BETA

96 Amendments of Michel REIMON related to 2017/0003(COD)

Proposal for a regulation
Recital 2

(2) ~~The content of e~~Electronic communications may reveal highly sensitive information about the natural persons involved in the communication, from personal experiences and emotions to medical conditions, sexual preferences and political views, the disclosure of which could result in personal and social harm, economic loss or embarrassment. ~~Similarly, metadata derived from electronic communications may also reveal very sensitive and personal information. These metadata includ~~These data include text, voice, videos, images, sounds, IP and MAC addresses, the numbers called, the websites visited, geographical location, the time, date and duration when an individual made a call etc., allowing precise conclusions to be drawn regarding the private lives of the persons involved in the electronic communication, such as their social relationships, their habits and activities of everyday life, their interests, tastes etc.

2017/06/28
Committee: ITRE

Proposal for a regulation
Recital 4

(4) Pursuant to Article 8(1) of the Charter and Article 16(1) of the Treaty on the Functioning of the European Union, everyone has the right to the protection of personal data concerning him or her. Regulation (EU) 2016/679 lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. Electronic communications data may include personal data as defined in Regulation (EU) 2016/679 while in the case of natural persons electronic communications data is always personal data.

2017/06/28
Committee: ITRE

Proposal for a regulation
Recital 7

(7) The Member States should be allowed, within the limits of this Regulation, to maintain or introduce national provisions to further specify and clarify the application of the rules of this Regulation in order to ensure an effective application and interpretation of those rules. Therefore, the margin of discretion, which Member States have in this regard, should maintain a balance between the protection of private life and personal data and the free movement of electronic communications data.deleted

2017/06/28
Committee: ITRE

Proposal for a regulation
Recital 8

(8) This Regulation should apply to providers of electronic communications services, to providers of publicly available directories, and to software providers permitting electronic communications, including the retrieval and presentation of information on the internet. This Regulation should also apply to natural and legal persons who use electronic communications services to send direct marketing commercial communications or collect information related to, using the input/output, the communication and processing capabilities or stored in end- users’ terminal equipment.

2017/06/28
Committee: ITRE

Proposal for a regulation
Recital 13

(13) The development of fast and efficient wireless technologies has fostered the increasing availability for the public of internet access via wireless networks accessible by anyone in public and semi- private spaces such as 'hotspots' situated at different places within a city, department stores, shopping malls and hospitals. To the extent that those communications networks are provided to an undefined group of end-users, the confidentiality of the communications transmitted through such networks should be protected. The fact that wireless electronic communications services may be ancillary to other services should not stand in the way of ensuring the protection of confidentiality of communications data and application of this Regulation. Therefore, this Regulation should apply to electronic communications data using electronic communications services and ~~public~~ communications networks~~. In contrast, this Regulation should not apply to closed groups of end-users such as corporate~~ irrespective of whether these services and networks, a~~ccess to which is limited to members of the corporation~~re publicly available or not.

2017/06/28
Committee: ITRE

Proposal for a regulation
Recital 14

(14) Electronic communications data should be defined in a sufficiently broad and technology neutral way so as to encompass any information concerning the content transmitted or exchanged (electronic communications content) and the information concerning an end-user of electronic communications services processed for the purposes of transmitting, distributing or enabling the exchange of electronic communications content; including data to trace and identify the source and destination of a communication, geographical location and the date, time, duration and the type of communication. Whether such signals and the related data are conveyed by wire, radio, optical or electromagnetic means, including satellite networks, cable networks, fixed (circuit- and packet-switched, including internet) and mobile terrestrial networks, electricity cable systems, the data related to such signals should be considered as electronic communications metadata and therefore be subject to the provisions of this Regulation. Data generated, processed or transmitted by interpersonal communications services for the purpose of sending, transmitting or receiving such communications should be considered as electronic communications metadata from the perspective of the providers of these services but should still be considered as electronic communications content from the perspective of Internet access providers. Electronic communications metadata may include information that is part of the subscription to the service when such information is processed for the purposes of transmitting, distributing or exchanging electronic communications content.

2017/06/28
Committee: ITRE

Proposal for a regulation
Recital 15

(15) Electronic communications data should be treated as confidential. This means that any interference with the ~~transmission of~~ electronic communications data, whether directly by human intervention or through the intermediation of automated processing by machines, without the consent of all the communicating parties should be prohibited. ~~The prohibition of interception of communications data should apply during~~ For the purpose of this act, interfering means the processing of electronic communications for any purpose not requested by all end-users concerned, whetheir ~~conveyance, i.e. until re~~such process is carried out before, during or after the transmission of communications and includes the interceipt ~~of the content of the electronic communication by the intended addressee. Interception of~~ion. The prohibition of interference, including interception of communications data should apply at all levels and steps of the communication, including the storage of communication data. . Interference with electronic communications data may occur, for example, when someone other than the communicating parties, listens to calls, reads, scans or stores the content of electronic communications, or the associated metadata for purposes other than the exchange of communications. Inter~~ception~~ ference also occurs when third parties monitor websites visited, timing of the visits, interaction with others, etc., without the consent of the end-user concerned. As technology evolves, the technical ways to engage in inter~~ception~~ference have also increased. Such ways may range from the installation of equipment that gathers data from terminal equipment over targeted areas, such as the so-called IMSI (International Mobile Subscriber Identity) catchers, to programs and techniques that, for example, surreptitiously monitor browsing habits for the purpose of creating end-user profiles. Other examples of inter~~ception~~ference include capturing payload data or content data from unencrypted wireless networks and routers, including browsing habits without the end-users' consent.

