E-Privacy/ITRE : Différence entre versions

Amendment 1
Kaja Kallas
S&D
Recital 7

(7) The Member States should be allowed, within the limits of this Regulation, to maintain or introduce national provisions to further specify and clarify the application of the rules of this Regulation in order to ensure an effective application and interpretation of those rules. Therefore, the margin of discretion, which Member States have in this regard, should maintain a balance between the protection of private life and personal data and the free movement of electronic communications data.

(7) The European Data protection board should, where necessary, issue guidance and opinions within the limits of this Regulation to further specify and clarify the application of the rules of this Regulation in order to ensure an effective application and interpretation of those rules. Cooperation and consistency between Member States, in particular between national data protection authorities, is essential to maintain a balance between the protection of private life and personal data and the free movement of electronic communications data in the Union.

Amendment 3
Kaja Kallas
S&D
Recital 19

(19) The content of electronic communications pertains to the essence of the fundamental right to respect for private and family life, home and communications protected under Article 7 of the Charter. Any interference with the content of electronic communications should be allowed only under very clear defined conditions, for specific purposes and be subject to adequate safeguards against abuse. This Regulation provides for the possibility of providers of electronic communications services to process electronic communications data in transit, with the informed consent of all the end-users concerned. For example, providers may offer services that entail the scanning of emails to remove certain pre-defined material. Given the sensitivity of the content of communications, this Regulation sets forth a presumption that the processing of such content data will result in high risks to the rights and freedoms of natural persons. When processing such type of data, the provider of the electronic communications service should always consult the supervisory authority prior to the processing. Such consultation should be in accordance with Article 36 (2) and (3) of Regulation (EU) 2016/679. The presumption does not encompass the processing of content data to provide a service requested by the end-user where the end-user has consented to such processing and it is carried out for the purposes and duration strictly necessary and proportionate for such service. After electronic communications content has been sent by the end-user and received by the intended end-user or end-users, it may be recorded or stored by the end-user, end-users or by a third party entrusted by them to record or store such data. Any processing of such data must comply with Regulation (EU) 2016/679.

(19) The content of electronic communications pertains to the essence of the fundamental right to respect for private and family life, home and communications protected under Article 7 of the Charter. Any interference with the content of electronic communications should be allowed only under very clear defined conditions, for specific purposes and be subject to adequate safeguards against abuse. This Regulation provides for the possibility of providers of electronic communications services to process electronic communications data in transit, with the informed consent of all the end-users concerned. For example, providers may offer services that entail the scanning of emails to remove certain pre-defined material. For services that are provided to users engaged in purely personal or household activities, the consent of the end-user requesting the service should be sufficient. Given the sensitivity of the content of communications, this Regulation sets forth a presumption that the processing of such content data will result in high risks to the rights and freedoms of natural persons. When processing such type of data, the provider of the electronic communications service should always consult the supervisory authority prior to the processing. Such consultation should be in accordance with Article 36 (2) and (3) of Regulation (EU) 2016/679. The presumption does not encompass the processing of content data to provide a service requested by the end-user where the end-user has consented to such processing and it is carried out for the purposes and duration strictly necessary and proportionate for such service. After electronic communications content has been sent by the end-user and received by the intended end-user or end-users, it may be recorded or stored by the end-user, end-users or by a third party entrusted by them to record or store such data. Any processing of such data must comply with Regulation (EU) 2016/679.

Amendment 5
Kaja Kallas
S&D
Recital 23

(23) The principles of data protection by design and by default were codified under Article 25 of Regulation (EU) 2016/679. Currently, the default settings for cookies are set in most current browsers to ‘accept all cookies’. Therefore providers of software enabling the retrieval and presentation of information on the internet should have an obligation to configure the software so that it offers the option to prevent third parties from storing information on the terminal equipment; this is often presented as ‘reject third party cookies’. End-users should be offered a set of privacy setting options, ranging from higher (for example, ‘never accept cookies’) to lower (for example, ‘always accept cookies’) and intermediate (for example, ‘reject third party cookies’ or ‘only accept first party cookies’). Such privacy settings should be presented in a an easily visible and intelligible manner.

(23) The principles of data protection by design and by default were codified under Article 25 of Regulation (EU) 2016/679. Currently, the default settings for cookies are set in most current browsers to ‘accept all cookies’. Therefore providers of software enabling the retrieval and presentation of information on the internet should have an obligation to configure the software so that it offers the option for end-users to choose whether to reject or to accept cookies that are not necessary for the provision of the service requested by the end-user, after being informed of the function of the cookies, how they are used, and how the information gathered is shared. End-users should be offered a set of privacy setting options, ranging from higher (for example, ‘never accept cookies’) to lower (for example, ‘always accept cookies’) and intermediate options according to the types of information they are willing to share, the parties they agree to share it with, the purposes of a cookie, and the possibility to opt out from cross-device tracking. Where the end-user accepts cookies for purpose of targeted advertising, the end-user should also be able to correct the information gathered about him or her to prevent the possible harm caused by inaccurate information. Privacy settings should be presented in a an easily visible and intelligible manner.

Amendment 7
Kaja Kallas
S&D
Recital 24

(24) For web browsers to be able to obtain end-users’ consent as defined under Regulation (EU) 2016/679, for example, to the storage of third party tracking cookies, they should, among others, require a clear affirmative action from the end-user of terminal equipment to signify his or her freely given, specific informed, and unambiguous agreement to the storage and access of such cookies in and from the terminal equipment. Such action may be considered to be affirmative, for example, if end-users are required to actively select ‘accept third party cookies’ to confirm their agreement and are given the necessary information to make the choice. To this end, it is necessary to require providers of software enabling access to internet that, at the moment of installation, end-users are informed about the possibility to choose the privacy settings among the various options and ask them to make a choice. Information provided should not dissuade end-users from selecting higher privacy settings and should include relevant information about the risks associated to allowing third party cookies to be stored in the computer, including the compilation of long-term records of individuals' browsing histories and the use of such records to send targeted advertising. Web browsers are encouraged to provide easy ways for end-users to change the privacy settings at any time during use and to allow the user to make exceptions for or to whitelist certain websites or to specify for which websites (third) party cookies are always or never allowed.

(24) For web browsers or other applications to be able to obtain end-users’ consent as defined under Regulation (EU) 2016/679, for example, to the storage of tracking cookies that are not necessary for the provision of a specific service requested by an end user, they should, among others, require a clear affirmative action from the end-user of terminal equipment to signify his or her freely given, specific informed, and unambiguous agreement to the storage and access of such cookies in and from the terminal equipment. Such action may be considered to be affirmative, for example, if end-users are required to actively select cookies that process data beyond what is necessary for the service to function to confirm their agreement and are given the necessary information to make the choice. Consent should not be valid for cross-device tracking if the end-user was not informed and is not able to opt out. To this end, it is necessary to require providers of software enabling access to internet that, at the moment of installation, end-users are informed about the possibility to choose the privacy settings among the various options and ask them to make a choice. Information provided should not dissuade end-users from selecting higher privacy settings and should include relevant information about the risks associated to allowing certain cookies to be stored in the computer, including the compilation of long-term records of individuals' browsing histories and the use of such records to send targeted advertising. Web browsers or other applications are encouraged to provide easy ways for end-users to change the privacy settings at any time during use and to allow the user to make exceptions for or to whitelist certain parties or cookies that are always or never allowed. In cases where a business model is based on targeted advertising, consent should not be considered as freely given if the access to the service is made conditional to data processing. The end-user should therefore be able to choose between accepting cookies or being provided the service in exchange for payment.

Amendment 8
Kaja Kallas
S&D
Recital 25

(25) Accessing electronic communications networks requires the regular emission of certain data packets in order to discover or maintain a connection with the network or other devices on the network. Furthermore, devices must have a unique address assigned in order to be identifiable on that network. Wireless and cellular telephone standards similarly involve the emission of active signals containing unique identifiers such as a MAC address, the IMEI (International Mobile Station Equipment Identity), the IMSI etc. A single wireless base station (i.e. a transmitter and receiver), such as a wireless access point, has a specific range within which such information may be captured. Service providers have emerged who offer tracking services based on the scanning of equipment related information with diverse functionalities, including people counting, providing data on the number of people waiting in line, ascertaining the number of people in a specific area, etc. This information may be used for more intrusive purposes, such as to send commercial messages to end-users, for example when they enter stores, with personalized offers. While some of these functionalities do not entail high privacy risks, others do, for example, those involving the tracking of individuals over time, including repeated visits to specified locations. Providers engaged in such practices should display prominent notices located on the edge of the area of coverage informing end-users prior to entering the defined area that the technology is in operation within a given perimeter, the purpose of the tracking, the person responsible for it and the existence of any measure the end-user of the terminal equipment can take to minimize or stop the collection. Additional information should be provided where personal data are collected pursuant to Article 13 of Regulation (EU) 2016/679.

(25) Accessing electronic communications networks requires the regular emission of certain data packets in order to discover or maintain a connection with the network or other devices on the network. Furthermore, devices must have a unique address assigned in order to be identifiable on that network. Wireless and cellular telephone standards similarly involve the emission of active signals containing unique identifiers such as a MAC address, the IMEI (International Mobile Station Equipment Identity), the IMSI etc. A single wireless base station (i.e. a transmitter and receiver), such as a wireless access point, has a specific range within which such information may be captured. Service providers have emerged who offer tracking services based on the scanning of equipment related information with diverse functionalities, including people counting, providing data on the number of people waiting in line,ascertaining the number of people in a specific area, etc. This information may be used for more intrusive purposes, such as to send commercial messages to end-users, for example when they enter stores, with personalized offers. While some of these functionalities do not entail high privacy risks, others do, for example, those involving the tracking of individuals over time, including repeated visits to specified locations. Providers engaged in such practices should ask for the consent of the end-users concerned, or where consent is not possible, such practices should be limited to what is strictly necessary for the purpose of statistical counting, be limited in time and space and the data made anonymous or erased as soon as it is no longer needed for this purpose.

Amendment 9
Kaja Kallas
S&D
Recital 26

(26) When the processing of electronic communications data by providers of electronic communications services falls within its scope, this Regulation should provide for the possibility for the Union or Member States under specific conditions to restrict by law certain obligations and rights when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard specific public interests, including national security, defence, public security and the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security and other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests. Therefore, this Regulation should not affect the ability of Member States to carry out lawful interception of electronic communications or take other measures, if necessary and proportionate to safeguard the public interests mentioned above, in accordance with the Charter of Fundamental Rights of the European Union and the European Convention for the Protection of Human Rights and Fundamental Freedoms, as interpreted by the Court of Justice of the European Union and of the European Court of Human Rights. Providers of electronic communications services should provide for appropriate procedures to facilitate legitimate requests of competent authorities, where relevant also taking into account the role of the representative designated pursuant to Article 3(3).

(26) When the processing of electronic communications data by providers of electronic communications services falls within its scope, this Regulation should provide for the possibility for the Union or Member States under specific conditions to restrict by law certain obligations and rights when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard specific public interests, including national security, defence, public security and the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. Therefore, this Regulation should not affect the ability of Member States to carry out lawful interception of electronic communications or take other measures, if necessary and proportionate to safeguard the public interests mentioned above, in accordance with the Charter of Fundamental Rights of the European Union and the European Convention for the Protection of Human Rights and Fundamental Freedoms, as interpreted by the Court of Justice of the European Union and of the European Court of Human Rights. Providers of electronic communications services should provide for appropriate procedures to facilitate legitimate requests of competent authorities, where relevant also taking into account the role of the representative designated pursuant to Article 3(3).

