Telecoms Package Diff COD 2007 0248 Commission Amended Proposal Parliament First Reading Council Common Position

De La Quadrature du Net


Telecoms Package: Comparison Proposal for a Directive of the European Parliament and of the Council amending Directive 2002/22/EC on universal service and users' rights relating to electronic communications networks, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on consumer protection cooperation (COD/2007/0248)


European Commission Amended Proposal / European Parliament First Reading / Council of European Union Common Position − 2008-11-06 / 2008-09-24 / 2009-02-09

Directive on universal service and users' rights relating to electronic communications networks and services (Universal Service 2002/22/EC)

Article 20

European Commission Amended Proposal European Parliament First Reading Council of European Union Common Position
Article 20 − Contracts Article 20 − Contracts Article 20 − Contracts
2. Member States shall ensure that, where subscribing to services providing connection to a public communications network and/or electronic communications services, consumers and other end-users so requesting have a right to a contract with an undertaking or undertakings providing such services and/or connection. The contract shall specify in a clear, comprehensive and easily accessible form at least: 2. Member States shall ensure that, where subscribing to services providing connection to a public communications network and/or electronic communications services, consumers and other end-users so requesting have a right to a contract with an undertaking or undertakings providing such services and/or connection. The contract shall specify in a clear, comprehensive and easily accessible form at least: 1. Member States shall ensure that, when subscribing to services providing connection to a public communications network and/or publicly available electronic communications services, consumers, and other end-users so requesting, have a right to a contract with an undertaking or undertakings providing such connection and/or services. The contract shall specify in a clear, comprehensive and easily accessible form at least:
(a) the identity and address of the supplier; (a) the identity and address of the supplier; (a) the identity and address of the supplier;
(b) services provided, including in particular:
(b) services provided, including in particular: - where access to emergency services and caller location information is to be provided under Article 26, the level of reliability of such access, where relevant, and whether access is provided in the whole of the national territory, (b) the services provided, including in particular,
- information on any restrictions imposed by the provider regarding a subscriber's ability to access, use or distribute lawful content or run lawful applications and services, - information on any restrictions imposed by the provider regarding a subscriber's ability to access, use or distribute lawful content or run lawful applications and services, - information on any restrictions imposed by the provider's traffic management policies,
- the service quality levels, with reference to any parameters specified under Article 22(2) as appropriate, - the service quality levels, with reference to any parameters specified under Article 22(2) as appropriate, - the minimum service quality levels offered, namely the time for the initial connection and, where appropriate, other quality of service parameters, as defined by the national regulatory authorities,
- types of maintenance and customer support services offered, as well as how to contact customer support, - types of maintenance and customer support services offered, as well as how to contact customer support, - the types of maintenance service offered and customer support services provided, as well as the means of contacting these services,
- the time for the initial connection, and - the time for the initial connection, and - the time for the initial connection, and
- any restrictions on the use of terminal equipment imposed by the provider; - any restrictions on the use of terminal equipment imposed by the provider; - any restrictions imposed by the provider on the use of terminal equipment supplied;
(c) the subscriber's decision as to whether or not to include his or her personal data in a directory, and the data concerned; (c) the subscriber's decision as to whether or not to include his or her personal data in a directory, and the data concerned; (c) where an obligation exists under Article 25, the subscriber's options as to whether or not to include his or her personal data in a directory, and the data concerned;
(d) particulars of prices and tariffs, the means by which up-to-date information on all applicable tariffs and maintenance charges may be obtained, payment methods offered and any differences in costs due to payment method; (d) particulars of prices and tariffs, the means by which up-to-date information on all applicable tariffs and maintenance charges may be obtained, payment methods offered and any differences in costs due to payment method; (d) details of prices and tariffs, the means by which up-to-date information on all applicable tariffs and maintenance charges may be obtained, payment methods offered and any differences in costs due to payment method;
(e) the duration of the contract and the conditions for renewal and termination of services and of the contract, including (e) the duration of the contract and the conditions for renewal and termination of services and of the contract, including (e) the duration of the contract and the conditions for renewal and termination of services and of the contract, including:
- conditions regarding minimum contract duration related to promotions,
- any charges related to portability of numbers and other identifiers; and - any charges related to portability of numbers and other identifiers; and - any charges related to portability of numbers and other identifiers,
- any charges due on termination of the contract, including any cost recovery with respect to terminal equipment; - any charges due on termination of the contract, including any cost recovery with respect to terminal equipment; - any charges due on termination of the contract, including any cost recovery with respect to terminal equipment;
(f) any compensation and the refund arrangements which apply if contracted service quality levels are not met; (f) any compensation and the refund arrangements which apply if contracted service quality levels are not met; (f) any compensation and the refund arrangements which apply if contracted service quality levels are not met;
(g) the method of initiating procedures for settlement of disputes in accordance with Article 34; (g) the method of initiating procedures for settlement of disputes in accordance with Article 34; (g) the means of initiating procedures for the settlement of disputes in accordance with Article 34;
(h) the type of action that might be taken by the undertaking providing connection and/or services in reaction to security or integrity incidents or threats and vulnerabilities, as well as any compensation arrangements which apply if security or integrity incidents occur. (h) the type of action that might be taken by the undertaking providing connection and/or services in reaction to security or integrity incidents or threats and vulnerabilities, as well as any compensation arrangements which apply if security or integrity incidents occur. (h) the type of action that might be taken by the undertaking providing connection and/or services in reaction to security or integrity incidents or threats and vulnerabilities.
The contract shall also include information provided by the relevant public authorities on the use of electronic communications networks and services to engage in unlawful activities or to disseminate harmful content, and on the means of protection against risks to personal security, privacy and personal data referred to in Article 21(4a) and relevant to the service provided. The contract shall also include any information provided by the relevant public authorities on the use of electronic communications networks and services to engage in unlawful activities or to disseminate harmful content, and on the means of protection against risks to personal security, privacy and personal data referred to in Article 21(4a) and relevant to the service provided. Member States may also require that the contract include any information which may be provided by the relevant public authorities for this purpose on the use of electronic communications networks and services to engage in unlawful activities or to disseminate harmful content, and on the means of protection against risks to personal security, privacy and personal data, referred to in Article 21(4)(a) and relevant to the service provided.
4. Member States shall ensure that where contracts are concluded between subscribers and undertakings providing electronic communications services that allow voice communication, subscribers are clearly informed whether or not access to emergency services is provided. Providers of electronic communications services shall ensure that customers are clearly informed of the lack of access to emergency services in advance of the conclusion of a contract and regularly thereafter. 4. Member States shall ensure that where contracts are concluded between subscribers and undertakings providing electronic communications services that allow voice communication, subscribers are clearly informed whether or not access to emergency services is provided. Providers of electronic communications services shall ensure that customers are clearly informed of the lack of access to emergency services in advance of the conclusion of a contract and regularly thereafter. 2. Member States shall ensure that where contracts are concluded between subscribers and undertakings providing electronic communications services that allow voice communication, subscribers are clearly informed as to whether or not access to emergency services and caller location information is provided. Providers of electronic communications services shall ensure that customers are clearly informed of the lack of access to emergency services in advance of the conclusion of a contract of any limitation on access to emergency services, and of any change to access to emergency services.
7. Subscribers shall have a right to withdraw from their contracts without penalty upon notice of modifications in the contractual conditions proposed by operators. Subscribers shall be given adequate notice, not shorter than one month, ahead of any such modifications and shall be informed at the same time of their right to withdraw, without penalty, from such contracts, if they do not accept the new conditions. 7. Subscribers shall have a right to withdraw from their contracts without penalty upon notice of modifications in the contractual conditions proposed by operators. Subscribers shall be given adequate notice, not shorter than one month, ahead of any such modifications and shall be informed at the same time of their right to withdraw, without penalty, from such contracts, if they do not accept the new conditions. 3. Member States shall ensure that subscribers have a right to withdraw from their contract without penalty upon notice of modification to the contractual conditions proposed by the undertakings providing electronic communications networks and/or services. Subscribers shall be given adequate notice, not shorter than one month, ahead of any such modification, and shall be informed at the same time of their right to withdraw, without penalty, from their contract if they do not accept the new conditions. Member States shall ensure that national regulatory authorities are able to specify the format of such notifications.
(12c) In order to address public interest issues with respect to the use of communications services, and to encourage protection of the rights and freedoms of others, the relevant national authorities should be able to produce and have disseminated, with the aid of providers, public interest information related to the use of communications services. This information should include public interest warnings regarding copyright infringement, other unlawful uses and dissemination of harmful content, and advice and means of protection against risks to personal security, which may for example arise from disclosure of personal information in certain circumstances, privacy and personal data. The information could be coordinated by way of the cooperation procedure established in Article 33(2a) of Directive 2002/22/EC. Such public interest information should be updated whenever necessary and it should be presented in easily comprehensible printed and electronic formats, as determined by each Member State, and on national public authority websites. National regulatory authorities should be able to oblige providers to disseminate this standardised information to all their customers in a manner deemed appropriate by the national regulatory authorities. Significant additional costs incurred by service providers for dissemination of such information should be agreed between the providers and the relevant authorities and met by those authorities. The information should also be included in contracts. (12c) In order to address public interest issues with respect to the use of communications services, and to encourage protection of the rights and freedoms of others, the relevant national authorities should be able to produce and have disseminated, with the aid of providers, public interest information related to the use of communications services. This information should include public interest warnings regarding copyright infringement, other unlawful uses and dissemination of harmful content, and advice and means of protection against risks to personal security, which may for example arise from disclosure of personal information in certain circumstances, privacy and personal data. The information could be coordinated by way of the cooperation procedure established in Article 33(2a) of Directive 2002/22/EC. Such public interest information should be updated whenever necessary and it should be presented in easily comprehensible printed and electronic formats, as determined by each Member State, and on national public authority websites. National regulatory authorities should be able to oblige providers to disseminate this standardised information to all their customers in a manner deemed appropriate by the national regulatory authorities. Significant additional costs incurred by service providers for dissemination of such information should be agreed between the providers and the relevant authorities and met by those authorities. The information should also be included in contracts. ''(20) In order to address public interest issues with respect to the use of communications services and to encourage protection of the rights and freedoms of others, the relevant national authorities should be able to produce and have disseminated, with the aid of providers, public interest information related to the use of communications services. This information could include public interest information regarding copyright infringement, other unlawful uses and the dissemination of harmful content, and advice and means of protection against risks to personal security, which may for example arise from disclosure of personal information in certain circumstances, as well as risks to privacy and personal data. The information could be coordinated by way of the cooperation procedure established in Article 33(3) of Directive 2002/22/EC (Universal Service Directive). Such public interest information should be updated whenever necessary and it should be presented in easily comprehensible printed and electronic formats, as determined by each Member State, and on national public authority websites. National regulatory authorities should be able to oblige providers to disseminate this standardised information to all their customers in a manner deemed appropriate by the national regulatory authorities. When required by Member States, the providers and the relevant authorities and met by those authorities. The information should also be included in contracts.
(14) End-users should decide what lawful content they want to be able to send and receive, and which services, applications, hardware and software they want to use for such purposes, without prejudice to the need to preserve the integrity and security of networks and services. A competitive market with transparent offerings as provided for in Directive 2002/22/EC should ensure that end-users are able to access and distribute any lawful content and to use any lawful applications and/or services of their choice, as stated in Article 8 of Directive 2002/21/EC. Given the increasing importance of electronic communications for consumers and businesses, users should in any case be fully informed of any restrictions and/or limitations imposed on the use of electronic communications services by the service and/or network provider. Such information should, at the option of the provider, specify the type of content, application or service concerned, individual applications or services, or both. Depending on the technology used and the type of restriction and/or limitation, such restrictions and/or limitations may require user consent under Directive 2002/58/EC (Privacy Directive). (14) End-users should decide what lawful content they want to be able to send and receive, and which services, applications, hardware and software they want to use for such purposes, without prejudice to the need to preserve the integrity and security of networks and services. A competitive market with transparent offerings as provided for in Directive 2002/22/EC should ensure that end-users are able to access and distribute any lawful content and to use any lawful applications and/or services of their choice, as stated in Article 8 of Directive 2002/21/EC. Given the increasing importance of electronic communications for consumers and businesses, users should in any case be fully informed of any restrictions and/or limitations imposed on the use of electronic communications services by the service and/or network provider. Such information should, at the option of the provider, specify the type of content, application or service concerned, individual applications or services, or both. Depending on the technology used and the type of restriction and/or limitation, such restrictions and/or limitations may require user consent under Directive 2002/58/EC (Privacy Directive). ''(22) Given the increasing importance of electronic communications for consumers and businesses, users should in any case be fully informed of any restrictions and/or limitations imposed on the traffic management policies of electronic communications services by the service and/or network provider with which they conclude the contract. Where there is a lack of effective competition, national regulatory authorities should use the remedies available to them under Directive 2002/19/EC (Access Directive) to ensure that users' access to particular types of content or application is not unreasonably restricted.''
(14b) In the absence of relevant rules of Community law, content, applications and services are deemed lawful or harmful in accordance with national substantive and procedural law. It is a task for the relevant authorities of the Member States, not for providers of electronic communications networks or services, to decide, in accordance with due process, whether content, applications or services are lawful or harmful or not. The Framework Directive and the Specific Directives are without prejudice to Directive 2000/31/EC (Directive on electronic commerce), which inter alia contains a "mere conduit" rule for intermediary service providers, as defined therein. The Framework Directive and the Specific Directives do not require providers to monitor information transmitted over their networks or to take punitive action or legal prosecution against their customers due to such information, nor does it make providers liable for the information. Responsibility for any such punitive action or legal prosecution remains with the relevant authorities. (14b) In the absence of relevant rules of Community law, content, applications and services are deemed lawful or harmful in accordance with national substantive and procedural law. It is a task for the relevant authorities of the Member States, not for providers of electronic communications networks or services, to decide, in accordance with due process, whether content, applications or services are lawful or harmful or not. The Framework Directive 2002/22/EC is without prejudice to Directive 2000/31/EC (Directive on electronic commerce), which inter alia contains a "mere conduit" rule for intermediary service providers. Directive 2002/22/EC does not require providers to monitor information transmitted over their networks or to take punitive action or legal prosecution against their customers due to such information, nor does it make providers liable for the information. Responsibility for any such punitive action or legal prosecution remains with the relevant law enforcement authorities. ''(23) In the absence of relevant rules of Community law, content, applications and services are deemed lawful or harmful in accordance with national substantive and procedural law. It is a task for the relevant authorities of the Member States, not for providers of electronic communications networks or services, to decide, in accordance with due process, whether content, applications or services are lawful or harmful. The Framework Directive and the Specific Directives are without prejudice to Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Directive on electronic commerce)(OJ L 178, 17.7.2000, p. 1.), which, inter alia, contains a "mere conduit" rule for intermediary service providers, as defined therein.''
''(14c) Directive 2002/22/EC is without prejudice to reasonable and non-discriminatory network management by providers.''
(14d) Since inconsistent quality of service requirements will significantly impair the achievement of the internal market, the Commission should assess any measures adopted by national regulatory authorities for possible regulatory intervention across the Community and, if necessary, adopt technical implementing measures in order to achieve consistent application throughout the Community. (14d) Since inconsistent remedies will significantly impair the achievement of the internal market, the Commission should assess any guidelines or other measures adopted by national regulatory authorities for possible regulatory intervention across the Community and, if necessary, adopt technical implementing measures in order to achieve consistent application throughout the Community. (14d) Since inconsistent quality of service requirements will significantly impair the achievement of the internal market, the Commission should assess any measures adopted by national regulatory authorities for possible regulatory intervention across the Community and, if necessary, adopt technical implementing measures in order to achieve consistent application throughout the Community.