2017/06/28
Committee: ITRE

Proposal for a regulation
Recital 17

(17) The processing of electronic communications data can be useful for businesses, consumers and society as a whole. Vis-à-vis Directive 2002/58/EC, this Regulation broadens the possibilities for providers of electronic communications services to process electronic communications metadata, based on end-users consent. However, end-users attach great importance to the confidentiality of their communications, including their online activities, and that they want to control the use of electronic communications data for purposes other than conveying the communication. Therefore, this Regulation should require providers of electronic communications services to obtain end- users' consent to process electronic communications metadata, which should include data on the location of the device generated for the purposes of granting and maintaining access and connection to the service. Location data that is generated other than in the context of providing electronic communications services should not be considered as metadata. Examples of commercial usages of electronic communications metadata by providers of electronic communications services may include the provision of heatmaps; a graphical representation of data using colors to indicate the presence of individuals. To display the traffic movements in certain directions during a certain period of time, an identifier is necessary to link the positions of individuals at certain time intervals. This identifier would be missing if anonymous data were to be used and such movement could not be displayed. Such usage of electronic communications metadata could, for example, benefit public authorities and public transport operators to define where to develop new infrastructure, based on the usage of and pressure on the existing structure. Where a type of processing of electronic communications metadata, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, a data protection impact assessment and, as the case may be, a consultation of the supervisory authority should take place prior to the processing, in accordance with Articles 35 and 36 of Regulation (EU) 2016/679.

2017/06/28
Committee: ITRE

Proposal for a regulation
Recital 18

(18) End-users may consent to the processing of their ~~meta~~data to receive specific services ~~such as protection services against fraudulent activities (by analysing usage data, location and customer account in real time)~~. In the digital economy, services are often supplied against counter- performance other than money, for instance by end-users being exposed to advertisements. For the purposes of this Regulation, consent of an end-user, regardless of whether the latter is a natural or a legal person, should have the same meaning and be subject to the same conditions as the data subject's consent under Regulation (EU) 2016/679. Basic broadband internet access and voice communications services are to be considered as essential services for individuals to be able to communicate and participate to the benefits of the digital economy. Consent for processing data from internet or voice communication usage will not be valid if the data subject has no genuine and free choice, or is unable to refuse or withdraw consent without detrimConsent for processing data will not be valid if the data subject has no genuine and free choice, or is unable to refuse or withdraw consent without detriment. As provided by article 7 of the Regulation (EU) 2016/679, consent is not freely given if it is required to access any service or obtained through insisting and repetitive requests. In order to prevent such abusive requests, end- users shall be able to order service providers to remember their choice not to consent.

2017/06/28
Committee: ITRE

Proposal for a regulation
Recital 19

(19) ~~The content of e~~Electronic communications pertains to the essence of the fundamental right to respect for private and family life, home and communications protected under Article 7 of the Charter. Any interference with the ~~content of~~ electronic communications data should be allowed only under very clear defined conditions, for specific purposes and be subject to adequate safeguards against abuse. This Regulation provides for the possibility of providers of electronic communications services to process electronic communications data in transit, with the informed consent of all the end- users concerned. For example, providers may offer services that entail the scanning of emails to remove certain pre-defined material. Given the sensitivity of ~~the content of~~electronic communications data, this Regulation sets forth a presumption that the processing of such content data will result in high risks to the rights and freedoms of natural persons. When processing such type of data, the provider of the electronic communications service should always consult the supervisory authority prior to the processing. Such consultation should be in accordance with Article 36 (2) and (3) of Regulation (EU) 2016/679. The presumption does not encompass the processing of content data to provide a service requested by the end- user where the end-user has consented to such processing and it is carried out for the purposes and duration strictly necessary and proportionate for such service. After electronic communications ~~content~~data has been sent by the end-user and received by the intended end- user or end- users, it may be recorded or stored by the end-user, end-users or by a third party entrusted by them to record or store such data. Any processing of such data must comply with Regulation (EU) 2016/679.Where communications data are stored by a third party, this third party shall protect with state of the art security measures applied from end to end, such as encryption, any information whose processing is not necessary to provide the service requested by the end-user.

