of electronic communications data, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation.
2017/06/28
Committee: ITRE
Amendment 155 #
Proposal for a regulation
Article 6 – paragraph 1 – introductory part
1. Providers of electronic communications networks and services may process electronic communications data if: it is necessary to achieve the transmission of the communication, for the duration necessary for that purpose.
2017/06/28
Committee: ITRE
Amendment 157 #
Proposal for a regulation
Article 6 – paragraph 1 – point a
(a) it is necessary to achieve the transmission of the communication, for the duration necessary for that purpose; ordeleted
2017/06/28
Committee: ITRE
Amendment 160 #
Proposal for a regulation
Article 6 – paragraph 1 – point b
(b) it is necessary to maintain or restore the security of electronic communications networks and services, or detect technical faults and/or errors in the transmission of electronic communications, for the duration necessary for that purpose.deleted
2017/06/28
Committee: ITRE
Amendment 161 #
Proposal for a regulation
Recital 7
(7) The Member States should be allowed, within the limits of this Regulation, to maintain or introduce national provisions to further specify andEuropean Data Protection Board should, where necessary, issue guidance and opinions within the limits of this Regulation, to further clarify the application of the rules of this Regulation in order to ensure an effective application and interpretation of those rules. Therefore, the margin of discretion, which Member States hase guidance and opinions should take into account the dual objective inof this rRegard,ulation, therefore they should maintain a balance between the protection of private life and personal data and the free movement of electronic communications data.
2017/07/14
Committee: LIBE
Amendment 165 #
Proposal for a regulation
Article 6 – paragraph 1 a (new)
1a. Providers of electronic communication networks and services and third parties may process electronic communication data to the extent strictly necessary and proportionate for the purpose of ensuring security of network and information if it is necessary to protect, maintain or restore the confidentiality, integrity, availability, authenticity of electronic communications, protect the privacy and safety of end-users or of third parties or detect technical faults and/or errors in the transmission of electronic communications, for the duration necessary for that purpose.
2017/06/28
Committee: ITRE
Amendment 169 #
Proposal for a regulation
Article 6 – paragraph 2 – introductory part
2. Providers of electronic communications networks and services may process electronic communications metadata if:
2017/06/28
Committee: ITRE
Amendment 170 #
Proposal for a regulation
Recital 9 a (new)
(9a) For the purpose of this Regulation, where the provider of an electronic communications service is not established in the Union, it shall designate a representative in the Union. The representative should be designated in writing. The representative may be the same as the one designated under Article 27 of Regulation (EU) 2016/679.
2017/07/14
Committee: LIBE
Amendment 173 #
Proposal for a regulation
Recital 11
(11) The services used for communications purposes, and the technical means of their delivery, have evolved considerably. End-users increasingly replace traditional voice telephony, text messages (SMS) and electronic mail conveyance services in favour of functionally equivalent online services such as Voice over IP, messaging services and web-based e-mail services. In order to ensure an effective and equal protection of end-users when using functionally equivalent services, this Regulation uses the definition of electronic communications services set forth in the [Directive of the European Parliament and of the Council establishing the European Electronic Communications Code24 ]. That definition encompasses not only internet access services and services consisting wholly or partly in the conveyance of signals but also interpersonal communications services, which may or may not be number-based, such as for example, Voice over IP, messaging services and web-based e-mail services. The protection of confidentiality of communications is crucial also as regards interpersonal communications services that are ancillary to another service; therefore, such type of services also having a communication functionality should be covered by this Regulation. _________________ 24 Commission proposal for a Directive of the European Parliament and of the Council establishing the European Electronic Communications Code (Recast) (COM/2016/0590 final - 2016/0288 (COD)).
2017/07/14
Committee: LIBE
Amendment 178 #
Proposal for a regulation
Article 6 – paragraph 2 – point c
(c) the end-user concerned has given his or her consent to the processing of his or her communications metadata for one or more specified purposes, including for the provision of specific services to such end- users, provided that the purpose or purposes concerned could not be fulfilled by processing information that is made anonymous.; or
2017/06/28
Committee: ITRE
Amendment 179 #
Proposal for a regulation
Recital 12
(12) Connected devices and machines increasingly communicate with each other by using electronic communications networks (Internet of Things). The transmission of machine-to-machine communications involves the conveyance of signals over a network and, hence, usually constitutes an electronic communications service. In order to ensure full protection of the rights to privacy and confidentiality of communications, and to promote a trusted and secure Internet of Things in the digital single market, it is necessary to clarify that this Regulation should apply to the transmission of machine-to- machine communications. Therefore, the principle of confidentiality enshrined in this Regulation should also apply to the transmission of machine-to-machine communications. Specific safeguards could also be adopted under sectorial legislation, as for instance Directive 2014/53/EU.deleted
2017/07/14
Committee: LIBE
Amendment 180 #
Proposal for a regulation
Article 6 – paragraph 2 – point c a (new)
(c a) the processing of these data for another specified purpose is compatible with the purpose for which the data were initially collected and is subject to specific safeguards, especially pseudonymisation, as set forth in Article 6(4) of Regulation (EU) 2016/679;or
2017/06/28
Committee: ITRE
Amendment 181 #
Proposal for a regulation
Article 6 – paragraph 2 – point c b (new)
(cb) it is necessary, in accordance with Article 6(1)(f) of Regulation (EU) 2016/679, for the purposes of the legitimate interests pursued by the service provider or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
2017/06/28
Committee: ITRE
Amendment 182 #
Proposal for a regulation
Recital 13
(13) The development of fast and efficient wireless technologies has fostered the increasing availability for the public of internet access via wireless networks accessible by anyone in public and semi- private spaces such as ‘hotspots’ situated at different places within a city, department stores, shopping malls and hospitals. To the extent that those communications networks are provided to an undefined group of end-users, the confidentiality of the communications transmitted through such networks should be protected. The fact that wireless electronic communications services may be ancillary to other services should not stand in the way of ensuring the protection of confidentiality of communications data and application of this Regulation. Therefore, this Regulation should apply to electronic communications data using electronic communications services and public communications networks. It should apply to restricted-access services offered by social network services, such as user- created groups or private messaging, as long as the social network service as a whole is publicly available. In contrast, this Regulation should not apply to closed groups of end-users such as corporate networks, access to which is limited to members of the corporation.