Amendment 10
Kaja Kallas
S&D
Recital 26 a (new)

(26a) In order to safeguard the security and integrity of networks and services, the use of end-to-end encryption should be promoted and, where necessary, be mandatory in accordance with the principles of security and privacy by design. Member States should not impose any obligation on encryption providers, on providers of electronic communications services or on any other organisations (at any level of the supply chain) that would result in the weakening of the security of their networks and services, such as the creation or facilitation of "backdoors".

Amendment 15
Kaja Kallas
S&D
Article 6 – paragraph 2 – point c

(c) the end-user concerned has given his or her consent to the processing of his or her communications metadata for one or more specified purposes, including for the provision of specific services to such end-users, provided that the purpose or purposes concerned could not be fulfilled by processing information that is made anonymous.

(c) the end-user concerned has given his or her consent to the processing of his or her communications metadata for one or more specified purposes, including for the provision of specific services to such end-users, provided that the purpose or purposes concerned could not be fulfilled by processing information that is made anonymous or are not compatible in accordance with Article 6(4) of Regulation (EU) 2016/679, with the purpose for which the personal data were initially collected.

Amendment 16
Kaja Kallas
S&D
Article 6 – paragraph 3 – point a a (new)

(aa) for the sole purpose of the provision of a specific service explicitly requested by an end-user in the course of a purely personal or household activity, if the end-user concerned has consented to the processing of his or her electronic communications content and that service cannot be provided without the processing of such content; or

Amendment 18
Kaja Kallas
S&D
Article 8 – paragraph 1 – point d

(d) if it is necessary for web audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user.

(d) it is necessary in order to obtain information about the technical quality or effectiveness of an information society service that has been delivered, and has no or little impact on the privacy of the end-user concerned.

Amendment 20
Kaja Kallas
S&D
Article 8 – paragraph 2 – subparagraph 1 – point b

(b) a clear and prominent notice is displayed informing of, at least, the modalities of the collection, its purpose, the person responsible for it and the other information required under Article 13 of Regulation (EU) 2016/679 where personal data are collected, as well as any measure the end-user of the terminal equipment can take to stop or minimise the collection.

(b) it is strictly necessary for the purpose of statistical counting, is limited in time and space to the extent strictly necessary for this purpose and the data is made anonymous or erased as soon as it is no longer needed for this purpose.

Amendment 26
Kaja Kallas
S&D
Article 10 – paragraph 1

1. Software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall offer the option to prevent third parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipment.

1. Software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall offer the option to prevent parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipment that is not necessary for the provision of the specific service requested by the end-user. It shall also offer the option to an end-user to choose the extent and types of information the end-user consents to being processed, on the basis of the purpose of the cookie and of the extent to which the information collected is shared with third parties. It shall, in addition, offer the option to opt out from cross-device tracking.

Amendment 27
Kaja Kallas
S&D
Article 10 – paragraph 2

2. Upon installation, the software shall inform the end-user about the privacy settings options and, to continue with the installation, require the end-user to consent to a setting.

2. The software shall inform the end-user about the privacy settings options upon installation and after any update to the software that affects the storing of information on the terminal equipment of the end-user or the processing of information already stored on that equipment.

Amendment 28
Kaja Kallas
S&D
Article 11 – paragraph 1

1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 5 to 8 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests referred to in Article 23(1)(a) to (e) of Regulation (EU) 2016/679 or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests.

1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 5 to 8 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences.

Amendment 29
Kaja Kallas
Article 11 – paragraph 1 a (new)

1a. Member States shall not impose any obligation on undertakings that would result in the weakening of the security and encryption of their networks and services.

Amendment 41
Michel Reimon
Verts/ALE
Recital 2

(2) The content of electronic communications may reveal highly sensitive information about the natural persons involved in the communication, from personal experiences and emotions to medical conditions, sexual preferences and political views, the disclosure of which could result in personal and social harm, economic loss or embarrassment. Similarly, metadata derived from electronic communications may also reveal very sensitive and personal information. These metadata includes the numbers called, the websites visited, geographical location, the time, date and duration when an individual made a call etc., allowing precise conclusions to be drawn regarding the private lives of the persons involved in the electronic communication, such as their social relationships, their habits and activities of everyday life, their interests, tastes etc.

(2) Electronic communications may reveal highly sensitive information about the natural persons involved in the communication, from personal experiences and emotions to medical conditions, sexual preferences and political views, the disclosure of which could result in personal and social harm, economic loss or embarrassment. These data include text, voice, videos, images, sounds, IP and MAC addresses, the numbers called, the websites visited, geographical location, the time, date and duration when an individual made a call etc., allowing precise conclusions to be drawn regarding the private lives of the persons involved in the electronic communication, such as their social relationships, their habits and activities of everyday life, their interests, tastes etc.

Justification: Content and metadata should benefit from the same level of protection as metadata give as much relevant information as content linked to end-users private life

Amendment 44
Michel Reimon
Verts/ALE
Recital 4

(4) Pursuant to Article 8(1) of the Charter and Article 16(1) of the Treaty on the Functioning of the European Union, everyone has the right to the protection of personal data concerning him or her. Regulation (EU) 2016/679 lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. Electronic communications data may include personal data as defined in Regulation (EU) 2016/679.

(4) Pursuant to Article 8(1) of the Charter and Article 16(1) of the Treaty on the Functioning of the European Union, everyone has the right to the protection of personal data concerning him or her. Regulation (EU) 2016/679 lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. Electronic communications data may include personal data as defined in Regulation (EU) 2016/679 while in the case of natural persons electronic communications data is always personal data.

Justification: Clarifies which electronic communications data are personal data

Amendment 46
Michel Reimon
Verts/ALE
Recital 7

(7) The Member States should be allowed, within the limits of this Regulation, to maintain or introduce national provisions to further specify and clarify the application of the rules of this Regulation in order to ensure an effective application and interpretation of those rules. Therefore, the margin of discretion, which Member States have in this regard, should maintain a balance between the protection of private life and personal data and the free movement of electronic communications data.

deleted

Justification: Deletion needed in order to prevent fragmentation in users' protection across the EU.

Amendment 47
Dario Tamburrano, David Borrelli
EFDD
Recital 7

(7) The Member States should be allowed, within the limits of this Regulation, to maintain or introduce national provisions to further specify and clarify the application of the rules of this Regulation in order to ensure an effective application and interpretation of those rules. Therefore, the margin of discretion, which Member States have in this regard, should maintain a balance between the protection of private life and personal data and the free movement of electronic communications data.

deleted

Amendment 48
Michał Boni
EPP
Recital 7

(7) The Member States should be allowed, within the limits of this Regulation, to maintain or introduce national provisions to further specify and clarify the application of the rules of this Regulation in order to ensure an effective application and interpretation of those rules. Therefore, the margin of discretion, which Member States have in this regard, should maintain a balance between the protection of private life and personal data and the free movement of electronic communications data.

(7) The European Data Protection Board should, where necessary, issue guidance and opinions within the limits of this Regulation, to further clarify the application of the rules of this Regulation in order to ensure an effective application and interpretation of those rules. These guidance and opinions should take into account the dual objective of this Regulation, therefore they should maintain a balance between the protection of private life and personal data and the free movement of electronic communications data.

Amendment 49
Michel Reimon
Verts/ALE
Recital 8

(8) This Regulation should apply to providers of electronic communications services, to providers of publicly available directories, and to software providers permitting electronic communications, including the retrieval and presentation of information on the internet. This Regulation should also apply to natural and legal persons who use electronic communications services to send direct marketing commercial communications or collect information related to or stored in end-users’ terminal equipment.

(8) This Regulation should apply to providers of electronic communications services, to providers of publicly available directories, and to software providers permitting electronic communications, including the retrieval and presentation of information on the internet. This Regulation should also apply to natural and legal persons who use electronic communications services to send direct marketing commercial communications or collect information related to, using the input/output, the communication and processing capabilities or stored in end-users’ terminal equipment.

Justification: Clarifies the instances where natural or legal persons are currently interacting with terminal equipment for marketing commercial communications or collect information thus introducing the legal provisions dealing with such instances

Amendment 52
Michał Boni
EPP
Recital 11

(11) The services used for communications purposes, and the technical means of their delivery, have evolved considerably. End-users increasingly replace traditional voice telephony, text messages (SMS) and electronic mail conveyance services in favour of functionally equivalent online services such as Voice over IP, messaging services and web-based e-mail services. In order to ensure an effective and equal protection of end-users when using functionally equivalent services, this Regulation uses the definition of electronic communications services set forth in the [Directive of the European Parliament and of the Council establishing the European Electronic Communications Code24 ]. That definition encompasses not only internet access services and services consisting wholly or partly in the conveyance of signals but also interpersonal communications services, which may or may not be number-based, such as for example, Voice over IP, messaging services and web-based e-mail services. The protection of confidentiality of communications is crucial also as regards interpersonal communications services that are ancillary to another service; therefore, such type of services also having a communication functionality should be covered by this Regulation.

(11) The services used for communications purposes, and the technical means of their delivery, have evolved considerably. End-users increasingly replace traditional voice telephony, text messages (SMS) and electronic mail conveyance services in favour of functionally equivalent online services such as Voice over IP, messaging services and web-based e-mail services. In order to ensure an effective and equal protection of end-users when using functionally equivalent services, this Regulation uses the definition of electronic communications services set forth in the [Directive of the European Parliament and of the Council establishing the European Electronic Communications Code24 ]. That definition encompasses not only internet access services and services consisting wholly or partly in the conveyance of signals but also interpersonal communications services, which may or may not be number-based, such as for example, Voice over IP, messaging services and web-based e-mail services.

_________________

_________________

24 Commission proposal for a Directive of the European Parliament and of the Council establishing the European Electronic Communications Code (Recast) (COM/2016/0590 final - 2016/0288 (COD)).

24 Commission proposal for a Directive of the European Parliament and of the Council establishing the European Electronic Communications Code (Recast) (COM/2016/0590 final - 2016/0288 (COD)).

Amendment 55
Michał Boni
EPP
Recital 12

(12) Connected devices and machines increasingly communicate with each other by using electronic communications networks (Internet of Things). The transmission of machine-to-machine communications involves the conveyance of signals over a network and, hence, usually constitutes an electronic communications service. In order to ensure full protection of the rights to privacy and confidentiality of communications, and to promote a trusted and secure Internet of Things in the digital single market, it is necessary to clarify that this Regulation should apply to the transmission of machine-to-machine communications. Therefore, the principle of confidentiality enshrined in this Regulation should also apply to the transmission of machine-to-machine communications. Specific safeguards could also be adopted under sectorial legislation, as for instance Directive 2014/53/EU.

deleted

Amendment 58
Marian-Jean Marinescu
EPP
Recital 12

(12) Connected devices and machines increasingly communicate with each other by using electronic communications networks (Internet of Things). The transmission of machine-to-machine communications involves the conveyance of signals over a network and, hence, usually constitutes an electronic communications service. In order to ensure full protection of the rights to privacy and confidentiality of communications, and to promote a trusted and secure Internet of Things in the digital single market, it is necessary to clarify that this Regulation should apply to the transmission of machine-to-machine communications. Therefore, the principle of confidentiality enshrined in this Regulation should also apply to the transmission of machine-to-machine communications. Specific safeguards could also be adopted under sectorial legislation, as for instance Directive 2014/53/EU.