2017/06/28
Committee: ITRE

Proposal for a regulation
Recital 23

(23) The principles of data protection by design and by default were codified under Article 25 of Regulation (EU) 2016/679. Currently, the default settings for cookies are set in most current browsers to ‘'accept all cookies’', which prevents end-users from providing informed and freely given consent, overloading them with requests. Therefore providers of software enabling the retrieval and presentation of information on the internet should have an obligation to configure the software so that ~~it offers the option to prevent~~by default prevents cross-domain and cross-devices tracking and third parties from storing information on the terminal equipment or requesting end-users' consent for that; this is often presented as ‘'reject third party trackers and cookies’'. End-users should be offered a set of privacy setting options, ranging from higher (for example, ‘'never accept ~~cookies’~~trackers and cookies but always reject them') to lower (for example, ‘'always a~~ccept~~sk whether to accept trackers and cookies’') and intermediate (for example, ‘'reject ~~third party cookies’ or ‘only accept first party cookies~~all trackers and cookies that are not strictly necessary in order to provide a service explicitly requested by the user’ or ‘reject all cross-domain tracking’). Such privacy settings should be presented in a ann objective, easily visible and intelligible manner.

2017/06/28
Committee: ITRE

Proposal for a regulation
Recital 24

(24) For web browsers to be able to obtain end-users’ consent as defined under Regulation (EU) 2016/679, for example, to the storage of third party tracking cookies, they should, among others, require a clear affirmative action from the end-user of terminal equipment to signify his or her freely given, specific informed, and unambiguous agreement to the storage and access of such cookies in and from the terminal equipment. Such action may be considered to be affirmative, for example, if end-users are required to actively select ‘accept third party cookies’ to confirm their agreement and are given the necessary information to make the choice. To this end, it is necessary to require providers of software enabling access to internet that, at the moment of installation, end-users are informed about the possibility to choose the privacy settings among the various options and ask them to make a choice. Information provided should not dissuade end-users from selecting higher privacy settings and should include relevant information about the risks associated to allowing third party cookies to be stored in the computer, including the compilation of long-term records of individuals' browsing histories and the use of such records to send targeted advertising. Web browsers are encouraged to provide easy ways for end-users to change the privacy settings at any time during use and to allow the user to make exceptions for or to whitelist certain websites or to specify for which websites (third) party cookies are always or never allowed.deleted

2017/06/28
Committee: ITRE

Proposal for a regulation
Recital 26

(26) When the processing of electronic communications data by providers of electronic communications services falls within its scope, this Regulation sis withouldt pr~~ovide for~~ejudice to the possibility for the Union or Member States under specific conditions to restrict by law certain obligations and rights ~~when such a restriction~~set under this Regulation when such a restriction is targeted to suspects, requires prior judicial authorisation, and constitutes a necessary and proportionate measure in a democratic society to safeguard specific public interests, including national security, defence, public security and the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security and other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, or a monitoring, inspection or regulatory functioof the Union or of a Member State. Those restrictions should be in accordance with the requirements set out in the Charter and in the European cCon~~nected to the exercise of official authority for such interest~~vention for the Protection of Human Rights and Fundamental Freedoms. Therefore, this Regulation should not affect the ability of Member States to carry out lawful interception of electronic communications or take other measures, if necessary and proportionate to safeguard the public interests mentioned above, in accordance with the Charter of Fundamental Rights of the European Union and the European Convention for the Protection of Human Rights and Fundamental Freedoms, as interpreted by the Court of Justice of the European Union and of the European Court of Human Rights. Providers of electronic communications services should provide for appropriate procedures to facilitate legitimate requests of competent authorities, where relevant also taking into account the role of the representative designated pursuant to Article 3(3).

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 2 – paragraph 1

1. This Regulation applies to : (a) the processing of electronic communications data carried out in connection with the provision and the use of electronic communications services ~~and to~~, irrespective of whether a payment of the end-user is required; (b) the processing of information related to or processed by the terminal equipment of end-users. ; (d) the provision of publicly available directories of users of electronic communication;

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 2 – paragraph 2 – point c

~~(c) electronic communications services which are not publicly available;~~deleted

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 2 – paragraph 3

3. The processing of electronic communications data by the Union institutions, bodies, offices and agencies insofar as they are not publicly available, originating or having as destination public networks is governed by Regulation (EU) 00/0000 [new Regulation replacing Regulation 45/2001].

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 3 – paragraph 1 – introductory part

1. This Regulation applies to: the activities referred to in Article 2 where the user or end-user is in the Union or where the communications services, hardware, software, directories, or direct marketing commercial electronic communications are provided to users or end-users in the Union.

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 3 – paragraph 1 – point a

~~(a) the provision of electronic communications services to end-users in the Union, irrespective of whether a payment of the end-user is required;~~deleted

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 3 – paragraph 1 – point b

~~(b) the use of such services;~~deleted

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 3 – paragraph 1 – point c

~~(c) the protection of information related to the terminal equipment of end- users located in the Union.~~deleted

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 3 – paragraph 4

4. The representative shall have the power to answer questions and provide information in addition to or instead of the provider it represents, in particular, to supervisory authorities, and end-users, on all issues related to ~~processing electronic communications data~~the activities referred to in Article 2 for the purposes of ensuring compliance with this Regulation.