Article 21

European Commission Amended Proposal European Parliament First Reading Council of European Union Common Position
Article 21 − Transparency and publication of information Article 21 − Transparency and publication of information Article 21 − Transparency and publication of information
2. Member States shall ensure that undertakings providing connection to a public electronic communications network and/or electronic communications services publish transparent, comparable, adequate and up-to-date information on applicable prices and tariffs, any charges due on termination of a contract and information on standard terms and conditions, in respect of access and use of their services provided to end-users and consumers in accordance with Annex II. Such information shall be published in a clear, comprehensive and easily accessible form. National regulatory authorities may specify additional requirements regarding the form in which such information is to be published. 2. Member States shall ensure that undertakings providing connection to a public electronic communications network and/or electronic communications services publish transparent, comparable, adequate and up-to-date information on applicable prices and tariffs, any charges due on termination of a contract and information on standard terms and conditions, in respect of access and use of their services provided to end-users and consumers in accordance with Annex II. Such information shall be published in a clear, comprehensive and easily accessible form. National regulatory authorities may specify additional requirements regarding the form in which such information is to be published. 1. Member States shall ensure that national regulatory authorities are able to oblige undertakings providing connection to a public electronic communications networks and/or electronic communications services to publish transparent, comparable, adequate and up-to-date information, as set out in Annex II, on applicable prices and tariffs and information on standard terms and conditions in respect of access to, and use of, services provided by them to end-users and consumers. National regulatory authorities may specify additional requirements regarding the form in which such information is published to ensure transparency, comparability, clarity and accessibility for the benefit of consumers.
3. National regulatory authorities shall encourage the provision of comparable information to enable end-users and consumers to make an independent evaluation of the cost of alternative usage patterns, by means of interactive guides or similar techniques. Member States shall ensure that when such guides or similar techniques are not available on the market, free of charge or at a reasonable price, national regulatory authorities make them available themselves or through third parties. Third parties shall have a right to use without charge tariff information published by undertakings providing electronic communications networks and/or services, for the purposes of selling or making available such interactive guides or similar techniques. 3. National regulatory authorities shall encourage the provision of comparable information to enable end-users and consumers to make an independent evaluation of the cost of alternative usage patterns, by means of interactive guides or similar techniques. Member States shall ensure that national regulatory authorities make such guides or similar techniques are not available themselves or through third parties, free of charge or at a reasonable price. Third parties shall have a right to use free of charge the information published by undertakings providing electronic communications networks and/or services, for the purposes of selling or making available such interactive guides or similar techniques. 2. National regulatory authorities shall encourage the provision of comparable information to enable end-users and consumers to make an independent evaluation of the cost of alternative usage patterns, for instance by means of interactive guides or similar techniques. Member States shall ensure that national regulatory authorities may make such guides or similar techniques available, in particular where they are not available, on the market free of charge or at a reasonable price. Third parties shall have a right to use, free of charge, the information published by undertakings providing electronic communications networks and/or services for the purposes of selling or making available such interactive guides or similar techniques.
4. Member States shall ensure that national regulatory authorities are able to oblige undertakings providing connection to a public electronic communications network and/or electronic communications services to inter alia: 4. Member States shall ensure that national regulatory authorities are able to oblige undertakings providing connection to a public electronic communications network and/or electronic communications services to inter alia: 3. Member States shall ensure that national regulatory authorities are able to oblige undertakings providing connection to a public electronic communications network and/or electronic communications services to inter alia:
(a) provide applicable tariff information to subscribers regarding any number or service subject to particular pricing conditions; with respect to individual categories of services national regulatory authorities may require such information to be provided immediately prior to connecting the call; (a) provide applicable tariff information to subscribers regarding any number or service subject to particular pricing conditions; with respect to individual categories of services national regulatory authorities may require such information to be provided immediately prior to connecting the call; (a) provide applicable tariff information to subscribers regarding any number or service subject to particular pricing conditions; with respect to individual categories of services, national regulatory authorities may require such information to be provided immediately prior to connecting the call;
(b) regularly remind subscribers of any lack of reliable access to emergency services or caller location information in the service they have subscribed to; (b) regularly remind subscribers of any lack of reliable access to emergency services or caller location information in the service they have subscribed to; (b) regularly remind subscribers of any lack of reliable access to emergency services or caller location information in the service they have subscribed to;
(c) inform subscribers of any change to any restrictions imposed by the undertaking on their ability to access, use or distribute lawful content or run lawful applications and services of their choice; (c) inform subscribers of any change to any restrictions imposed by the undertaking on their ability to access, use or distribute lawful content or run lawful applications and services of their choice; (b) inform subscribers of any change to any restrictions imposed by the provider's traffic management policies;
(d) inform subscribers of their right to determine whether or not to include their personal data in a directory, and of the types of data concerned in accordance with Article 12 of the Directive on privacy and electronic communications; and (d) inform subscribers of their right to determine whether or not to include their personal data in a directory, and of the types of data concerned; and (c) inform subscribers of their right to determine whether or not to include their personal data in a directory, and of the types of data concerned, in accordance with Article 12 of the Directive 2002/58/EC (Directive on privacy and electronic communications); and
(e) regularly inform disabled subscribers of details of current products and services aimed at them. (e) regularly inform disabled subscribers of details of current products and services aimed at them. (d) regularly inform disabled subscribers of details of current products and services designed for them.
If deemed appropriate, national regulatory authorities may promote self- or co-regulatory measures prior to imposing any obligation. If deemed appropriate, national regulatory authorities may promote self- or co-regulatory measures prior to imposing any obligation. If deemed appropriate, national regulatory authorities may promote self- or co-regulatory measures prior to imposing any obligation.
4a. Member States shall ensure that national regulatory authorities oblige the undertakings referred to in paragraph 4 to distribute public interest information to existing and new subscribers where appropriate. Such information shall be produced by the relevant public authorities in a standardised format and shall inter alia cover the following topics: 4a. Member States shall ensure that national regulatory authorities oblige the undertakings referred to in paragraph 4 to distribute public interest information to existing and new subscribers where appropriate. Such information shall be produced by the relevant public authorities in a standardised format and shall inter alia cover the following topics: 4. Member States may require that national regulatory authorities oblige the undertakings referred to in paragraph 3 distribute public interest information free of charge to existing and new subscribers, where appropriate. In such a case, that information shall be provided by the relevant public authorities in a standardised format and shall, inter alia, cover the following topics:
(a) without prejudice to Directive 2000/31/EC on electronic commerce, the most common uses of electronic communications services to engage in unlawful activities or to disseminate harmful content, including infringements of copyright and related rights, and their legal consequences; and (a) without prejudice to Directive 2000/31/EC on electronic commerce, the most common uses of electronic communications services to engage in unlawful activities or to disseminate harmful content, particularly where it may prejudice respect for the rights and freedoms of others, including infringements of copyright and related right, and their legal consequences; and (a) without prejudice to Directive 2000/31/EC on electronic commerce, the most common uses of electronic communications services to engage in unlawful activities or to disseminate harmful content, particularly where it may prejudice respect for the rights and freedoms of others, including infringements of copyright and related rights, and their legal consequences; and
(b) means of protection against risks to personal security, privacy and personal data in using electronic communications services. (b) means of protection against risks to personal security, privacy and personal data in using electronic communications services. (b) the means of protection against risks to personal security, privacy and personal data when using electronic communications services.
Significant additional costs incurred by an undertaking in complying with these obligations shall be reimbursed by the relevant public authorities. Significant additional costs incurred by an undertaking in complying with these obligations shall be reimbursed by the relevant public authorities. Significant additional costs incurred by an undertaking in complying with these obligations shall be reimbursed by the relevant public authorities.
6. In order to ensure that end-users can benefit from a consistent approach to tariff transparency, as well as to the provision of information in accordance with Article 20(5) in the Community, the Commission may, having consulted the European Electronic Communications Market Authority (hereinafter referred to as “the Authority”), take the appropriate technical implementing measures in this area, such as specify the methodology or procedures. Those measures designed to amend non-essential elements of this Directive by supplementing it shall be adopted in accordance with the regulatory procedure with scrutiny referred to in Article 37(2). On imperative grounds of urgency, the Commission may use the urgency procedure referred to in Article 37(3). 6. In order to ensure that end-users can benefit from a consistent approach to tariff transparency, as well as to the provision of information in accordance with Article 20(5) in the Community, the Commission may, having consulted the European Electronic Communications Market Authority (hereinafter referred to as “the Authority”), take the appropriate technical implementing measures in this area, such as specify the methodology or procedures. Those measures designed to amend non-essential elements of this Directive by supplementing it shall be adopted in accordance with the regulatory procedure with scrutiny referred to in Article 37(2). On imperative grounds of urgency, the Commission may use the urgency procedure referred to in Article 37(3). 6. In order to ensure that end-users can benefit from a consistent approach to tariff transparency, as well as to the provision of information in accordance with Article 20(5) in the Community, the Commission may, having consulted the European Electronic Communications Market Authority (hereinafter referred to as “the Authority”), take the appropriate technical implementing measures in this area, such as specify the methodology or procedures. Those measures designed to amend non-essential elements of this Directive by supplementing it shall be adopted in accordance with the regulatory procedure with scrutiny referred to in Article 37(2). On imperative grounds of urgency, the Commission may use the urgency procedure referred to in Article 37(3).