(12) Connected devices and machines increasingly communicate with each other by using electronic communications networks (Internet of Things). The transmission of machine-to-machine communications involves the conveyance of signals over a network and, hence, usually constitutes an electronic communications service. In order to ensure full protection of the rights to privacy and confidentiality of communications, and to promote a trusted and secure Internet of Things in the digital single market, it is necessary to clarify that this Regulation should apply to the transmission of machine-to-machine communications. Therefore, the principle of confidentiality enshrined in this Regulation should also apply to the transmission of machine-to-machine communications. Categories of pure machine-to-machine communication such as transmission between network elements (servers, switches) should be exempted as they have no impact on the privacy and confidentiality of communications. Specific safeguards could also be adopted under sectorial legislation, as for instance Directive 2014/53/EU.

Amendment 63
Michel Reimon
Verts/ALE
Recital 13

(13) The development of fast and efficient wireless technologies has fostered the increasing availability for the public of internet access via wireless networks accessible by anyone in public and semi-private spaces such as 'hotspots' situated at different places within a city, department stores, shopping malls and hospitals. To the extent that those communications networks are provided to an undefined group of end-users, the confidentiality of the communications transmitted through such networks should be protected. The fact that wireless electronic communications services may be ancillary to other services should not stand in the way of ensuring the protection of confidentiality of communications data and application of this Regulation. Therefore, this Regulation should apply to electronic communications data using electronic communications services and public communications networks. In contrast, this Regulation should not apply to closed groups of end-users such as corporate networks, access to which is limited to members of the corporation.

(13) The development of fast and efficient wireless technologies has fostered the increasing availability for the public of internet access via wireless networks accessible by anyone in public and semi-private spaces such as 'hotspots' situated at different places within a city, department stores, shopping malls and hospitals. To the extent that those communications networks are provided to an undefined group of end-users, the confidentiality of the communications transmitted through such networks should be protected. The fact that wireless electronic communications services may be ancillary to other services should not stand in the way of ensuring the protection of confidentiality of communications data and application of this Regulation. Therefore, this Regulation should apply to electronic communications data using electronic communications services and communications networks irrespective of whether these services and networks are publicly available or not.

Amendment 64
Michel Reimon
Verts/ALE
Recital 14

(14) Electronic communications data should be defined in a sufficiently broad and technology neutral way so as to encompass any information concerning the content transmitted or exchanged (electronic communications content) and the information concerning an end-user of electronic communications services processed for the purposes of transmitting, distributing or enabling the exchange of electronic communications content; including data to trace and identify the source and destination of a communication, geographical location and the date, time, duration and the type of communication. Whether such signals and the related data are conveyed by wire, radio, optical or electromagnetic means, including satellite networks, cable networks, fixed (circuit- and packet-switched, including internet) and mobile terrestrial networks, electricity cable systems, the data related to such signals should be considered as electronic communications metadata and therefore be subject to the provisions of this Regulation. Electronic communications metadata may include information that is part of the subscription to the service when such information is processed for the purposes of transmitting, distributing or exchanging electronic communications content.

(14) Electronic communications data should be defined in a sufficiently broad and technology neutral way so as to encompass any information concerning the content transmitted or exchanged (electronic communications content) and the information concerning an end-user of electronic communications services processed for the purposes of transmitting, distributing or enabling the exchange of electronic communications content; including data to trace and identify the source and destination of a communication, geographical location and the date, time, duration and the type of communication. Whether such signals and the related data are conveyed by wire, radio, optical or electromagnetic means, including satellite networks, cable networks, fixed (circuit- and packet-switched, including internet) and mobile terrestrial networks, electricity cable systems, the data related to such signals should be considered as electronic communications metadata and therefore be subject to the provisions of this Regulation. Data generated, processed or transmitted by interpersonal communications services for the purpose of sending, transmitting or receiving such communications should be considered as electronic communications metadata from the perspective of the providers of these services but should still be considered as electronic communications content from the perspective of Internet access providers. Electronic communications metadata may include information that is part of the subscription to the service when such information is processed for the purposes of transmitting, distributing or exchanging electronic communications content.

Justification: The definition of metadata depends on which layer of the network is considered. On layer 3 (“transmission” - See the OSI model https://en.wikipedia.org/wiki/OSI_model ), the metadata and the content processed by OTT on higher level (“application” and “content”) are all transmitted together in TCP/IP packets.Telecommunications operators make no distinction between the metadata and the content processed by OTT. From the perspective of operators, these data are the “content” transmitted on the network. This recital should make this technical clarification.

Amendment 67
Michał Boni
EPP
Recital 15

(15) Electronic communications data should be treated as confidential. This means that any interference with the transmission of electronic communications data, whether directly by human intervention or through the intermediation of automated processing by machines, without the consent of all the communicating parties should be prohibited. The prohibition of interception of communications data should apply during their conveyance, i.e. until receipt of the content of the electronic communication by the intended addressee. Interception of electronic communications data may occur, for example, when someone other than the communicating parties, listens to calls, reads, scans or stores the content of electronic communications, or the associated metadata for purposes other than the exchange of communications. Interception also occurs when third parties monitor websites visited, timing of the visits, interaction with others, etc., without the consent of the end-user concerned. As technology evolves, the technical ways to engage in interception have also increased. Such ways may range from the installation of equipment that gathers data from terminal equipment over targeted areas, such as the so-called IMSI (International Mobile Subscriber Identity) catchers, to programs and techniques that, for example, surreptitiously monitor browsing habits for the purpose of creating end-user profiles. Other examples of interception include capturing payload data or content data from unencrypted wireless networks and routers, including browsing habits without the end-users' consent.

(15) Electronic communications data should be treated as confidential. This means that any interference with the transmission of electronic communications data, whether directly by human intervention or through the intermediation of automated processing by machines, without the consent of all the communicating parties should be prohibited. The prohibition of interception of communications data should apply during their conveyance, i.e. until receipt of the content of the electronic communication by the intended addressee. Interception of electronic communications data may occur, for example, when someone other than the communicating parties, listens to calls, reads, scans or stores the content of electronic communications, or the associated metadata for purposes other than the exchange of communications. As technology evolves, the technical ways to engage in interception have also increased. Such ways may range from the installation of equipment that gathers data from terminal equipment over targeted areas, such as the so-called IMSI (International Mobile Subscriber Identity) catchers, to programs and techniques that, for example, surreptitiously monitor browsing habits for the purpose of creating end-user profiles. Other examples of interception include capturing payload data or content data from unencrypted wireless networks and routers, including browsing habits without the end-users' consent.

Amendment 68
Michel Reimon
Verts/ALE
Recital 15

(15) Electronic communications data should be treated as confidential. This means that any interference with the transmission of electronic communications data, whether directly by human intervention or through the intermediation of automated processing by machines, without the consent of all the communicating parties should be prohibited. The prohibition of interception of communications data should apply during their conveyance, i.e. until receipt of the content of the electronic communication by the intended addressee. Interception of electronic communications data may occur, for example, when someone other than the communicating parties, listens to calls, reads, scans or stores the content of electronic communications, or the associated metadata for purposes other than the exchange of communications. Interception also occurs when third parties monitor websites visited, timing of the visits, interaction with others, etc., without the consent of the end-user concerned. As technology evolves, the technical ways to engage in interception have also increased. Such ways may range from the installation of equipment that gathers data from terminal equipment over targeted areas, such as the so-called IMSI (International Mobile Subscriber Identity) catchers, to programs and techniques that, for example, surreptitiously monitor browsing habits for the purpose of creating end-user profiles. Other examples of interception include capturing payload data or content data from unencrypted wireless networks and routers, including browsing habits without the end-users' consent.

(15) Electronic communications data should be treated as confidential. This means that any interference with the electronic communications data, whether directly by human intervention or through the intermediation of automated processing by machines, without the consent of all the communicating parties should be prohibited. For the purpose of this act, interfering means the processing of electronic communications for any purpose not requested by all end-users concerned, whether such process is carried out before, during or after the transmission of communications and includes the interception. The prohibition of interference, including interception of communications data should apply at all levels and steps of the communication, including the storage of communication data. . Interference with electronic communications data may occur, for example, when someone other than the communicating parties, listens to calls, reads, scans or stores the content of electronic communications, or the associated metadata for purposes other than the exchange of communications. Interference also occurs when third parties monitor websites visited, timing of the visits, interaction with others, etc., without the consent of the end-user concerned. As technology evolves, the technical ways to engage in interference have also increased. Such ways may range from the installation of equipment that gathers data from terminal equipment over targeted areas, such as the so-called IMSI (International Mobile Subscriber Identity) catchers, to programs and techniques that, for example, surreptitiously monitor browsing habits for the purpose of creating end-user profiles. Other examples of interference include capturing payload data or content data from unencrypted wireless networks and routers, including browsing habits without the end-users' consent.

Justification: The change would make communications data protected before and after the transmission.

Amendment 71
Eva Kaili
S&D
Recital 15 c (new)

(15c) Providers of electronic communications networks and services now provide their end-users with enhanced features by using communications data before the provider transmits the data through a public network or after the provider has received the data from such a network. These enhanced features include speech-to-text conversion for users with disabilities, digital personal assistants using voice commands, automatic language translation, and message prioritization and sorting. For the purposes of these service providers, electronic communications are not in transmission once the service provider of the intended recipient has received the communications for delivery to the recipient's terminal equipment or until the service provider of the sender has sent the communication to another service provider for eventual delivery to the intended recipient.

Amendment 73
Michel Reimon
Verts/ALE
Recital 17

(17) The processing of electronic communications data can be useful for businesses, consumers and society as a whole. Vis-à-vis Directive 2002/58/EC, this Regulation broadens the possibilities for providers of electronic communications services to process electronic communications metadata, based on end-users consent. However, end-users attach great importance to the confidentiality of their communications, including their online activities, and that they want to control the use of electronic communications data for purposes other than conveying the communication. Therefore, this Regulation should require providers of electronic communications services to obtain end-users' consent to process electronic communications metadata, which should include data on the location of the device generated for the purposes of granting and maintaining access and connection to the service. Location data that is generated other than in the context of providing electronic communications services should not be considered as metadata. Examples of commercial usages of electronic communications metadata by providers of electronic communications services may include the provision of heatmaps; a graphical representation of data using colors to indicate the presence of individuals. To display the traffic movements in certain directions during a certain period of time, an identifier is necessary to link the positions of individuals at certain time intervals. This identifier would be missing if anonymous data were to be used and such movement could not be displayed. Such usage of electronic communications metadata could, for example, benefit public authorities and public transport operators to define where to develop new infrastructure, based on the usage of and pressure on the existing structure. Where a type of processing of electronic communications metadata, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, a data protection impact assessment and, as the case may be, a consultation of the supervisory authority should take place prior to the processing, in accordance with Articles 35 and 36 of Regulation (EU) 2016/679.