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 3 – paragraph 5

5. The designation of a representative pursuant to paragraph 2 shall be without prejudice to legal actions, which could be initiated against a natural or legal person who ~~processes electronic communications data in connection with the provision of electronic communications services from outside the Union to end-users in~~undertake the activities referred to in Article 2 from outside the Union.

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 4 – paragraph 2

2. For the purposes of point (b) of paragraph 1, the definition of ‘interpersonal communications service’ shall include services which enable interpersonal and interactive communication merely as a minor ancillary feature that is intrinsically linked to another service.:

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 4 – paragraph 3 – point b

(b) ‘'electronic communications content’' means the content transmitted, distributed or exchanged by means of electronic communications services, such as text, voice, videos, images, and sound, including electronic communications metadata of other electronic communications services or protocols that are transmitted by using the respective service;

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 4 – paragraph 3 – point c

(c) ‘'electronic communications metadata’' means data ~~processed in an electronic communications network~~generated, transmitted or processed for the purposes of transmitting, distributing or exchanging electronic communications content;, including data used to trace and identify the source and destination of a communication~~, data on the lo~~; electronic identifiers and other data broadcasted or emitted by the terminal equipment to identify users' communication ofr t~~he device generated in the context of providing electronic communications services, and the date, time, duration and the type of communication~~o enable it to connect to an electronic communications service or to another terminal equipment, data on the location of the terminal equipment processed in the context of providing electronic communications services, and the date, time, duration and the type of communication; where metadata of other electronic communications services or protocols are transmitted, distributed or exchanged by using the respective service, they shall be considered electronic communications content for the respective service;

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 4 – paragraph 3 – point f

(f) ‘'direct marketing communications’' means any form of advertising, whether in written, audio, video, oral or~~al, sent~~ any other format, sent, broadcast, served or presented to one or more identified or identifiable end-users of electronic communications services, including the use of automated calling and communication systems with or without human interaction, electronic mail, SMS, etc.;

2017/06/28
Committee: ITRE

Proposal for a regulation
Chapter 2 – title

PROTECTION OF ELECTRONIC COMMUNICATIONS OF NATURAL AND LEGAL PERSONS AND OF INFORMATION ~~STORED IN~~PROCESSED BY AND RELATED TO THEIR TERMINAL EQUIPMENT

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 5 – title

Confidentiality of electronic communications ~~data~~

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 5 – paragraph 1

Electronic communications ~~data~~ shall be confidential. Any processing of electronic communications data, including any interference with electronic communications data, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance ~~or processing~~ of electronic communications data, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation. This includes electronic communications data that is stored after the transmission has been completed.

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 5 – paragraph 1 a (new)

Confidentiality of electronic communications shall also apply to data related to or processed by terminal equipment and to machine-to-machine communication.

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 6 – paragraph 1 – introductory part

1. Providers of electronic communications networks and services may process electronic communications data only if:

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 6 – paragraph 1 – point a

(a) it is technically and strictly necessary to achieve the transmission of the communication, for the duration necessary for that purpose; or

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 6 – paragraph 1 – point b

(b) it is technically and strictly necessary to maintain or restore the ~~security of~~availability, integrity and confidentiality of the respective electronic communications network~~s and~~ or services, or to detect technical faults and/or errors in the transmission of electronic communications, for the duration necessary for that purpose.; or

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 6 – paragraph 1 – point b a (new)

(ba) the users concerned have given their consent to the processing of his or her electronic communications data, provided that it is technically and strictly necessary for the provision of an information society service explicitly requested by a user for his or her purely individual usage, solely for the provision of the explicitly requested service and only for the duration necessary for that purpose and without the consent of all users, only where such processing produces effects solely in relation to the user who requested the service and does not adversely affect the fundamental rights of other users.

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 6 – paragraph 1 a (new)

1 a. Before processing electronic communications data, the provider shall carry out a data protection impact assessment pursuant to Article 35 of Regulation (EU) 2016/679, and if necessary a prior consultation with the supervisory authority pursuant to Article 36 of Regulation (EU) 2016/679.

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 6 – paragraph 2 – introductory part

2. Providers of electronic communications services may process electronic communications metadata only if:

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 6 – paragraph 2 – point a

(a) it is technically and strictly necessary to meet mandatory quality of service requirements pursuant to [Directive establishing the European Electronic Communications Code] or Regulation (EU) 2015/212028 for the duration necessary for that purpose; or _________________ 28 Regulation (EU) 2015/2120 of the European Parliament and of the Council of 25 November 2015 laying down measures concerning open internet access and amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services and Regulation (EU) No 531/2012 on roaming on public mobile communications networks within the Union (OJ L 310, 26.11.2015, p. 1–18).