2017/07/14
Committee: LIBE
Amendment 183 #
Proposal for a regulation
Article 6 – paragraph 2 a (new)
2a. For the purpose of point (cb) of paragraph 2, data protection impact assessment shall be carried out as prescribed in Article 35 of Regulation (EU) 2016/679.
2017/06/28
Committee: ITRE
Amendment 184 #
Proposal for a regulation
Article 6 – paragraph 3 – introductory part
3. PWithout prejudice to points (1) and (1a) of Article 6, providers of the electronic communications services may process electronic communications content only:
2017/06/28
Committee: ITRE
Amendment 188 #
Proposal for a regulation
Article 6 – paragraph 3 – point a
(a) for the sole purpose of the provision of a specific service to an end- user, if the end-user or end-users concerned haves given theihis or her consent to the processing of his or her electronic communications content and the provision of that service cannot be fulfilled without the processing of such content; or
2017/06/28
Committee: ITRE
Amendment 194 #
Proposal for a regulation
Article 7 – paragraph 1
1. Without prejudice to point (b) of Article 6(1a) and points (a) and (b) of Article 6(3), the provider of the electronic communications service shall erase electronic communications content or make that data anonymous after receipt of electronic communication content by the intended recipient or recipients. Such data may be recorded or stored by the end-users or by a third party entrusted by them to record, store or otherwise process such data, in accordance with Regulation (EU) 2016/679.
2017/06/28
Committee: ITRE
Amendment 196 #
Proposal for a regulation
Article 7 – paragraph 2
2. Without prejudice to point (b) of Article 6(1a) and points (a), (c), (ca) and (cb) of Article 6(2), the provider of the electronic communications service shall erase electronic communications metadata or make that data anonymous when it is no longer needed for the purpose of the transmission of a communication.
2017/06/28
Committee: ITRE
Amendment 196 #
Proposal for a regulation
Recital 15
(15) Electronic communications data should be treated as confidential. This means that any interference with the transmission of electronic communications data, whether directly by human intervention or through the intermediation of automated processing by machines, without the consent of all the communicating parties should be prohibited. The prohibition of interception of communications data should apply during their conveyance, i.e. until. For non-real- time electronic communication such as email or messaging, the transmission starts with the submission of the content for delivery and finishes with the receipt of the content of the electronic communication by the service provider of the intended addresseerecipient. Interception of electronic communications data may occur, for example, when someone other than the communicating parties, listens to calls, reads, scans or stores the content of electronic communications, or the associated metadata for purposes other than the exchange of communications. Interception also occurs when third parties monitor websites visited, timing of the visits, interaction with others, etc., without the consent of the end-user concerned. As technology evolves, the technical ways to engage in interception have also increased. Such ways may range from the installation of equipment that gathers data from terminal equipment over targeted areas, such as the so-called IMSI (International Mobile Subscriber Identity) catchers, to programs and techniques that, for example, surreptitiously monitor browsing habits for the purpose of creating end-user profiles. Other examples of interception include capturing payload data or content data from unencrypted wireless networks and routers, including browsing habits without the end-users’ consent.
2017/07/14
Committee: LIBE
Amendment 200 #
Proposal for a regulation
Recital 16
(16) The prohibition of storage of communications is not intended to prohibit any automatic, intermediate and transient storage of this information insofar as this takes place for the sole purpose of carrying out the transmission in the electronic communications network. It should not prohibit either the processing of electronic communications data to ensure the security, confidentiality, integrity, availability, authenticity and continuity of the electronic communications services and networks, including checking security threats such as the presence of malware or the processing of metadata to ensure the necessary quality of service requirements, such as latency, jitter etc.
2017/07/14
Committee: LIBE
Amendment 209 #
Proposal for a regulation
Article 8 – paragraph 1 – point b a (new)
(b a) the information is or is rendered pseudonymous or anonymous; or
2017/06/28
Committee: ITRE
Amendment 212 #
Proposal for a regulation
Recital 17
(17) The processing of electronic communications data can be useful for businesses, consumers and society as a whole. Vis-à-vis Directive 2002/58/EC, this Regulation broadens the possibilities for providers of electronic communications services to process electronic communications metadata, based on end- users consent. However, end-users attach great importance to the confidentiality of their communications, including their online activities, and that they want to control the use of electronic communications data for purposes other than conveying the communication. Therefore, this Regulation should require providers of electronic communications services to obtain end-users’ consent to process electronic communications metadata, which should include data on the location of the device generated for the purposes of granting and maintaining access and connection to the service. Location data that is generated other than in the context of providing electronic communications services should not be considered as metadata. Examples of commercial usages of electronic communications metadata by providers of electronic communications services may include the provision of heatmaps; a graphical representation of data using colors to indicate the presence of individuals. To display the traffic movements in certain directions during a certain period of time, an identifier is necessary to link the positions of individuals at certain time intervals. This identifier would be missing if anonymous data were to be used and such movement could not be displayed. Such usage of electronic communications metadata could, for example, benefit public authorities and public transport operators to define where to develop new infrastructure, based on the usage of and pressure on the existing structure. Where a type of processing of electronic communications metadata, in particular using new technologies, As an exemption from obtaining end-user´s consent, the processing of metadata for purposes other thand taking into account the nature, scope, context and purposes ofhose for which they were initially collected should be allowed in cases where the processing, is likely to result in a high risk to the rights and freedoms of natural persons, a data protection impact assessment and, as the case may be, a conscompatible and is subject to specific safeguards, especially pseudonymisation as set forth in point (4) of Article 6 of Regulation (EU) 2016/679, as well as if it is necessary in accordance with Article 6 (1) (f) of Regultation of the supervisory authority should take place prior to the processing, in accordance with(EU) 2016/679 for the purpose of legitimate interest, provided that the data protection impact assessment was carried out, as prescribed in Articles 35 and 36 of Regulation (EU) 2016/679.