(17) The processing of electronic communications data can be useful for businesses, consumers and society as a whole. However, end-users attach great importance to the confidentiality of their communications, including their online activities, and that they want to control the use of electronic communications data for purposes other than conveying the communication. Therefore, this Regulation should require providers of electronic communications services to obtain end-users' consent to process electronic communications metadata, which should include data on the location of the device generated for the purposes of granting and maintaining access and connection to the service. Where a type of processing of electronic communications metadata, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, a data protection impact assessment and, as the case may be, a consultation of the supervisory authority should take place prior to the processing, in accordance with Articles 35 and 36 of Regulation (EU) 2016/679.

Justification: Location data are highly sensitive data especially as they enable one of the highest form of surveillance. Users shall benefit from the higher level of protection.

Amendment 74
Michał Boni
EPP
Recital 17

(17) The processing of electronic communications data can be useful for businesses, consumers and society as a whole. Vis-à-vis Directive 2002/58/EC, this Regulation broadens the possibilities for providers of electronic communications services to process electronic communications metadata, based on end-users consent. However, end-users attach great importance to the confidentiality of their communications, including their online activities, and that they want to control the use of electronic communications data for purposes other than conveying the communication. Therefore, this Regulation should require providers of electronic communications services to obtain end-users' consent to process electronic communications metadata, which should include data on the location of the device generated for the purposes of granting and maintaining access and connection to the service. Location data that is generated other than in the context of providing electronic communications services should not be considered as metadata. Examples of commercial usages of electronic communications metadata by providers of electronic communications services may include the provision of heatmaps; a graphical representation of data using colors to indicate the presence of individuals. To display the traffic movements in certain directions during a certain period of time, an identifier is necessary to link the positions of individuals at certain time intervals. This identifier would be missing if anonymous data were to be used and such movement could not be displayed. Such usage of electronic communications metadata could, for example, benefit public authorities and public transport operators to define where to develop new infrastructure, based on the usage of and pressure on the existing structure. Where a type of processing of electronic communications metadata, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, a data protection impact assessment and, as the case may be, a consultation of the supervisory authority should take place prior to the processing, in accordance with Articles 35 and 36 of Regulation (EU) 2016/679.

(17) The processing of electronic communications data can be useful for businesses, consumers and society as a whole. Vis-à-vis Directive 2002/58/EC, this Regulation broadens the possibilities for providers of electronic communications services to process electronic communications metadata, based on end-users consent. However, end-users attach great importance to the confidentiality of their communications, including their online activities, and that they want to control the use of electronic communications data for purposes other than conveying the communication. Therefore, this Regulation should require providers of electronic communications services to obtain end-users' consent to process electronic communications metadata, which should include data on the location of the device generated for the purposes of granting and maintaining access and connection to the service. Location data that is generated other than in the context of providing electronic communications services should not be considered as metadata. Examples of commercial usages of electronic communications metadata by providers of electronic communications services may include the provision of heatmaps; a graphical representation of data using colours to indicate the presence of individuals. To display the traffic movements in certain directions during a certain period of time, an identifier is necessary to link the positions of individuals at certain time intervals. This identifier would be missing if anonymous data were to be used and such movement could not be displayed. Such usage of electronic communications metadata could, for example, benefit public authorities and public transport operators to define where to develop new infrastructure, based on the usage of and pressure on the existing structure. As an exemption from obtaining end-user´s consent, the processing of metadata for purposes other than those for which they were initially collected should be allowed in cases where the processing is compatible and is subject to specific safeguards, especially pseudonymisation as set forth in point (4) of Article 6 of Regulation (EU) 2016/679, as well as if it is necessary in accordance with Article 6 (1) (f) of Regulation (EU) 2016/679 for the purpose of legitimate interest, provided that the data protection impact assessment was carried out, as prescribed in Article 35 of Regulation (EU) 2016/679.

Amendment 75
Michel Reimon
Verts/ALE
Recital 18

(18) End-users may consent to the processing of their metadata to receive specific services such as protection services against fraudulent activities (by analysing usage data, location and customer account in real time). In the digital economy, services are often supplied against counter-performance other than money, for instance by end-users being exposed to advertisements. For the purposes of this Regulation, consent of an end-user, regardless of whether the latter is a natural or a legal person, should have the same meaning and be subject to the same conditions as the data subject's consent under Regulation (EU) 2016/679. Basic broadband internet access and voice communications services are to be considered as essential services for individuals to be able to communicate and participate to the benefits of the digital economy. Consent for processing data from internet or voice communication usage will not be valid if the data subject has no genuine and free choice, or is unable to refuse or withdraw consent without detriment.

(18) End-users may consent to the processing of their data to receive specific services. In the digital economy, services are often supplied against counter-performance other than money, for instance by end-users being exposed to advertisements. For the purposes of this Regulation, consent of an end-user, regardless of whether the latter is a natural or a legal person, should have the same meaning and be subject to the same conditions as the data subject's consent under Regulation (EU) 2016/679. Consent for processing data will not be valid if the data subject has no genuine and free choice, or is unable to refuse or withdraw consent without detriment. As provided by article 7 of the Regulation (EU) 2016/679, consent is not freely given if it is required to access any service or obtained through insisting and repetitive requests. In order to prevent such abusive requests, end-users shall be able to order service providers to remember their choice not to consent.

Justification: Consent should be freely given for any kind of processing. The GDPR is not making any distinction between processing. This Regulation should not do this either. Furthermore, end-users shall be protected from harassing requests leading to consent fatigue and to forced consent.

Amendment 77
Michel Reimon
Verts/ALE
Recital 19

(19) The content of electronic communications pertains to the essence of the fundamental right to respect for private and family life, home and communications protected under Article 7 of the Charter. Any interference with the content of electronic communications should be allowed only under very clear defined conditions, for specific purposes and be subject to adequate safeguards against abuse. This Regulation provides for the possibility of providers of electronic communications services to process electronic communications data in transit, with the informed consent of all the end-users concerned. For example, providers may offer services that entail the scanning of emails to remove certain pre-defined material. Given the sensitivity of the content of communications, this Regulation sets forth a presumption that the processing of such content data will result in high risks to the rights and freedoms of natural persons. When processing such type of data, the provider of the electronic communications service should always consult the supervisory authority prior to the processing. Such consultation should be in accordance with Article 36 (2) and (3) of Regulation (EU) 2016/679. The presumption does not encompass the processing of content data to provide a service requested by the end-user where the end-user has consented to such processing and it is carried out for the purposes and duration strictly necessary and proportionate for such service. After electronic communications content has been sent by the end-user and received by the intended end-user or end-users, it may be recorded or stored by the end-user, end-users or by a third party entrusted by them to record or store such data. Any processing of such data must comply with Regulation (EU) 2016/679.

(19) Electronic communications pertains to the essence of the fundamental right to respect for private and family life, home and communications protected under Article 7 of the Charter. Any interference with the electronic communications data should be allowed only under very clear defined conditions, for specific purposes and be subject to adequate safeguards against abuse. This Regulation provides for the possibility of providers of electronic communications services to process electronic communications data in transit, with the informed consent of all the end-users concerned. For example, providers may offer services that entail the scanning of emails to remove certain pre-defined material. Given the sensitivity of electronic communications data, this Regulation sets forth a presumption that the processing of such content data will result in high risks to the rights and freedoms of natural persons. When processing such type of data, the provider of the electronic communications service should always consult the supervisory authority prior to the processing. Such consultation should be in accordance with Article 36 (2) and (3) of Regulation (EU) 2016/679. After electronic communications data has been sent by the end-user and received by the intended end-user or end-users, it may be recorded or stored by the end-user, end-users or by a third party entrusted by them to record or store such data. Any processing of such data must comply with Regulation (EU) 2016/679.Where communications data are stored by a third party, this third party shall protect with state of the art security measures applied from end to end, such as encryption, any information whose processing is not necessary to provide the service requested by the end-user.

Justification: Content and metadata should benefit from the same level of protection. Providers should apply state of the art measure, including encryption, to protect communications from end to end.

Amendment 81
Michał Boni
EPP
Recital 21

(21) Exceptions to the obligation to obtain consent to make use of the processing and storage capabilities of terminal equipment or to access information stored in terminal equipment should be limited to situations that involve no, or only very limited, intrusion of privacy. For instance, consent should not be requested for authorizing the technical storage or access which is strictly necessary and proportionate for the legitimate purpose of enabling the use of a specific service explicitly requested by the end-user. This may include the storing of cookies for the duration of a single established session on a website to keep track of the end-user’s input when filling in online forms over several pages. Cookies can also be a legitimate and useful tool, for example, in measuring web traffic to a website. Information society providers that engage in configuration checking to provide the service in compliance with the end-user's settings and the mere logging of the fact that the end-user’s device is unable to receive content requested by the end-user should not constitute access to such a device or use of the device processing capabilities.

(21) Exceptions to the obligation to obtain consent to make use of the processing and storage capabilities of terminal equipment or to access information stored in terminal equipment should be limited to situations that involve no, or only very limited, intrusion of privacy. For instance, consent should not be requested for authorizing the technical storage or access which is strictly necessary and proportionate for the legitimate purpose of enabling the use of a specific service explicitly requested by the end-user. This may include the storing of cookies for the duration of a single established session on a website to keep track of the end-user’s input when filling in online forms over several pages. Consent should also not be necessary if the information processed or stored is necessary to protect privacy, security or safety of the end-user, or to protect confidentiality, integrity, availability and authenticity of the terminal equipment. Cookies can also be a legitimate and useful tool, for example, in measuring web traffic to a website. Information society providers that engage in configuration checking to provide the service in compliance with the end-user's settings and the mere logging of the fact that the end-user’s device is unable to receive content requested by the end-user should not constitute access to such a device or use of the device processing capabilities. As an exemption from obtaining end-user´s consent, the processing of information and data that are or are rendered pseudonymous or anonymous should be allowed or for purposes other than those for which they were initially collected in cases where the processing is compatible and is subject to specific safeguards, especially pseudonymisation as set forth in point (4) of Article 6 of Regulation (EU) 2016/679, as well as if it is necessary in accordance with Article 6 (1) (f) of Regulation (EU) 2016/679 for the purpose of legitimate interest, provided that the data protection impact assessment was carried out, as prescribed in Article 35 of Regulation (EU) 2016/679. Adherence to the data protection certification mechanisms, seals or marks, as defined respectively in Article 40 and Article 42 of Regulation (EU) 2016/679, shall be encouraged and promoted, especially to demonstrate compliance with the Regulation in case of exceptions concerning compatible processing and legitimate interests as described above.

Amendment 86
Michel Reimon
Verts/ALE
Recital 23

(23) The principles of data protection by design and by default were codified under Article 25 of Regulation (EU) 2016/679. Currently, the default settings for cookies are set in most current browsers to ‘accept all cookies’. Therefore providers of software enabling the retrieval and presentation of information on the internet should have an obligation to configure the software so that it offers the option to prevent third parties from storing information on the terminal equipment; this is often presented as ‘reject third party cookies’. End-users should be offered a set of privacy setting options, ranging from higher (for example, ‘never accept cookies’) to lower (for example, ‘always accept cookies’) and intermediate (for example, ‘reject third party cookies’ or ‘only accept first party cookies’). Such privacy settings should be presented in a an easily visible and intelligible manner.