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 6 – paragraph 2 – point b

(b) it is strictly necessary for billing, calculating interconnection payments, detecting or stopping fraudulent~~, or abusive~~ use of, or subscription to, electronic communications services and the user has given his or hers consent to such processing; or

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 6 – paragraph 2 – point c

(c) ~~the end-~~all users concerned hasve given ~~his or her~~their specific consent to the processing of ~~his or~~ their communications metadata by the respective electronic communications service for one or more specified purposes, including for the provision of specific services to such end-users, provided that the purpose or purposes concerned could not be fulfilled by processing ~~information that is made anonymou~~data that is made anonymous, and the consent has not been a condition to access or use a service. Providers have to consult the supervisory authority before such processing occurs.

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 6 – paragraph 3 – introductory part

3. Providers of ~~the~~ electronic communications services may process electronic communications content only if:

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 6 – paragraph 3 – point a

~~(a)~~all users concerned have given their consent to the processing of his or her electronic communications content for the sole purpose of the ~~(a)~~ provision of a specific service ~~to an end- user, if the end-user or end-users concerned have given their consent to the processing of his or her electronic communications content and~~explicitly requested by the end-user, for the duration necessary for that purpose, provided that the provision of that specific service cannot be fulfilled without the processing of such content by the provider, and the consent has not been a condition to access or use a service; or

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 6 – paragraph 3 – point b

(b) if all ~~end-~~users concerned have given their consent to the processing of their electronic communications content for one or more specified purposes that cannot be fulfilled by processing information that is made anonymous, and the provider has consulted the supervisory authority. Points (2) and (3) of Article 36 of Regulation (EU) 2016/679 shall apply to the consultation of the supervisory authority.

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 7 – paragraph 1

1. Without prejudice to ~~point (b) of Article 6(1) and~~ points (ab) and (bc) of Article 6(31), the provider of the electronic communications service shall erase electronic communications content ~~or make that data anonymous~~ after receipt of electronic communication content by the intended recipient or recipients. Such data may be recorded or stored by the end-users or by a ~~third part~~party, which could be the provider of the electronic communication service, specifically entrusted by them end-user to record, store or otherwise process such data,. The end-user may further process the content in accordance with Regulation (EU) 2016/679, if applicable.

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 7 – paragraph 2

2. Without prejudice to point (b) and (c) of Article 6(1) and point~~s (a) and~~ (c) of Article 6(2), the provider of the electronic communications service shall erase electronic communications metadata ~~or make that data anonymous~~ when it is no longer needed for the purpose of the transmission of a communication.

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 7 – paragraph 3

3. Where the processing of electronic communications metadata takes place for the purpose of billing in accordance with point (b) of Article 6(2), ~~the relevant metadata may be kept until the end of the period during which a bill~~only the metadata that is strictly necessary for this purpose may lawfully be challenged or a payment may be pursued in accordance with national law.

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 8 – title

Protection of information stored in ~~and~~, related to and processed by end-users’' terminal equipment

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 8 – paragraph 1 – introductory part

1. The use of input, output, processing and storage capabilities of terminal equipment and the collection or processing of information from ~~end-~~users~~’ terminal equipment, including about~~' terminal equipment, or making information available through the terminal equipment, including information about and processed by its software and hardware, other than by the ~~end-~~user concerned shall be prohibited, except oning the following grounds:

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 8 – paragraph 1 – point a

(a) it is strictly and technically necessary for the sole purpose of carrying out the transmission of an electronic communication over an electronic communications ~~network~~service; or

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 8 – paragraph 1 – point b

(b) the ~~end-~~user has given his or her consent for a specific purpose, and the consent has not been a condition to access or use a service, for the duration necessary for that purpose; or

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 8 – paragraph 1 – point c

(c) it is strictly and technically necessary for providing an information society service specifically requested by the ~~end-us~~user, for the duration necessary for that provision of the service, provided that the provision of that specific service cannot be fulfilled without the processing of such content by the provider; or

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 8 – paragraph 1 – point d

~~(d) if it is necessary for web audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user.~~deleted

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 8 – paragraph 1 – point d a (new)

(da) it is strictly technically necessary for a security update, provided that: (i) such updates are discreetly packaged and do not in any way change the functionality of the hardware or software or the privacy settings chosen by the user; (ii) the user is informed in advance each time such an update is being installed; and (iii) the user has the possibility to postpone or turn off the automatic installation of such updates;

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 8 – paragraph 2 – subparagraph 1 – introductory part

The collection of information emitted by terminal equipment to enable it to connect to another device ~~and~~, or to network equipment shall be prohibited, except if:

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 8 – paragraph 2 – subparagraph 1 – point a

(a) it is done exclusively in order to, for the time necessary for, and for the purpose of establishing a connection, if this connection is requested by the user or the establishing of the connection is an integral part of the terminal equipment's functionality; or

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 8 – paragraph 2 – subparagraph 1 – point b

