45 Amendments of Eva MAYDELL related to 2017/0003(COD)
Amendment 72 #
Proposal for a regulation
Recital 11
Recital 11
(11) The services used for communications purposes, and the technical means of their delivery, have evolved considerably. End-users increasingly replace traditional voice telephony, text messages (SMS) and electronic mail conveyance services in favour of functionally equivalent online services such as Voice over IP, messaging services and web-based e-mail services. In order to ensure an effective and equal protection of end-users when using functionally equivalent services, this Regulation uses the definition of electronic communications services set forth in the [Directive of the European Parliament and of the Council establishing the European Electronic Communications Code24 ]. That definition encompasses not only internet access services and services consisting wholly or partly in the conveyance of signals but also interpersonal communications services, which may or may not be number-based, such as for example, Voice over IP, messaging services and web-based e-mail services. The protection of confidentiality of communications is crucial also as regards interpersonal communications services that are ancillary to another service; therefore, such type of services also having a communication functionality should be covered by this Regulation. _________________ 24 Commission proposal for a Directive of the European Parliament and of the Council establishing the European Electronic Communications Code (Recast) (COM/2016/0590 final - 2016/0288 (COD)).
Amendment 75 #
Proposal for a regulation
Recital 12
Recital 12
(12) Connected devices and machines increasingly communicate with each other by using electronic communications networks (Internet of Things). The transmission of machine-to-machine communications involves the conveyance of signals over a network and, hence, usually constitutes an electronic communications service. In order to ensure full protection of the rights to privacy and confidentiality of communications, and to promote a trusted and secure Internet of Things in the digital single market, it is necessary to clarify that this Regulation should apply to the transmission of machine-to-machine communications. Therefore, the principle of confidentiality enshrined in this Regulation should also apply to the transmission of machine-to- machine communications. Specific safeguards could also be adopted under sectorial legislation, as for instance Directive 2014/53/EU. Regulation shall not apply to machine-to-machine communications which are not provided as a service targeting the general public. Moreover, the provision of machine-to- machine platforms shall not be considered to be an electronic communications service solely by the inclusion of service other than the mere conveyance of communication data (such as collecting and making machine-to-machine data available to end-users via (i) the platform, (ii) offering functions to analyse the machine-to-machine data via the platform or (iii) transfer signals to operate and control the machines via the platform).
Amendment 90 #
Proposal for a regulation
Recital 16
Recital 16
(16) The prohibition of storage of communications is not intended to prohibit any automatic, intermediate and transient storage of this information insofar as this takes place for the sole purpose of carrying out the transmission in the electronic communications network. ItThe processing of anonymous data by providers, and making data anonymous, should be incentivised as the act of anonymization dramatically reduces the risk from a privacy and security perspective associated with processing of data related to transmission. This Regulation also should not prohibit either the processing of electronic communications data to ensure the security, confidentiality, integrity, availability, authenticity and continuity of the electronic communications services and networks, including checking security threats such as the presence of malware or the processing of metadata to ensure the necessary quality of service requirements, such as latency, jitter etc.
Amendment 93 #
Proposal for a regulation
Recital 16 a (new)
Recital 16 a (new)
(16a) Regulation 2016/679 explicitly recognises the need to provide additional protection to children, given that they may be less aware of the risks and consequences associated with the processing of their personal data. This Regulation should also grant special attention to the protection of children's privacy. They are among the most active internet users and their exposure to profiling and behaviourally targeted advertising techniques should be prohibited.