2017/07/14
Committee: LIBE
Amendment 216 #
Proposal for a regulation
Article 8 – paragraph 1 – point d
(d) if it is necessary for web audience measuring, provided that such measurement is carried out by the providerto obtain information about technical quality or effectiveness of thean information society service requested by the end-user.that has been delivered or about terminal equipment functionality, and it has no or little impact on the privacy of the end-user concerned; or
2017/06/28
Committee: ITRE
Amendment 222 #
Proposal for a regulation
Article 8 – paragraph 1 – point d a (new)
(d a) it is necessary to protect privacy, security or safety of the end-user, or to protect confidentiality, integrity, availability, authenticity of the terminal equipment; or
2017/06/28
Committee: ITRE
Amendment 222 #
Proposal for a regulation
Recital 19
(19) The content of electronic communications pertains to the essence of the fundamental right to respect for private and family life, home and communications protected under Article 7 of the Charter. Any interference with the content of electronic communications should be allowed only under very clear defined conditions, for specific purposes and be subject to adequate safeguards against abuse. This Regulation provides for the possibility of providers of electronic communications services to process electronic communications data in transit, with the informed consent of all the end- users concerned. For example, providers may offer services that entail the scanning of emails to remove certain pre-defined material. Given the sensitivity of the content of communications, this Regulation sets forth a presumption that the processing of such content data will result in high risks to the rights and freedoms of natural persons. When processing such type of data, the provider of the electronic communications service should always consult the supervisory authority prior to the processing. Such consultation should be in accordance with Article 36 (2) and (3) of Regulation (EU) 2016/679. The presumption does not encompass the processing of content data to provide a service requested by the end-user where the end-user has consented to such processing and it is carried out for the purposes and duration strictly necessary and proportionate for such service, for example text to voice service, organisation of the mailbox, calendar assistants or SPAM filter service. After electronic communications content has been sent by the end-user and received by the intended end-user or end-users, it may be recorded or stored by the end-user, end- users or by a third party entrusted by them to record or store such data. Any processing of such data must comply with Regulation (EU) 2016/679.
2017/07/14
Committee: LIBE
Amendment 227 #
Proposal for a regulation
Article 8 – paragraph 1 – point d b (new)
(d b) the processing of these data and information for another specified purpose is compatible with the purpose for which the data were initially collected and is subject to specific safeguards, especially pseudonymisation, as set forth in Article 6(4) of Regulation (EU) 2016/679;or
2017/06/28
Committee: ITRE
Amendment 227 #
Proposal for a regulation
Recital 20
(20) Terminal equipment of end-users of electronic communications networks and any information relating to the usage of such terminal equipment, whether in particular is stored in or emitted by such equipment, requested from or processed in order to enable it to connect to another device and or network equipment, are part of the private sphere of the end-users requiring protection under the Charter of Fundamental Rights of the European Union and the European Convention for the Protection of Human Rights and Fundamental Freedoms. Given that such equipment contains or processes information that may reveal details of an individual’s emotional, political, social complexities, including the content of communications, pictures, the location of individuals by accessing the device’s GPS capabilities, contact lists, and other information already stored in the device, the information related to such equipment requires enhanced privacy protection. Furthermore, the so-called spyware, web bugs, hidden identifiers, tracking cookies and other similar unwanted tracking tools can enter end-user’s terminal equipment without their knowledge in order to gain access to information, to store hidden information and to trace the activities. Information related to the end-user’s device may also be collected remotely for the purpose of identification and tracking, using techniques such as the so-called ‘device fingerprinting’, often without the knowledge of the end-user, and may seriously intrude upon the privacy of these end-users. Techniques that surreptitiously monitor the actions of end-users, for example by tracking their activities online or the location of their terminal equipment, or subvert the operation of the end-users’ terminal equipment pose a serious threat to the privacy of end-users. Therefore, any such interference with the end-user’s terminal equipment should be allowed only with the end-user’s consent or for clearly defined exceptions and for specific and transparent purposes.
2017/07/14
Committee: LIBE
Amendment 230 #
Proposal for a regulation
Article 8 – paragraph 1 – point d c (new)
(d c) it is necessary, in accordance with Article 6(1)(f) of Regulation (EU) 2016/679 for the purposes of the legitimate interests pursued by the service provider or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
2017/06/28
Committee: ITRE
Amendment 232 #
Proposal for a regulation
Recital 21
(21) Exceptions to the obligation to obtain consent to make use of the processing and storage capabilities of terminal equipment or to access information stored in terminal equipment should be limited to situations that involve no, or only very limited, intrusion of privacy. For instance, consent should not be requested for authorizing the technical storage or access which is strictly necessary and proportionate for the legitimate purpose of enabling the use of a specific service explicitly requested by the end-user. This may include the storing of cookies for the duration of a single established session on a website to keep track of the end-user’s input when filling in online forms over several pages. Consent should also not be necessary if the information processed or stored is necessary to protect privacy, security or safety of the end-user, or to protect confidentiality, integrity, availability and authenticity of the terminal equipment. Cookies can also be a legitimate and useful tool, for example, in measuring web traffic to a website. Information society providers that engage in configuration checking to provide the service in compliance with the end-user’s settings and the mere logging of the fact that the end-user’s device is unable to receive content requested by the end- user should not constitute access to such a device or use of the device processing capabilities. As an exemption from obtaining end-user´s consent, the processing of information and data that are or are rendered pseudonymous or anonymous should be allowed or for purposes other than those for which they were initially collected in cases where the processing is compatible and is subject to specific safeguards, especially pseudonymisation as set forth in point (4) of Article 6 of Regulation (EU) 2016/679, as well as if it is necessary in accordance with Article 6 (1) (f) of Regulation (EU) 2016/679 for the purpose of legitimate interest, provided that the data protection impact assessment was carried out, as prescribed in Article 35 of Regulation (EU) 2016/679. Adherence to the data protection certification mechanisms, seals or marks, as defined respectively in Article 40 and Article 42 of Regulation (EU) 2016/679, shall be encouraged and promoted, especially to demonstrate compliance with the Regulation in case of exceptions concerning compatible processing and legitimate interests as described above.
2017/07/14
Committee: LIBE
Amendment 233 #
Proposal for a regulation
Article 8 – paragraph 1 a (new)
1a. For the purpose of points (ba), (db) and (dc) of paragraph 1, data protection impact assessment shall be carried out as prescribed in Article 35 of Regulation (EU) 2016/679.
