39 Amendments of Helga STEVENS related to 2017/0003(COD)
Amendment 139 #
Proposal for a regulation
Recital 2
(2) The content of electronic communications may reveal highly sensitive information about the natural persons involved in the communication, from personal experiences and emotions to medical conditions, sexual preferences and political views, the disclosure of which could result in personal and social harm, economic loss or embarrassment. Similarly, metadata derived from electronic communications may also reveal very sensitive and personal information. These metadata include the numbers called, the websites visited, geographical location, the time, date and duration when an individual made a call etc., allowing precise conclusions to be drawn regarding the private lives of the persons involved in the electronic communication, such as their social relationships, their habits and activities of everyday life, their interests, tastes etc.
Amendment 151 #
Proposal for a regulation
Recital 5
(5) The provisions of this Regulation particularise and complement the general rules on the protection of personal data laid down in Regulation (EU) 2016/679 as regards electronic communications data that qualify as personal data and do not go beyond or contradict the high level of protection set down in Regulation (EU) 2016/679. This Regulation therefore does not lower the level of protection enjoyed by natural persons under Regulation (EU) 2016/679. Processing of electronic communications data by providers of electronic communications services should only be permitted in accordance with this Regulation.
Amendment 154 #
Proposal for a regulation
Recital 6
(6) While the principles and main provisions of Directive 2002/58/EC of the European Parliament and of the Council [22] remain generally sound, that Directive has not fully kept pace with the evolution of technological and market reality, resulting in insufficient clarity and inconsistent or insufficient effectivenforcement of the protection of privacy and confidentiality in relation to electronic communications. Those developments include the entrance on the market of electronic communications services that from a consumer perspective are substitutable to traditional services, but do not have to comply with the same set of rules. Another development concernsor new techniques that allow for tracking of online behaviour of end-users, both of which are not covered by Directive 2002/58/EC. Directive 2002/58/EC should therefore be repealed and replaced by this RegulationRegulation (EU) 2016/679.
_________________ 22 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p.37).
Amendment 199 #
Proposal for a regulation
Recital 16
(16) The prohibition of storage of communications during transmission is not intended to prohibit any automatic, intermediate and transient storage of this information insofar as this takes place for the sole purpose of carrying out the transmission in the electronic communications network. The processing of pseudonymised data should be incentivised as the act of pseudonymisation dramatically reduces any privacy and security risk associated with processing of data related to transmission. It should not prohibit either the processing of electronic communications data to ensure the security and continuity of the electronic communications services, including checking security threats such as the presence of malware or the processing of metadata to ensure the necessaryappropriate quality of service requirements, such as latency, jitter etc.
Amendment 205 #
Proposal for a regulation
Recital 17
(17) The processing of electronic communications metadata can be useful for businesses, consumers and society as a whole. Vis-à-vis Directive 2002/58/EC, this Regulation broadens the possibilities for providers of electronic communications services to process electronic communications metadata, based on end- users consentin accordance with Article 6(1) and 6(4) of Regulation (EU) No 2016/679. However, end-users attach great importance to the confidentiality of their communications, including their online activities, and that they want to control the use of electronic communications data for purposes other than conveying the communication. Therefore, this Regulation should require providers of electronic communications services to comply with Regulation (EU) No 2016/679 when processing electronic communications metadata, which should include data on the location of the device. As an exception from obtaining end- users’ consent, tohe processing of electronic communications metadata, which should include data on the location of the device for purposes other than those for which the personal data were initially collected should be allowed in cases where further processing is compatible in accordance with Article 6 (4) and Article 6 (1) of Regulation (EU) 2016/679 generated for the purposes of granting and maintaining access and connection to the service. Location data that is generated other than in the context of providing electronic communications services should not be considered as metadata. Examples of commercial usages of electronic communications metadata by providers of electronic communications services may include the provision of heatmaps; a graphical representation of data using colors to indicate the presence of individuals. To display the traffic movements in certain directions during a certain period of time, an identifier is necessary to link the positions of individuals at certain time intervals. 