Amendment 116 #
Proposal for a regulation
Recital 21
Recital 21
(21) Exceptions to the obligation to obtain consent to make use of the processing and storage capabilities of terminal equipment or to access information stored in terminal equipment should be limited to situations that involve no, or only very limited, intrusion of privacy. For instance, consent should not be requested for authorizing the technical storage or access which is strictly necessary and proportionate for the legitimate purpose of enabling the use of a specific service explicitly requested by the end-user. This may include the storing of cookies for the duration of a single established session on a website to keep track of the end-user’s input when filling in online forms over several pages. Consent should also not be necessary if the information processed or stored is necessary to protect privacy, security or safety of the end-user, or to protect confidentiality, integrity, availability and authenticity of the terminal equipment. Cookies can also be a legitimate and useful tool, for example, in measuring web traffic to a website. Information society providers that engage in configuration checking to provide the service in compliance with the end-user's settings and the mere logging of the fact that the end-user’s device is unable to receive content requested by the end- user should not constitute access to such a device or use of the device processing capabilities. As an exemption from obtaining end-user´s consent, the processing of information and data that are or are rendered pseudonymous or anonymous should be allowed or for purposes other than those for which they were initially collected in cases where the processing is compatible and is subject to specific safeguards, especially pseudonymisation as set forth in point (4) of Article 6 of Regulation (EU) 2016/679
Amendment 123 #
Proposal for a regulation
Recital 22
Recital 22
(22) The methods used for providing information and obtaining end-user's consent should be as user-friendly as possible. Given the ubiquitous use of tracking cookies and other tracking techniques, end-users are increasingly requested to provide consent to store such tracking cookies in their terminal equipment. As a result, end-users are overloaded with requests to provide consent. The use of technical means to provide consent, for example, through transparent and user-friendly settings, may address this problem. Therefore, this Regulation should provide for the possibility to express consent by using the appropriate settings of a browser or other application. The choices made by end- users when establishing its general privacy settings of a browser or other application should be binding on, and enforceable against, any third parties, provided that there is no separate specific consent given by the end-user. Web browsers are a type of software application that permits the retrieval and presentation of information on the internet. Other types of applications, such as the ones that permit calling and messaging or provide route guidance, have also the same capabilities. Web browsers mediate much of what occurs between the end-user and the website. From this perspective, they are in a privileged position to play an active role to help the end-user to control the flow of information to and from the terminal equipment. More particularly web browsers may be used as gatekeepers, thus helping end-users to prevent information from their terminal equipment (for example smart phone, tablet or computer) from being accessed or stored.
Amendment 129 #
Proposal for a regulation
Recital 23
Recital 23
(23) The principles of data protection by design and by default were codified under Article 25 of Regulation (EU) 2016/679. Currently, the default settings for cookies are set in most current browsers to ‘'accept all cookies’'. Therefore providers of software enabling the retrieval and presentation of information on the internet should have an obligation to configure the software so that it offers the optioninform the end-user about the possibility to express his or her consent using appropriate technical settings. The end-user should be offered multiple options to choose from, including to prevent third parties from storing information on the terminal equipment; this is often presented as ‘reject third party cookies’. End-users should be offered a set of privacy setting options, ranging from, higher (for example, ‘never accept cookies’) to lower (for example, ‘always accept cookies’) and intermediate (for example, ‘reject third party cookies’ or ‘only accept first party cookies’)rejecting tracking that is not necessary for the functionality of the website or other software to, for example, accepting tracking necessary for the functionality of the website or other software as well as for other purposes or, for example, accepting tracking necessary for the functionality of the website or other software and tracking for other purposes by parties that demonstrate the compliance with the EU data protection and privacy legislation, for instance in line with Article 40 and 42 of Regulation (EU) 2016/679. Such privacy settings should be presented in a an easily visible and intelligible manner.
Amendment 147 #
Proposal for a regulation
Recital 25
Recital 25
(25) Accessing electronic communications networks requires the regular emission of certain data packets in order to discover or maintain a connection with the network or other devices on the network. Furthermore, devices must have a unique address assigned in order to be identifiable on that network. Wireless and cellular telephone standards similarly involve the emission of active signals containing unique identifiers such as a MAC address, the IMEI (International Mobile Station Equipment Identity), the IMSI etc. A single wireless base station (i.e. a transmitter and receiver), such as a wireless access point, has a specific range within which such information may be captured. Service providers have emerged who offer tracking services based on the scanning of equipment related information with diverse functionalities, including people counting, providing data on the number of people waiting in line, ascertaining the number of people in a specific area, etc. This information may be used for more intrusive purposes, such as to send commercial messages to end-users, for example when they enter stores, with personalized offers. While some of these functionalities do not entail high privacy risks, others do, for example, those involving the tracking of individuals over time, including repeated visits to specified locations. Providers engaged in such practices should ask for the end-user´s consent or should carry out data protection impact assessment and in this case the data collected is or is rendered pseudonymous or anonymous. Where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk, prior consultation with the supervisory authority, as prescribed in Article 36 of Regulation (EU) 2016/679, should be carried out. Providers should display prominent notices located on the edge of the area of coverage informing end-users prior to entering the defined area that the technology is in operation within a given perimeter, the purpose of the tracking, the person responsible for it and the existence of any measure the end-user of the terminal equipment can take to minimize or stop the collection. Additional information should be provided where personal data are collected pursuant to Article 13 of Regulation (EU) 2016/679.