2017/06/28
Committee: ITRE
Amendment 234 #
Proposal for a regulation
Article 8 – paragraph 1 b (new)
1 b. For the purpose of points (db) and (dc) of paragraph 1, in order to demonstrate the compliance with the Regulation, the adherence to the data protection certification mechanisms and of data protection seals and marks, as defined in Article 42 of Regulation (EU) 2016/679, especially on the Union level, shall be encouraged by the Member States, the supervisory authorities, the Board and the Commission.
2017/06/28
Committee: ITRE
Amendment 238 #
Proposal for a regulation
Article 8 – paragraph 2 – subparagraph 1 – point a a (new)
(aa) the end-user has given his or her consent;or
2017/06/28
Committee: ITRE
Amendment 241 #
Proposal for a regulation
Article 8 – paragraph 2 – subparagraph 1 – point b
(b) the information collected is or is rendered pseudonymous or anonymous and the data protection impact assessment and, if necessary, a prior consultation with the supervisory authority were carried out, as prescribed respectively in Article 35 and 36 of Regulation (EU) 2016/679, and a clear and prominent notice is displayed informing of, at least, the modalities of the collection, its purpose, the person responsible for it and the other information required under Article 13 of Regulation (EU) 2016/679 where personal data are collected, as well as any measure the end-user of the terminal equipment can take to stop or minimise the collection.
2017/06/28
Committee: ITRE
Amendment 241 #
Proposal for a regulation
Recital 22
(22) The methods used for providing information and obtaining end-user’s consent should be as user-friendly as possible. Given the ubiquitous use of tracking cookies and other tracking techniques, end-users are increasingly requested to provide consent to store such tracking cookies in their terminal equipment. As a result, end-users are overloaded with requests to provide consent. The use of technical means to provide consent, for example, through transparent and user-friendly settings, may address this problem. Therefore, this Regulation should provide for the possibility to express consent by using the appropriate technical settings of a browser or other application. The choices made by end- users when establishing its general privacy settings of a browser or other application should be binding on, and enforceable against, any third parties. Web browsers are a type of software application that permits the retrieval and presentation of information on the internet. Other types of applications, such as the ones that permit calling and messaging or provide route guidance, have also the same capabilities. Web browsers mediate much of what occurs between the end-user and the website. From this perspective, they are in a privileged position to play an active role to help the end-user to control the flow of information to and from the terminal equipment. More particularly web browsers may be used as gatekeepers, thus helping end-users to prevent information from their terminal equipment (for example smart phone, tablet or computer) from being accessed or stored.
2017/07/14
Committee: LIBE
Amendment 253 #
(23) The principles of data protection by design and by default were codified under Article 25 of Regulation (EU) 2016/679. Currently, the default settings for cookies are set in most current browsers to ‘accept all cookies’. Therefore providers of software enabling the retrieval and presentation of information on the internet should have an obligation to configure the software so that it offers the optioninform the end-user about the possibility to express his or her consent using appropriate technical settings. The end-user should be offered multiple options to choose from, including to prevent third parties from storing information on the terminal equipment; this is often presented as ‘reject third party cookies’. End-users should be offered a set of privacy setting options, ranging from, higher (for example, ‘never accept cookies’) to lower (for example, ‘always accept cookies’) and intermediarejecting tracking that is not necessary for the functionality of the website or other software to, for example, accepting tracking necessary for the functionality of the website (for example, ‘reject third party cookiother software as well as for other purposes or ‘only accept first p, for example, accepting tracking necessarty cookies’). Such privacy settings shouldfor the functionality of the website or other software and tracking for other purposes bey presented in an easily visible and intelligible mannerarties that demonstrate the compliance with the EU data protection and privacy legislation, for instance in line with Article 40 and 42 of Regulation (EU) 2016/679.
2017/07/14
Committee: LIBE
Amendment 260 #
Proposal for a regulation
Article 9 – paragraph 3
3. End-users who have consented to the processing of electronic communications data as set out in point (c) of Article 6(2) and points (a) and (b) of Article 6(3) shall be given the possibility to withdraw their consent at any time as set forth under Article 7(3) of Regulation (EU) 2016/679 and be reminded of this possibility at periodic intervals of 6 months, as long as the processing continues.
2017/06/28
Committee: ITRE
Amendment 260 #
Proposal for a regulation
Recital 24
(24) For web browsers to be able to obtain end-users’ consent as defined under Regulation (EU) 2016/679, for example, to the storage of third party tracking cookies, they should, among others, require a clear affirmative action from the end-user of terminal equipment to signify his or her freely given, specific informed, and unambiguous agreement to the storage and access of such cookies or other tracking mechanisms in and from the terminal equipment. Such action may be considered to be affirmative, for example, if end-users are required to actively select ‘accept third party cookies’one of the offered options to confirm their agreement and are given the necessary information to make the choice. To this end, it is necessary to require providers of software enabling access to internet that, at the moment of installation, end-users are informed about the possibility to choose the privacy settings among the various options and ask them to make a choice. Information provided should not dissuade end-users from selecting higher privacy settings and should include relevant information about the risks associated to allowing third party cookies or other tracking mechanisms to be stored in the computer, including the compilation of long-term records of individuals’ browsing histories and the use of such records to send targeted advertising. Web browsers are encouraged to provide easy ways for end-users to change the privacy settings at any time during use and to. Web browsers shall allow the end-user to make exceptions for or to whitelist certain websites or to specify for which websites (third) party cookies are always or never allowedcustomise his or her privacy settings for each individual website visited. The website shall be able to communicate to the end-user the fact that their privacy settings may influence his or her customer experience or access to all functionalities of the website and shall be allowed to offer end-user information how to change his or her settings, request consent from the end-user or offer him or her alternative options, such as i.e. subscription or paid access. The choice of end user for specific websites shall be respected by web browsers.
