The Proposal for a Regulation on Privacy and Electronic Communications (E-Privacy Proposal)
Promoting the European data economy: striking the right balance between privacy and innovation
The E-Privacy Proposal (EPR) risks severely limiting the potential of a data-driven digital economy, a key objective of the Digital Single Market (DSM) strategy. If the draft proposal is maintained, full alignment with the General Data Protection Regulation (GDPR) and other existing or upcoming legislation, such as the European Electronic Communications Code (Code), should be ensured. With this in mind, AmCham EU issues a number of recommendations:
- On the scope, the EPR should remain as closely aligned with the Code as possible. AmCham EU suggests not including services based on ancillary features and ensuring that machine-to-machine (M2M) services are excluded. Furthermore, in line with the intent of the Code, the EPR should clarify that it applies mainly to consumers and to micro and small businesses if they so request. Finally, the EPR should define rules only for devices that were placed on the market in the EU.
- The EPR should clearly identify the minimum principles and safeguards of due process that must be respected by national legislation on law enforcement access to electronic communications data. Furthermore, any law enforcement access requirements cannot undermine the security and resilience of services.
- On confidentiality, there is no clear reason why processing of electronic communications should be prohibited or severely limited under the EPR. The processing of electronic communications data should be allowed under the same conditions as personal data under Article 6 of the GDPR. The scope of Articles 5 and 6 should be narrowed to focus on the interception of communications by parties other than the electronic communications service (ECS) provider and authorised third-party partners.
- On consent for permitted processing, the EPR must refrain from redefining basic concepts of the GDPR. If consent is required, the robust criteria established in the GDPR shall suffice. Additional requirements turning consent into a ‘consent +++’ as outlined in Article 6 of the proposal should not be introduced.
- Storage and erasure are already adequately addressed by the existing GDPR principles of purpose specification, data minimisation and storage limitation. The GDPR also provides for the right of erasure. Thus, the EPR does not need to introduce additional requirements or restrictions on these specific points. Article 7 unnecessarily increases obstacles to data-centric services and should therefore be deleted.
- The rules on terminal equipment, consent and privacy settings are in direct conflict with the GDPR and need significant revision. By targeting methodologies used in specific products and suggesting recurring notifications, the proposed rules are neither truly technology-neutral nor future-proof. What has so far been known as the ‘cookie rule’ effectively applies to all types of data that relate to end-users’ devices – hence covering virtually all types of processing operations in the modern world.
- On security requirements, the EPR now requires ECSs under Article 17 to inform end-users of security risks that ‘may compromise the security of networks and services’. This wording is very broad and needs to be further clarified to avoid misinterpretation. The approach in the GDPR is more reasonable, and therefore the article should be deleted.