This identifier would be missing if anonymous data were to be used and such movement could not be displayed. Therefore, whenever the purpose(s) of further processing cannot be achieved by processing data that is made anonymous, pseudonymisation of data should be allowed. Such usage of electronic communications metadata could, for example, benefit public authorities and public transport operators to define where to develop new infrastructure, based on the usage of and pressure on the existing structure. Where a type of processing of electronic communications metadata, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, a data protection impact assessment and, as the case may be, a consultation of the supervisory authority should take place prior to the processing, in accordance with Articles 35 and 36 of Regulation (EU) 2016/679.
Amendment 217 #
Proposal for a regulation
Recital 18
(18) End-users may consent to the processing of their metadata to receive specific services such as protection services against fraudulent activities (by analysing usage data, location and customer account in real time). In the digital economy, services are often supplied against counter-performance other than money, for instance by end-users being exposed to advertisements. For the purposes of this Regulation, consent of an end-user, regardless of whether the latter is a natural or a legal person, should have the same meaning and be subject to the same conditions as the data subject’s consent or another basis for processing under Regulation (EU) 2016/679. Basic broadband internet access and voice communications services are to be considered as essential services for individuals to be able to communicate and participate to the benefits of the digital economy. Consent for processing data from internet or voice communication usage will not be valid if the data subject has no genuine and free choice, or is unable to refuse or withdraw consent without detriment.
Amendment 221 #
Proposal for a regulation
Recital 19
(19) The content of electronic communications pertains to the essence of the fundamental right to respect for private and family life, home and communications protected under Article 7 of the Charter. Any interference with the content of electronic communications should be allowed only under very clear defined conditions, for specific purposes and be subject to adequate safeguards against abuse provided in Regulation (EU) 2016/679. This Regulation provides for the possibility of providers of electronic communications services to process electronic communications data in transit, with the informed consent of all the end- users concernedlectronic communication service provider’s end- user. For example, providers may offer services that entail the scanning of emails to remove certain pre-defined material. Given the sensitivity of the content of communications, this Regulation sets forth a presumption that the processing of such content data will result in high risks to the rights and freedoms of natural persons. When processing such type of data, the provider of the electronic communications service should always consult the supervisory authority prior to the processing. Such consultation should be in accordance with Article 36 (2) and (3) of Regulation (EU) 2016/679. The presumption does not encompass the processing of content data to provide a service requested by the end-user where the end-user has consented to such processing and it is carried out for the purposes and duration strictly necessary and proportionate for such service, for example text to voice service, organization of the mailbox or spam filter services. After electronic communications content has been sent by the end-user and received by the intended end-user or end-users, it may be recorded or stored by the end-user, end- users or by a third party entrusted by them to record or store such data. Any processing of such data must comply with Regulation (EU) 2016/679.
Amendment 229 #
Proposal for a regulation
Recital 20
(20) Terminal equipment of end-users of electronic communications networks and any information relating to the usage of such terminal equipment, whether in particular is stored in or emitted by such equipment, requested from or processed in order to enable it to connect to another device and or network equipment, are part of the private sphere of the end-users requiring protection under the Charter of Fundamental Rights of the European Union and the European Convention for the Protection of Human Rights and Fundamental Freedoms. Given that such equipment contains or processes information that may reveal details of an individual’s emotional, political, social complexities, including the content of communications, pictures, the location of individuals by accessing the device’s GPS capabilities, contact lists, and other information already stored in the device, the information related to such equipment requires enhanced privacy protection. Furthermore, the so-called spyware, web bugs, hidden identifiers, tracking cookies and other similaand other unwanted tracking tools can enter end- user’s terminal equipment without their knowledge in order to gain access to information, to store hidden information and to trace the activities. Information related to the end-user’s device may also be collected remotely for the purpose of identification and tracking, using techniques such as the so-called ‘device fingerprinting’, often without the knowledge of the end-user, and may seriously intrude upon the privacy of these end-users. Techniques that surreptitiously monitor the actions of end-users, for example by tracking their activities online or the location of their terminal equipment, or subvert the operation of the end-users’ terminal equipment pose a serious threat to the privacy of end-users. Therefore, any such interference with the end-user’s terminal equipment should be allowed only with the end-user’s consent and for specific and transparent purposes.