(23) The principles of data protection by design and by default were codified under Article 25 of Regulation (EU) 2016/679. Currently, the default settings for cookies are set in most current browsers to 'accept all cookies', which prevents end-users from providing informed and freely given consent, overloading them with requests. Therefore providers of software enabling the retrieval and presentation of information on the internet should have an obligation to configure the software so that by default prevents cross-domain and cross-devices tracking and third parties from storing information on the terminal equipment or requesting end-users' consent for that; this is often presented as 'reject third party trackers and cookies'. End-users should be offered a set of privacy setting options, ranging from higher (for example, 'never accept trackers and cookies but always reject them') to lower (for example, 'always ask whether to accept trackers and cookies') and intermediate (for example, 'reject all trackers and cookies that are not strictly necessary in order to provide a service explicitly requested by the user’ or ‘reject all cross-domain tracking’). Such privacy settings should be presented in an objective, easily visible and intelligible manner.

Amendment 87
Michał Boni, Krišjānis Kariņš
EPP
Recital 23

(23) The principles of data protection by design and by default were codified under Article 25 of Regulation (EU) 2016/679. Currently, the default settings for cookies are set in most current browsers to ‘accept all cookies’. Therefore providers of software enabling the retrieval and presentation of information on the internet should have an obligation to configure the software so that it offers the option to prevent third parties from storing information on the terminal equipment; this is often presented as ‘reject third party cookies’. End-users should be offered a set of privacy setting options, ranging from higher (for example, ‘never accept cookies’) to lower (for example, ‘always accept cookies’) and intermediate (for example, ‘reject third party cookies’ or ‘only accept first party cookies’). Such privacy settings should be presented in a an easily visible and intelligible manner.

(23) The principles of data protection by design and by default were codified under Article 25 of Regulation (EU) 2016/679. Currently, the default settings for cookies are set in most current browsers to ‘accept all cookies’. Therefore providers of software enabling the retrieval and presentation of information on the internet should have an obligation to inform the end-user about the possibility to express his or her consent using appropriate technical settings. The end-user should be offered multiple options to choose from, including to prevent third parties from storing information on the terminal equipment. End-users should be offered a set of privacy setting options, ranging from, for example, rejecting tracking that is not necessary for the functionality of the website or other software to, for example, accepting tracking necessary for the functionality of the website or other software as well as for other purposes or, for example, accepting tracking necessary for the functionality of the website or other software and tracking for other purposes by parties that demonstrate the compliance with the EU data protection and privacy legislation, for instance in line with Article 40 and 42 of Regulation (EU) 2016/679. Such privacy settings should be presented in an easily visible and intelligible manner.

Amendment 88
Eva Kaili
S&D
Recital 23

(23) The principles of data protection by design and by default were codified under Article 25 of Regulation (EU) 2016/679. Currently, the default settings for cookies are set in most current browsers to ‘accept all cookies’. Therefore providers of software enabling the retrieval and presentation of information on the internet should have an obligation to configure the software so that it offers the option to prevent third parties from storing information on the terminal equipment; this is often presented as ‘reject third party cookies’. End-users should be offered a set of privacy setting options, ranging from higher (for example, ‘never accept cookies’) to lower (for example, ‘always accept cookies’) and intermediate (for example, ‘reject third party cookies’ or ‘only accept first party cookies’). Such privacy settings should be presented in a an easily visible and intelligible manner.

(23) The principles of data protection by design and by default were codified under Article 25 of Regulation (EU) 2016/679. Currently, the default settings for cookies are set in most current browsers to ‘accept all cookies’. Therefore providers of software enabling the retrieval and presentation of information on the internet should have an obligation to configure the software so that it offers the option to prevent third parties from storing information on the terminal equipment; this is often presented as ‘reject third party cookies’. End-users should be offered a set of privacy setting options, ranging from higher (for example, ‘never accept cookies’) to lower (for example, ‘always accept cookies’) and intermediate (for example, ‘reject third party cookies’ or ‘only accept first party cookies’). Such privacy settings should be presented in a an easily visible and intelligible manner. Additionally, when personal data, including transaction data, is collected, it should be anonymised by default. When the end user decides not to allow the collection of their data or metadata they should be allowed to use the relative service to the extent possible, while respecting their choice.

Amendment 91
Michel Reimon
Verts/ALE
Recital 24

(24) For web browsers to be able to obtain end-users’ consent as defined under Regulation (EU) 2016/679, for example, to the storage of third party tracking cookies, they should, among others, require a clear affirmative action from the end-user of terminal equipment to signify his or her freely given, specific informed, and unambiguous agreement to the storage and access of such cookies in and from the terminal equipment. Such action may be considered to be affirmative, for example, if end-users are required to actively select ‘accept third party cookies’ to confirm their agreement and are given the necessary information to make the choice. To this end, it is necessary to require providers of software enabling access to internet that, at the moment of installation, end-users are informed about the possibility to choose the privacy settings among the various options and ask them to make a choice. Information provided should not dissuade end-users from selecting higher privacy settings and should include relevant information about the risks associated to allowing third party cookies to be stored in the computer, including the compilation of long-term records of individuals' browsing histories and the use of such records to send targeted advertising. Web browsers are encouraged to provide easy ways for end-users to change the privacy settings at any time during use and to allow the user to make exceptions for or to whitelist certain websites or to specify for which websites (third) party cookies are always or never allowed.

deleted

Justification: Consent expressed through automated means (for example through technical settings of a software application enabling access to the internet) can never be informed nor valid.

Amendment 92
Michał Boni, Krišjānis Kariņš
EPP
Recital 24

(24) For web browsers to be able to obtain end-users’ consent as defined under Regulation (EU) 2016/679, for example, to the storage of third party tracking cookies, they should, among others, require a clear affirmative action from the end-user of terminal equipment to signify his or her freely given, specific informed, and unambiguous agreement to the storage and access of such cookies in and from the terminal equipment. Such action may be considered to be affirmative, for example, if end-users are required to actively select ‘accept third party cookies’ to confirm their agreement and are given the necessary information to make the choice. To this end, it is necessary to require providers of software enabling access to internet that, at the moment of installation, end-users are informed about the possibility to choose the privacy settings among the various options and ask them to make a choice. Information provided should not dissuade end-users from selecting higher privacy settings and should include relevant information about the risks associated to allowing third party cookies to be stored in the computer, including the compilation of long-term records of individuals' browsing histories and the use of such records to send targeted advertising. Web browsers are encouraged to provide easy ways for end-users to change the privacy settings at any time during use and to allow the user to make exceptions for or to whitelist certain websites or to specify for which websites (third) party cookies are always or never allowed.

(24) For web browsers to be able to obtain end-users’ consent as defined under Regulation (EU) 2016/679, they should, among others, require a clear affirmative action from the end-user of terminal equipment to signify his or her freely given, specific informed, and unambiguous agreement to the storage and access of such cookies or other tracking mechanisms in and from the terminal equipment. Such action may be considered to be affirmative, for example, if end-users are required to actively select one of the offered options to confirm their agreement and are given the necessary information to make the choice. To this end, it is necessary to require providers of software enabling access to internet that, at the moment of installation, end-users are informed about the possibility to choose the privacy settings among the various options and ask them to make a choice. Information provided should not dissuade end-users from selecting higher privacy settings and should include relevant information about the risks associated to allowing third party cookies or other tracking mechanism to be stored in the computer, including the compilation of long-term records of individuals' browsing histories and the use of such records to send targeted advertising. Web browsers are encouraged to provide easy ways for end-users to change the privacy settings at any time during use. Web browsers shall allow the end-user to customise his or her privacy settings for each individual website visited. The website shall be able to communicate to the end-user the fact that their privacy settings may influence his or her customer experience or access to all functionalities of the website and shall be allowed to offer end-user information how to change his or her settings, request consent from the end-user or offer him or her alternative options, such as i.e. subscription or paid access. The choice of end user for specific websites shall be respected by web browsers.

Amendment 96
Michał Boni
EPP
Recital 25

(25) Accessing electronic communications networks requires the regular emission of certain data packets in order to discover or maintain a connection with the network or other devices on the network. Furthermore, devices must have a unique address assigned in order to be identifiable on that network. Wireless and cellular telephone standards similarly involve the emission of active signals containing unique identifiers such as a MAC address, the IMEI (International Mobile Station Equipment Identity), the IMSI etc. A single wireless base station (i.e. a transmitter and receiver), such as a wireless access point, has a specific range within which such information may be captured. Service providers have emerged who offer tracking services based on the scanning of equipment related information with diverse functionalities, including people counting, providing data on the number of people waiting in line, ascertaining the number of people in a specific area, etc. This information may be used for more intrusive purposes, such as to send commercial messages to end-users, for example when they enter stores, with personalized offers. While some of these functionalities do not entail high privacy risks, others do, for example, those involving the tracking of individuals over time, including repeated visits to specified locations. Providers engaged in such practices should display prominent notices located on the edge of the area of coverage informing end-users prior to entering the defined area that the technology is in operation within a given perimeter, the purpose of the tracking, the person responsible for it and the existence of any measure the end-user of the terminal equipment can take to minimize or stop the collection. Additional information should be provided where personal data are collected pursuant to Article 13 of Regulation (EU) 2016/679.

(25) Accessing electronic communications networks requires the regular emission of certain data packets in order to discover or maintain a connection with the network or other devices on the network. Furthermore, devices must have a unique address assigned in order to be identifiable on that network. Wireless and cellular telephone standards similarly involve the emission of active signals containing unique identifiers such as a MAC address, the IMEI (International Mobile Station Equipment Identity), the IMSI etc. A single wireless base station (i.e. a transmitter and receiver), such as a wireless access point, has a specific range within which such information may be captured. Service providers have emerged who offer tracking services based on the scanning of equipment related information with diverse functionalities, including people counting, providing data on the number of people waiting in line, ascertaining the number of people in a specific area, etc. This information may be used for more intrusive purposes, such as to send commercial messages to end-users, for example when they enter stores, with personalized offers. While some of these functionalities do not entail high privacy risks, others do, for example, those involving the tracking of individuals over time, including repeated visits to specified locations. Providers engaged in such practices should ask for the end-user´s consent or should carry out data protection impact assessment and in this case the data collected is or is rendered pseudonymous or anonymous. Where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk, prior consultation with the supervisory authority, as prescribed in Article 36 of Regulation (EU) 2016/679, shall be carried out. Providers should display prominent notices located on the edge of the area of coverage informing end-users prior to entering the defined area that the technology is in operation within a given perimeter, the purpose of the tracking, the person responsible for it and the existence of any measure the end-user of the terminal equipment can take to minimize or stop the collection. Additional information should be provided where personal data are collected pursuant to Article 13 of Regulation (EU) 2016/679.

Amendment 97
Nikolay Barekov
ECR
Recital 25

(25) Accessing electronic communications networks requires the regular emission of certain data packets in order to discover or maintain a connection with the network or other devices on the network. Furthermore, devices must have a unique address assigned in order to be identifiable on that network. Wireless and cellular telephone standards similarly involve the emission of active signals containing unique identifiers such as a MAC address, the IMEI (International Mobile Station Equipment Identity), the IMSI etc. A single wireless base station (i.e. a transmitter and receiver), such as a wireless access point, has a specific range within which such information may be captured. Service providers have emerged who offer tracking services based on the scanning of equipment related information with diverse functionalities, including people counting, providing data on the number of people waiting in line, ascertaining the number of people in a specific area, etc. This information may be used for more intrusive purposes, such as to send commercial messages to end-users, for example when they enter stores, with personalized offers. While some of these functionalities do not entail high privacy risks, others do, for example, those involving the tracking of individuals over time, including repeated visits to specified locations. Providers engaged in such practices should display prominent notices located on the edge of the area of coverage informing end-users prior to entering the defined area that the technology is in operation within a given perimeter, the purpose of the tracking, the person responsible for it and the existence of any measure the end-user of the terminal equipment can take to minimize or stop the collection. Additional information should be provided where personal data are collected pursuant to Article 13 of Regulation (EU) 2016/679.