Amendment 152 #
Proposal for a regulation
Recital 27
Recital 27
(27) As regards calling line identification, it is necessary to protect the right of the calling party to withhold the presentation of the identification of the line from which the call is being made and the right of the called party to reject calls from unidentified lines. Certain end-users, in particular help lines, and similar organisations, have an interest in guaranteeing the anonymity of their callers. As regards connected line identification, it is necessary to protect the right and the legitimate interest of the called party to withhold the presentation of the identification of the line to which the calling party is actually connected. These requirements make sense in the context of two-way voice communication services conducted on a one-to-one basis. They do not make sense, and are not technically feasible, in the context of other publicly available interpersonal communication services such as SMS text applications, or multi-party and multimedia communication platforms, enabling concurrent communications in the form of voice, video, messaging and document sharing for multiple participants. Given there are multiple parties involved it is not possible for each of them to exercise the right to prevent caller identification without impinging on the rights of the other parties for such identification not to be suppressed.
Amendment 153 #
Proposal for a regulation
Recital 28
Recital 28
(28) There is justification for overriding the elimination of calling line identification presentation in specific cases. End-usConsumers' rights to privacy with regard to calling line identification should be restricted where this is necessary to trace nuisance calls and with regard to calling line identification and location data where this is necessary to allow emergency services, such as eCall, to carry out their tasks as effectively as possible.
Amendment 154 #
Proposal for a regulation
Recital 29
Recital 29
(29) Technology exists that enables providers of certain publicly available electronic communications services to limit the reception of unwanted calls by end-usconsumers in different ways, including blocking silent calls and other fraudulent and nuisance calls. PWhere technically feasible and economically viable, providers of publicly available number-based interpersonalvoice communications services should deploy this technology and protect end-usconsumers against nuisance calls and free of charge. Providers should ensure that end-usconsumers are aware of the existence of such functionalities, for instance, by publicising the fact on their webpage.
Amendment 158 #
Proposal for a regulation
Recital 30
Recital 30
(30) Publicly available directories of end-users of electronic communications services are widely distributed. Publicly available directories means any directory or service containing end-users information such as phone numbers (including mobile phone numbers), email address contact details and includes inquiry services. The right to privacy and to protection of the personal data of a natural person requires that end-users that are natural persons are asked for consent before their personal data are included in a directory. The legitimate interest of legal entities requires that end- users that are legal entities have the right to object to the data related to them being included in a directory. The consent should be collected by the electronic communications service provider at the moment of signing the contract for such service.
Amendment 163 #
Proposal for a regulation
Recital 32
Recital 32
(32) In this Regulation, direct marketing refers to any form of advertising by which a natural or legal person sends direct marketing communications directly to one or more identified or identifiable end-usconsumers using electronic communications services. In addition to the offering of products and services for commercial purposes, this should also include messages sent by political parties that contact natural persons via electronic communications services in order to promote their parties. The same should apply to messages sent by other non-profit organisations to support the purposes of the organisation.