Amendment 236 #
Proposal for a regulation
Recital 21
(21) Exceptions to the obligation to obtain consent to make use of the processing and storage capabilities of terminal equipment or to access information stored in terminal equipment should be limited to situations that involve no, or only very limited, intrusion of privacy. For instance, consent should not be requested for authorizing the technical storage or access which is strictly necessary and proportionate for the legitimate purpose of enabling the use of a specific service explicitly requested by the end-user. This may include the storing of cookies for the duration of a single established session on a website to keep track of the end-user’s input when filling in online forms over several pages. This may also cover situations where end-users use a service across devices for the purpose of service personalisation and content recommendation. Cookies can also be a legitimate and useful tool, for example, in measuring web traffic to a website. Information society providers that engage in configuration checking to provide the service in compliance with the end-user’s settings and the mere logging of the fact that the end-user’s device is unable to receive content requested by the end-user should not constitute access to such a device or use of the device processing capabilities.
Amendment 240 #
Proposal for a regulation
Recital 22
(22) The methods used for providing information and obtaining end-user’s consent should be as user-friendly as possible. Given the ubiquitous use of tracking cookies and other tracking techniques, end-users are increasingly requested to provide consent to store such tracking cookies in their terminal equipment. As a result, end-users are overloaded with requests to provide consent. The use of technical means to provide consent, for example, through transparent and user-friendly settings, may address this problem. Therefore, this Regulation should provide for the possibility to express consent by using the appropriate settings of a browser or other application. The choices made by end- users when establishing its general privacy settings of a browser or other application should be binding on, and enforceable against, any third parties. Web browsers are a type of software application that permits the retrieval and presentation of information on the internet. Other types of applications, such as the ones that permit calling and messaging or provide route guidance, have also the same capabilities. Web browsers mediate much of what occurs between the end-user and the website. From this perspective, they are in a privileged position to play an active role to help the end-user to control the flow of information to and from the terminal equipment. More particularly web browsers may be used as gatekeepers, thus helping end-users to prevent information from their terminal equipment (for example smart phone, tablet or computer) from being accessed or storedtechnical settings.
Amendment 254 #
Proposal for a regulation
Recital 23
(23) The principles of data protection by design and by default were codified under Article 25 of Regulation (EU) 2016/679. Currently, the default settings for cookies are set in most current browsers to ‘accept all cookies’. Therefore providers of software enabling the retrieval and presentation of information on the internet should have an obligation to configure the software so that it offers the option to prevent third parties from storing information on the terminal equipment; this is often presented as ‘reject third party cookies’. End-users should be offered a set of privacy setting options, ranging from higher (for example, ‘never accept cookies’) to lower (for example, ‘always accept cookies’) and intermediate (for example, ‘reject third party cookies’ or ‘only accept first party cookies’)Therefore providers of software enabling publically available electronic communications services and permitting the retrieval and presentation of information on the internet should have an obligation to configure the software so that it offers end-users a set of privacy setting options in order that end-users may actively select a preferred option after being given the necessary information to make the choice. Such privacy settings should be presented in an easily visible and intelligible manner.
Amendment 257 #
Proposal for a regulation
Recital 24
Amendment 283 #
Proposal for a regulation
Recital 30
(30) Publicly available directories of end-users of electronic communications services are widely distributed. Publicly available directories means any directory or service containing end-users information such as phone numbers (including mobile phone numbers), email address contact details and includes inquiry services. The right to privacy and to protection of the personal data of a natural person acting out of their business capacity requires that end-users that are natural persons are asked for consprovided, upon request, with transparent beinfore their personalmation about the data arebeing included in athe directory and the means to verify, correct, update, supplement and delete data relating to them free of charge. The legitimate interest of legal entities requires that end-users that are legal entities have the right to object to the data related to them being included in a directory.
Amendment 288 #
Proposal for a regulation
Recital 31
(31) If end-users that are natural persons give their consent to their data being included in suchdo not object to the inclusion of their data from providers of number-based interpersonal communication services and electronic communication providers in public directories, they should be able to determine on a consent basis which categories of personal data are included in the directory (for example name, email address, home address, user name, phone number). In addition, providers of publicly available directories should inform the end-users of the purposes of the directory and of the search functions of the directory before including them in that directory. End-users should be able to determine by consent on the basis of which categories of personal data their contact details can be searched. The categories of personal data included in the directory and the categories of personal data on the basis of which the end-user’s contact details can be searched should not necessarily be the same.