2017/07/14
Committee: LIBE
Amendment 264 #
Proposal for a regulation
Recital 25
(25) Accessing electronic communications networks requires the regular emission of certain data packets in order to discover or maintain a connection with the network or other devices on the network. Furthermore, devices must have a unique address assigned in order to be identifiable on that network. Wireless and cellular telephone standards similarly involve the emission of active signals containing unique identifiers such as a MAC address, the IMEI (International Mobile Station Equipment Identity), the IMSI etc. A single wireless base station (i.e. a transmitter and receiver), such as a wireless access point, has a specific range within which such information may be captured. Service providers have emerged who offer tracking services based on the scanning of equipment related information with diverse functionalities, including people counting, providing data on the number of people waiting in line, ascertaining the number of people in a specific area, etc. This information may be used for more intrusive purposes, such as to send commercial messages to end-users, for example when they enter stores, with personalized offers. While some of these functionalities do not entail high privacy risks, others do, for example, those involving the tracking of individuals over time, including repeated visits to specified locations. Providers engaged in such practices should ask for the end-user´s consent or should carry out data protection impact assessment and in this case the data collected is or is rendered pseudonymous or anonymous. Where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk, prior consultation with the supervisory authority, as prescribed in Article 36 of Regulation (EU) 2016/679, shall be carried out. Providers should display prominent notices located on the edge of the area of coverage informing end-users prior to entering the defined area that the technology is in operation within a given perimeter, the purpose of the tracking, the person responsible for it and the existence of any measure the end-user of the terminal equipment can take to minimize or stop the collection. Additional information should be provided where personal data are collected pursuant to Article 13 of Regulation (EU) 2016/679.
2017/07/14
Committee: LIBE
Amendment 272 #
Proposal for a regulation
Article 10 – paragraph 1
1. Software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall offer the option to prevent third parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipmappropriate technical settings referred to in Article 9 (2) for end-user to express consent.
2017/06/28
Committee: ITRE
Amendment 273 #
Proposal for a regulation
Recital 26
(26) When the processing of electronic communications data by providers of electronic communications services falls within its scope, this Regulation should provide for the possibility for the Union or Member States under specific conditions to restrict by law certain obligations and rights when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard specific public interests, including national security, defence, public security and the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security and other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests. Therefore, this Regulation should not affect the ability of Member States to carry out lawful interception of electronic communications or take other measures, if necessary and proportionate to safeguard the public interests mentioned above, in accordance with the Charter of Fundamental Rights of the European Union and the European Convention for the Protection of Human Rights and Fundamental Freedoms, as interpreted by the Court of Justice of the European Union and of the European Court of Human Rights. Providers of electronic communications services should provide for appropriate procedures to facilitate legitimate requests of competent authorities, where relevant also taking into account the role of the representative designated pursuant to Article 3(3).
2017/07/14
Committee: LIBE
Amendment 278 #
Proposal for a regulation
Article 10 – paragraph 2
2. Upon installation, the software shall inform the end-user about the privacy settings options and, to continue with the installation, require the end-user to consent to a setting. The technical settings shall consist of multiple options for end- user to choose from, including an option to prevent other parties from storing information on the terminal equipment of an end-user and from processing information already stored on that equipment. These settings should be easily accessible during the use of the software.
2017/06/28
Committee: ITRE
Amendment 284 #
Proposal for a regulation
Recital 30
(30) Publicly available directories of end-users of electronic communications services are widely distributed. Publicly available directories means any directory or service containing end-users information such as phone numbers (including mobile phone numbers), email address contact details and includes inquiry services. The right to privacy and to protection of the personal data of a natural person requires that end-users that are natural persons are asked for consent before their personal data are included in a directory. The legitimate interest of legal entities requires that end- users that are legal entities have the right to object to the data related to them being included in a directory. The consent should be collected by the electronic communications service provider at the moment of signing the contract for such service.
2017/07/14
Committee: LIBE
Amendment 285 #
Proposal for a regulation
Article 10 – paragraph 2 a (new)
2 a. The software permitting end-user to access individual websites shall enable end-user to customise his or her privacy settings according to the website visited.
2017/06/28
Committee: ITRE
Amendment 286 #
Proposal for a regulation
Article 10 – paragraph 3
3. In the case of software which has already been installed on 25 May 2018, the requirements under paragraphs 1 and 2 shall be complied with at the time of the first update of the software, but no later than 25 August 2018.deleted
2017/06/28
Committee: ITRE
Amendment 290 #
Proposal for a regulation
Recital 31
(31) If end-users that are natural persons give their consent to their data being included in such directories, they should be able to determine on a consent basis which categories of personal data are included in the directory (for example name, email address, home address, user name, phone number). In addition, providers of publicly available directorieupon giving their consent the end-users should be inform the end-usersed of the purposes of the directory and of the search functions of the directory before including them in that directory. End-users should be able to determine by consent on the basis of which categories of personal data their contact details can be searched. The categories of personal data included in the directory and the categories of personal data on the basis of which the end-user’s contact details can be searched should not necessarily be the same. The providers of publicly available directories shall provide information about the search options, as well as if new options and functions of the directories are available in the publicly available directories.
2017/07/14
Committee: LIBE
Amendment 295 #
Proposal for a regulation
Article 11 – paragraph 1
1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 5 to 8 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests referred to in Article 23(1)(a) to (ed) of Regulation (EU) 2016/679 or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests.
2017/06/28
Committee: ITRE
Amendment 303 #
Proposal for a regulation
Recital 33
(33) Safeguards should be provided to protect end-users against unsolicited communications for direct marketing purposes, which intrude into the private life of end-users. The degree of privacy intrusion and nuisance is considered relatively similar independently of the wide range of technologies and channels used to conduct these electronic communications, whether using automated calling and communication systems, instant messaging applications, emails, SMS, MMS, Bluetooth, etc. It is therefore justified to require that consent of the end-user is obtained before commercial electronic communications for direct marketing purposes are sent to end-users in order to effectively protect individuals against the intrusion into their private life as well as the legitimate interest of legal persons. Legal certainty and the need to ensure that the rules protecting against unsolicited electronic communications remain future- proof justify the need to define a single set of rules that do not vary according to the technology used to convey these unsolicited communications, while at the same time guaranteeing an equivalent level of protection for all citizens throughout the Union. However, it is reasonable to allow the use of e-mail contact details within the context of an existing customer relationship for the offering of similar products or services. Such possibility should only apply to the same company that has obtained the electronic contact details in accordance with Regulation (EU) 2016/679.