Amendment 165 #
Proposal for a regulation
Recital 33
Recital 33
(33) Safeguards should be provided to protect end-usconsumers against unsolicited communications for direct marketing purposes, which intrude into the private life of end-usconsumers. The degree of privacy intrusion and nuisance is considered relatively similar independently of the wide range of technologies and channels used to conduct these electronic communications, whether using automated calling and communication systems, instant messaging applications, emails, SMS, MMS, Bluetooth, etc. It is therefore justified to require that consent of the end-usconsumers is obtained before commercial electronic communications for direct marketing purposes are sent to end-usconsumers in order to effectively protect individuals against the intrusion into their private life as well as the legitimate interest of legal persons. Legal certainty and the need to ensure that the rules protecting against unsolicited electronic communications remain future- proof justify the need to define a single set of rules that do not vary according to the technology used to convey these unsolicited communications, while at the same time guaranteeing an equivalent level of protection for all citizens throughout the Union. However, it is reasonable to allow the use of e-mail contact details within the context of an existing customer relationship for the offering of similar products or services. Such possibility should only apply to the same company that has obtained the electronic contact details in accordance with Regulation (EU) 2016/679.
Amendment 167 #
Proposal for a regulation
Recital 33
Recital 33
(33) Safeguards should be provided to protect end-users against unsolicited communications for direct marketing purposes, which intrude into the private life of end-users. The degree of privacy intrusion and nuisance is considered relatively similar independently of the wide range of technologies and channels used to conduct these electronic communications, whether using automated calling and communication systems, instant messaging applications, emails, SMS, MMS, Bluetooth, etc. It is therefore justified to require that consent of the end-user is obtained before commercial electronic communications for direct marketing purposes are sent to end-users in order to effectively protect individuals against the intrusion into their private life as well as the legitimate interest of legal persons. Legal certainty and the need to ensure that the rules protecting against unsolicited electronic communications remain future- proof justify the need to define a single set of rules that do not vary according to the technology used to convey these unsolicited communications, while at the same time guaranteeing an equivalent level of protection for all citizens throughout the Union. However, it is reasonable to allow the use of e-mail contact details within the context of an existing customer relationship for the offering of similar products or services. Such possibility should only apply to the same company that has obtained the electronic contact details in accordance with Regulation (EU) 2016/679.
Amendment 177 #
Proposal for a regulation
Recital 40
Recital 40
(40) In order to strengthen the enforcement of the rules of this Regulation, each supervisory authority should have the power to impose penalties including administrative fines for any infringement of this Regulation, in addition to, or instead of any other appropriate measures pursuant to this Regulation. This Regulation should indicate infringements and the upper limit and criteria for setting the related administrative fines, which should be determined by the competent supervisory authority in each individual case, taking into account all relevant circumstances of the specific situation, with due regard in particular to the nature, gravity and duration of the infringement and of its consequences and the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement. For the purpose of setting a fine under this Regulation, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 of the Treaty. Double penalties resulting from the infringement of both this Regulation and Regulation (EU) 2016/679 should be avoided.
Amendment 182 #
Proposal for a regulation
Article 1 – paragraph 1
Article 1 – paragraph 1
1. This Regulation lays down rules regarding the protection of fundamental rights and freedoms of natural and legal persons in the provision and use of electronic communications services, and in particular, the rights to respect for private life and communications and the protection of natural persons with regard to the processing of personal data.
Amendment 184 #
Proposal for a regulation
Article 1 – paragraph 2
Article 1 – paragraph 2
2. This Regulation ensures free movement of electronic communications data and electronic communications services within the Union, which shall be neither restricted nor prohibited for reasons related to the respect for the private life and communications of natural and legal persons and the protection of natural persons with regard to the processing of personal data.
Amendment 188 #
Proposal for a regulation
Article 1 – paragraph 2
Article 1 – paragraph 2
2. This Regulation ensures free movement of electronic communications data and electronic communications services within the Union, which shall be neither restricted nor prohibited for reasons related to the respect for the private life and communications of natural and legal persons and the protection of natural persons with regard to the processing of personal data.