Amendment 305 #
Proposal for a regulation
Recital 34
(34) When end-users have provided their consent to receiving unsolicited communications for direct marketing purposes, they should still be able to withdraw their consent at any time in an easy manner. To facilitate effective enforcement of Union rules on unsolicited messages for direct marketing, it is necessary to prohibit the masking of the identity and the use of false identities, false return addresses or numbers while sending unsolicited commercial communications for direct marketing purposes. Unsolicited marketing communications should therefore be clearly recognizable as such and should indicate the identity of the legal or the natural person transmitting the communication or on behalf of whom the communication is transmitted and provide the necessary information for recipients to exercise their right to oppose to receiving further written and/or oral marketing messages.
Amendment 307 #
Proposal for a regulation
Recital 35
(35) In order to allow easy withdrawal of consent, legal or natural persons conducting direct marketing communications by email should present a link, or a valid electronic mail address, which can be easily used by end-users to withdraw their consent. Legal or natural persons conducting direct marketing communications through voice-to-voice calls and through calls by automating calling and communication systems should display their identity line on which the company can be called or present a specific code identifying the fact that the call is a marketing call.
Amendment 314 #
Proposal for a regulation
Recital 37
(37) Service providers who offer electronic communications services should inform end- users of measures they can take to protect the security of their communications for instance by using specific types of software or encryption technologies. The requirement to inform end-users of particular security risks does not discharge a service provider from the obligation to take, at its own costs, appropriate and immediate measures to remedy any new, unforeseen security risks and restore the normal security level of the service. The provision of information about security risks to the subscriber should be free of charge. Security is appraised in the light ofall comply with the security obligations prescribed in Article 32 of Regulation (EU) 2016/679.
Amendment 322 #
Proposal for a regulation
Recital 41
(41) In order to fulfil the objectives of this Regulation, namely to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data and to ensure the free movement of personal data within the Union, the power to adopt acts in accordance with Article 290 of the Treaty should be delegated to the Commission to supplement this Regulation. In particular, delegated acts should be adopted in respect of the information to be presented, including by means of standardised icons in order to give an easily visible and intelligible overview of the collection of information emitted by terminal equipment, its purpose, the person responsible for it and of any measure the end-user of the terminal equipment can take to minimise the collection. Delegated acts are also necessary to specify a code to identify direct marketing calls including those made through automated calling and communication systems. It is of particular importance that the Commission carries out appropriate consultations and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement on Better Law-Making of 13 April 2016 [25]. In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States’ experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts. Furthermore, in order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission when provided for by this Regulation. Those powers should be exercised in accordance with Regulation (EU) No 182/2011.
_________________ 25 Interinstitutional Agreement between the European Parliament, the Council of the European Union and the European Commission on Better Law-Making of 13 April 2016 (OJ L 123, 12.5.2016, p. 1–14).
Amendment 330 #
Proposal for a regulation
Article 1 – paragraph 3
Amendment 341 #
Proposal for a regulation
Article 2 – paragraph 2 – point c
(c) electronic communications services which are not publicly availableintended for closed groups or are not publicly available pursuant to Article 2 (2) (c) of Regulation (EU) No 2016/679;
Amendment 475 #
Proposal for a regulation
Article 6 – paragraph 2 – point c a (new)
(c a) processing is allowed pursuant to Articles 6(1) or 6(4) of Regulation (EU) 2016/679.
Amendment 491 #
Proposal for a regulation
Article 6 – paragraph 3 – point b
(b) if all end-users concerned have given theirthe service provider's end-user has consented to the processing of their electronic communications content for one or more specified purposes that cannot be fulfilled by processing information that is made anonymous, and the provider has consulted the supervisory authority. Points (2) and (3) of Article 36 of Regulation (EU) 2016/679 shall apply to the consultation of the supervisory authoritypursuant to Regulation (EU) 2016/679.
Amendment 574 #
Proposal for a regulation
Article 8 – paragraph 1 – point d e (new)
(d e) it is necessary for compliance with a legal obligation.