Article 22

European Commission Amended Proposal European Parliament First Reading Council of European Union Common Position
Article 22 − Quality of service Article 22 − Quality of service Article 22 − Quality of service
1. Member States shall ensure that national regulatory authorities are able, after taking account of the views of interested parties, to require undertakings that provide publicly available electronic communications networks and/or services to publish comparable, adequate and up-to-date information for end-users on the quality of their services and on measures taken to ensure equivalent access for disabled end-users. The information shall, on request, also be supplied to the national regulatory authority in advance of its publication. 1. Member States shall ensure that national regulatory authorities are able, after taking account of the views of interested parties, to require undertakings that provide publicly available electronic communications networks and/or services to publish comparable, adequate and up-to-date information for end-users on the quality of their services and on measures taken to ensure equivalent access for disabled end-users. The information shall, on request, also be supplied to the national regulatory authority in advance of its publication. 1. Member States shall ensure that national regulatory authorities are, after taking account of the views of interested parties, able to require undertakings that provide publicly available electronic communications networks and/or services to publish comparable, adequate and up-to-date information for end-users on the quality of their services and on measures taken to ensure comparable access for disabled end-users. That information shall, on request, also be supplied to the national regulatory authority in advance of its publication.
2. National regulatory authorities may specify, inter alia, the quality of service parameters to be measured, and the content, form and manner of information to be published, including possible quality certification mechanisms, in order to ensure that end-users, including disabled end-users, have access to comprehensive, comparable, reliable and user-friendly information. Where appropriate, the parameters, definitions and measurement methods given in Annex III could be used. 2. National regulatory authorities may specify, inter alia, the quality of service parameters to be measured, and the content, form and manner of information to be published, including possible quality certification mechanisms, in order to ensure that end-users, including disabled end-users, have access to comprehensive, comparable, reliable and user-friendly information. Where appropriate, the parameters, definitions and measurement methods given in Annex III could be used. 2. National regulatory authorities may specify, inter alia, the quality of service parameters to be measured and the content, form and manner of the information to be published, including possible quality certification mechanisms, in order to ensure that end-users have access to comprehensive, comparable, reliable and user-friendly information. Where appropriate, the parameters, definitions and measurement methods set out in Annex III may be used.
3. A national regulatory authority may set minimum quality of service requirements in order to prevent degradation of service and slowing of traffic over networks. Such requirements shall take due account of any standards issued under Article 17 of Directive 2002/21/EC (Framework Directive). 3. A national regulatory authority may issue guidelines setting minimum quality of service requirements, and, if appropriate, take other measures, in order to prevent degradation of service and slowing of traffic over networks, and to ensure that the ability of users to access or distribute content or to run applications and services of their choice is not unreasonably restricted. Those guidelines or measures shall take due account of any standards issued under Article 17 of Directive 2002/21/EC (Framework Directive). 3. In order to prevent the degradation of service and the hindering or slowing down of traffic over networks, Member States shall ensure that national regulatory authorities are able to set minimum quality of service requirements on an undertaking or undertakings providing public communications networks.
The Commission may, having examined such requirements and consulted [xxx], adopt technical implementing measures if it considers that the requirements set at national level may create a barrier to the internal market. Such measures, designed to amend non-essential elements of this Directive by supplementing it, shall be adopted in accordance with the regulatory procedure with scrutiny referred to in Article 37(2). The Commission may, having examined such guidelines or measures and consulted [xxx], adopt technical implementing measures in that regard if it considers that the guidelines or measures may create a barrier to the internal market. Those measures designed to amend non-essential elements of this Directive by supplementing it shall be adopted in accordance with the regulatory procedure with scrutiny referred to in Article 37(2). The Commission may, having examined such requirements and consulted [xxx], adopt technical implementing measures if it considers that the requirements set at national level may create a barrier to the internal market. Such measures, designed to amend non-essential elements of this Directive by supplementing it, shall be adopted in accordance with the regulatory procedure with scrutiny referred to in Article 37(2).
(14a) A competitive market should also ensure that users are able to have the quality of service they require, but in particular cases it may be necessary to ensure that public communications networks attain minimum quality levels so as to prevent degradation of service, usage restrictions and/or limitations and the slowing of traffic. Where there is a lack of effective competition, national regulatory authorities should use the remedies available to them under the Directives establishing the regulatory framework for electronic communications networks and services to ensure that users" access to particular types of content or applications is not unreasonably restricted. It should also be possible for national regulatory authorities to set minimum quality of service requirements under Directive 2002/22/EC, with regard to the interests of users and all other relevant circumstances. (14a) A competitive market should also ensure that users are able to have the quality of service they require, but in particular cases it may be necessary to ensure that public communications networks attain minimum quality levels so as to prevent degradation of service, usage restrictions and/or limitations and the slowing of traffic. Where there is a lack of effective competition, national regulatory authorities should use the remedies available to them under the Directives establishing the regulatory framework for electronic communications networks and services to ensure that users" access to particular types of content or applications is not unreasonably restricted. It should also be possible for national regulatory authorities to issue guidelines setting minimum quality of service requirements under Directive 2002/22/EC and to take other measures where such other remedies have, in their judgement, not been effective with regard to the interests of users and all other relevant circumstances. Such guidelines or measures could include the provision of a basic tier of unrestricted services.'' ''(26) A competitive market should also ensure that users enjoy the quality of service they require, but in particular cases it may be necessary to ensure that public communications networks attain minimum quality levels so as to prevent degradation of service, usage restrictions and/or limitations and the blocking of traffic. Where there is a lack of effective competition, national regulatory authorities should use the remedies available to them under the Directives establishing the regulatory framework for electronic communications networks and services to ensure that users" access and the slowing of traffic over networks.''

Article 28

European Commission Amended Proposal European Parliament First Reading Council of European Union Common Position
Article 28 − Access to numbers and services Article 28 − Access to numbers and services Article 28 − Access to numbers and services
1. Member States shall ensure that national regulatory authorities take all necessary steps to ensure that: 1. Member States shall ensure that, where technically and economically feasible, and except where a called subscriber has chosen for commercial reasons to limit access by calling parties located in specific geographical areas, national regulatory authorities take all necessary steps to ensure that: 1. Member States shall ensure that, where technically and economically feasible, and except where a called subscriber has chosen for commercial reasons to limit access by calling parties located in specific geographical areas, relevant national regulatory authorities take all necessary steps to ensure that end-users are able to:
(a) end-users are able to access and use services, including information society services, provided within the Community; and (a) end-users are able to access and use services, including information society services, provided within the Community; and (a) end-users are able to access and use services using non-geographic numbers within the Community; and
(b) end-users are able to access all numbers provided in the Community regardless of the technology and devices used by the operator, including those in the national numbering plans of Member States, those from the European Telephone Numbering Space and Universal International Freephone Numbers; and (b) end-users are able to access all numbers provided in the Community regardless of the technology and devices used by the operator, including those in the national numbering plans of Member States, those from the European Telephone Numbering Space and Universal International Freephone Numbers; and (b) end-users are able to access all numbers provided in the Community, including those in the national numbering plans of Member States, those from the ETNS and Universal International Freephone Numbers (UIFN).
(ba) connection services are provided for text telephones, video telephones and products which help to enable elderly people or people with disabilities to communicate, at least as regards emergency calls.
National regulatory authorities shall be able to block on a case-by-case basis access to numbers or services where this is justified by reasons of fraud or misuse, and to ensure that in such cases, including where an investigation is pending, providers of electronic communications services may withhold relevant interconnection or other service revenues. National regulatory authorities shall be able to block on a case-by-case basis access to numbers or services where this is justified by reasons of fraud or misuse, and to ensure that in such cases, including where an investigation is pending, providers of electronic communications services may withhold relevant interconnection or other service revenues. 2. Member States shall ensure that the relevant authorities are able to require undertakings providing public communications networks and/or publicly available electronic communications services to block, on a case-by-case basis, access to numbers or services where this is justified by reasons of fraud or misuse and to require that in such cases providers of electronic communications services may withhold relevant interconnection or other service revenues.
2. In order to ensure that end users have effective access to numbers and services in the Community, the Commission may adopt technical implementing measures. Those measures, designed to amend non-essential elements of this Directive by supplementing it, shall be adopted in accordance with the regulatory procedure with scrutiny referred to in Article 37(2). 2. In order to ensure that end users have effective access to numbers and services in the Community, the Commission may adopt technical implementing measures. Those measures, designed to amend non-essential elements of this Directive by supplementing it, shall be adopted in accordance with the regulatory procedure with scrutiny referred to in Article 37(2). 2. In order to ensure that end users have effective access to numbers and services in the Community, the Commission may adopt technical implementing measures. Those measures, designed to amend non-essential elements of this Directive by supplementing it, shall be adopted in accordance with the regulatory procedure with scrutiny referred to in Article 37(2).
Any such technical implementing measure may be periodically reviewed to take account of market and technological developments. Any such technical implementing measure may be periodically reviewed to take account of market and technological developments. Any such technical implementing measure may be periodically reviewed to take account of market and technological developments.
2a. Member States shall ensure that national regulatory authorities are able to require undertakings providing public communications networks to provide information regarding the management of their networks in connection with any limitations or restrictions on end-user access to or use of services, content or applications. Member States shall ensure that national regulatory authorities have all the powers necessary to investigate cases in which undertakings have imposed limitations on end-user access to services, content or applications.
(22) A single market implies that end-users are able to access all numbers included in the national numbering plans of other Member States, and to access services, including Information Society services, using non-geographic numbers within the Community, including, among others, freephone and and premium-rate numbers and directory enquiry services. End-users should also be able to access numbers from the European Telephone Numbering Space (ETNS) and Universal International Freephone Numbers (UIFN). This will facilitate cross-border exchanges between end-users, regardless of the operator they choose. Cross-border access to numbering resources and to the associated service should not be prevented except in objectively justified cases, such as when this is necessary to combat fraud, and abuse e.g. in connection with certain premium-rate services, or when the number is defined as having a national scope only (e.g. national short code). Users should be fully informed in advance in a clear manner of any charges applicable to freephone numbers, such as international call charges for numbers accessible through standard international dialling codes. In order to ensure that end-users have effective access to numbers and services in the Community, the Commission should be able to adopt implementing measures. (22) A single market implies that end-users are able to access all numbers included in the national numbering plans of other Member States, and to access services, including Information Society services, using non-geographic numbers within the Community, including among others freephone and premium rate numbers. End-users should also be able to access numbers from the European Telephone Numbering Space (ETNS) and universal international freephone numbers (UIFN). This will facilitate cross-border exchanges between end-users, regardless of the operator they choose. Cross-border access to numbering resources and to the associated service should not be prevented except in objectively justified cases, such as when this is necessary to combat fraud, and abuse e.g. in connection with certain premium-rate services, or when the number is defined as having a national scope only (e.g. national short code). Users should be fully informed in advance in a clear manner of any charges applicable to freephone numbers, such as international call charges for numbers accessible through standard international dialling codes. In order to ensure that end-users have effective access to numbers and services in the Community, the Commission should be able to adopt implementing measures. End-users should also be able to connect to other end-users (especially via Internet Protocol (IP) numbers) in order to exchange data, regardless of the operator they choose.'' ''(36) A single market implies that end-users are able to access all numbers included in the national numbering plans of other Member States and to access services using non-geographic numbers within the Community, including, among others, freephone and premium rate numbers. End-users should also be able to access numbers from the European Telephone Numbering Space (ETNS) and Universal International Freephone Numbers (UIFN). This will facilitate cross-border exchanges between end-users, regardless of the operator they choose. Cross-border access to numbering resources and to the associated services should not be prevented, except in objectively justified cases, for example to combat fraud or abuse (e.g. in connection with certain premium-rate services), when the number is defined as having a national scope only (e.g. a national short code) or when it is technically or economically unfeasible. Users should be fully informed in advance and in a clear manner of any charges applicable to freephone numbers, such as international call charges for numbers accessible through standard international dialling codes.''

Article 32a

European Commission Amended Proposal European Parliament First Reading Council of European Union Common Position
Member States shall ensure that any restrictions to users' rights to access content, services and applications, if they are necessary, shall be implemented by appropriate measures, in accordance with the principles of proportionality, effectiveness and dissuasiveness. These measures shall not have the effect of hindering the development of the information society, in compliance with Directive 2000/31/EC, and shall not conflict with citizens' fundamental rights, including the right to privacy and the right to due process.