2017/07/14
Committee: LIBE
Amendment 305 #
Proposal for a regulation
Article 15 – paragraph 1
1. The providers of publicly available directorielectronic communication services shall obtain the consent of end- users who are natural persons to includshare their personal data in the directory and, consequently, shall obtain consent from these end-users forwith the providers of publicly available directories to include them in the directory and, consequently, shall provide end-users who are natural persons with information about inclusion of data per category of personal data, to the extent that such data are relevant for the purpose of the directory as determined by the provider of the directory. Providers shall give end- users who are natural persons the means to verify, correct and delete such data.
2017/06/28
Committee: ITRE
Amendment 314 #
Proposal for a regulation
Article 15 – paragraph 3
3. The providers of electronic communication services or providers of publicly available directories shall provide end-users that are legal persons with the possibility to object to data related to them being included in the directory. Providers shall give such end-users that are legal persons the means to verify, correct and delete such data.
2017/06/28
Committee: ITRE
Amendment 315 #
Proposal for a regulation
Recital 37
(37) Service providers who offer electronic communications services should inform end- users of measures they can take to protect all comply withe security of their communications for instance by using specific types of software or encryption technologies. The requirement to inform end-users of particular security risks does not discharge a service provider from the obligation to take, at its own costs, appropriate and immediate measures to remedy any new, unforeseen security risks and restore the normal security level of the service. The provision of information about security risks to the subscriber should be free of charge. Security is appraised in the light of Article 32 of Regulation (EU) 2016/679bligations as prescribed in Article 32 of Regulation (EU) 2016/679 and Article 40 of [European Electronic Communications Code].
2017/07/14
Committee: LIBE
Amendment 316 #
Proposal for a regulation
Article 15 – paragraph 4
4. The possibility for end-users not to be included in a publicly available directory, or to verify, correct and delete any data related to them shall be provided free of charge and in an easily accessible manner by the party that collected the consent or directly from the provider of publicly available directory.
2017/06/28
Committee: ITRE
Amendment 325 #
Proposal for a regulation
Article 16 – paragraph 2
2. Where a natural or legal person obtains electronic contact details for electronic mail from its customer, in the context of the sale of a product or a service, in accordance with Regulation (EU) 2016/679, that natural or legal person may use these electronic contact details for direct marketing of its own similar products or services only if customers are clearly and distinctly given the opportunity to object, free of charge and in an easy manner, to such use. The right to object shall be given at the time of collection and each time a message is sent.
2017/06/28
Committee: ITRE
Amendment 328 #
Proposal for a regulation
Article 16 – paragraph 3 – introductory part
3. Without prejudice to paragraphs 1 and 2, natural or legal persons using electronic communications services for the purposes of placing direct marketing calls shall: present the identity of a line on which they can be contacted; or present a specific code or prefix identifying the fact that the call is a marketing call.
2017/06/28
Committee: ITRE
Amendment 329 #
Proposal for a regulation
Article 16 – paragraph 3 – point a
(a) present the identity of a line on which they can be contacted; ordeleted
2017/06/28
Committee: ITRE
Amendment 331 #
Proposal for a regulation
Article 16 – paragraph 3 – point b
(b) present a specific code/or prefix identifying the fact that the call is a marketing call.deleted
2017/06/28
Committee: ITRE
Amendment 337 #
Proposal for a regulation
Article 17 – title
Information about detected security riskSecurity obligations
2017/06/28
Committee: ITRE
Amendment 340 #
Proposal for a regulation
Article 17 – paragraph 1
In the case of a particular risk that may compromise the security of networks andProvider of electronic communications services, the provider of an electronic communications service shall inform end-users concerning such risk and, where the risk lies outside the scope of the measures to be taken by the service provider, inform end-users of any possible remedies, including an indication of the likely costs involved shall comply with the security obligations as prescribed Regulation (EU) 2016/679 and [European Electronic Communications Code].
2017/06/28
Committee: ITRE
Amendment 355 #
Proposal for a regulation
Article 27 – paragraph 1
1. Directive 2002/58/EC is repealed with effect from 25 May 2018[1 year after entering into force of this Regulation].
2017/06/28
Committee: ITRE
Amendment 357 #
Proposal for a regulation
Article 28 – paragraph 1
By 1 January 2018[the date of entry into force of this Regulation] at the latest, the Commission shall establish a detailed programme for monitoring the effectiveness of this Regulation.
2017/06/28
Committee: ITRE
Amendment 359 #
Proposal for a regulation
Article 29 – paragraph 2 – subparagraph 1
It shall apply from 25 May 2018[1 year after entering into force of this Regulation].
2017/06/28
Committee: ITRE
Amendment 367 #
Proposal for a regulation
Article 4 – paragraph 2
2. For the purposes of point (b) of paragraph 1, the definition of ‘interpersonal communications service’ shall include services which enable interpersonal and interactive communication merely as a minor ancillary feature that is intrinsically linked to another service.deleted
2017/07/14
Committee: LIBE
Amendment 405 #
Proposal for a regulation
Article 5 – paragraph 1
Electronic communications data shall be confidential. Any interference with electronic communications data, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, or surveillance or processing of electronic communications data, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation.
2017/07/14
Committee: LIBE
Amendment 414 #
Proposal for a regulation
Article 6 – paragraph 1 – introductory part
1. Providers of electronic communications networks and services may process electronic communications data if: it is necessary to achieve the transmission of the communication, for the duration necessary for that purpose.
2017/07/14
Committee: LIBE
Amendment 419 #
Proposal for a regulation
Article 6 – paragraph 1 – point a
(a) it is necessary to achieve the transmission of the communication, for the duration necessary for that purpose; ordeleted
2017/07/14
Committee: LIBE
Amendment 425 #
Proposal for a regulation
Article 6 – paragraph 1 – point b
(b) it is necessary to maintain or restore the security of electronic communications networks and services, or detect technical faults and/or errors in the transmission of electronic communications, for the duration necessary for that purpose.deleted
2017/07/14
Committee: LIBE
Amendment 444 #
Proposal for a regulation
Article 6 – paragraph 1 a (new)
1 a. Providers of electronic communication networks and services and third parties may process electronic communication data to the extent strictly necessary for the purpose of ensuring security of network and information if it is necessary to protect, maintain or restore the confidentiality, integrity, availability, authenticity of electronic communications, protect the privacy and safety of end-users or of third parties or detect technical faults and/or errors in the transmission of electronic communications, for the duration necessary for that purpose.