(b) a clear and prominent notice is displayed informing of, at least, the modalities of the collection, its purpose, the person responsible for it and the other information required under Article 13 of Regulation (EU) 2016/679 where personal data are collected, as well as any measure the end-user of the terminal equipment can take to stop or minimise the collection.deleted

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 8 – paragraph 2 – subparagraph 1 – point b a (new)

(b a) the data are immediately anonymised in a way that they cannot be linked to the terminal equipment anymore or used to single out users based on their terminal equipment, and is only further processed for statistical purposes that generate aggregate information;

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 8 – paragraph 2 – subparagraph 2

The collection of such information shall be conditional on the application of appropriate technical and organisational measures to ensure a level of security appropriate to the risks, as set out in Article 32 of Regulation (EU) 2016/679~~, have been applied~~.

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 8 – paragraph 3

3. The information to be provided pursuant to point (b) of paragraph 2 may be provided in combination with standardized icons in order to give a meaningful overview of the collection in an easily visible, intelligible and clearly legible manner.deleted

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 8 – paragraph 4

~~4. The Commission shall be empowered to adopt~~ delegated ~~acts in accordance with Article 27 determining the information to be presented by the standardized icon and the procedures for providing standardized icons.~~

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 9 – paragraph 2

2. Without prejudice to paragraph 1, where technically possible and feasible, for the purposes of point (b) of Article 8(1), consent may be expressed by using the appropriate technical s~~ettings of a software application enabling access to the internet~~pecifications for electronic communications services or information society services which allow for specific consent for specific purposes. When such technical specifications are used by the user, they shall be binding on, and enforceable against any other party. Access to a service shall not be denied to an end-user for the sole reason that he or she has refused to give his or her consent to processing which are not strictly necessary for the provision of this service.

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 9 – paragraph 3

3. ~~End-u~~Users who have ~~consented to the processing of electronic communications data as set out in point (c) of Article 6(2) and points (a) and (b) of~~ given their consent pursuant to Article 6 or Article ~~6(3)~~8 shall be given the possibility to withdraw their consent at any time as set forth under Article 7(3) of Regulation (EU) 2016/679 and be reminded of this possibility at periodic intervals of 6 months, as long as the processing continues.

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 9 – paragraph 3 a (new)

3 a. A user shall not be denied access to any electronic communications service, information society service or functionality of a terminal equipment, regardless of whether this is remunerated or not, on the mere grounds that he or she has not given his or her consent to (a) the processing of electronic communications data, metadata or content pursuant to Article 6;or (b) the use of input, output, processing and storage capabilities of terminal equipment and the collection of information from the users' terminal equipment, or making information available through the terminal equipment, including information about and processed by its software and hardware, pursuant to Article 8(1);or (c) the collection of information emitted by terminal equipment pursuant to Article 8(2) that is technically not necessary for the provision of that service or functionality.

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 10 – title

~~Information and options for p~~Privacy settings and signals to be provided

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 10 – paragraph 1

1. SHardware and software placed on the market ~~permitting electronic communications, including the retrieval and presentation~~that enable the access to and use of electronic communications services or the access to and use of information ~~on the internet, shall offer the option~~society services shall be able to prevent oth~~ird~~er parties from ~~storing~~the use of input, output, processing and storage capabilities of terminal equipment and the collection of information ~~on the~~from users' terminal equipment, o~~f an end-user or processing information already stored on that equipment~~r making information available through the terminal equipment, including information about and processed by its software and hardware.

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 10 – paragraph 2

2. ~~Upon installation, the software shall inform the end-user about the privacy settings options and, to continue with the installation, requi~~By default, such hardware or software shall have, enabled by default, privacy settings that prevent other parties from exercising the activities referred to in paragraph 1. If the hardware or software allows for deviating settings, the user shall be informed about the privacy settings options during first use or installation and shall be offered the ~~end-user to consent to a setting.~~ possibility to change or confirm them.

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 10 – paragraph 2 a (new)

2 a. For the purposes of (a) giving consent pursuant to Article 9(2) of this Regulation, and (b) objecting to the processing of personal data pursuant to Article 21(5) of Regulation (EU) 2017/679, the settings shall lead to a signal based on technical specifications which is sent to the other parties to inform them about the user's intentions with regard to consent or objection. This signal shall be legally valid and be binding on, and enforceable against, any other party. The European Data Protection Board shall issue guidelines to determine which technical specifications and signalling methods fulfil the conditions for consent and objection pursuant to points (a) and (b).

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 10 – paragraph 3

3. In the case of software which has already been installed on 25 May 2018, the requirements under paragraphs 1, 2 and 23 shall be complied with at the time of the first update of the software, but no later than 25 August 2018.