25. Accessing electronic communications networks requires the regular emission of certain data packets in order to discover or maintain a connection with the network or other devices on the network. Furthermore, devices must have a unique address assigned in order to be identifiable on that network. Wireless and cellular telephone standards similarly involve the emission of active signals containing unique identifiers such as a MAC address, the IMEI (International Mobile Station Equipment Identity), the IMSI etc. A single wireless base station (i.e. a transmitter and receiver), such as a wireless access point, has a specific range within which such information may be captured. Service providers have emerged who offer tracking services based on the scanning of equipment related information with diverse functionalities, including people counting, providing data on the number of people waiting in line, ascertaining the number of people in a specific area, etc. This information may be used for more intrusive purposes, such as to send commercial messages to end-users, for example when they enter stores, with personalized offers. While some of these functionalities do not entail high privacy risks, others do, for example, those involving the tracking of individuals over time, including repeated visits to specified locations. Providers engaged in such practices should seek the consent of, and display prominent notices located on the edge of the area of coverage informing, end-users prior to entering the defined area that the technology is in operation within a given perimeter, the purpose of the tracking, the person responsible for it and the existence of any measure the end-user of the terminal equipment can take to minimize or stop the collection. Personal data must only be collected where this is strictly necessary. That data must be anonymous and erased as soon as it is no longer needed. In order to bolster end-user security, the data should not be provided in real time.

Amendment 101
Michel Reimon
Verts/ALE
Recital 26

(26) When the processing of electronic communications data by providers of electronic communications services falls within its scope, this Regulation should provide for the possibility for the Union or Member States under specific conditions to restrict by law certain obligations and rights when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard specific public interests, including national security, defence, public security and the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security and other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests. Therefore, this Regulation should not affect the ability of Member States to carry out lawful interception of electronic communications or take other measures, if necessary and proportionate to safeguard the public interests mentioned above, in accordance with the Charter of Fundamental Rights of the European Union and the European Convention for the Protection of Human Rights and Fundamental Freedoms, as interpreted by the Court of Justice of the European Union and of the European Court of Human Rights. Providers of electronic communications services should provide for appropriate procedures to facilitate legitimate requests of competent authorities, where relevant also taking into account the role of the representative designated pursuant to Article 3(3).

(26) When the processing of electronic communications data by providers of electronic communications services falls within its scope, this Regulation is without prejudice to the possibility for the Union or Member States under specific conditions to restrict by law certain obligations and rights set under this Regulation when such a restriction is targeted to suspects, requires prior judicial authorisation, and constitutes a necessary and proportionate measure in a democratic society to safeguard specific public interests, including national security, defence, public security and the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security of the Union or of a Member State. Those restrictions should be in accordance with the requirements set out in the Charter and in the European Convention for the Protection of Human Rights and Fundamental Freedoms. Therefore, this Regulation should not affect the ability of Member States to carry out lawful interception of electronic communications or take other measures, if necessary and proportionate to safeguard the public interests mentioned above in accordance with the Charter of Fundamental Rights of the European Union and the European Convention for the Protection of Human Rights and Fundamental Freedoms, as interpreted by the Court of Justice of the European Union and of the European Court of Human Rights. Providers of electronic communications services should provide for appropriate procedures to facilitate legitimate requests of competent authorities, where relevant also taking into account the role of the representative designated pursuant to Article 3(3).

Amendment 120
Michel Reimon
Verts/ALE
Article 2 – paragraph 1

1. This Regulation applies to the processing of electronic communications data carried out in connection with the provision and the use of electronic communications services and to information related to the terminal equipment of end-users.

1. This Regulation applies to : (a) the processing of electronic communications data carried out in connection with the provision and the use of electronic communications services, irrespective of whether a payment of the end-user is required; (b) the processing of information related to or processed by the terminal equipment of end-users; (d) the provision of publicly available directories of users of electronic communication;

Justification: Clarifies the material scope covering all the situations encountered in practice until today

Amendment 122
Michel Reimon
Verts/ALE
Article 2 – paragraph 2 – point c

(c) electronic communications services which are not publicly available;

deleted

Justification: Services not publicly available are excluded from the scope of telecommunications regulations for reasons specific to such regulations. This distinction is irrelevant as regards the confidentiality of communications: all communications should be protected equally, irrespective of end-users' location. Excluding them from this scope would allow organisations to monitor how their employees are using their access to the network, beyond the scope of ensuring the functioning of the network. Moreover, communications originating in a different network but ending in a non-public one might be intercepted with prejudice to the confidentiality of communications.

Amendment 124
Michel Reimon
Article 3 – paragraph 1 – introductory part

1. This Regulation applies to:

1. This Regulation applies to the activities referred to in Article 2 where the user or end-user is in the Union or where the communications services, hardware, software, directories, or direct marketing commercial electronic communications are provided to users or end-users in the Union.

Justification: Aligning the scope with GDPR

Amendment 133
Michał Boni, Krišjānis Kariņš
Article 4 – paragraph 2

2. For the purposes of point (b) of paragraph 1, the definition of ‘interpersonal communications service’ shall include services which enable interpersonal and interactive communication merely as a minor ancillary feature that is intrinsically linked to another service.

deleted

Amendment 135
Michel Reimon
Verts/ALE
Article 4 – paragraph 3 – point b

(b) ‘electronic communications content’ means the content exchanged by means of electronic communications services, such as text, voice, videos, images, and sound;

(b) 'electronic communications content' means the content transmitted, distributed or exchanged by means of electronic communications services, such as text, voice, videos, images, and sound, including electronic communications metadata of other electronic communications services or protocols that are transmitted by using the respective service;

Amendment 137
Peter Kouroumbashev, Miroslav Poche, Carlos Zorrinho
S&D
Article 4 – paragraph 3 – point b

(b) ‘electronic communications content’ means the content exchanged by means of electronic communications services, such as text, voice, videos, images, and sound;

(b) ‘electronic communications content’ means the content exchanged by means of publically accessible electronic communications services, such as text, voice, videos, images, and sound;

Justification: This amendment is to clarify that all private networks should be out of the scope of the regulation.

Amendment 138
Michel Reimon
Verts/ALE
Article 4 – paragraph 3 – point c

(c) ‘electronic communications metadata’ means data processed in an electronic communications network for the purposes of transmitting, distributing or exchanging electronic communications content; including data used to trace and identify the source and destination of a communication, data on the location of the device generated in the context of providing electronic communications services, and the date, time, duration and the type of communication;

(c) 'electronic communications metadata' means data generated, transmitted or processed for the purposes of transmitting, distributing or exchanging electronic communications content, including data used to trace and identify the source and destination of a communication; electronic identifiers and other data broadcasted or emitted by the terminal equipment to identify users' communication or to enable it to connect to an electronic communications service or to another terminal equipment, data on the location of the terminal equipment processed in the context of providing electronic communications services, and the date, time, duration and the type of communication; where metadata of other electronic communications services or protocols are transmitted, distributed or exchanged by using the respective service, they shall be considered electronic communications content for the respective service;

Amendment 140
Peter Kouroumbashev, Carlos Zorrinho
S&D
Article 4 – paragraph 3 – point c

(c) ‘electronic communications metadata’ means data processed in an electronic communications network for the purposes of transmitting, distributing or exchanging electronic communications content; including data used to trace and identify the source and destination of a communication, data on the location of the device generated in the context of providing electronic communications services, and the date, time, duration and the type of communication;

(c) ‘electronic communications metadata’ means all data processed in an open communications network for the purposes of transmitting, distributing or exchanging electronic communications content; including data used to trace and identify the source and destination of a communication, data on the location of the device generated in the context of providing electronic communications services, and the date, time, duration and the type of communication;

Amendment 150
Michel Reimon
Verts/ALE
Article 5 – paragraph 1

Electronic communications data shall be confidential. Any interference with electronic communications data, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing of electronic communications data, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation.

Electronic communications shall be confidential. Any processing of electronic communications data, including any interference with electronic communications data such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance of electronic communications data, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation. This includes electronic communications data that is stored after the transmission has been completed.

Amendment 151
Dario Tamburrano, David Borrelli
EFDD
Article 5 – paragraph 1

Electronic communications data shall be confidential. Any interference with electronic communications data, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing of electronic communications data, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation.

Electronic communications data shall be confidential. Any interference with electronic communications data, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance, or any processing of electronic communications data regardless of whether this data is in transit or stored, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation.

Amendment 152
Michał Boni
EPP
Article 5 – paragraph 1

Electronic communications data shall be confidential. Any interference with electronic communications data, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing of electronic communications data, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation.

Electronic communications data shall be confidential. Any interference with electronic communications data, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception or surveillance of electronic communications data, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation.

Amendment 153
Michel Reimon
Verts/ALE
Article 5 – paragraph 1 a (new)

Confidentiality of electronic communications shall also apply to data related to or processed by terminal equipment and to machine-to-machine communication.

Amendment 164
Michel Reimon
Verts/ALE
Article 6 – paragraph 1 – point b a (new)

(ba) the users concerned have given their consent to the processing of his or her electronic communications data, provided that it is technically and strictly necessary for the provision of an information society service explicitly requested by a user for his or her purely individual usage, solely for the provision of the explicitly requested service and only for the duration necessary for that purpose and without the consent of all users, only where such processing produces effects solely in relation to the user who requested the service and does not adversely affect the fundamental rights of other users.

Amendment 171
Peter Kouroumbashev, Carlos Zorrinho
S&D
Article 6 – paragraph 2 – point a

(a) it is necessary to meet mandatory quality of service requirements pursuant to [Directive establishing the European Electronic Communications Code] or Regulation (EU) 2015/212028 for the duration necessary for that purpose; or

(a) it is necessary to meet mandatory quality of service requirements pursuant to [Directive establishing the European Electronic Communications Code] or Regulation (EU) 2015/212028 for the duration necessary for that purpose; or for the purpose of network planning of the Electronic Communication Systems; or for the purpose of technological innovations, strictly related to the improvement of the network. This should be possible under the following safeguards: approval of the supervisory authority; pseudonymisation of the data, only if anonymisation is not possible for the purpose of the service; the minimum data required should be processed.

_________________

_________________

28 Regulation (EU) 2015/2120 of the European Parliament and of the Council of 25 November 2015 laying down measures concerning open internet access and amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services and Regulation (EU) No 531/2012 on roaming on public mobile communications networks within the Union (OJ L 310, 26.11.2015, p. 1–18).

28 Regulation (EU) 2015/2120 of the European Parliament and of the Council of 25 November 2015 laying down measures concerning open internet access and amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services and Regulation (EU) No 531/2012 on roaming on public mobile communications networks within the Union (OJ L 310, 26.11.2015, p. 1–18).