Amendment 226 #
Proposal for a regulation
Article 4 – paragraph 3 – point b
Article 4 – paragraph 3 – point b
(b) ‘'electronic communications content’' means the content exchangtransmitted by means of publicly available electronic communications services, such as text, voice, videos, images, and sound;
Amendment 254 #
Proposal for a regulation
Article 6 – title
Article 6 – title
Amendment 255 #
Proposal for a regulation
Article 6 – paragraph 1 – introductory part
Article 6 – paragraph 1 – introductory part
1. Providers of public electronic communications networks and publicly available electronic communications services may process electronic communications data if:
Amendment 258 #
Proposal for a regulation
Article 6 – paragraph 1 – point a
Article 6 – paragraph 1 – point a
(a) it is necessary to achieve the transmission of the communication, for the duration necessary for that purpose; or it is necessary for providing an electronic communications service requested by the consumer.
Amendment 261 #
(a a) the data is anonymous or made anonymous before any other processing; or
Amendment 262 #
Proposal for a regulation
Article 6 – paragraph 1 – point a a (new)
Article 6 – paragraph 1 – point a a (new)
(a a) the data is anonymous or made anonymous before any other processing; or
Amendment 265 #
Proposal for a regulation
Article 6 – paragraph 1 – point b
Article 6 – paragraph 1 – point b
(b) it is necessary to maintain or restore the security of electronic communications networks and services and users of these networks and services, or detect technical faults and/or errors in the transmission of electronic communications, for the duration necessary for that purpose.o stop fraudulent or abusive use of the service;
Amendment 269 #
Proposal for a regulation
Article 6 – paragraph 1 – point b a (new)
Article 6 – paragraph 1 – point b a (new)
(b a) it is necessary for the purpose of the legitimate interests of the provider except where such interests are overridden by the interests or fundamental rights and freedoms of the consumers concerned;
Amendment 271 #
Proposal for a regulation
Article 6 – paragraph 1 a (new)
Article 6 – paragraph 1 a (new)
1 a. Electronic communications data that is generated in the context of an electronic communications service designed particularly for children or directly targeted at children shall not be used for profiling or behaviourally targeted advertising purposes.
Amendment 275 #
Proposal for a regulation
Article 6 – paragraph 2 – point a
Article 6 – paragraph 2 – point a
(a) it is necessary to meefor quality of service purposes, including network management mandatory quality of service requirements pursuant to [Directive establishing the European Electronic Communications Code] or Regulation (EU) 2015/212028 for the duration necessary for that purpose; or _________________ 28 Regulation (EU) 2015/2120 of the European Parliament and of the Council of 25 November 2015 laying down measures concerning open internet access and amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services and Regulation (EU) No 531/2012 on roaming on public mobile communications networks within the Union (OJ L 310, 26.11.2015, p. 1–18).
Amendment 288 #
Proposal for a regulation
Article 6 – paragraph 3 – introductory part
Article 6 – paragraph 3 – introductory part
3. Providers of the electronic communications services may process electronic communications content only:in accordance with Article 6 of Regulation (EU) 2016/679 and to the extent the processing of all end-users electronic communications content for one or more specified purposes cannot be fulfilled by processing information that is made anonymous
Amendment 323 #
Proposal for a regulation
Article 8 – paragraph 1 – point b a (new)
Article 8 – paragraph 1 – point b a (new)
(b a) the information is or is rendered pseudonymous or anonymous; or
Amendment 324 #
Proposal for a regulation
Article 8 – paragraph 1 – point c
Article 8 – paragraph 1 – point c
(c) it is necessary for providing an information society service requested by the end-user; or
Amendment 343 #
Proposal for a regulation
Article 8 – paragraph 1 – point d
Article 8 – paragraph 1 – point d
(d) if it is necessary for web audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user. or another party acting on their behalf
Amendment 345 #
Proposal for a regulation
Article 8 – paragraph 1 – point d a (new)
Article 8 – paragraph 1 – point d a (new)
(d a) a clear and prominent notice is displayed to the public informing of, at least, the modalities of the collection, its purpose, the person responsible for it and the other information required under Article 13 of Regulation 2016/679/EU where personal data are collected, as well as any measure the end-user of the terminal equipment can take to stop or minimize the collection. The collection of such information shall be conditional on the application of appropriate technical and organization measures to ensure that the collection and processing of information is limited to what is necessary in relation to the purposes of processing and to ensure a level of security appropriate to the risks, as set out in Article 32 of Regulation 2016/679/EU, have been applied, which may inter alia include pseudonymisation of the information collected as set out in Art. 4 (5) of Regulation (EU) 2016/679
Amendment 347 #
Proposal for a regulation
Article 8 – paragraph 1 – point d a (new)
Article 8 – paragraph 1 – point d a (new)
(d a) it is necessary to protect privacy, security or safety of the end-user, or to protect confidentiality, integrity, availability, authenticity of the terminal equipment; or
Amendment 352 #
Proposal for a regulation
Article 8 – paragraph 1 – point d b (new)
Article 8 – paragraph 1 – point d b (new)
(d b) it is necessary to maintain or restore the security of electronic communications networks and services and their users, or detect technical faults and/or errors in the transmission of electronic communications, for the duration necessary for that purpose; or
Amendment 354 #
Proposal for a regulation
Article 8 – paragraph 1 – point d b (new)
Article 8 – paragraph 1 – point d b (new)
(d b) it is necessary to measure the effectiveness, reach and quality of an information society service delivered to the end-user or about terminal equipment functionality, and it has no or little impact on the privacy of the end-user concerned.