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 11

1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 5 to 8 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests referred to in Article 23(1)(a) to (e) of Regulation (EU) 2016/679 or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests. 2. Providers of electronic communications services shall establish internal procedures for responding to requests for access to end-users’ electronic communications data based on a legislative measure adopted pursuant to paragraph 1. They shall provide the competent supervisory authority, on demand, with information about those procedures, the number of requests received, the legal justifArticle 11 deleted Restrication ~~invoked and their response.~~s

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 11 – paragraph 1

1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 5 to 8 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests referred to in Article 23(1)(a) to (e) of Regulation (EU) 2016/679 or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests.deleted

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 11 – paragraph 2

2. Providers of electronic communications services shall establish internal procedures for responding to requests for access to end-users’ electronic communications data based on a legislative measure adopted pursuant to paragraph 1. They shall provide the competent supervisory authority, on demand, with information about those procedures, the number of requests received, the legal justification invoked and their response.deleted

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 11 a (new)

Article 11 a Restrictions on the rights of the user or end-user Union or Member State law to which the provider is subject may restrict by way of a legislative measure the scope of the obligations and principles relating to processing of electronic communications data provided for in Articles 6, 7 and 8 of this Regulation in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22 of Regulation (EU) 2016/679, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the following general public interests: (a) national security; (b) defence; (c) the prevention, investigation, detection or prosecution of serious criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 11 b (new)

Article 11 b Restrictions of the confidentiality of communications Union or Member State law to which the provider is subject may restrict by way of a legislative measure the scope of the rights provided for in Article 5 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the following general public interests: (a) national security; (b) defence; (c) the prevention, investigation, detection or prosecution of serious criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. (2) In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, pursuant to Article 23(2) of Regulation (EU) 2016/679 and will only be applied following a court order. (3) No legislative measure referred to in paragraph 1 may allow for the weakening of the integrity and confidentiality of electronic communications by mandating a manufacturer of hardware or software, including terminal equipment or software providing for the use of electronic communications, or a provider of electronic communications services, to create and build in backdoors that weaken the cryptographic methods used or the security and integrity of the terminal equipment.

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 11 c (new)

Article 11 c Transparency reporting Providers of electronic communications services and networks shall provide every year to the competent supervisory authority and to the public, a transparency report, providing the number of requests received pursuant to Articles 11a and 11b, from which authorities, the number of granted requests, and the numbers of end-users affected by the requests. Such transparency reporting shall also include information about privacy and data protection practices and policies, inform users about avenues for remedies in case of abuses and feature clear and easily understandable information about end- users rights protected under this Regulation.

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 13 – paragraph 1

1. Regardless of whether the calling user or end-user has prevented the presentation of the calling line identification, where a call is made to emergency services, providers of publicly available number-based interpersonal communications services shall override the elimination of the presentation of the calling line identification and the denial or absence of consent of a~~n end-~~ user for the processing of metadata, on a per-line basis for organisations dealing with emergency communications, including public safety answering points, for the purpose of responding to such communications.

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 13 – paragraph 2

2. ~~Member States shall~~The Commission shall be empowered to adopt implementing measures in accordance with Article 26(1) establishing more specific provisions with regard to the establishment of procedures and the circumstances where providers of publicly available number-based interpersonal communication services shall override the elimination of the presentation of the calling line identification on a temporary basis, where users or end-users request the tracing of malicious or nuisance calls.

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 14 – paragraph 1 – point a

(a) to block incoming calls from specific numbers or numbers having a specific code or prefix identifying the fact that the call is a marketing call referred to in Article 16(3)(b), or from anonymous sources;

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 15 – paragraph 1

1. The providers of publicly available directories or the electronic communication service providers shall obtain the consent of end- users who are natural persons to include their personal data in the directory and, consequently, shall obtain consent from these end-users for inclusion of data per category of personal data, to the extent that such data are ~~relevant~~necessary for the purpose of the ~~directory as determined by the provider of the~~ directory. Providers shall give end-users who are natural persons the means to verify, correct and delete such data.

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 16 – paragraph 1

1. Natural or legal persons may use electronic communications services for the purposes of sending direct marketing communications to end-users who are natural persons ~~that~~and have given their consent.

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 16 – paragraph 2

2. Where a natural or legal person obtains electronic contact details for electronic mail from its customer, in the context of the sale of a product or a service, in accordance with Regulation (EU) 2016/679, that natural or legal person may use these electronic contact details for direct marketing of its own similar products or services only if customers are clearly and distinctly given the opportunity to object, free of charge and in an easy manner, to such use. The customer shall be informed about the right to object and shall be given an easy way to exercise it at the time of collection and each time a message is sent.

2017/06/28
Committee: ITRE

(a) present the identity of a line on which they can be contacted; orand

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 16 – paragraph 3 a (new)

3 a. Unsolicited marketing communications shall be clearly recognisable as such and shall indicate the identity of the legal or natural person transmitting the communication or on behalf of whom the communication is transmitted.Such communications shall provide the necessary information for recipients to exercise their right to refuse further written or oral marketing messages.