Justification: This amendment aims to ensure that network planning, favouring the en-users, as well as, technological advancement, needed to provide the improvement of the networks in the digital sphere, should not be obstructed. However, the necessary safeguards should be in place.

Amendment 177
Michel Reimon
Verts/ALE
Article 6 – paragraph 2 – point c

(c) the end-user concerned has given his or her consent to the processing of his or her communications metadata for one or more specified purposes, including for the provision of specific services to such end-users, provided that the purpose or purposes concerned could not be fulfilled by processing information that is made anonymous.

(c) all users concerned have given their specific consent to the processing of their communications metadata by the respective electronic communications service for one or more specified purposes, including for the provision of specific services to such end-users, provided that the purpose or purposes concerned could not be fulfilled by processing data that is made anonymous, and the consent has not been a condition to access or use a service. Providers have to consult the supervisory authority before such processing occurs.

Amendment 178
Michał Boni
Article 6 – paragraph 2 – point c

(c) the end-user concerned has given his or her consent to the processing of his or her communications metadata for one or more specified purposes, including for the provision of specific services to such end-users, provided that the purpose or purposes concerned could not be fulfilled by processing information that is made anonymous.

(c) the end-user concerned has given his or her consent to the processing of his or her communications metadata for one or more specified purposes, including for the provision of specific services to such end-users; or

Amendment 180
Michał Boni, Krišjānis Kariņš
EPP
Article 6 – paragraph 2 – point c a (new)

(c a) the processing of these data for another specified purpose is compatible with the purpose for which the data were initially collected and is subject to specific safeguards, especially pseudonymisation, as set forth in Article 6(4) of Regulation (EU) 2016/679;or

Amendment 181
Michał Boni, Krišjānis Kariņš
EPP
Article 6 – paragraph 2 – point c b (new)

(cb) it is necessary, in accordance with Article 6(1)(f) of Regulation (EU) 2016/679, for the purposes of the legitimate interests pursued by the service provider or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Amendment 186
Michel Reimon
Verts/ALE
Article 6 – paragraph 3 – point a

(a) for the sole purpose of the provision of a specific service to an end-user, if the end-user or end-users concerned have given their consent to the processing of his or her electronic communications content and the provision of that service cannot be fulfilled without the processing of such content; or

(a) all users concerned have given their consent to the processing of his or her electronic communications content for the sole purpose of the provision of a specific service explicitly requested by the end-user, for the duration necessary for that purpose, provided that the provision of that specific service cannot be fulfilled without the processing of such content by the provider, and the consent has not been a condition to access or use a service; or

Amendment 188
Michał Boni
EPP
Article 6 – paragraph 3 – point a

(a) for the sole purpose of the provision of a specific service to an end-user, if the end-user or end-users concerned have given their consent to the processing of his or her electronic communications content and the provision of that service cannot be fulfilled without the processing of such content; or

(a) for the sole purpose of the provision of a specific service to an end-user, if the end-user concerned has given his or her consent to the processing of his or her electronic communications content and the provision of that service cannot be fulfilled without the processing of such content; or

Amendment 191
Rolandas Paksas
EFDD
Article 6 – paragraph 3 a (new)

3a. Any processing based on end-user consent must not adversely affect the rights and freedoms of individuals whose personal data are related to the communication, in particular, their rights to privacy and the protection of their personal data.

Amendment 192
Gunnar Hökmark
Article 7

Article 7

deleted

Storage and erasure of electronic communications data

1. Without prejudice to point (b) of Article 6(1) and points (a) and (b) of Article 6(3), the provider of the electronic communications service shall erase electronic communications content or make that data anonymous after receipt of electronic communication content by the intended recipient or recipients. Such data may be recorded or stored by the end-users or by a third party entrusted by them to record, store or otherwise process such data, in accordance with Regulation (EU) 2016/679.

2. Without prejudice to point (b) of Article 6(1) and points (a) and (c) of Article 6(2), the provider of the electronic communications service shall erase electronic communications metadata or make that data anonymous when it is no longer needed for the purpose of the transmission of a communication.

3. Where the processing of electronic communications metadata takes place for the purpose of billing in accordance with point (b) of Article 6(2), the relevant metadata may be kept until the end of the period during which a bill may lawfully be challenged or a payment may be pursued in accordance with national law.

Justification: Overlapping with GDPR (Regulation (EU) 2016/679)

Amendment 197
Michel Reimon
Verts/ALE
Article 7 – paragraph 2

2. Without prejudice to point (b) of Article 6(1) and points (a) and (c) of Article 6(2), the provider of the electronic communications service shall erase electronic communications metadata or make that data anonymous when it is no longer needed for the purpose of the transmission of a communication.

2. Without prejudice to point (b) and (c) of Article 6(1) and point (c) of Article 6(2), the provider of the electronic communications service shall erase electronic communications metadata when it is no longer needed for the purpose of the transmission of a communication

Justification: Communication data are highly structured data that cannot be fully anonymised. Therefore, only the end-users should decide whether to be subject to such processing.Furthermore, freedom of expression requires that individuals should be free to express or not their opinion and to choose how and where to express it.Using their communications for other purposes than the one they choose is against such freedom and should be strictly forbidden.

Amendment 202
Aldo Patriciello
EPP
Article 8 – paragraph 1 – introductory part

1. The use of processing and storage capabilities of terminal equipment and the collection of information from end-users’ terminal equipment, including about its software and hardware, other than by the end-user concerned shall be prohibited, except on the following grounds:

1. The use of processing and storage capabilities of terminal equipment and the collection of information from end-users' terminal equipment, including about its software and hardware, other than by the end-user concerned shall be prohibited, unless the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party and, except on the following grounds:

Amendment 203
Michel Reimon
Verts/ALE
Article 8 – paragraph 1 – introductory part

1. The use of processing and storage capabilities of terminal equipment and the collection of information from end-users’ terminal equipment, including about its software and hardware, other than by the end-user concerned shall be prohibited, except on the following grounds:

1. The use of input, output, processing and storage capabilities of terminal equipment and the collection or processing of information from users' terminal equipment, or making information available through the terminal equipment, including information about and processed by its software and hardware, other than by the user concerned shall be prohibited, excepting the following grounds:

Amendment 207
Michel Reimon
Verts/ALE
Article 8 – paragraph 1 – point b

(b) the end-user has given his or her consent; or

(b) the user has given his or her consent for a specific purpose, and the consent has not been a condition to access or use a service, for the duration necessary for that purpose; or

Amendment 209
Michał Boni, Krišjānis Kariņš
EPP
Article 8 – paragraph 1 – point b a (new)

(b a) the information is or is rendered pseudonymous or anonymous; or

Amendment 210
Herbert Reul, Werner Langen
EPP
Article 8 – paragraph 1 – point c

(c) it is necessary for providing an information society service requested by the end-user; or

(c) it is necessary for providing an information society service requested by the end-user, particularly in order to preserve the integrity or security of the information society service or access to it, to improve what is offered or for measures to protect against unauthorised use of the service in accordance with the terms and conditions of use relating to the provision of services to the end-user; or

Amendment 211
Eva Kaili
S&D
Article 8 – paragraph 1 – point c

(c) it is necessary for providing an information society service requested by the end-user; or

(c) it is necessary for providing an information society service requested by the end-user which shall include inter alia maintaining, operating and managing the integrity, access or security of the information society service, enhancing user experience or measures for preventing unauthorized access to or use of the information society service according to the terms of use for making available the service to the end user; or

Amendment 212
Michel Reimon
Verts/ALE
Article 8 – paragraph 1 – point c

(c) it is necessary for providing an information society service requested by the end-user; or

(c) it is strictly and technically necessary for providing an information society service specifically requested by the user, for the duration necessary for that provision of the service, provided that the provision of that specific service cannot be fulfilled without the processing of such content by the provider; or

Amendment 214
Michel Reimon
Verts/ALE
Article 8 – paragraph 1 – point d

(d) if it is necessary for web audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user.

deleted

Justification: Audience measuring should be based on consent, therefore is covered in b)

Amendment 216
Michał Boni
EPP
Article 8 – paragraph 1 – point d

(d) if it is necessary for web audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user.

(d) if it is necessary to obtain information about technical quality or effectiveness of an information society service that has been delivered or about terminal equipment functionality, and it has no or little impact on the privacy of the end-user concerned; or

Amendment 217
Herbert Reul, Werner Langen
EPP
Article 8 – paragraph 1 – point d

(d) if it is necessary for web audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user.

(d) if it is necessary in order to measure the reach of an information society service desired by the end-user, including measurement of indicators for the use of information society services in order to calculate a payment due.

Amendment 218
Aldo Patriciello
EPP
Article 8 – paragraph 1 – point d

(d) if it is necessary for web audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user.

(d) if it is necessary for audience measuring or other statistical purposes, provided that such measurement is carried out by the provider of the information society service requested by the end-user or on behalf of the provider; or

Amendment 220
Eva Kaili
S&D
Article 8 – paragraph 1 – point d a (new)

(d a) a clear and prominent notice is displayed to the public informing of, at least, the modalities of the collection, its purpose, the person responsible for it and the other information required under Article 13 of Regulation 2016/679/EU where personal data are collected, as well as any measure the end-user of the terminal equipment can take to stop or minimize the collection.

The collection of such information shall be conditional on the application of appropriate technical and organization measures to ensure that the collection and processing of information is limited to what is necessary in relation to the purposes of processing and to ensure a level of security appropriate to the risks, as set out in Article 32 of Regulation 2016/679/EU, have been applied, which may inter alia include pseudonymisation or anonymisation of the information collected as set out in Art. 4 (5) of Regulation (EU) 2016/679

Amendment 221
Michel Reimon
S&D
Article 8 – paragraph 1 – point d a (new)

(da) it is strictly technically necessary for a security update, provided that:

(i) such updates are discreetly packaged and do not in any way change the functionality of the hardware or software or the privacy settings chosen by the user;

(ii) the user is informed in advance each time such an update is being installed; and

(iii) the user has the possibility to postpone or turn off the automatic installation of such updates;

Amendment 223
Aldo Patriciello
EPP
Article 8 – paragraph 1 – point d a (new)

(d a) (e) where the processing is strictly limited to anonymised or pseudonymised data and the entity concerned undertakes to comply with specific privacy safeguards; or

Amendment 226
Anne Sander, Françoise Grossetête, Nadine Morano
EPP
Article 8 – paragraph 1 – point d a (new)

(d a) under the conditions as set out in point (b) of paragraph 2 and paragraph 3

Amendment 227
Michał Boni
EPP
Article 8 – paragraph 1 – point d b (new)

(d b) the processing of these data and information for another specified purpose is compatible with the purpose for which the data were initially collected and is subject to specific safeguards, especially pseudonymisation, as set forth in Article 6(4) of Regulation (EU) 2016/679;or

Amendment 228
Herbert Reul, Werner Langen
EPP
Article 8 – paragraph 1 – point d b (new)

db) in order to mark terminal equipment for advertising purposes, on condition that the person responsible has clearly informed the end-user of this at the beginning of the data processing and has provided an opportunity for objection that is easy to exercise; or

Amendment 229
Aldo Patriciello
EPP
Article 8 – paragraph 1 – point d b (new)

(db) if it used for the personalisation of the electronic communications services provided to end-users

Justification: Justification:Advertisers and, indirectly, broadcasters rely more and more on Online Behavioural Advertisement (OBA) as a basis for their business models.For broadcasters, revenues from advertising and commercial communications play a fundamental role in financing the development, production and licensing of original high-quality EU content.In this regard, OBA is crucial for the future of broadcasting, as financing is gradually shifting to new forms of advertisement.In addition, data can be used to improve the overall user experience and provide more targeted and individualised video viewing experiences – from the type of content that is proposed to users to the way the content is discovered and delivered on the platform.Users also might want to start watching content on one device and continue on another.For all these reasons, there should be exceptions to the consent rule when the processing of personal data is necessary for the purposes of legitimate interest, targeted advertisement (OBA) and/or personalisation of service, notably through audience segmentation.Similarly, the exception for audience measurement (Article 8.1.d) needs clarification.As the Commission acknowledges, audience measurement does not affect end-users’ privacy (Recital 21).However, audience measurement third party cookies are not covered by this exception, while website providers rarely conduct audience measurement in-house.It should at least apply to processors when they have been directly engaged by a website provider.