Article 33

European Commission Amended Proposal European Parliament First Reading Council of European Union Common Position
Article 33 − Consultation with interested parties Article 33 − Consultation with interested parties Article 33 − Consultation with interested parties
1. Member States shall ensure as far as appropriate that national regulatory authorities take account of the views of end-users, consumers, manufacturers and undertakings that provide electronic communications networks and/or services on issues related to all end-user and consumer rights concerning publicly available electronic communications services, in particular where they have a significant impact on the market. 1. Member States shall ensure as far as appropriate that national regulatory authorities take account of the views of end-users, consumers, manufacturers and undertakings that provide electronic communications networks and/or services on issues related to all end-user and consumer rights concerning publicly available electronic communications services, in particular where they have a significant impact on the market. 1. Member States shall ensure as far as appropriate that national regulatory authorities take account of the views of end-users, consumers (including, in particular, disabled end-users), manufacturers and undertakings that provide electronic communications networks and/or services on issues related to all end-user and consumer rights concerning publicly available electronic communications services, in particular where they have a significant impact on the market.
In particular, Member States shall ensure that national regulatory authorities establish consultation mechanisms ensuring that due consideration is given to, and account taken of, issues relating to end-users, including, in particular, disabled end-users, in their decision-making process. In particular, Member States shall ensure that national regulatory authorities establish consultation mechanisms ensuring that due consideration is given to, and account taken of, issues relating to end-users, including, in particular, disabled end-users, in their decision-making process. In particular, Member States shall ensure that national regulatory authorities establish a consultation mechanism ensuring that in their decisions on issues related to end-user and consumer rights concerning publicly available electronic communications services, due consideration is given to, and account taken of, issues relating to consumer interests in electronic communications.
2. Where appropriate, interested parties may develop, with the guidance of national regulatory authorities, mechanisms, involving consumers, user groups and service providers, to improve the general quality of service provision by, inter alia, developing and monitoring codes of conduct and operating standards. 2. Where appropriate, interested parties may develop, with the guidance of national regulatory authorities, mechanisms, involving consumers, user groups and service providers, to improve the general quality of service provision by, inter alia, developing and monitoring codes of conduct and operating standards. 2. Where appropriate, interested parties may develop, with the guidance of national regulatory authorities, mechanisms, involving consumers, user groups and service providers, to improve the general quality of service provision by, inter alia, developing and monitoring codes of conduct and operating standards.
2a. Without prejudice to national rules in conformity with Community law promoting cultural and media policy objectives, such as cultural and linguistic diversity and media pluralism, national regulatory authorities and other relevant authorities shall as far as appropriate promote cooperation between undertakings providing electronic communications networks and/or services and the sectors interested in the promotion of lawful content in electronic communication networks and services. That co-operation may also include coordination of the public interest information to be made available under Article 21(4a) and Article 20(2). 2a. Without prejudice to national rules in conformity with Community law promoting cultural and media policy objectives, such as cultural and linguistic diversity and media pluralism, national regulatory authorities and other relevant authorities shall as far as appropriate promote cooperation between undertakings providing electronic communications networks and/or services and the sectors interested in the promotion of lawful content in electronic communication networks and services. That co-operation may also include coordination of the public interest information to be made available under Article 21(4a) and Article 20(2). 3. Without prejudice to national rules in conformity with Community law promoting cultural and media policy objectives, such as cultural and linguistic diversity and media pluralism, national regulatory authorities and other relevant authorities may promote cooperation between undertakings providing electronic communications networks and/or services and the sectors interested in the promotion of lawful content in electronic communication networks and services. That cooperation may also include coordination of the public interest information to be provided pursuant to Article 21(4)(a) and Article 20(1).
3. Member States shall submit a yearly report to the Commission and the Authority on the measures taken and the progress towards improving interoperability and use of, and access to, electronic communications services and terminal equipment by disabled end-users. 3. Member States shall submit a yearly report to the Commission and the Authority on the measures taken and the progress towards improving interoperability and use of, and access to, electronic communications services and terminal equipment by disabled end-users. 3. Member States shall submit a yearly report to the Commission and the Authority on the measures taken and the progress towards improving interoperability and use of, and access to, electronic communications services and terminal equipment by disabled end-users.
4. Without prejudice to the application of Directive 1999/5/EC and in particular of disability requirements pursuant to its Article 3(3)(f), and in order to improve accessibility to electronic communications services and equipment by disabled end-users, the Commission may, having consulted the Authority, take the appropriate technical implementing measures to address the issues raised in the report referred to in paragraph 3, following a public consultation. These measures designed to amend non-essential elements of this Directive by supplementing it shall be adopted in accordance with the regulatory procedure with scrutiny referred to in Article 37(2). 4. Without prejudice to the application of Directive 1999/5/EC and in particular of disability requirements pursuant to its Article 3(3)(f), and in order to improve accessibility to electronic communications services and equipment by disabled end-users, the Commission may take the appropriate technical implementing measures, following a public consultation and after having consulted [xxx]. Those measures, designed to amend non-essential elements of this Directive by supplementing it, shall be adopted in accordance with the regulatory procedure with scrutiny referred to in Article 37(2). 4. Without prejudice to the application of Directive 1999/5/EC and in particular of disability requirements pursuant to its Article 3(3)(f), and in order to improve accessibility to electronic communications services and equipment by disabled end-users, the Commission may, having consulted the Authority, take the appropriate technical implementing measures to address the issues raised in the report referred to in paragraph 3, following a public consultation. These measures designed to amend non-essential elements of this Directive by supplementing it shall be adopted in accordance with the regulatory procedure with scrutiny referred to in Article 37(2).
(25) In order to overcome existing shortcomings in terms of consumer consultation and appropriately address the interests of citizens, Member States should put in place appropriate consultation mechanisms. Such mechanisms could take the form of a body which would, independently from the national regulatory authority as well as from service providers, carry out research on consumer-related issues, such as consumer behaviour and mechanisms for changing suppliers, and which would operate in a transparent manner and contribute to the existing mechanisms for stakeholders" consultation. Furthermore, a mechanism should be established for the purpose of enabling appropriate cooperation on issues relating to the promotion of lawful content. Any cooperation procedures agreed pursuant to such a mechanism should however not allow for systematic surveillance of internet usage. Where there is a need to address the facilitation of the access to and use of electronic communications services and terminal equipment for disabled users, and without prejudice to Directive 1999/5/EC of the European Parliament and of the Council of 9 March 1999 on radio equipment and telecommunications terminal equipment and the mutual recognition of their conformity and in particular the disability requirements pursuant to its Article 3(3)(f), the Commission should be able to adopt implementing measures. (25) In order to overcome existing shortcomings in terms of consumer consultation and appropriately address the interests of citizens, Member States should put in place appropriate consultation mechanisms. Such mechanisms could take the form of a body which would, independently from the national regulatory authority as well as from service providers, carry out research on consumer-related issues, such as consumer behaviour and mechanisms for changing suppliers, and which would operate in a transparent manner and contribute to the existing mechanisms for stakeholders" consultation. Furthermore, a mechanism should be established for the purpose of enabling appropriate cooperation on issues relating to the promotion of lawful content. Any cooperation procedures agreed pursuant to such a mechanism should however not allow for systematic surveillance of internet usage. Where there is a need to address the facilitation of the access to and use of electronic communications services and terminal equipment for disabled users, and without prejudice to Directive 1999/5/EC of the European Parliament and of the Council of 9 March 1999 on radio equipment and telecommunications terminal equipment and the mutual recognition of their conformity and in particular the disability requirements pursuant to its Article 3(3)(f), the Commission should be able to adopt implementing measures. ''(39) In order to overcome existing shortcomings in terms of consumer consultation and to appropriately address the interests of citizens, Member States should put in place an appropriate consultation mechanism. Such a mechanism could take the form of a body which would, independently of the national regulatory authority and service providers, carry out research into consumer-related issues, such as consumer behaviour and mechanisms for changing suppliers, and which would operate in a transparent manner and contribute to the existing mechanisms for stakeholder consultation. Furthermore, a mechanism could be established for the purpose of enabling appropriate cooperation on issues relating to the promotion of lawful content. Any cooperation procedures agreed pursuant to such a mechanism should, however, not allow for the systematic surveillance of internet usage.''

Article 34

European Commission Amended Proposal European Parliament First Reading Council of European Union Common Position
Article 34 − Out-of-court dispute resolution Article 34 − Out-of-court dispute resolution Article 34 − Out-of-court dispute resolution
1. Member States shall ensure that independent bodies provide transparent, simple and inexpensive out-of-court procedures for dealing with disputes between consumers and undertakings providing electronic communications networks and/or services relating to the contractual conditions and/or performance of contracts concerning the supply of such networks or services. Such procedures shall enable disputes to be settled fairly and promptly and shall take account of the requirements of Commission Recommendation 98/257/EC of 30 March 1998 on the principles applicable to the bodies responsible for out-of-court settlement of consumer disputes (OJ L 115, 17.4.1998, p. 31.). Member States may, where warranted, adopt a system of reimbursement and/or compensation. Member States may extend these obligations to cover disputes involving other end-users. 1. Member States shall ensure that independent bodies provide transparent, simple and inexpensive out-of-court procedures for dealing with disputes between consumers and undertakings providing electronic communications networks and/or services relating to the contractual conditions and/or performance of contracts concerning the supply of such networks or services. Such procedures shall enable disputes to be settled fairly and promptly and shall take account of the requirements of Commission Recommendation 98/257/EC of 30 March 1998 on the principles applicable to the bodies responsible for out-of-court settlement of consumer disputes (OJ L 115, 17.4.1998, p. 31.). Member States may, where warranted, adopt a system of reimbursement and/or compensation. Member States may extend these obligations to cover disputes involving other end-users. 1. Member States shall ensure that independent bodies provide transparent, simple and inexpensive out-of-court procedures are available for dealing with unresolved disputes between consumers and undertakings providing electronic communications networks and/or services arising under this Directive and relating to the contractual conditions and/or performance of contracts concerning the supply of those networks and/or services. Member States shall adopt measures to ensure that such procedures enable disputes to be settled fairly and promptly and shall take account of the requirements of Commission Recommendation 98/257/EC of 30 March 1998 on the principles applicable to the bodies responsible for out-of-court settlement of consumer disputes (OJ L 115, 17.4.1998, p. 31.). Member States may, where warranted, adopt a system of reimbursement and/or compensation. Member States may extend these obligations to cover disputes involving other end-users.
Member States shall ensure that the bodies in charge of dealing with such disputes, which can be single points of contact, provide relevant information for statistical purposes to the Commission and the authorities. Member States shall ensure that the bodies in charge of dealing with such disputes, which can be single points of contact, provide relevant information for statistical purposes to the Commission and the authorities. Member States shall ensure that the bodies in charge of dealing with such disputes, which can be single points of contact, provide relevant information for statistical purposes to the Commission and the authorities.
With specific regard to the interaction of audiovisual and electronic communications, Member States shall encourage reliable out-of-court procedures.
2. Member States shall ensure that their legislation does not hamper the establishment of complaints offices and the provision of on-line services at the appropriate territorial level to facilitate access to dispute resolution by consumers and end-users. 2. Member States shall ensure that their legislation does not hamper the establishment of complaints offices and the provision of on-line services at the appropriate territorial level to facilitate access to dispute resolution by consumers and end-users. 2. Member States shall ensure that their legislation does not hamper the establishment of complaints offices and the provision of on-line services at the appropriate territorial level to facilitate access to dispute resolution by consumers and end-users.
3. Where such disputes involve parties in different Member States, Member States shall coordinate their efforts with a view to bringing about a resolution of the dispute. 3. Where such disputes involve parties in different Member States, Member States shall coordinate their efforts with a view to bringing about a resolution of the dispute. 3. Where such disputes involve parties in different Member States, Member States shall coordinate their efforts with a view to bringing about a resolution of the dispute.
4. This Article is without prejudice to national court procedures. 4. This Article is without prejudice to national court procedures. 4. This Article is without prejudice to national court procedures.

Annex I

European Commission Amended Proposal European Parliament First Reading Council of European Union Common Position
(bb) Protection software
Member States shall ensure that national regulatory authorities are able to require operators to make available free of charge to their subscribers reliable, easy-to-use, and freely and fully configurable protection and/or filtering software to prevent access by children or vulnerable people to content unsuitable to them.
Traffic monitoring data that this software may collect is for the sole use of the subscriber only.