2017/07/14
Committee: LIBE
Amendment 448 #
Proposal for a regulation
Article 6 – paragraph 2 – introductory part
2. Providers of electronic communications networks and services may process electronic communications metadata if:
2017/07/14
Committee: LIBE
Amendment 468 #
Proposal for a regulation
Article 6 – paragraph 2 – point c
(c) the end-user concerned has given his or her consent to the processing of his or her communications metadata for one or more specified purposes, including for the provision of specific services to such end- users, provided that the purpose or purposes concerned could not be fulfilled by processing information that is made anonymous.;or
2017/07/14
Committee: LIBE
Amendment 472 #
Proposal for a regulation
Article 6 – paragraph 2 – point c a (new)
(c a) the processing of these data for another specified purpose is compatible with the purpose for which the data were initially collected and is subject to specific safeguards, especially pseudonymisation, as set forth in Article 6(4) of Regulation (EU) 2016/679;or
2017/07/14
Committee: LIBE
Amendment 476 #
Proposal for a regulation
Article 6 – paragraph 2 – point c b (new)
(c b) it is necessary, in accordance with Article 6(1)(f) of Regulation (EU) 2016/679, for the purposes of the legitimate interests pursued by the service provider or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
2017/07/14
Committee: LIBE
Amendment 477 #
Proposal for a regulation
Article 6 – paragraph 2 a (new)
2 a. For the purpose of point (cb) of paragraph 2, data protection impact assessment shall be carried out as prescribed in Article 35 of Regulation (EU) 2016/679.
2017/07/14
Committee: LIBE
Amendment 481 #
Proposal for a regulation
Article 6 – paragraph 3 – introductory part
3. PWithout prejudice to points (1) and (1a) of Article 6, providers of the electronic communications services may process electronic communications content only:
2017/07/14
Committee: LIBE
Amendment 489 #
Proposal for a regulation
Article 6 – paragraph 3 – point a
(a) for the sole purpose of the provision of a specific service to an end- user, if the end-user or end-users concerned haves given theihis or her consent to the processing of his or her electronic communications content and the provision of that service cannot be fulfilled without the processing of such content; or
2017/07/14
Committee: LIBE
Amendment 502 #
Proposal for a regulation
Article 7 – paragraph 1
1. Without prejudice to point (b) of Article 6(1a) and points (a) and (b) of Article 6(3), the provider of the electronic communications service shall erase electronic communications content or make that data anonymous after receipt of electronic communication content by the intended recipient or recipients. Such data may be recorded or stored by the end-users or by a third party entrusted by them to record, store or otherwise process such data, in accordance with Regulation (EU) 2016/679.
2017/07/14
Committee: LIBE
Amendment 505 #
Proposal for a regulation
Article 7 – paragraph 2
2. Without prejudice to point (b) of Article 6(1a) and points (a), (c), (ca) and (cb) of Article 6(2), the provider of the electronic communications service shall erase electronic communications metadata or make that data anonymous when it is no longer needed for the purpose of the transmission of a communication.
2017/07/14
Committee: LIBE
Amendment 528 #
Proposal for a regulation
Article 8 – paragraph 1 – point b a (new)
(b a) the information is or is rendered pseudonymous or anonymous;or
2017/07/14
Committee: LIBE
Amendment 541 #
Proposal for a regulation
Article 8 – paragraph 1 – point d
(d) if it is necessary for web audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user.to obtain information about technical quality or effectiveness of an information society service that has been delivered, to understand and optimize web usage or about terminal equipment functionality, and it has no or little impact on the privacy of the end-user concerned; or
2017/07/14
Committee: LIBE
Amendment 557 #
Proposal for a regulation
Article 8 – paragraph 1 – point d a (new)
(d a) it is necessary to protect privacy, security or safety of the end-user, or to protect confidentiality, integrity, availability, authenticity of the terminal equipment;or
2017/07/14
Committee: LIBE
Amendment 565 #
Proposal for a regulation
Article 8 – paragraph 1 – point d b (new)
(d b) the processing of these data and information for another specified purpose is compatible with the purpose for which the data were initially collected and is subject to specific safeguards, especially pseudonymisation, as set forth in Article 6(4) of Regulation (EU) 2016/679;or
2017/07/14
Committee: LIBE
Amendment 568 #
Proposal for a regulation
Article 8 – paragraph 1 – point d c (new)
(d c) it is necessary, in accordance with Article 6(1)(f) of Regulation (EU) 2016/679 for the purposes of the legitimate interests pursued by the service provider or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
2017/07/14
Committee: LIBE
Amendment 579 #
Proposal for a regulation
Article 8 – paragraph 1 a (new)
1 a. For the purpose of points (ba), (db) and (dc) of paragraph 1, data protection impact assessment shall be carried out as prescribed in Article 35 of Regulation (EU) 2016/679
2017/07/14
Committee: LIBE
Amendment 581 #
Proposal for a regulation
Article 8 – paragraph 1 b (new)
1 b. For the purpose of points (db) and (dc) of paragraph 1, in order to demonstrate the compliance with the Regulation, the adherence to the data protection certification mechanisms and of data protection seals and marks, as defined in Article 42 of Regulation (EU) 2016/679, especially on the Union level, shall be encouraged by the Member States, the supervisory authorities, the Board and the Commission.
2017/07/14
Committee: LIBE
Amendment 586 #
Proposal for a regulation
Article 8 – paragraph 2 – subparagraph 1 – point a a (new)
(a a) the end-user has given his or her consent;or
2017/07/14
Committee: LIBE
Amendment 589 #
Proposal for a regulation
Article 8 – paragraph 2 – subparagraph 1 – point b
(b) the information collected is or is rendered pseudonymous or anonymous and the data protection impact assessment and, if necessary, a prior consultation with the supervisory authority were carried out, as prescribed respectively in Article 35 and 36 of Regulation (EU) 2016/679, and a clear and prominent notice is displayed informing of, at least, the modalities of the collection, its purpose, the person responsible for it and the other information required under Article 13 of Regulation (EU) 2016/679 where personal data are collected, as well as any measure the end-user of the terminal equipment can take to stop or minimise the collection.