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 16 – paragraph 4

4. Notwithstanding paragraph 1, Member States may provide by law that the placing of direct marketing voice-to-voice calls to end-users who are natural persons shall only be allowed in respect of end- users who are natural persons who have not expressed their objection or have consented to receiving those communications. Member States shall provide that users can object to receiving the unsolicited communications via a national Do Not Call Register, thereby also ensuring that the user is only required to opt out once

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 16 – paragraph 6

6. Any natural or legal person using electronic communications services to transmit direct marketing communications shall inform end-users of the marketing nature of the communication and the identity of the legal or natural person on behalf of whom the communication is transmitted and shall provide the necessary information for recipients to exercise their right to withdraw their consent~~, in an easy manner~~ or to object, in a manner that is as easy as giving the consent and free of charge, to receiving further marketing communications.

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 17 – title

Integrity of the communications and information about ~~detected~~ security risks

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 17 – paragraph 1

In the case of a particular risk that may compromise the security of networks and electronic communications services, the provider of an electronic communications service shall inform end-users concerning such risk and, where the risk lies outside the scope of the measures to be taken by the service provider, inform end-users of any possible remedies, including an indication of the likely costs involved.deleted

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 17 – paragraph 1 a (new)

The providers of electronic communications services shall ensure that there is sufficient protection in place against unauthorised access or alterations to the electronic communications data, and that the confidentiality and integrity of the communication in transmission or stored are also guaranteed by technical measures according to the state of the art, including end-to-end encryption of the electronic communications data. When encryption of electronic communications data is used, decryption by anybody else than the user shall be prohibited. Member States shall not impose any obligations on electronic communications service providers that would result in the weakening of the confidentiality and integrity of their networks and services, including the encryption methods used.

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 17 – paragraph 1 b (new)

In the case of a particular risk that may compromise the security of networks, electronic communications services, or terminal equipment, the relevant provider or manufacturer shall inform end-users of such a risk and, take all possible measures to remove it and where the risk lies outside the scope of the measures to be taken by the service provider, inform end-users of any possible remedies. It shall also inform the relevant manufacturer and service provider.

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 18 – paragraph 1

1. The independent supervisory authority or authorities responsible for monitoring the application of Regulation (EU) 2016/679 shall also be responsible for monitoring the application of this Regulation. Chapter VI and VII of Regulation (EU) 2016/679 shall apply mutatis mutandis. The tasks and powers of the supervisory authorities shall be exercised with regard to users and end- users.

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 19 – paragraph 1 – point a a (new)

(a a) (a) issue guidelines, recommendations and best practices in accordance with point (b) of this paragraph for the purpose of further specifying the criteria and requirements for: (i) security updates referred to in Article 8(1)(e); (ii) the interference in the context of employment relationships referred to in Article 8(1)(f); (iv) the collection of information emitted by the terminal equipment referred to in Article 8(2)(c); (v) technical specifications and signalling methods that fulfil the conditions for consent and objection pursuant to Article 8(2a). (vi) software settings referred to in Article 10(1) and (2);and (vii) technical measures according to ensure confidentiality and integrity of the communication pursuant to Article 17(1).

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 19 – paragraph 1 – point b a (new)

(ba) draw up guidelines for supervisory authorities concerning the application of Article 9(1) and the particularities of expression of consent by legal entities;

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 19 – paragraph 1 – point b b (new)

(bb) issue guidelines, recommendations and best practices in accordance with point (b) of this paragraph for the purpose of further specifying the criteria and requirements for types of services that may be requested for purely individual or work-related usage as referred to in Article 6(3a);

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 21 – paragraph 1

1. Without prejudice to this text or any other administrative or judicial remedy, every user and end-user of electronic communications services shall have at least the same remedies provided for in Articles 77, 78, 79, and 7980 of Regulation (EU) 2016/679.

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 21 – paragraph 2 a (new)

2a. An end-user or a group of end- users shall have the right to mandate a non-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of protection of their personal data and the protection of privacy to lodge the complaint on his or her behalf, to exercise the rights referred to in paragraphs 1 and 2 of this Article on his or her behalf, and to exercise the right to receive compensation referred to in Article 22 on his or her behalf where provided for by Member State law.

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 21 – paragraph 2 b (new)

2b. A body, organisation or association independently of the end- user's mandate, shall have the right to lodge, in the Member State where it is registered, a complaint with the supervisory authority which is competent pursuant to paragraph 1 of this Article and to exercise the rights referred to in paragraph 2 of this Article if it considers that the rights of the end-user under this Regulation have been infringed.

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 23 – paragraph 2 – point a

~~(a) the obligations of any legal or natural person who process electronic communications data pursuant to Article 8;~~deleted

2017/06/28
Committee: ITRE

Proposal for a regulation
Article 23 – paragraph 3

3. Infringements of the principle of confidentiality of communications, permitted processing of electronic communications data, time limits for erasure pursuant to Articles 5, 6, 7 and 78 shall, in accordance with paragraph 1 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

2017/06/28
Committee: ITRE