Directive concerning the processing of personal data and the protection of privacy in the electronic communications sector (ePrivacy 2002/58/EC)

Article 1

European Commission Amended Proposal European Parliament First Reading Council of European Union Common Position
(26a) Directive 2002/58/EC provides for the harmonisation of the provisions of the Member States required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy, with respect to the processing of personal data in the electronic communications sector, and to ensure the free movement of such data and of electronic communications equipment and services in the Community. (26a) Directive 2002/58/EC provides for the harmonisation of the provisions of the Member States required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy and the right to confidentiality and security of information technology systems, with respect to the processing of personal data in the electronic communications sector, and to ensure the free movement of such data and of electronic communications equipment and services in the Community. (26a) Directive 2002/58/EC provides for the harmonisation of the provisions of the Member States required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy, with respect to the processing of personal data in the electronic communications sector, and to ensure the free movement of such data and of electronic communications equipment and services in the Community.

Article 2

European Commission Amended Proposal European Parliament First Reading Council of European Union Common Position
Article 2 − Definitions Article 2 − Definitions Article 2 − Definitions
Save as otherwise provided, the definitions in Directive 95/46/EC and in Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive)(8) shall apply. Save as otherwise provided, the definitions in Directive 95/46/EC and in Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive)(8) shall apply. Save as otherwise provided, the definitions in Directive 95/46/EC and in Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive) shall apply.
The following definitions shall also apply: The following definitions shall also apply: The following definitions shall also apply:
(a) “user” means any natural person using a publicly available electronic communications service, for private or business purposes, without necessarily having subscribed to this service; (a) “user” means any natural person using a publicly available electronic communications service, for private or business purposes, without necessarily having subscribed to this service; (a) “user” means any natural person using a publicly available electronic communications service, for private or business purposes, without necessarily having subscribed to this service;
(b) “traffic data” means any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof; (b) “traffic data” means any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof; (b) “traffic data” means any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof;
(c) “location data” means any data processed in an electronic communications network, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service; (c) “location data” means any data processed in an electronic communications network, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service; (c) “location data” means any data processed in an electronic communications network or by an electronic communications service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service;
(d) “communication” means any information exchanged or conveyed between a finite number of parties by means of a publicly available electronic communications service. This does not include any information conveyed as part of a broadcasting service to the public over an electronic communications network except to the extent that the information can be related to the identifiable subscriber or user receiving the information; (d) “communication” means any information exchanged or conveyed between a finite number of parties by means of a publicly available electronic communications service. This does not include any information conveyed as part of a broadcasting service to the public over an electronic communications network except to the extent that the information can be related to the identifiable subscriber or user receiving the information; (d) “communication” means any information exchanged or conveyed between a finite number of parties by means of a publicly available electronic communications service. This does not include any information conveyed as part of a broadcasting service to the public over an electronic communications network except to the extent that the information can be related to the identifiable subscriber or user receiving the information;
(e) “call” means a connection established by means of a publicly available telephone service allowing two-way communication; (e) “call” means a connection established by means of a publicly available telephone service allowing two-way communication; (e) “call” means a connection established by means of a publicly available telephone service allowing two-way communication;
(f) “consent” by a user or subscriber corresponds to the data subject's consent in Directive 95/46/EC; (f) “consent” by a user or subscriber corresponds to the data subject's consent in Directive 95/46/EC; (e) “consent” by a user or subscriber corresponds to the data subject's consent in Directive 95/46/EC;
(g) “value added service” means any service which requires the processing of traffic data or location data other than traffic data beyond what is necessary for the transmission of a communication or the billing thereof; (g) “value added service” means any service which requires the processing of traffic data or location data other than traffic data beyond what is necessary for the transmission of a communication or the billing thereof; (f) “value added service” means any service which requires the processing of traffic data or location data other than traffic data beyond what is necessary for the transmission of a communication or the billing thereof;
(h) “electronic mail” means any text, voice, sound or image message sent over a public communications network which can be stored in the network or in the recipient's terminal equipment until it is collected by the recipient. (h) “electronic mail” means any text, voice, sound or image message sent over a public communications network which can be stored in the network or in the recipient's terminal equipment until it is collected by the recipient. (g) “electronic mail” means any text, voice, sound or image message sent over a public communications network which can be stored in the network or in the recipient's terminal equipment until it is collected by the recipient;
(i) “Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed in connection with the provision of publicly available electronic communications services in the Community. (i) “Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed in connection with the provision of publicly available electronic communications services in the Community. (h) “personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community.

Article 3

European Commission Amended Proposal European Parliament First Reading Council of European Union Common Position
(27a) IP addresses are essential to the working of the internet. They are unique numbers assigned to devices participating in a computer network using the Internet Protocol for communication between its nodes, such as computers or mobile smart devices. In practice, they may also be used to identify the user of a given device. Considering the different scenarios in which IP addresses are used, and the related technologies which are rapidly evolving (including the deployment of IPv6), questions have arisen about their treatment as personal data in certain circumstances. Developments concerning the use of IP addresses should be followed closely, taking into consideration the work already done by, among others, the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established by Article 29 of Directive 95/46/EC, and in the light of such proposals as may be appropriate. (27a) IP addresses are essential to the working of the internet. They identify network participating devices, such as computers or mobile smart devices by a number. Considering the different scenarios in which IP addresses are used, and the related technologies which are rapidly evolving, questions have arisen about their use as personal data in certain circumstances. The Commission should therefore conduct a study regarding IP addresses should be followed closely, taking into consideration the work already done by, among others, the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established by Article 29 of Directive 95/46/EC, and their use and present such proposals as may be appropriate. (27a) IP addresses are essential to the working of the internet. They are unique numbers assigned to devices participating in a computer network using the Internet Protocol for communication between its nodes, such as computers or mobile smart devices. In practice, they may also be used to identify the user of a given device. Considering the different scenarios in which IP addresses are used, and the related technologies which are rapidly evolving (including the deployment of IPv6), questions have arisen about their treatment as personal data in certain circumstances. Developments concerning the use of IP addresses should be followed closely, taking into consideration the work already done by, among others, the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established by Article 29 of Directive 95/46/EC, and in the light of such proposals as may be appropriate.
(28) Technological progress allows the development of new applications based on devices for data collection and identification, which may be contactless devices using radio frequencies. For example, Radio Frequency Identification Devices (RFID) use radio frequencies to capture data from uniquely identified tags, which can then be transferred over existing communications networks. The wide use of such technologies can bring considerable economic and social benefits and thus make a powerful contribution to the internal market if their use is acceptable to citizens. To achieve that, it is necessary to ensure that all the fundamental rights of individuals, including the right to privacy and data protection, are safeguarded. When such devices are connected to publicly available electronic communications networks or make use of electronic communications services as a basic infrastructure, the relevant provisions of Directive 2002/58/EC, including those on security, traffic and location data and on confidentiality, should apply. (28) Technological progress allows the development of new applications based on devices for data collection and identification, which may be contactless devices using radio frequencies. For example, Radio Frequency Identification Devices (RFID) use radio frequencies to capture data from uniquely identified tags, which can then be transferred over existing communications networks. The wide use of such technologies can bring considerable economic and social benefits and thus make a powerful contribution to the internal market if their use is acceptable to citizens. To achieve that, it is necessary to ensure that all the fundamental rights of individuals, including the right to privacy and data protection, are safeguarded. When such devices are connected to publicly available electronic communications networks or make use of electronic communications services as a basic infrastructure, the relevant provisions of Directive 2002/58/EC, including those on security, traffic and location data and on confidentiality, should apply. ''(44) Technological progress allows the development of new applications based on devices for data collection and identification, which could be contactless devices using radio frequencies. For example, Radio Frequency Identification Devices (RFID) use radio frequencies to capture data from uniquely identified tags which can then be transferred over existing communications networks. The wide use of such technologies can bring considerable economic and social benefit and thus make a powerful contribution to the internal market, if their use is acceptable to citizens. To achieve this aim, it is necessary to ensure that all the fundamental rights of individuals, including the right to privacy and data protection, are safeguarded. When such devices are connected to publicly available electronic communications networks or make use of electronic communications services as a basic infrastructure, the relevant provisions of Directive 2002/58/EC (Directive on privacy and electronic communications), including those on security, traffic and location data and on confidentiality, should apply.