Amendment 356 #
Proposal for a regulation
Article 8 – paragraph 1 – point d c (new)
Article 8 – paragraph 1 – point d c (new)
(d c) it is necessary for the purpose of the legitimate interests of the provider of the terminal equipment and its operating software, an electronic communications service or an information society service, except where such interests are overridden by the interests or fundamental rights and freedoms of the end-user.
Amendment 370 #
Proposal for a regulation
Article 8 – paragraph 2 – subparagraph 1 – point b
Article 8 – paragraph 2 – subparagraph 1 – point b
(b) a clear and prominent noticeinformation is displayed or available taking account of the normal means a consumer interacts with such a terminal equipment, informing of, at least, the modalities of the collection, its purpose, the person responsible for it and the other information required under Article 13 of Regulation (EU) 2016/679 where personal data are collected, as well as any measure the end-usconsumer of the terminal equipment can take to stop or minimise the collection. The collection of such information shall be conditional on the application of appropriate technical and organisational measures to ensure a level of security appropriate to the risks, as set out in Article 32 of Regulation (EU) 2016/679, has been applied.
Amendment 383 #
Proposal for a regulation
Article 8 – paragraph 4 a (new)
Article 8 – paragraph 4 a (new)
4 a. Terminal equipment that is intended particularly for children's use shall implement specific measures to prevent access to the equipment's storage and processing capabilities for the purpose of profiling of its users or tracking their behaviour with commercial intent.
Amendment 425 #
Proposal for a regulation
Article 10 – paragraph 2
Article 10 – paragraph 2
2. Upon installation, the software shall inform the end-user about the privacy settings options and, to continue with the installation, require the end-user to consent to a setting, except when the software already has built-in solution that prevents third parties from storing information on the terminal equipment.
Amendment 428 #
Proposal for a regulation
Article 10 – paragraph 3
Article 10 – paragraph 3
Amendment 436 #
Proposal for a regulation
Article 11 – paragraph 1
Article 11 – paragraph 1
1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 5 to 8 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests referred to in Article 23(1)(a) to (e) of Regulation (EU) 2016/679 or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interestsnational security (i.e. state security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences..
Amendment 462 #
Proposal for a regulation
Article 15 – paragraph 4 a (new)
Article 15 – paragraph 4 a (new)
4 a. This article shall not apply to data which are provided by end users themselves, nor to data information published in other publicly accessible sources.
Amendment 473 #
Proposal for a regulation
Article 16 – paragraph 2
Article 16 – paragraph 2
2. Where a natural or legal person obtains electronic contact details for electronic mail from its customer, in the context of the sale of a product or a service, in accordance with Regulation (EU) 2016/679, that natural or legal person may use these electronic contact details for direct marketing of its own similar products or services only if customers are clearly and distinctly given the opportunity to object, free of charge and in an easy manner, to such use. The right to object shall be given at the time of collection and each time a message is sent.