2017/07/14
Committee: LIBE
Amendment 631 #
Proposal for a regulation
Article 9 – paragraph 3
3. End-users who have consented to the processing of electronic communications data as set out in point (c) of Article 6(2) and points (a) and (b) of Article 6(3) shall be given the possibility to withdraw their consent at any time as set forth under Article 7(3) of Regulation (EU) 2016/679 and be reminded of this possibility at periodic intervals of 6 months, as long as the processing continues.
2017/07/14
Committee: LIBE
Amendment 644 #
Proposal for a regulation
Article 10 – paragraph 1
1. Software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall offer the option to prevent third parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipmappropriate technical settings referred to in Article 9 (2) for end-user to express consent.
2017/07/14
Committee: LIBE
Amendment 654 #
Proposal for a regulation
Article 10 – paragraph 2
2. Upon installation, the software shall inform the end-user about the privacy settings options and, to continue with the installation, require the end-user to consent to a setting. The technical settings shall consist of multiple options for end- user to chose from, including an option to prevent other parties from storing information on the terminal equipment of a n end-user and from processing information already stored on that equipment. These settings should be easily accessible during the use of the software.
2017/07/14
Committee: LIBE
Amendment 660 #
Proposal for a regulation
Article 10 – paragraph 2 a (new)
2 a. The software permitting the end- user to access individual websites shall enable the end-user to customise his or her privacy settings according to the website visited.
2017/07/14
Committee: LIBE
Amendment 663 #
Proposal for a regulation
Article 10 – paragraph 3
3. In the case of software which has already been installed on 25 May 2018, the requirements under paragraphs 1 and 2 shall be complied with at the time of the first update of the software, but no later than 25 August 2018.deleted
2017/07/14
Committee: LIBE
Amendment 672 #
Proposal for a regulation
Article 11 – paragraph 1
1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 5 to 8 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests referred to in Article 23(1)(a) to (ed) of Regulation (EU) 2016/679 or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests.
2017/07/14
Committee: LIBE
Amendment 698 #
Proposal for a regulation
Article 15 – paragraph 1
1. The providers of publicly available directorielectronic communication services shall obtain the consent of end- users who are natural persons to include share their personal data in the directory and, consequently, shall obtain consent from these end-users forwith the providers of publicly available directories to include them in the directory and, consequently, shall provide end-users who are natural persons with information about inclusion of data per category of personal data, to the extent that such data are relevant for the purpose of the directory as determined by the provider of the directory. Providers shall give end- users who are natural persons the means to verify, correct and delete such data.
2017/07/14
Committee: LIBE
Amendment 720 #
Proposal for a regulation
Article 15 – paragraph 3
3. The providers of electronic communication services or providers of publicly available directories shall provide end-users that are legal persons with the possibility to object to data related to them being included in the directory. Providers shall give such end-users that are legal persons the means to verify, correct and delete such data.
2017/07/14
Committee: LIBE
Amendment 722 #
Proposal for a regulation
Article 15 – paragraph 4
4. The possibility for end-users not to be included in a publicly available directory, or to verify, correct and delete any data related to them shall be provided free of charge and in an easily accessible manner by the party that collected the consent or directly from the provider of publicly available directory.
2017/07/14
Committee: LIBE
Amendment 742 #
Proposal for a regulation
Article 16 – paragraph 2
2. Where a natural or legal person obtains electronic contact details for electronic mail from its customer, in the context of the sale of a product or a service, in accordance with Regulation (EU) 2016/679, that natural or legal person may use these electronic contact details for direct marketing of its own similar products or services only if customers are clearly and distinctly given the opportunity to object, free of charge and in an easy manner, to such use. The right to object shall be given at the time of collection and each time a message is sent.
2017/07/14
Committee: LIBE
Amendment 743 #
Proposal for a regulation
Article 16 – paragraph 3 – introductory part
3. Without prejudice to paragraphs 1 and 2, natural or legal persons using electronic communications services for the purposes of placing direct marketing calls shall: present the identity of a line on which they can be contacted; or present a specific code/or prefix identifying the fact that the call is a marketing call.
2017/07/14
Committee: LIBE
Amendment 746 #
Proposal for a regulation
Article 16 – paragraph 3 – point a
(a) present the identity of a line on which they can be contacted; ordeleted
2017/07/14
Committee: LIBE
Amendment 749 #
Proposal for a regulation
Article 16 – paragraph 3 – point b
(b) present a specific code/or prefix identifying the fact that the call is a marketing call.deleted
2017/07/14
Committee: LIBE
Amendment 769 #
Proposal for a regulation
Article 17 – title
Information about detected security riskSecurity obligations
2017/07/14
Committee: LIBE
Amendment 773 #
Proposal for a regulation
Article 17 – paragraph 1
In the case of a particular risk that may compromise the security of networks andProvider of electronic communications services, the provider of an electronic communications service shall inform end-users concerning such risk and, where the risk lies outside the scope of the measures to be taken by the service provider, inform end-users of any possible remedies, including an indication of the likely costs involved shall comply with the security obligations as prescribed Regulation (EU) 2016/679 and [European Electronic Communications Code].
2017/07/14
Committee: LIBE
Amendment 818 #
Proposal for a regulation
Article 27 – paragraph 1
1. Directive 2002/58/EC is repealed with effect from 25 May 2018[1 year after entering into force of this Regulation].
2017/07/14
Committee: LIBE
Amendment 822 #
Proposal for a regulation
Article 28 – paragraph 1
By 1 January 2018[the date of entry into force of this Regulation] at the latest, the Commission shall establish a detailed programme for monitoring the effectiveness of this Regulation.
2017/07/14
Committee: LIBE
Amendment 824 #
Proposal for a regulation
Article 29 – paragraph 2 – subparagraph 1
It shall apply from 25 May 2018[1 year after entering into force of this Regulation].
2017/07/14
Committee: LIBE