Article 4

European Commission Amended Proposal European Parliament First Reading Council of European Union Common Position
Article 4 − Security of processing Article 4 − Security of processing Article 4 − Security of processing
1. The provider of a publicly available electronic communications service must take appropriate technical and organisational measures to safeguard security of its services, if necessary in conjunction with the provider of the public communications network with respect to network security. Having regard to the state of the art and the cost of their implementation, these measures shall ensure a level of security appropriate to the risk presented. 1. The provider of a publicly available electronic communications service must take appropriate technical and organisational measures to safeguard security of its services, if necessary in conjunction with the provider of the public communications network with respect to network security. Having regard to the state of the art and the cost of their implementation, these measures shall ensure a level of security appropriate to the risk presented. 1. The provider of a publicly available electronic communications service must take appropriate technical and organisational measures to safeguard security of its services, if necessary in conjunction with the provider of the public communications network with respect to network security. Having regard to the state of the art and the cost of their implementation, these measures shall ensure a level of security appropriate to the risk presented.
1a. Without prejudice to the provisions of Directive 95/46/EC, these measures shall include: 1a. Without prejudice to the provisions of Directive 95/46/EC and Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks (OJ L 105, 13.4.2006, p. 54.), these measures shall include: 1a. Without prejudice to the provisions of Directive 95/46/EC, these measures shall include:
- ensure that personal data can be accessed only by authorised personnel for legally authorised purposes; - appropriate technical and organisational measures to ensure that personal data can be accessed only by authorised personnel for legally authorised purposes and to protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration and unauthorised or unlawful storage, processing, access or disclosure; - ensure that personal data can be accessed only by authorised personnel for legally authorised purposes;
- protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, or unauthorised or unlawful storage, processing, access or disclosure; and - appropriate technical and organisational measures to protect the network and services against accidental, unlawful destruction, accidental loss or alteration, or unauthorised usage or interference with or hindering of their functioning or availability; - protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, or unauthorised or unlawful storage, processing, access or disclosure; and
- implement a security policy with respect to the processing of personal data. - implement a security policy with respect to the processing of personal data; - implement a security policy with respect to the processing of personal data.
- a process for identifying and assessing reasonably foreseeable vulnerabilities in the systems maintained by the provider of electronic communications services, which shall include regular monitoring for security breaches; and
- a process for taking preventive, corrective and mitigating action against any vulnerabilities discovered in the process described under the fourth indent and a process for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach.
1b. National regulatory authorities shall be able to audit the measures taken by providers of publicly available electronic communication services and to issue recommendations about best practices concerning the level of security which these measures should achieve. 1b. National regulatory authorities shall be able to audit the measures taken by providers of publicly available electronic communication services and information society services and to issue recommendations about best practices and performance indicators concerning the level of security which these measures should achieve. 1b. National regulatory authorities shall be able to audit the measures taken by providers of publicly available electronic communication services and to issue recommendations about best practices concerning the level of security which these measures should achieve.
2. In case of a particular risk of a breach of the security of the network, the provider of a publicly available electronic communications service must inform the subscribers concerning such risk and, where the risk lies outside the scope of the measures to be taken by the service provider, of any possible remedies, including an indication of the likely costs involved. 2. In case of a particular risk of a breach of the security of the network, the provider of a publicly available electronic communications service must inform the subscribers concerning such risk and, where the risk lies outside the scope of the measures to be taken by the service provider, of any possible remedies, including an indication of the likely costs involved. 2. In case of a particular risk of a breach of the security of the network, the provider of a publicly available electronic communications service must inform the subscribers concerning such risk and, where the risk lies outside the scope of the measures to be taken by the service provider, of any possible remedies, including an indication of the likely costs involved.
3. In the case of a personal data breach, the provider of publicly available electronic communications services shall, without undue delay, notify the national regulatory authority or the competent authority according to the individual law of the Member State and the subscriber or individual concerned of such a breach, subject to paragraphs 3a and 3b below.. The notification to the subscriber or individual concerned shall at least describe the nature of the breach and the contact points where more information can be obtained, and shall recommend measures to mitigate possible negative effects of the personal data breach. The notification to the competent authority shall, in addition, describe the consequences of the personal data breach and the measures proposed or taken by the provider to address the breach. 3. In the case of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed in connection with the provision of publicly available communications services in the Community, the provider of publicly available electronic communications services, as well as any undertaking operating on the internet and providing services to consumers, which is the data controller and the provider of information society services shall, without undue delay, notify the national regulatory authority or the competent authority according to the individual law of the Member State and the subscriber or individual concerned of such a breach. The notification to the competent authority shall at least describe the nature of the breach and the contact points where more information can be obtained, and shall recommend measures to mitigate its possible negative effects. The notification to the competent authority shall, in addition, describe the consequences of the personal data breach and the measures proposed or taken by the provider to address the breach. 3. In the case of a personal data breach, the provider of publicly available electronic communications services shall assess the scope of the personal data breach, evaluate its seriousness and consider whether it is necessary to notify the subscriber or individual concerned shall at least describe the nature of the breach and the contact points where more information can be obtained, and shall recommend measures to mitigate possible negative effects of the personal data breach to the competent national authority shall, in addition, describe the consequences of the personal data breach and subscriber concerned, taking into account the relevant rules set by the competent national authority in accordance with paragraph 4.
3a. Notification of a personal data breach to a subscriber or individual concerned shall not be required if the provider of publicly available electronic communications services has demonstrated to the satisfaction of the competent authority that no harm to the rights and interests of consumers is reasonably likely to occur as a result of the personal data breach. The provider of publicly available electronic communications services, as well as any undertaking operating on the Internet and providing services has demonstrated to consumers, which is the data controller and the provider of information society services, shall notify their users beforehand to avoid imminent and direct danger to the rights and interests of consumers. When the personal data breach represents a serious risk for the subscriber's privacy, the provider of publicly available electronic communications services shall notify the satisfaction of the competent national authority that no harm to the rights and the subscriber of consumers is reasonably likely to occur as a result of the breach without undue delay.
3b. Notification of a personal data breach to a subscriber or individual concerned shall not be required if the provider has demonstrated to the satisfaction of the competent authority that it has implemented appropriate technological protection measures, and those measures were applied to the data concerned by the security breach. Such technological protection measures shall render the data unintelligible to any person who is not authorised to access the data. 3b. Notification of a security breach to a subscriber or individual concerned shall not be required if the provider has demonstrated to the satisfaction of the competent authority that it has implemented appropriate technological protection measures, and those measures were applied to the data concerned by the security breach. Such technological protection measures shall render the data unintelligible to any person who is not authorized to access the data. The notification to the subscriber shall at least describe the nature of the personal data breach and the contact points where more information can be obtained, and shall recommend measures to mitigate the possible negative effects of the personal data breach. The notification to the competent national authority shall, in addition, describe the consequences of, and those measures were applied to the measures proposed or taken by the provider to address, the personal data breach.
3c. Member States shall ensure that the competent national authority is able to set detailed rules and, where necessary, issue instructions concerning the circumstances when the notification of personal data breaches by the provider of a publicly available electronic communications service is required, in compliance with paragraphs 3a and 3b, the format applicable to such notification, as well as the manner in which the notification is made. Competent national authorities shall also monitor whether companies have complied with their notification obligations under this Article and impose appropriate sanctions and remedies, including publication, as appropriate, in the event of a failure to do so. 3c. Member States shall ensure that the competent national authority is able to set detailed rules and, where necessary, issue instructions concerning the circumstances when the notification of personal data breaches by the provider of a publicly available electronic communications service is required, in compliance with paragraphs 3a and 3b, the format applicable to such notification, as well as the manner in which the notification is made. Competent national authorities shall also monitor whether companies have complied with their notification obligations under this Article and impose appropriate sanctions and remedies, including publication, as appropriate, in the event of a failure to do so. 3c. Member States shall ensure that the competent national authority is able to set detailed rules and, where necessary, issue instructions concerning the circumstances when the notification of personal data breaches by the provider of a publicly available electronic communications service is required, in compliance with paragraphs 3a and 3b, the format applicable to such notification, as well as the manner in which the notification is made. Competent national authorities shall also monitor whether companies have complied with their notification obligations under this Article and impose appropriate sanctions and remedies, including publication, as appropriate, in the event of a failure to do so.
(29) A breach of security resulting in the loss or compromising of personal data of a subscriber or individual may, if not addressed in an adequate and timely manner, result in substantial harm to users, such as economic loss, social harm or identity theft. Therefore, subscribers concerned by such security incidents should be notified by the relevant service provider of every security breach without delay in order to be able to take the necessary precautions. In particular, in cases where there is an imminent and direct danger for consumers' rights and interests (such as in cases of unauthorised access to the content of e-mails, access to credit card records, etc.), it is essential that the relevant service providers notify affected users immediately. Providers should also notify affected users once a year of all breaches of security under this Directive that occurred during the preceding twelve months. The notification to the national authorities and to users should include information about measures taken by the provider to address the breach, as well as recommendations for the protection of the users affected. (29) A breach of security resulting in the loss or compromising of personal data of a subscriber or individual may, if not addressed in an adequate and timely manner, result in substantial harm to users. Therefore, the national regulatory authority or other competent national authority should be notified by the relevant service provider of every security breach without delay. The competent authority should determine the seriousness of the breach and should require the relevant service providers to give an appropriate notification without undue delay in order to be able to take the persons affected by the breach, as appropriate. Furthermore, and in cases where there is an imminent and direct danger for consumers' rights and interests (such as in cases of unauthorized access to the content of e-mails, access to credit card records, etc.), it is essential that the relevant service providers should, in addition to the competent national authorities, immediately notify affected users directly. Finally, providers should annually notify affected users once a year of all breaches of security under this Directive that occurred during the relevant time period. The notification to the national authorities and to users should include information about measures taken by the provider to address the breach, as well as recommendations for the protection of the users affected. ''(47) A breach of security resulting in the loss or compromising of personal data of an individual subscriber may, if not addressed in an adequate and timely manner, result in substantial harm to users, such as economic loss and social harm, including identity fraud. Therefore, as soon as the provider of publicly available electronic communications service becomes aware that such a breach has occurred, it should assess the risks associated with it, e.g. by establishing the type of data affected by the breach (including their sensitivity, context and the security measures in place), the cause and extent of unauthorised access to the breach, the number of subscribers affected and the possible harm for subscribers as a result of the breach (e.g. identity theft, financial loss, loss of business or employment opportunities or physical harm). The subscribers concerned by security incidents that could result in a serious risk to their privacy (e.g. identity theft or fraud, physical harm, significant humiliation or damage to reputation) should be notified without delay in order to allow them to take the necessary precautions. The notification to the national authorities and to users should include information about measures taken by the provider to address the breach, as well as recommendations for the users affected. Notification of a security breach to a subscriber should not be required if the provider has demonstrated to the competent authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the security breach. Such technological protection measures should render the data unintelligible to any person who is not authorised to access it.''
3a. The competent authority shall consider and determine the seriousness of the breach. If the breach is deemed to be serious, the competent authority shall require the provider of publicly available electronic communications services and the provider of information society services to give an appropriate notification without undue delay to the persons affected by the breach. The notification shall contain the elements described in paragraph 3. 4. Member States shall ensure that the competent national authority is able to set detailed rules and, where necessary, issue instructions concerning the circumstances in which notification of personal data breaches by providers of a publicly available electronic communications service is necessary, the format applicable to such notification and the manner in which the notification is to be made.
The notification of a serious breach may be postponed in cases where the notification may hinder the progress of a criminal investigation related to the serious breach.
Providers shall annually notify affected users of all breaches of security that have led to the accidental or unlawful destruction, loss or alteration or the unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed in connection with the provision of publicly available communications services in the Community.
National regulatory authorities shall also monitor whether companies have complied with their notification obligations under this Article and impose appropriate sanctions, including publication, as appropriate, in the event of a failure to do so.
3b. The seriousness of a breach requiring notification to subscribers shall be determined according to the circumstances of the breach, such as the risk to the personal data affected by the breach, the type of data affected by the breach, the number of subscribers involved, and the immediate or potential impact of the breach on the provision of services.
5. In order to ensure consistency in implementation of the measures referred to in paragraphs 1 to 4 the Commission may, following consultation with the European Network and Information Security Agency (ENISA), the Article 29 Working Party and the European Data Protection Supervisor, adopt recommendations concerning, inter alia, the circumstances, format and procedures applicable to the information and notification requirements referred to in this Article.
4. In order to ensure consistency in implementation of the measures referred to in paragraphs 1 to 3d, the Commission may, following consultation with the European Data Protection Supervisor, the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established by Article 29 of Directive 95/46/EC, relevant stakeholders and ENISA, adopt technical implementing measures concerning inter alia the measures set out in paragraph 1a and the circumstances, format and procedures applicable to information and notification requirements referred to in paragraphs 3a to 3d. 4. In order to ensure consistency in implementation of the measures referred to in paragraphs 1 to 3b, the Commission shall, following consultation with the European Data Protection Supervisor, the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established by Article 29 of Directive 95/46/EC, relevant stakeholders and ENISA, recommend technical implementing measures concerning inter alia the measures set out in paragraph 1a and the circumstances, format and procedures applicable to information and notification requirements referred to in paragraphs 3a and 3b. 4. In order to ensure consistency in implementation of the measures referred to in paragraphs 1 to 3d, the Commission may, following consultation with the European Data Protection Supervisor, the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established by Article 29 of Directive 95/46/EC, relevant stakeholders and ENISA, adopt technical implementing measures concerning inter alia the measures set out in paragraph 1a and the circumstances, format and procedures applicable to information and notification requirements referred to in paragraphs 3a to 3d.
The Commission shall involve all relevant stakeholders, particularly in order to be informed of the best available technical and economic methods for improving the implementation of this Directive. The Commission shall involve all relevant stakeholders, particularly in order to be informed of the best available technical and economic methods for improving the implementation of this Directive. The Commission shall involve all relevant stakeholders, particularly in order to be informed of the best available technical and economic methods for improving the implementation of this Directive.
Those measures designed to amend non-essential elements of this Directive by supplementing it shall be adopted in accordance with the regulatory procedure with scrutiny referred to in Article 14a (2). On imperative grounds of urgency, the Commission may use the urgency procedure referred to in Article 14a (3). Those measures designed to amend non-essential elements of this Directive by supplementing it shall be adopted in accordance with the regulatory procedure with scrutiny referred to in Article 14a (2). On imperative grounds of urgency, the Commission may use the urgency procedure referred to in Article 14a (3). Those measures designed to amend non-essential elements of this Directive by supplementing it shall be adopted in accordance with the regulatory procedure with scrutiny referred to in Article 14a (2). On imperative grounds of urgency, the Commission may use the urgency procedure referred to in Article 14a (3).

Article 5

European Commission Amended Proposal European Parliament First Reading Council of European Union Common Position
Article 5 − Confidentiality of the communications Article 5 − Confidentiality of the communications Article 5 − Confidentiality of the communications
1. Member States shall ensure the confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications services, through national legislation. In particular, they shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, except when legally authorised to do so in accordance with Article 15(1). This paragraph shall not prevent technical storage which is necessary for the conveyance of a communication without prejudice to the principle of confidentiality. 1. Member States shall ensure the confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications services, through national legislation. In particular, they shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, except when legally authorised to do so in accordance with Article 15(1). This paragraph shall not prevent technical storage which is necessary for the conveyance of a communication without prejudice to the principle of confidentiality. 1. Member States shall ensure the confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications services, through national legislation. In particular, they shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, except when legally authorised to do so in accordance with Article 15(1). This paragraph shall not prevent technical storage which is necessary for the conveyance of a communication without prejudice to the principle of confidentiality.
2. Paragraph 1 shall not affect any legally authorised recording of communications and the related traffic data when carried out in the course of lawful business practice for the purpose of providing evidence of a commercial transaction or of any other business communication. 2. Paragraph 1 shall not affect any legally authorised recording of communications and the related traffic data when carried out in the course of lawful business practice for the purpose of providing evidence of a commercial transaction or of any other business communication. 2. Paragraph 1 shall not affect any legally authorised recording of communications and the related traffic data when carried out in the course of lawful business practice for the purpose of providing evidence of a commercial transaction or of any other business communication.
3. Member States shall ensure that the storing of information, or gaining access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user. 3. Member States shall ensure that the storing of information, or gaining access to information already stored, in the terminal equipment of a subscriber or user, either directly or indirectly by means of any kind of storage medium, is prohibited unless the subscriber or user concerned has given his/her prior consent, taking into account that browser settings constitute prior consent, and is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communication network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user. 3. Member States shall ensure that the storing of information, or gaining access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.