Amendment 576 #
Proposal for a regulation
Article 8 – paragraph 1 a (new)
1 a. Wherever a clearly formulated declaration of consent is presented before use of a service or access to online content, and if absence of consent for processing prevents a provider from collecting remuneration through their usual means, the provider shall not be obliged to provide the full access to the service or content.
Amendment 596 #
Proposal for a regulation
Article 8 – paragraph 2 – subparagraph 2
The collection of such information shall be conditional on the application of appropriate technical and organisational measures to ensure a level of security appropriate to the risks, as set out in Article 32 of Regulation (EU) 2016/679, have been applied, for example by means of pseudonymisation of information collected pursuant to Article 4 (5) of Regulation (EU) No 2016/679.
Amendment 607 #
Proposal for a regulation
Article 8 – paragraph 4
Amendment 617 #
Proposal for a regulation
Article 9 – paragraph 2
Amendment 629 #
Proposal for a regulation
Article 9 – paragraph 3
3. End-users who have consented to the processing of electronic communications data as set out in point (c) of Article 6(2) and points (a) and (b) of Article 6(3) shall be given the possibility to withdraw their consent at any time as set forth under Article 7(3) of Regulation (EU) 2016/679 and be reminded of this possibility at periodic intervals of 6 months, as long as the processing continues.
Amendment 637 #
Proposal for a regulation
Article 10
Amendment 667 #
Proposal for a regulation
Article 10 a (new)
Article 10 a Article 25 of Regulation (EU) No 2016/679 shall apply.
Amendment 704 #
Proposal for a regulation
Article 15 – paragraph 1
1. The providers of publicly available directories shall obtain the consentelectronic information, communication and telecommunication services shall collect the data of end- users who are natural persons in order to include their personal data in the directory and, consequently, shall obtain consent from these end-users for inclusion of data per category of personal data, to the extent that such data are relevapublicly accessible directories. Upon the request of an end-user who is natural person the directory providers shall provide the end-user with transparent infor the purpose of the directory as determined by the provider of the directory. Providers shall give end-users who are natural personsmation about the data being included in the directory and the means to verify, correct, update, supplement and delete such data.
Amendment 706 #
Proposal for a regulation
Article 15 – paragraph 2
2. The providers of a publicly available directory shall inform end-users who are natural persons and acting out of their business capacity whose personal data are in the directory of the available search functions of the directory and obtain end-users’ consent before enabling such. Providers of number-based interpersonal communications services and electronic communications service providers shall inform end-users when new search functions arelated to their own data made available.
Amendment 718 #
Proposal for a regulation
Article 15 – paragraph 3
3. The providers of publicly available directories shall provide end-users that are legal personselectronic information, communication and telecommunication services shall provide end-users that are legal persons or natural persons acting in their business capacity with the possibility to object to data related to them being included in the directory. Providers shall give such end-users that are legal persons the means to verify, correct, update, supplement and delete such data.
Amendment 725 #
Proposal for a regulation
Article 15 – paragraph 4
4. The possibility for end-users not to be included in a publicly available directory, or to verify, correct, update, supplement and delete any data related to them shall be provided free of charge.
Amendment 740 #
Proposal for a regulation
Article 16 – paragraph 2
2. Where a natural or legal person obtains electronic contact details for electronic mail or phone number from its customer, in the context of the sale of a product or a service, in accordance with Regulation (EU) 2016/679, that natural or legal person may use these electronic contact details for direct marketing of its own similar products or services only if customers are clearly and distinctly given the opportunity to object, free of charge and in an easy manner, to such use. The right to object shall be given at the time of collection and each time a message is sent.
Amendment 744 #
Proposal for a regulation
Article 16 – paragraph 3 – introductory part
3. Without prejudice to paragraphs 1 and 2, natural or legal persons using electronic communications services for the purposes of placing direct marketing calls shall: present the identity of a line on which the can be contacted.
Amendment 745 #
Proposal for a regulation
Article 16 – paragraph 3 – point a
Amendment 750 #
Proposal for a regulation
Article 16 – paragraph 3 – point b
Amendment 763 #
Proposal for a regulation
Article 16 – paragraph 7