Amendment 230
Michał Boni
EPP
Article 8 – paragraph 1 – point d c (new)

(d c) it is necessary, in accordance with Article 6(1)(f) of Regulation (EU) 2016/679 for the purposes of the legitimate interests pursued by the service provider or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Amendment 236
Marisa Matias
GUE/NGL
Article 8 – paragraph 2 – subparagraph 1 – point a a (new)

(aa) the end-user has been informed of the purpose for which his or her data are to be used and has given his or her informed consent.

Amendment 237
Michel Reimon
Verts/ALE
Article 8 – paragraph 2 – subparagraph 1 – point a

(a) it is done exclusively in order to, for the time necessary for, and for the purpose of establishing a connection; or

(a) it is done exclusively in order to, for the time necessary for, and for the purpose of establishing a connection, if this connection is requested by the user or the establishing of the connection is an integral part of the terminal equipment's functionality; or

Amendment 238
Michał Boni
EPP
Article 8 – paragraph 2 – subparagraph 1 – point a a (new)

(aa) the end-user has given his or her consent;or

Amendment 239
Marisa Matias
GUE/NGL
Article 8 – paragraph 2 – subparagraph 1 – point b

(b) a clear and prominent notice is displayed informing of, at least, the modalities of the collection, its purpose, the person responsible for it and the other information required under Article 13 of Regulation (EU) 2016/679 where personal data are collected, as well as any measure the end-user of the terminal equipment can take to stop or minimise the collection.

deleted

Amendment 240
Michel Reimon
Verts/ALE
Article 8 – paragraph 2 – subparagraph 1 – point b

(b) a clear and prominent notice is displayed informing of, at least, the modalities of the collection, its purpose, the person responsible for it and the other information required under Article 13 of Regulation (EU) 2016/679 where personal data are collected, as well as any measure the end-user of the terminal equipment can take to stop or minimise the collection.

deleted

Amendment 241
Michał Boni
EPP
Article 8 – paragraph 2 – subparagraph 1 – point b

(b) a clear and prominent notice is displayed informing of, at least, the modalities of the collection, its purpose, the person responsible for it and the other information required under Article 13 of Regulation (EU) 2016/679 where personal data are collected, as well as any measure the end-user of the terminal equipment can take to stop or minimise the collection.

(b) the information collected is or is rendered pseudonymous or anonymous and the data protection impact assessment and, if necessary, a prior consultation with the supervisory authority were carried out, as prescribed respectively in Article 35 and 36 of Regulation (EU) 2016/679, and a clear and prominent notice is displayed informing of, at least, the modalities of the collection, its purpose, the person responsible for it and the other information required under Article 13 of Regulation (EU) 2016/679 where personal data are collected, as well as any measure the end-user of the terminal equipment can take to stop or minimise the collection.

Amendment 242
Peter Kouroumbashev, Miroslav Poche, Carlos Zorrinho
EPP
Article 8 – paragraph 2 – subparagraph 1 – point b

(b) a clear and prominent notice is displayed informing of, at least, the modalities of the collection, its purpose, the person responsible for it and the other information required under Article 13 of Regulation (EU) 2016/679 where personal data are collected, as well as any measure the end-user of the terminal equipment can take to stop or minimise the collection.

(b) a clear and prominent notice is displayed in the public space as a warning, additionally information is sent to terminal equipment providing the end-user with an option of informed consent, as well as with additional information regarding the modalities of the collection, its purpose, the person responsible for it and the other information required under Article 13 of Regulation (EU) 2016/679 where personal data are collected, as well as any measure the end-user of the terminal equipment can take to stop or minimise the collection.

Justification: When wi-fi tracking is in place, it is important that a physical sign, indicating the tracking, is available.However, additionally a notification should be sent to the terminal equipment of the affected users.

Amendment 244
Michel Reimon
Verts/ALE
Article 8 – paragraph 2 – subparagraph 1 – point b a (new)

(b a) the data are immediately anonymised in a way that they cannot be linked to the terminal equipment anymore or used to single out users based on their terminal equipment, and is only further processed for statistical purposes that generate aggregate information;

Amendment 253
Herbert Reul, Werner Langen
EPP
Article 9 – paragraph 1

1. The definition of and conditions for consent provided for under Articles 4(11) and7of Regulation (EU)2016/679/Shall apply.

1. The definition of and conditions for consent provided for under Articles 4(11) and 7(1), (2) and (3) of Regulation (EU) 2016/679 shall apply.

Justification: The reference here to the conditions for consent laid down by Article 7 of Regulation (EU) No 2016/679/EU must at all events be limited to Article 7(1) to (3).The non-applicability of Article 7(4) of Regulation (EU) No 2016/679 to consent pursuant to Article 9 of the proposal for a regulation is necessary because, unlike in Regulation (EU) No 2016/679, data processing based on the general clause concerning justified interests is not provided for in this proposal.

Amendment 254
Herbert Reul, Werner Langen
EPP
Article 9 – paragraph 2

2. Without prejudice to paragraph 1, where technically possible and feasible, for the purposes of point (b) of Article 8(1), consent may be expressed by using the appropriate technical settings of a software application enabling access to the internet.

deleted

Justification: Articles 4(11) and 7 of Regulation (EU) 2016/679 define the conditions for consent and are perfectly sufficient here.The proposal goes beyond these definitions and thus creates a dual regime for consent and renders the situation less clear.Article 9(2) should therefore be deleted.

Amendment 255
Michel Reimon
Verts/ALE
Article 9 – paragraph 2

2. Without prejudice to paragraph 1, where technically possible and feasible, for the purposes of point (b) of Article 8(1), consent may be expressed by using the appropriate technical settings of a software application enabling access to the internet.

2. Without prejudice to paragraph 1, where technically possible and feasible, for the purposes of point (b) of Article 8(1), consent may be expressed by using the appropriate technical specifications for electronic communications services or information society services which allow for specific consent for specific purposes. When such technical specifications are used by the user, they shall be binding on, and enforceable against any other party. Access to a service shall not be denied to an end-user for the sole reason that he or she has refused to give his or her consent to processing which are not strictly necessary for the provision of this service.

Amendment 264
Michel Reimon
Verts/ALE
Article 9 – paragraph 3 a (new)

3 a. A user shall not be denied access to any electronic communications service, information society service or functionality of a terminal equipment, regardless of whether this is remunerated or not, on the mere grounds that he or she has not given his or her consent to

(a) the processing of electronic communications data, metadata or content pursuant to Article 6;or

(b) the use of input, output, processing and storage capabilities of terminal equipment and the collection of information from the users' terminal equipment, or making information available through the terminal equipment, including information about and processed by its software and hardware, pursuant to Article 8(1);or

(c) the collection of information emitted by terminal equipment pursuant to Article 8(2) that is technically not necessary for the provision of that service or functionality.

Amendment 268
Herbert Reul, Werner Langen
EPP
Article 10

Article 10

deleted

Information and options for privacy settings to be provided

1.Software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall offer the option to prevent third parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipment.

2.Upon installation, the software shall inform the end-user about the privacy settings options and, to continue with the installation, require the end-user to consent to a setting.

3.In the case of software which has already been installed on 25 May 2018, the requirements under paragraphs 1 and 2 shall be complied with at the time of the first update of the software, but no later than 25 August 2018.

Justification: Article 25 of Regulation (EU) 2016/679 governs data protection by design and by default.Article 10 of the proposal for a regulation only undermines Article 25 of Regulation (EU) 2016/679 and would hamper most business models.

Amendment 269
Anne Sander, Nadine Morano, Françoise Grossetête
EPP
Article 10

Article 10

deleted

Information and options for privacy settings to be provided

1. Software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall offer the option to prevent third parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipment.

2. Upon installation, the software shall inform the end-user about the privacy settings options and, to continue with the installation, require the end-user to consent to a setting.

3. In the case of software which has already been installed on 25 May 2018, the requirements under paragraphs 1 and 2 shall be complied with at the time of the first update of the software, but no later than 25 August 2018.

Amendment 273
Peter Kouroumbashev, Carlos Zorrinho
S&D
Article 10 – paragraph 1

1. Software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall offer the option to prevent third parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipment.

1. Software and terminal equipment placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall offer a set of four different privacy settings by design, including an option to accept cookies from whitelisted and/or frequently visited information society services.

Justification: This amendment aims at drawing a distinct line between the four different privacy settings that the end-user can chose from.Whitelisted and/or frequently visited information society services means that if an end-user has some preferences towards trusted, frequently visited websites, the end-user allows the collection of their data only on those websites.

Amendment 278
Michał Boni, Krišjānis Kariņš
EPP
Article 10 – paragraph 2

2. Upon installation, the software shall inform the end-user about the privacy settings options and, to continue with the installation, require the end-user to consent to a setting.

2. Upon installation, the software shall inform the end-user about the privacy settings options. The technical settings shall consist of multiple options for end-user to choose from, including an option to prevent other parties from storing information on the terminal equipment of an end-user and from processing information already stored on that equipment. These settings should be easily accessible during the use of the software.

Amendment 281
Michel Reimon
Verts/ALE
Article 10 – paragraph 2

2. Upon installation, the software shall inform the end-user about the privacy settings options and, to continue with the installation, require the end-user to consent to a setting.

2. By default, such hardware or software shall have, enabled by default, privacy settings that prevent other parties from exercising the activities referred to in paragraph 1. If the hardware or software allows for deviating settings, the user shall be informed about the privacy settings options during first use or installation and shall be offered the possibility to change or confirm them.

Amendment 289
Marisa Matias
GUE/NGL
Article 10 – paragraph 3 a (new)

3a. Tracking walls and similar take-it-or-live-it choices regarding privacy should be prohibited in public funded websites and sites with monopoly-like position. The visitors cannot be banned of using the website if they haven't given their prior consent to disclose data.

Amendment 292
Michel Reimon
Verts/ALE
Article 11

Article 11

deleted

Restrictions

1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 5 to 8 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests referred to in Article 23(1)(a) to (e) of Regulation (EU) 2016/679 or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests.

2. Providers of electronic communications services shall establish internal procedures for responding to requests for access to end-users’ electronic communications data based on a legislative measure adopted pursuant to paragraph 1. They shall provide the competent supervisory authority, on demand, with information about those procedures, the number of requests received, the legal justification invoked and their response.

Justification: Replaced by 11a and 11b