Article 6

European Commission Amended Proposal European Parliament First Reading Council of European Union Common Position
Article 6 − Traffic data Article 6 − Traffic data Article 6 − Traffic data
1. Traffic data relating to subscribers and users processed and stored by the provider of a public communications network or publicly available electronic communications service must be erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication without prejudice to paragraphs 2, 3 and 5 of this Article and Article 15(1). 1. Traffic data relating to subscribers and users processed and stored by the provider of a public communications network or publicly available electronic communications service must be erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication without prejudice to paragraphs 2, 3 and 5 of this Article and Article 15(1). 1. Traffic data relating to subscribers and users processed and stored by the provider of a public communications network or publicly available electronic communications service shall be erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication. This shall be without prejudice to paragraphs 2, 3, 5 and 7 of this Article and Article 15(1).
2. Traffic data necessary for the purposes of subscriber billing and interconnection payments may be processed. Such processing is permissible only up to the end of the period during which the bill may lawfully be challenged or payment pursued. 2. Traffic data necessary for the purposes of subscriber billing and interconnection payments may be processed. Such processing is permissible only up to the end of the period during which the bill may lawfully be challenged or payment pursued. 2. Traffic data necessary for the purposes of subscriber billing and interconnection payments may be processed. Such processing is permissible only up to the end of the period during which the bill may lawfully be challenged or payment pursued.
3. For the purpose of marketing electronic communications services or for the provision of value added services, the provider of a publicly available electronic communications service may process the data referred to in paragraph 1 to the extent and for the duration necessary for such services or marketing, if the subscriber or user to whom the data relate has given his/her prior consent. Users or subscribers shall be given the possibility to withdraw their consent for the processing of traffic data at any time. 3. For the purpose of marketing electronic communications services or for the provision of value added services, the provider of a publicly available electronic communications service may process the data referred to in paragraph 1 to the extent and for the duration necessary for such services or marketing, if the subscriber or user to whom the data relate has given his/her prior consent. Users or subscribers shall be given the possibility to withdraw their consent for the processing of traffic data at any time. 3. For the purpose of marketing electronic communications services or for the provision of value added services, the provider of a publicly available electronic communications service may process the data referred to in paragraph 1 to the extent and for the duration necessary for such services or marketing, if the subscriber or user to whom the data relate has given his or her prior consent. Users or subscribers shall be given the possibility to withdraw their consent for the processing of traffic data at any time.
4. The service provider must inform the subscriber or user of the types of traffic data which are processed and of the duration of such processing for the purposes mentioned in paragraph 2 and, prior to obtaining consent, for the purposes mentioned in paragraph 3. 4. The service provider must inform the subscriber or user of the types of traffic data which are processed and of the duration of such processing for the purposes mentioned in paragraph 2 and, prior to obtaining consent, for the purposes mentioned in paragraph 3. 4. The service provider must inform the subscriber or user of the types of traffic data which are processed and of the duration of such processing for the purposes mentioned in paragraph 2 and, prior to obtaining consent, for the purposes mentioned in paragraph 3.
5. Processing of traffic data, in accordance with paragraphs 1, 2, 3 and 4, must be restricted to persons acting under the authority of providers of the public communications networks and publicly available electronic communications services handling billing or traffic management, customer enquiries, fraud detection, marketing electronic communications services or providing a value added service, and must be restricted to what is necessary for the purposes of such activities. 5. Processing of traffic data, in accordance with paragraphs 1, 2, 3 and 4, must be restricted to persons acting under the authority of providers of the public communications networks and publicly available electronic communications services handling billing or traffic management, customer enquiries, fraud detection, marketing electronic communications services or providing a value added service, and must be restricted to what is necessary for the purposes of such activities. 5. Processing of traffic data, in accordance with paragraphs 1, 2, 3 and 4, must be restricted to persons acting under the authority of providers of the public communications networks and publicly available electronic communications services handling billing or traffic management, customer enquiries, fraud detection, marketing electronic communications services or providing a value added service, and must be restricted to what is necessary for the purposes of such activities.
6. Paragraphs 1, 2, 3 and 5 shall apply without prejudice to the possibility for competent bodies to be informed of traffic data in conformity with applicable legislation with a view to settling disputes, in particular interconnection or billing disputes. 6. Paragraphs 1, 2, 3 and 5 shall apply without prejudice to the possibility for competent bodies to be informed of traffic data in conformity with applicable legislation with a view to settling disputes, in particular interconnection or billing disputes. 6. Paragraphs 1, 2, 3 and 5 shall apply without prejudice to the possibility for competent bodies to be informed of traffic data in conformity with applicable legislation with a view to settling disputes, in particular interconnection or billing disputes.
6a. Traffic data may be processed for the legitimate interest of the data controller for the purpose of implementing technical measures to ensure the network and information security, as defined by Article 4(c) of Regulation (EC) 460/2004 of the European Parliament and of the Council of 10 March 2004 establishing the European Network and Information Security Agency (OJ L 77, 13.3.2004, p. 1.), of a public electronic communication service, a public electronic communications network or related terminal and electronic communication equipment, except where such interests are overridden by the interests of the fundamental rights and freedoms of the data subject. Such processing shall be restricted to that which is strictly necessary for the purposes of such security activity. 6a. Without prejudice to compliance with the provisions other than Article 7 of Directive 95/46/EC and Article 5 of this Directive, traffic data may be processed for the legitimate interest of the data controller for the purpose of implementing technical measures to ensure the network and information security, as defined by Article 4 (c) of Regulation (EC) 460/2004 of the European Parliament and of the Council of 10 March 2004 establishing the European Network and Information Security Agency (OJ L 77, 13.3.2004, p. 1.), of a public electronic communication service, a public or private electronic communications network, an information society service or related terminal and electronic communication equipment, except where such interests are overridden by the interests for the fundamental rights and freedoms of the data subject. Such processing must be restricted to that which is strictly necessary for the purposes of such security activity. 7. Traffic data may be processed to the extent strictly necessary to ensure the network and information security, as defined by Article 4(c) of Regulation (EC) No 460/2004 of the European Parliament and of the Council of 10 March 2004 establishing the European Network and Information Security Agency (OJ L 77, 13.3.2004, p. 1.).
(26b) The processing of traffic data for the purpose of ensuring network and information security, including ensuring the availability, authenticity, integrity and confidentiality of stored or transmitted data, by providers of security services acting as data controllers would, under normal circumstances, be considered to be for the legitimate interest of the data controller within the meaning of Article 7(f) of Directive 95/46/EC. This could for example include preventing unauthorized access to electronic communications networks, or denial of service attacks. (26b) The processing of traffic data for the purpose of ensuring network and information security purposes, ensuring the availability, authenticity, integrity and confidentiality of stored or transmitted data will enable the processing of such data controllers would, under normal circumstances, be considered to be for the legitimate interest of the data controller for the purpose of Article 7(f) of Directive 95/46/EC. This could for example include preventing unauthorized access and malicious code distribution, stopping the denial of service attacks, and damages to computer and electronic communication systems. The European Network and Information Security Agency (ENISA) should publish regular studies with the purpose of illustrating the types of processing allowed under Article 6 of this Directive.'' ''(41) The processing of traffic data to the extent strictly necessary for the purposes of the detection, location and elimination of faults and malfunctions of network and information security, including ensuring the availability, authenticity, integrity and confidentiality of stored or transmitted data, will help prevent unauthorised access and malicious code distribution, "denial of service" attacks and damage to computer and electronic communication systems.''

Article 14

European Commission Amended Proposal European Parliament First Reading Council of European Union Common Position
Article 14 − Technical features and standardisation Article 14 − Technical features and standardisation Article 14 − Technical features and standardisation
1. In implementing the provisions of this Directive, Member States shall ensure, subject to paragraphs 2 and 3, that no mandatory requirements for specific technical features are imposed on terminal or other electronic communication equipment which could impede the placing of equipment on the market and the free circulation of such equipment in and between Member States. 1. In implementing the provisions of this Directive, Member States shall ensure, subject to paragraphs 2 and 3, that no mandatory requirements for specific technical features are imposed on terminal or other electronic communication equipment which could impede the placing of equipment on the market and the free circulation of such equipment in and between Member States. 1 In implementing the provisions of this Directive, Member States shall ensure, subject to paragraphs 2 and 3, that no mandatory requirements for specific technical features are imposed on terminal or other electronic communication equipment which could impede the placing of equipment on the market and the free circulation of such equipment in and between Member States.
2. Where provisions of this Directive can be implemented only by requiring specific technical features in electronic communications networks, Member States shall inform the Commission in accordance with the procedure provided for by Directive 98/34/EC of the European Parliament and of the Council of 22 June 1998 laying down a procedure for the provision of information in the field of technical standards and regulations and of rules on information society services(9). 2. Where provisions of this Directive can be implemented only by requiring specific technical features in electronic communications networks, Member States shall inform the Commission in accordance with the procedure provided for by Directive 98/34/EC of the European Parliament and of the Council of 22 June 1998 laying down a procedure for the provision of information in the field of technical standards and regulations and of rules on information society services(9). 2. Where provisions of this Directive can be implemented only by requiring specific technical features in electronic communications networks, Member States shall inform the Commission in accordance with the procedure provided for by Directive 98/34/EC of the European Parliament and of the Council of 22 June 1998 laying down a procedure for the provision of information in the field of technical standards and regulations and of rules on information society services.
3. Where required, measures may be adopted to ensure that terminal equipment is constructed in a way that is compatible with the right of users to protect and control the use of their personal data, in accordance with Directive 1999/5/EC and Council Decision 87/95/EEC of 22 December 1986 on standardisation in the field of information technology and communications. 3. Where required, measures may be adopted to ensure that terminal equipment is constructed in a way that is compatible with the right of users to protect and control the use of their personal data, in accordance with Directive 1999/5/EC and Council Decision 87/95/EEC of 22 December 1986 on standardisation in the field of information technology and communications. Such measures shall respect the principle of technology neutrality. 3. Where required, measures may be adopted to ensure that terminal equipment is constructed in a way that is compatible with the right of users to protect and control the use of their personal data, in accordance with Directive 1999/5/EC and Council Decision 87/95/EEC of 22 December 1986 on standardisation in the field of information technology and communications.
(35b) Where measures aiming to ensure that terminal equipment is constructed so as to safeguard the protection of personal data and privacy are adopted pursuant to Directive 1999/5/EC or Council Decision 87/95/EEC, such measures should respect the principle of technology neutrality to the greatest extent possible. (35b) Where measures aiming to ensure that terminal equipment is constructed so as to safeguard the protection of personal data and privacy are adopted pursuant to Directive 1999/5/EC or Council Decision 87/95/EEC, such measures should respect the principle of technology neutrality to the greatest extent possible. (35b) Where measures aiming to ensure that terminal equipment is constructed so as to safeguard the protection of personal data and privacy are adopted pursuant to Directive 1999/5/EC or Council Decision 87/95/EEC, such measures should respect the principle of technology neutrality to the greatest extent possible.

Article 15

European Commission Amended Proposal European Parliament First Reading Council of European Union Common Position
Article 15 − Application of certain provisions of Directive 95/46/EC Article 15 − Application of certain provisions of Directive 95/46/EC Article 15 − Application of certain provisions of Directive 95/46/EC
1. Member States may adopt legislative measures to restrict the scope of the rights and obligations provided for in Article 5, Article 6, Article 8(1), (2), (3) and (4), and Article 9 of this Directive when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system, as referred to in Article 13(1) of Directive 95/46/EC. To this end, Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period justified on the grounds laid down in this paragraph. All the measures referred to in this paragraph shall be in accordance with the general principles of Community law, including those referred to in Article 6(1) and (2) of the Treaty on European Union. 1. Member States may adopt legislative measures to restrict the scope of the rights and obligations provided for in Article 5, Article 6, Article 8(1), (2), (3) and (4), and Article 9 of this Directive when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system, as referred to in Article 13(1) of Directive 95/46/EC. To this end, Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period justified on the grounds laid down in this paragraph. All the measures referred to in this paragraph shall be in accordance with the general principles of Community law, including those referred to in Article 6(1) and (2) of the Treaty on European Union. 1. Member States may adopt legislative measures to restrict the scope of the rights and obligations provided for in Article 5, Article 6, Article 8(1), (2), (3) and (4), and Article 9 of this Directive when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system, as referred to in Article 13(1) of Directive 95/46/EC. To this end, Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period justified on the grounds laid down in this paragraph. All the measures referred to in this paragraph shall be in accordance with the general principles of Community law, including those referred to in Article 6(1) and (2) of the Treaty on European Union.
1a. Paragraph 1 shall not apply to data specifically required by Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks to be retained for the purposes referred to in Article 1(1) of that Directive.
1b. Providers of publicly available communications services shall notify the supervisory authority established in accordance with Article 28 of Directive 95/46/EC, without undue delay, of all requests for access to users" personal data received pursuant to paragraph 1, including the legal justification given and the legal procedure followed for each request; the supervisory authority concerned shall notify the appropriate judicial authorities of those cases in which it deems that the relevant provisions of national law have not been complied with. 1b. Providers of publicly available communications services and providers of information society services shall notify the independent data protection authorities, without undue delay, of all requests for access to users" personal data received pursuant to paragraph 1, including the legal justification given and the legal procedure followed for each request; the independent data protection authority concerned shall notify the appropriate judicial authorities of those cases in which it deems that the relevant provisions of national law have not been complied with. 1b. Providers of publicly available communications services shall notify the supervisory authority established in accordance with Article 28 of Directive 95/46/EC, without undue delay, of all requests for access to users" personal data received pursuant to paragraph 1, including the legal justification given and the legal procedure followed for each request; the supervisory authority concerned shall notify the appropriate judicial authorities of those cases in which it deems that the relevant provisions of national law have not been complied with.
2. The provisions of Chapter III on judicial remedies, liability and sanctions of Directive 95/46/EC shall apply with regard to national provisions adopted pursuant to this Directive and with regard to the individual rights derived from this Directive. 2. The provisions of Chapter III on judicial remedies, liability and sanctions of Directive 95/46/EC shall apply with regard to national provisions adopted pursuant to this Directive and with regard to the individual rights derived from this Directive. 2. The provisions of Chapter III on judicial remedies, liability and sanctions of Directive 95/46/EC shall apply with regard to national provisions adopted pursuant to this Directive and with regard to the individual rights derived from this Directive.
3. The Working Party on the Protection of Individuals with regard to the Processing of Personal Data instituted by Article 29 of Directive 95/46/EC shall also carry out the tasks laid down in Article 30 of that Directive with regard to matters covered by this Directive, namely the protection of fundamental rights and freedoms and of legitimate interests in the electronic communications sector. 3. The Working Party on the Protection of Individuals with regard to the Processing of Personal Data instituted by Article 29 of Directive 95/46/EC shall also carry out the tasks laid down in Article 30 of that Directive with regard to matters covered by this Directive, namely the protection of fundamental rights and freedoms and of legitimate interests in the electronic communications sector. 3. The Working Party on the Protection of Individuals with regard to the Processing of Personal Data instituted by Article 29 of Directive 95/46/EC shall also carry out the tasks laid down in Article 30 of that Directive with regard to matters covered by this Directive, namely the protection of fundamental rights and freedoms and of legitimate interests in the electronic communications sector.

Article 15a

European Commission Amended Proposal European Parliament First Reading Council of European Union Common Position
Article 15a − Implementation and enforcement Article 15a − Implementation and enforcement Article 15a − Implementation and enforcement
1. Member States shall lay down the rules on penalties, including penal sanctions where appropriate, applicable to infringements of the national provisions adopted pursuant to this Directive and shall take all measures necessary to ensure that they are implemented. The penalties provided for must be effective, proportionate and dissuasive. The Member States shall notify those provisions to the Commission by the [time limit for implementation of the amending act] at the latest and shall notify it without delay of any subsequent amendment affecting them. 1. Member States shall lay down the rules on penalties, including penal sanctions where appropriate, applicable to infringements of the national provisions adopted pursuant to this Directive and shall take all measures necessary to ensure that they are implemented. The penalties provided for must be effective, proportionate and dissuasive. The Member States shall notify those provisions to the Commission by the [time limit for implementation of the amending act] at the latest and shall notify it without delay of any subsequent amendment affecting them. 1. Member States shall lay down the rules on penalties applicable to infringements of the national provisions adopted pursuant to this Directive and shall take all measures necessary to ensure that they are implemented. The penalties provided for must be effective, proportionate and dissuasive and may be applied to cover the period of any breach, even where the breach has subsequently been rectified. The Member States shall notify those provisions to the Commission by ...(The date referred to in Article 4(1).), and shall notify it without delay of any subsequent amendment affecting them.
2. Without prejudice to any judicial remedy which might be available, Member States shall ensure that the national regulatory authority has the power to order the cessation of the infringements referred to in paragraph 1. 2. Without prejudice to any judicial remedy which might be available, Member States shall ensure that the national regulatory authority has the power to order the cessation of the infringements referred to in paragraph 1. 2. Without prejudice to any judicial remedy which might be available, Member States shall ensure that the competent national regulatory authority and, where relevant, other national bodies have the power to order the cessation of the infringements referred to in paragraph 1.
3. Member States shall ensure that national regulatory authorities have all the investigative powers and resources necessary, including the possibility to obtain any relevant information they might need to monitor and enforce national provisions adopted pursuant to this Directive. 3. Member States shall ensure that national regulatory authorities have all the investigative powers and resources necessary, including the possibility to obtain any relevant information they might need to monitor and enforce national provisions adopted pursuant to this Directive. 3. Member States shall ensure that the competent national authority and, where relevant, other national bodies have all necessary investigative powers and resources, including the power to obtain any relevant information they might need to monitor and enforce national provisions adopted pursuant to this Directive.
4. In order to ensure effective cross-border co-operation in the enforcement of the national laws adopted pursuant to this Directive and to create harmonised conditions for the provision of services involving cross-border data flows, the Commission may adopt technical implementing measures, following consultation with the Working Party on the Protection of Individuals with regard to the Procesing of Personal Data established by the Article 29 of Directive 95/46/EC ("Article 29 Data Protection Working Party"), the relevant regulatory authorities and, where appropriate, ENISA. 4. In order to ensure effective cross-border co-operation in the enforcement of the national laws adopted pursuant to this Directive and to create harmonised conditions for the provision of services involving cross-border data flows, the Commission may adopt technical implementing measures, following consultation with ENISA, the Working Party on the Protection of Individuals with regard to the Procesing of Personal Data established by the Article 29 of Directive 95/46/EC ("Article 29 Data Protection Working Party and the relevant regulatory authorities. 4. In order to ensure effective cross-border cooperation in the enforcement of the national laws adopted pursuant to this Directive and to create harmonised conditions for the provision of services involving cross-border data flows, the Commission may adopt recommendations, following consultation with ENISA, the Working Party on the Protection of Individuals with regard to the Procesing of Personal Data established by the Article 29 of Directive 95/46/EC ("Article 29 Data Protection Working Party and the relevant regulatory authorities.
The measures designed to amend non-essential elements of this Directive by supplementing it shall be adopted in accordance with the regulatory procedure with scrutiny referred to in Article 14a (2). On imperative grounds of urgency, the Commission may use the urgency procedure referred to in Article 14a (3). The measures designed to amend non-essential elements of this Directive by supplementing it shall be adopted in accordance with the regulatory procedure with scrutiny referred to in Article 14a (2). On imperative grounds of urgency, the Commission may use the urgency procedure referred to in Article 14a (3). The measures designed to amend non-essential elements of this Directive by supplementing it shall be adopted in accordance with the regulatory procedure with scrutiny referred to in Article 14a (2). On imperative grounds of urgency, the Commission may use the urgency procedure referred to in Article 14a (3).
(26c) When defining the implementing measures on the security of processing, in accordance with the regulatory procedure with scrutiny, the Commission should consult all relevant European authorities and organisations (ENISA, the European Data Protection Supervisor and the Article 29 Working Party) as well as all other relevant stakeholders, particularly in order to be informed of the best available technical and economic methods for improving the implementation of Directive 2002/58/EC. (26c) When defining the implementing measures on the security of processing, in accordance with the regulatory procedure with scrutiny, the Commission should consult all relevant European authorities and organisations (ENISA, the European Data Protection Supervisor and the Article 29 Working Party) as well as all other relevant stakeholders, particularly in order to be informed of the best available technical and economic methods for improving the implementation of Directive 2002/58/EC. (26c) When defining the implementing measures on the security of processing, in accordance with the regulatory procedure with scrutiny, the Commission should consult all relevant European authorities and organisations (ENISA, the European Data Protection Supervisor and the Article 29 Working Party) as well as all other relevant stakeholders, particularly in order to be informed of the best available technical and economic methods for improving the implementation of Directive 2002/58/EC.
''(30a) When implementing measures transposing Directive 2002/58/EC, the authorities and courts of the Member States should not only interpret their national law in a manner consistent with that Directive, but should also ensure that they do not rely on an interpretation of that Directive which would be in conflict with other fundamental rights or general principles of Community law, such as the principle of proportionality.''
(36) The need to ensure an adequate level of protection of privacy and personal data transmitted and processed in connection with the use of electronic communications networks in the Community calls for effective implementation and enforcement powers in order to provide adequate incentives for compliance. National regulatory authorities should have sufficient powers and resources to investigate cases of non-compliance effectively, including the possibility to obtain any relevant information they might need, to decide on complaints and to impose sanctions in cases of non-compliance. (36) The need to ensure an adequate level of protection of privacy and personal data transmitted and processed in connection with the use of electronic communications networks in the Community calls for effective implementation and enforcement powers in order to provide adequate incentives for compliance. National regulatory authorities should have sufficient powers and resources to investigate cases of non-compliance effectively, including the possibility to obtain any relevant information they might need, to decide on complaints and to impose sanctions in cases of non-compliance. ''(54) The need to ensure an adequate level of protection of privacy and personal data transmitted and processed in connection with the use of electronic communications networks in the Community calls for effective implementation and enforcement powers in order to provide adequate incentives for compliance. Competent national authorities and, where appropriate, other relevant national bodies should have sufficient powers and resources to investigate cases of non-compliance effectively, including powers to obtain any relevant information they might need, to decide on complaints and to impose sanctions in cases of non-compliance.
''(55) The implementation and enforcement of the provisions of this Directive often require cooperation between the national regulatory authorities of two or more Member States, for example in combating cross-border spam and spyware. In order to ensure smooth and rapid cooperation in such cases, procedures relating for example to the quantity and format of information exchanged between authorities, or deadlines to be complied with, should be defined in recommendations. Such procedures will also allow the resulting obligations of market actors to be harmonised, contributing to the creation of a level playing field in the Community.''

Article 18

European Commission Amended Proposal European Parliament First Reading Council of European Union Common Position
Article 18 − Review Article 18 − Review Article 18 − Review
Not later than three years after By ... (Two years from the date of entry into force of this Directive.), the Commission shall submit to the European Parliament and the Council, having consulted the Article 29 Working Party and the European Data Protection Supervisor, a report on the application of this Directive and its impact on economic operators and consumers, in particular as regards the provisions on unsolicited communications, breach notifications and the use of personal data by public or private third parties for purposes not covered by this Directive, taking into account the international environment. For this purpose, the Commission may request information from the Member States, which shall be supplied without undue delay. Where appropriate, the Commission shall submit proposals to amend this Directive, taking account of the results of that report, any changes in the sector, the Treaty of Lisbon amending the Treaty on European Union and the Treaty establishing the European Community (OJ C 306, 17.12.2007, p. 1.), in particular the new competences in matters of data protection as laid down in Article 16, and any other proposal it may deem necessary in order to improve the effectiveness of this Directive. Not later than three years after <time limit for implementation of the amending act>, the Commission shall submit to the European Parliament and the Council, having consulted the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established by Article 29 of Directive 95/46/EC and the European Data Protection Supervisor, a report on the application of this Directive 2002/58/EC and its impact on economic operators and consumers, in particular as regards the provisions on unsolicited communications, and breach notifications, taking into account the international environment. For this purpose, the Commission may request information from the Member States, which shall be supplied without undue delay. The Commission may submit proposals to amend this Directive, taking account of the results of that report, any changes in the sector and any other proposal it may deem necessary in order to improve the effectiveness of this Directive.
No later than two years from the date of entry into force of Directive 2008/.../EC [amending Directive 2002/22/EC on universal service and users" rights relating to electronic communications networks, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on consumer protection cooperation], the Commission shall submit to the European Parliament, the Council and the European Economic and Social Committee a report, based on an in-depth study, with recommendations on standard uses of IP addresses and the application of the ePrivacy and Data Protection Directives as regards their collection and further processing, following the consultation of the EDPS, the Article 29 Working Party, and other stakeholders to include industry representatives.