E-Privacy/LIBE: Difference between revisions

From La Quadrature du Net
Line 5: Line 5:
 
* [http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+COMPARL+PE-608.160+01+DOC+PDF+V0//EN&language=EN amendments 332-705]
 
* [http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+COMPARL+PE-608.160+01+DOC+PDF+V0//EN&language=EN amendments 332-705]
 
* [http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+COMPARL+PE-608.161+01+DOC+PDF+V0//EN&language=EN amendments 706-827]
 
* [http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+COMPARL+PE-608.161+01+DOC+PDF+V0//EN&language=EN amendments 706-827]
 +
 +
=== Amendment 4 + ===
 +
 +
{| border='1' style='border-spacing:0;  width:100%;' cellpadding='30'
 +
|-
 +
| colspan='2' style='background-color: #AEF279; text-align:center;' |
 +
'''Amendment 4'''<br/>
 +
Marju Lauristin<br/>
 +
'''S&D'''<br/>
 +
Recital 5
 +
|-
 +
|width='50%' style='vertical-align:top;border-top:none;border-bottom:none;'|
 +
(5) The provisions of this Regulation particularise and complement the general rules on the protection of personal data laid down in Regulation (EU) 2016/679 as regards electronic communications data that qualify as personal data. This Regulation therefore '''''does''''' not lower the level of protection enjoyed by natural persons under Regulation (EU) 2016/679. Processing of electronic communications data by providers of electronic communications services should only be permitted in accordance with this Regulation.
 +
|width='50%' style='vertical-align:top;border-top:none;border-bottom:none;'|
 +
(5) The provisions of this Regulation particularise and complement the general rules on the protection of personal data laid down in Regulation (EU) 2016/679 as regards electronic communications data that qualify as personal data. This Regulation therefore '''''should''''' not lower the level of protection enjoyed by natural persons under Regulation (EU) 2016/679'''''. On the contrary,''''' '''''it aims to provide additional, and complementary, safeguards taking into account the need for additional protection as regards the confidentiality of communications'''''. Processing of electronic communications data by providers of electronic communications services should only be permitted in accordance with''''', and on a legal ground specifically provided for under,''''' this Regulation.
 +
|}
 +
 +
 +
It would ensure that article 6 is not overridden by the GDPR legal basis
 +
 +
 +
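Review bot: The comment under Amendment 4 ("It would ensure that article 6 is not overridden by the GDPR legal basis") does not say which instrument "article 6" belongs to, while the recital text above it only cites Regulation (EU) 2016/679. Suggest naming the instrument explicitly and using the same formulation as the comment under Amendment 13 ("this Regulation is not overridden by the GDPR legal basis"), since both make the same argument. The "+" and "-" suffixes in the section headings and the two header colours (#AEF279 and #F55E33) are also unexplained; a one-line legend at the top of the added block would fix that.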
=== Amendment 6 + ===
 +
 +
{| border='1' style='border-spacing:0;  width:100%;' cellpadding='30'
 +
|-
 +
| colspan='2' style='background-color: #AEF279; text-align:center;' |
 +
'''Amendment 6'''<br/>
 +
Marju Lauristin<br/>
 +
'''S&D'''<br/>
 +
Recital 7
 +
|-
 +
|width='50%' style='vertical-align:top;border-top:none;border-bottom:none;'|
 +
'''''(7) The Member States should be allowed, within the limits of this Regulation, to maintain or introduce national provisions to further specify and clarify the application of the rules of this Regulation in order to ensure an effective application and interpretation of those rules. Therefore, the margin of discretion, which Member States have in this regard, should maintain a balance between the protection of private life and personal data and the free movement of electronic communications data.'''''
 +
|width='50%' style='vertical-align:top;border-top:none;border-bottom:none;'|
 +
'''''deleted'''''
 +
|}
 +
 +
 +
The main purpose of this Regulation is to harmonize EU national laws
 +
 +
 +
=== Amendment 7 + ===
 +
 +
{| border='1' style='border-spacing:0;  width:100%;' cellpadding='30'
 +
|-
 +
| colspan='2' style='background-color: #AEF279; text-align:center;' |
 +
'''Amendment 7'''<br/>
 +
Marju Lauristin<br/>
 +
'''S&D'''<br/>
 +
Recital 8
 +
|-
 +
|width='50%' style='vertical-align:top;border-top:none;border-bottom:none;'|
 +
(8) This Regulation should apply to providers of electronic communications services, to providers of publicly available directories, and to software providers permitting electronic communications, including the retrieval and presentation of information on the internet. This Regulation should also apply to natural and legal persons who use electronic communications services to send direct marketing commercial communications or collect information related to or stored in end-users’ terminal equipment.
 +
|width='50%' style='vertical-align:top;border-top:none;border-bottom:none;'|
 +
(8) This Regulation should apply to providers of electronic communications services, to providers of publicly available directories, and to software providers permitting electronic communications, including the retrieval and presentation of information on the internet. This Regulation should also apply to natural and legal persons who use electronic communications services to send direct marketing''''',''''' commercial communications or collect information related to''''', processed by''''' or stored in end-users’ terminal equipment.
 +
|-
 +
| colspan='2' |
 +
''Justification: This amendment clarifies the scope of the Regulation. It takes into account the recommendations of the EDPS, Art 29 Working party, scholars and several stakeholders.''
 +
|}
 +
 +
 +
Information "processed" by terminal equipment is repeatedly missing in the recitals of EC's proposal
 +
 +
 +
=== Amendment 13 + ===
 +
 +
{| border='1' style='border-spacing:0;  width:100%;' cellpadding='30'
 +
|-
 +
| colspan='2' style='background-color: #AEF279; text-align:center;' |
 +
'''Amendment 13'''<br/>
 +
Marju Lauristin<br/>
 +
'''S&D'''<br/>
 +
Recital 15
 +
|-
 +
|width='50%' style='vertical-align:top;border-top:none;border-bottom:none;'|
 +
(15) Electronic communications '''''data''''' should be treated as confidential. This means that any interference with the transmission of electronic communications '''''data''''', whether directly by human intervention or through the intermediation of automated processing by machines, without the consent of all the communicating parties should be prohibited. The prohibition of interception of communications '''''data''''' should apply during their conveyance, i.e. until receipt of the content of the electronic communication by the intended addressee. Interception of electronic communications '''''data''''' may occur, for example, when someone other than the communicating parties, listens to calls, reads, scans or stores the content of electronic communications, or the associated metadata for purposes other than the exchange of communications. Interception also occurs when '''''third''''' parties monitor websites visited, timing of the visits, interaction with others, etc., without the consent of the '''''end-user''''' concerned. As technology evolves, the technical ways to engage in interception have also increased. Such ways may range from the installation of equipment that gathers data from terminal equipment over targeted areas, such as the so-called IMSI (International Mobile Subscriber Identity) catchers, to programs and techniques that, for example, surreptitiously monitor browsing habits for the purpose of creating '''''end-user''''' profiles. Other examples of interception include capturing payload data or content data from unencrypted wireless networks and routers, including browsing habits without the '''''end-users'''''' consent.
 +
|width='50%' style='vertical-align:top;border-top:none;border-bottom:none;'|
 +
(15) Electronic communications should be treated as confidential. This means that any interference with the transmission of electronic communications, whether directly by human intervention or through the intermediation of automated processing by machines, without the consent of all the communicating parties should be prohibited. '''''When the processing is allowed under any exception to the prohibitions under this Regulation, any other processing on the basis of Article 6 of Regulation (EU) 2016/679 should be considered as prohibited, including processing for another purpose on the basis of Article 6(4) of that Regulation. This should not prevent requesting additional consent for new processing operations.''''' The prohibition of interception of communications should apply '''''also''''' during their conveyance, i.e. until receipt of the content of the electronic communication by the intended addressee, '''''and to any temporary files in the network after receipt'''''. Interception of electronic communications may occur, for example, when someone other than the communicating parties, listens to calls, reads, scans or stores the content of electronic communications, or the associated metadata for purposes other than the exchange of communications. Interception also occurs when '''''other''''' parties monitor websites visited, timing of the visits, interaction with others, etc., without the consent of the '''''user''''' concerned. As technology evolves, the technical ways to engage in interception have also increased. Such ways may range from the installation of equipment that gathers data from terminal equipment over targeted areas, such as the so-called IMSI (International Mobile Subscriber Identity) catchers, to programs and techniques that, for example, surreptitiously monitor browsing habits for the purpose of creating '''''user''''' profiles. 
Other examples of interception include capturing payload data or content data from unencrypted wireless networks and routers, '''''and analysis of customers' traffic data,''''' including browsing habits without the '''''users'''''' consent.
 +
|}
 +
 +
 +
It would ensure that this Regulation is not overridden by the GDPR legal basis
 +
 +
 +
=== Amendment 14 - ===
 +
 +
{| border='1' style='border-spacing:0;  width:100%;' cellpadding='30'
 +
|-
 +
| colspan='2' style='background-color: #F55E33; text-align:center;' |
 +
'''Amendment 14'''<br/>
 +
Marju Lauristin<br/>
 +
'''S&D'''<br/>
 +
Recital 16
 +
|-
 +
|width='50%' style='vertical-align:top;border-top:none;border-bottom:none;'|
 +
(16) The prohibition of storage of communications is not intended to prohibit any automatic, intermediate and transient storage of this information insofar as this takes place for the sole purpose of carrying out the transmission '''''in the electronic communications network'''''. It should not prohibit either the processing of electronic communications data to ensure the security and continuity of the electronic communications services, including checking security threats such as the presence of malware or the processing of metadata to ensure the necessary quality of service requirements, such as latency, jitter etc.
 +
|width='50%' style='vertical-align:top;border-top:none;border-bottom:none;'|
 +
(16) The prohibition of storage of communications is not intended to prohibit any automatic, intermediate and transient storage of this information insofar as this takes place for the sole purpose of carrying out the transmission. It should not prohibit either the processing of electronic communications data to ensure the security and continuity of the electronic communications services, including checking security threats such as the presence of malware''''', spam or distributed denial-of-service attacks,''''' or the processing of metadata to ensure the necessary quality of service requirements, such as latency, jitter etc.
 +
|}
 +
 +
 +
Anti-spam should not be implemented without the consent of the receiver. The receiver should have the right to use another anti-spam solution that the one provided by its communications provider and should even be able to disable it completely (for testing or research purposes, etc).
 +
 +
 +
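Review bot: In the comment under Amendment 14, "another anti-spam solution that the one provided" should read "than the one provided". The comment also covers only spam, while the amendment adds "spam or distributed denial-of-service attacks" to the listed security threats and drops "in the electronic communications network" from the first sentence; say whether the objection extends to those two changes or is limited to spam filtering.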
=== Amendment 16 + ===
 +
 +
{| border='1' style='border-spacing:0;  width:100%;' cellpadding='30'
 +
|-
 +
| colspan='2' style='background-color: #AEF279; text-align:center;' |
 +
'''Amendment 16'''<br/>
 +
Marju Lauristin<br/>
 +
'''S&D'''<br/>
 +
Recital 17
 +
|-
 +
|width='50%' style='vertical-align:top;border-top:none;border-bottom:none;'|
 +
(17) The processing of electronic communications data can be useful for businesses, consumers and society as a whole. '''''Vis-à-vis Directive 2002/58/EC, this Regulation broadens the possibilities for providers of electronic communications services to process electronic communications metadata, based on end-users consent. However, end-users attach great importance to the confidentiality of their communications, including their online activities, and that they want to control the use of electronic communications data for purposes other than conveying the communication. Therefore, this Regulation should require providers of electronic communications services to obtain end-users' consent to process electronic communications metadata, which should include data on the location of the device generated for the purposes of granting and maintaining access and connection to the service. Location data that is generated other than in the context of providing electronic communications services should not be considered as metadata.''''' Examples of '''''commercial''''' usages of electronic communications metadata by providers of electronic communications services may include the provision of heatmaps; a graphical representation of data using '''''colors''''' to indicate the presence of individuals. To display the traffic movements in certain directions during a certain period of time, an identifier is necessary to link the positions of individuals at certain time intervals'''''. This identifier would be missing if anonymous data were to be used and such movement could not be displayed'''''. Such usage of electronic communications metadata could, for example, benefit public authorities and public transport operators to define where to develop new infrastructure, based on the usage of and pressure on the existing structure. 
'''''Where a type of processing of electronic communications metadata, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, a data protection impact assessment and, as the case may be, a consultation of the supervisory authority should take place prior to the processing, in accordance with Articles 35 and 36 of Regulation (EU) 2016/679.'''''
 +
|width='50%' style='vertical-align:top;border-top:none;border-bottom:none;'|
 +
(17) The processing of electronic communications data can be useful for businesses, consumers and society as a whole. Examples of '''''such''''' usages of electronic communications metadata by providers of electronic communications services may include the provision of heatmaps; a graphical representation of data using '''''colours''''' to indicate the presence of individuals. To display the traffic movements in certain directions during a certain period of time, an identifier is necessary to link the positions of individuals at certain time intervals''''', provided that the data are immediately anonymised or anonymisation techniques are used where the user is mixed with others'''''. Such usage of electronic communications metadata could, for example, benefit public authorities and public transport operators to define where to develop new infrastructure, based on the usage of and pressure on the existing structure.
 +
|}
 +
 +
 +
This proposition is way more protective than the initial proposal but may be much clearer as regards anonymisation techniques that should be implemented
 +
 +
 +
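Review bot: The comment under Amendment 16 says the proposal "may be much clearer as regards anonymisation techniques", while the otherwise identical comment under Amendment 26 says "should be much clearer"; "may" reads as a slip for "should" here. It would also help to point at the wording that is unclear, for instance "immediately anonymised or anonymisation techniques are used where the user is mixed with others".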
=== Amendment 17 + ===
 +
 +
{| border='1' style='border-spacing:0;  width:100%;' cellpadding='30'
 +
|-
 +
| colspan='2' style='background-color: #AEF279; text-align:center;' |
 +
'''Amendment 17'''<br/>
 +
Marju Lauristin<br/>
 +
'''S&D'''<br/>
 +
Recital 17 a (new)
 +
|-
 +
|width='50%' style='vertical-align:top;border-top:none;border-bottom:none;'|
 +
 +
|width='50%' style='vertical-align:top;border-top:none;border-bottom:none;'|
 +
'''''(17a) This Regulation broadens the possibilities for providers of electronic communications services to process electronic communications metadata based on users' informed consent. However, users attach great importance to the confidentiality of their communications, including their online activities, and they want to control the use of their electronic communications data for purposes other than conveying the communication. Therefore, this Regulation should require providers of electronic communications services to obtain users' consent to process electronic communications metadata, which should include data on the location of the device generated for the purposes of granting and maintaining access and connection to the service. For the purposes of this Regulation, the consent of an end-user, regardless of whether the latter is a natural or legal person, should have the same meaning and be subject to the same conditions as the consent of the data subject under Regulation (EU) 2016/679. The end-users should have the right to withdraw their consent from an additional service without breaching the contract for the basic service. Consent for processing data from internet or voice communications usage should not be valid if the user has no genuine and free choice, or is unable to refuse or withdraw consent without detriment.'''''
 +
|}
 +
 +
 +
Clarifies a bit what is a "freely given" consent
 +
 +
 +
=== Amendment 18 + ===
 +
 +
{| border='1' style='border-spacing:0;  width:100%;' cellpadding='30'
 +
|-
 +
| colspan='2' style='background-color: #AEF279; text-align:center;' |
 +
'''Amendment 18'''<br/>
 +
Marju Lauristin<br/>
 +
'''S&D'''<br/>
 +
Recital 18
 +
|-
 +
|width='50%' style='vertical-align:top;border-top:none;border-bottom:none;'|
 +
'''''(18) End-users may consent to the processing of their metadata to receive specific services such as protection services against fraudulent activities (by analysing usage data, location and customer account in real time). In the digital economy, services are often supplied against counter-performance other than money, for instance by end-users being exposed to advertisements. For the purposes of this Regulation, consent of an end-user, regardless of whether the latter is a natural or a legal person, should have the same meaning and be subject to the same conditions as the data subject's consent under Regulation (EU) 2016/679. Basic broadband internet access and voice communications services are to be considered as essential services for individuals to be able to communicate and participate to the benefits of the digital economy. Consent for processing data from internet or voice communication usage will not be valid if the data subject has no genuine and free choice, or is unable to refuse or withdraw consent without detriment.'''''
 +
|width='50%' style='vertical-align:top;border-top:none;border-bottom:none;'|
 +
'''''deleted'''''
 +
|}
 +
 +
 +
Deletes the very ambiguous idea of "essential services" (which may imply that non-essential services can be denied to users refusing to consent)
 +
 +
 +
=== Amendment 23 - ===
 +
 +
{| border='1' style='border-spacing:0;  width:100%;' cellpadding='30'
 +
|-
 +
| colspan='2' style='background-color: #F55E33; text-align:center;' |
 +
'''Amendment 23'''<br/>
 +
Marju Lauristin<br/>
 +
'''S&D'''<br/>
 +
Recital 22
 +
|-
 +
|width='50%' style='vertical-align:top;border-top:none;border-bottom:none;'|
 +
(22) The methods used for providing information and obtaining end-user's consent should be as user-friendly as possible. Given the ubiquitous use of tracking cookies and other tracking techniques, '''''end-users''''' are increasingly requested to provide consent to store such tracking cookies in their terminal equipment. As a result, '''''end-users''''' are overloaded with requests to provide consent. The use of technical means to provide consent, for example, through transparent and user-friendly settings, may address this problem. Therefore, this Regulation should provide for the possibility to express consent by using the appropriate settings of a browser or other application. '''''The''''' choices made by '''''end-users''''' when establishing '''''its''''' general privacy settings of a browser or other application should be binding on, and enforceable against, any third parties. Web browsers are a type of software application that permits the retrieval and presentation of information on the internet. Other types of applications, such as the ones that permit calling and messaging or provide route guidance, have also the same capabilities. Web browsers mediate much of what occurs between the '''''end-user''''' and the website. From this perspective, they are in a privileged position to play an active role to help the '''''end-user''''' to control the flow of information to and from the terminal equipment. More particularly web browsers may be used as '''''gatekeepers''''', thus helping '''''end-users''''' to prevent information from their terminal equipment (for example smart phone, tablet or computer) from being accessed or stored.
 +
|width='50%' style='vertical-align:top;border-top:none;border-bottom:none;'|
 +
(22) The methods used for providing information and obtaining end-user's consent should be as user-friendly as possible. Given the ubiquitous use of tracking cookies and other tracking techniques, '''''users''''' are increasingly requested to provide consent to store such tracking cookies in their terminal equipment. As a result, '''''users''''' are overloaded with requests to provide consent. The use of technical means to provide consent, for example, through transparent and user-friendly settings, may address this problem. Therefore, this Regulation should '''''prevent the use of so- called "cookie walls" and "cookie banners" that do not help users to maintain control over their personal information and privacy or become informed about their rights. This Regulation should''''' provide for the possibility to express consent by '''''technical specifications, for instance by''''' using the appropriate settings of a browser or other application. '''''Those settings should include choices concerning the storage of information on the user's terminal equipment as well as a signal sent by the browser or other application indicating the user's preferences to other parties. The''''' choices made by '''''users''''' when establishing '''''the''''' general privacy settings of a browser or other application should be binding on, and enforceable against, any third parties. Web browsers are a type of software application that permits the retrieval and presentation of information on the internet. Other types of applications, such as the ones that permit calling and messaging or provide route guidance, have also the same capabilities. Web browsers mediate much of what occurs between the '''''user''''' and the website. From this perspective, they are in a privileged position to play an active role to help the '''''user''''' to control the flow of information to and from the terminal equipment. 
More particularly''''',''''' web browsers''''', applications or mobile operating systems''''' may be used as '''''the executor of a user's choices''''', thus helping '''''users''''' to prevent information from their terminal equipment (for example smart phone, tablet or computer) from being accessed or stored.
 +
|}
 +
 +
 +
There should be no option to ‘always accept trackers and cookies’ and no way to "express specific consent through the settings" of web browsers and such. Otherwise, users would be able to give their consent to an unlimited number of processing and prior being even provided with any information concerning any of them. Such consent can never be "specific" nor "informed".
 +
 +
 +
=== Amendment 24 - ===
 +
 +
{| border='1' style='border-spacing:0;  width:100%;' cellpadding='30'
 +
|-
 +
| colspan='2' style='background-color: #F55E33; text-align:center;' |
 +
'''Amendment 24'''<br/>
 +
Marju Lauristin<br/>
 +
'''S&D'''<br/>
 +
Recital 23
 +
|-
 +
|width='50%' style='vertical-align:top;border-top:none;border-bottom:none;'|
 +
(23) The principles of data protection by design and by default were codified under Article 25 of Regulation (EU) 2016/679. Currently, the default settings for cookies are set in most current browsers to ‘accept all cookies’. Therefore providers of software enabling the retrieval and presentation of information on the internet should have an obligation to configure the software so that it offers the option to prevent '''''third parties from''''' storing information on the terminal equipment; this is often presented as ‘reject third party cookies’. '''''End-users''''' should be offered a set of privacy setting options, ranging from higher (for example, ‘never accept cookies’) to lower (for example, ‘always accept cookies’) and intermediate (for example, ‘reject '''''third party''''' cookies'''''’ or''''' ‘'''''only accept first party cookies’)'''''. Such privacy settings should be presented in '''''a '''''an easily visible and intelligible manner.
 +
|width='50%' style='vertical-align:top;border-top:none;border-bottom:none;'|
 +
(23) The principles of data protection by design and by default were codified under Article 25 of Regulation (EU) 2016/679. Currently, the default settings for cookies are set in most current browsers to ‘accept all cookies’. Therefore providers of software enabling the retrieval and presentation of information on the internet should have an obligation to configure the software so that it offers the option to prevent '''''by default the cross-domain tracking and '''''storing '''''of '''''information on the terminal equipment '''''by other parties'''''; this is often presented as ‘reject third party '''''trackers and''''' cookies’. '''''Users''''' should be offered''''', by default,''''' a set of privacy setting options, ranging from higher (for example, ‘never accept '''''tracker and''''' cookies’) to lower (for example, ‘always accept '''''trackers and''''' cookies’) and intermediate (for example, ‘reject '''''all trackers and''''' cookies '''''that are not strictly necessary to provide a service explicitly requested by the user’ or ‘reject all cross-domain tracking’). These options may also be more fine-grained. Privacy settings should also include options to allow the user to decide for example, whether Flash, JavaScript or similar software can be executed, if a website can collect geo-location data from the user, or if it can access specific hardware such as a webcam or microphone'''''. Such privacy settings should be presented in an easily visible''''', objective''''' and intelligible manner.
 +
|}
 +
 +
 +
There should be no option to ‘always accept trackers and cookies’ and no way to "express specific consent through the settings" of web browsers and such. Otherwise, users would be able to give their consent to an unlimited number of processing and prior being even provided with any information concerning any of them. Such consent can never be "specific" nor "informed".
 +
 +
 +
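Review bot: The comment under Amendment 24 is a verbatim copy of the one under Amendment 23, and the phrase it quotes, "express specific consent through the settings", appears in neither recital as shown (Amendment 23 reads "express consent by technical specifications, for instance by using the appropriate settings of a browser or other application"). Suggest quoting the recitals' own wording and tailoring each comment to its amendment, since ‘always accept trackers and cookies’ appears only in Recital 23 as amended here. The phrase "an unlimited number of processing and prior being even provided" should also be reworded, for example to "an unlimited number of processing operations before even being provided".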
=== Amendment 25 + ===
 +
 +
{| border='1' style='border-spacing:0;  width:100%;' cellpadding='30'
 +
|-
 +
| colspan='2' style='background-color: #AEF279; text-align:center;' |
 +
'''Amendment 25'''<br/>
 +
Marju Lauristin<br/>
 +
'''S&D'''<br/>
 +
Recital 24
 +
|-
 +
|width='50%' style='vertical-align:top;border-top:none;border-bottom:none;'|
 +
'''''(24) For web browsers to be able to obtain end-users’ consent as defined under Regulation (EU) 2016/679, for example, to the storage of third party tracking cookies, they should, among others, require a clear affirmative action from the end-user of terminal equipment to signify his or her freely given, specific informed, and unambiguous agreement to the storage and access of such cookies in and from the terminal equipment. Such action may be considered to be affirmative, for example, if end-users are required to actively select ‘accept third party cookies’ to confirm their agreement and are given the necessary information to make the choice. To this end, it is necessary to require providers of software enabling access to internet that, at the moment of installation, end-users are informed about the possibility to choose the privacy settings among the various options and ask them to make a choice. Information provided should not dissuade end-users from selecting higher privacy settings and should include relevant information about the risks associated to allowing third party cookies to be stored in the computer, including the compilation of long-term records of individuals' browsing histories and the use of such records to send targeted advertising. Web browsers are encouraged to provide easy ways for end-users to change the privacy settings at any time during use and to allow the user to make exceptions for or to whitelist certain websites or to specify for which websites (third) party cookies are always or never allowed.'''''
 +
|width='50%' style='vertical-align:top;border-top:none;border-bottom:none;'|
 +
'''''deleted'''''
 +
|}
 +
 +
 +
Consent cannot be "freely given, specific informed, and unambiguous" through automated means.
 +
 +
 +
=== Amendment 26 + ===
 +
 +
{| border='1' style='border-spacing:0;  width:100%;' cellpadding='30'
 +
|-
 +
| colspan='2' style='background-color: #AEF279; text-align:center;' |
 +
'''Amendment 26'''<br/>
 +
Marju Lauristin<br/>
 +
'''S&D'''<br/>
 +
Recital 25
 +
|-
 +
|width='50%' style='vertical-align:top;border-top:none;border-bottom:none;'|
 +
(25) Accessing electronic communications networks requires the regular emission of certain data packets in order to discover or maintain a connection with the network or other devices on the network. Furthermore, devices must have a unique address assigned in order to be identifiable on that network. Wireless and cellular telephone standards similarly involve the emission of active signals containing unique identifiers such as a MAC address, the IMEI (International Mobile Station Equipment Identity), the IMSI etc. A single wireless base station (i.e. a transmitter and receiver), such as a wireless access point, has a specific range within which such information may be captured. Service providers have emerged who offer tracking services based on the scanning of equipment related information with diverse functionalities, including people counting, providing data on the number of people waiting in line, ascertaining the number of people in a specific area, etc. This information may be used for more intrusive purposes, such as to send commercial messages to '''''end-users''''', for example when they enter stores, with '''''personalized''''' offers. While some of these functionalities do not entail high privacy risks, others do, for example, those involving the tracking of individuals over time, including repeated visits to specified locations. Providers engaged in such practices should display prominent notices located on the edge of the area of coverage informing '''''end-users''''' prior to entering the defined area that the technology is in operation within a given perimeter, the purpose of the tracking, the person responsible for it and the existence of any measure the '''''end-user''''' of the terminal equipment can take to minimize or stop the collection. Additional information should be provided where personal data are collected pursuant to Article 13 of Regulation (EU) 2016/679.
 +
|width='50%' style='vertical-align:top;border-top:none;border-bottom:none;'|
 +
(25) Accessing electronic communications networks requires the regular emission of certain data packets in order to discover or maintain a connection with the network or other devices on the network. Furthermore, devices must have a unique address assigned in order to be identifiable on that network. Wireless and cellular telephone standards similarly involve the emission of active signals containing unique identifiers such as a MAC address, the IMEI (International Mobile Station Equipment Identity), the IMSI etc. A single wireless base station (i.e. a transmitter and receiver), such as a wireless access point, has a specific range within which such information may be captured. Service providers have emerged who offer tracking services based on the scanning of equipment related information with diverse functionalities, including people counting, providing data on the number of people waiting in line, ascertaining the number of people in a specific area, etc. This information may be used for more intrusive purposes, such as to send commercial messages to '''''users''''', for example when they enter stores, with '''''personalised''''' offers. While some of these functionalities do not entail high privacy risks, others do, for example, those involving the tracking of individuals over time, including repeated visits to specified locations. Providers engaged in such practices should display prominent notices located on the edge of the area of coverage informing '''''users''''' prior to entering the defined area that the technology is in operation within a given perimeter, the purpose of the tracking, the person responsible for it and the existence of any measure the '''''user''''' of the terminal equipment can take to minimize or stop the collection. Additional information should be provided where personal data are collected pursuant to Article 13 of Regulation (EU) 2016/679. 
'''''In addition, such providers should either obtain the user's consent or anonymise the data immediately while limiting the purpose to mere statistical counting within a limited time and space and offering effective opt-out possibilities.'''''
 +
|}
 +
 +
 +
This proposition is way more protective than the initial proposal but should be much clearer as regards anonymisation techniques that should be implemented
 +
 +
 +
=== Amendment 27 + ===
 +
 +
{| border='1' style='border-spacing:0;  width:100%;' cellpadding='30'
 +
|-
 +
| colspan='2' style='background-color: #AEF279; text-align:center;' |
 +
'''Amendment 27'''<br/>
 +
Marju Lauristin<br/>
 +
'''S&D'''<br/>
 +
Recital 26
 +
|-
 +
|width='50%' style='vertical-align:top;border-top:none;border-bottom:none;'|
 +
(26) When the processing of electronic communications data by providers of electronic communications services falls within its scope, this Regulation '''''should provide for''''' the possibility for the Union or Member States under specific conditions to restrict by law certain obligations and rights when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard specific public interests, including national security, defence, public security and the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security '''''and other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests'''''. Therefore, this Regulation should not affect the ability of Member States to carry out lawful interception of electronic communications or take other measures, if necessary and proportionate to safeguard the public interests mentioned above, in accordance with the Charter of Fundamental Rights of the European Union and the European Convention for the Protection of Human Rights and Fundamental Freedoms, as interpreted by the Court of Justice of the European Union and of the European Court of Human Rights. '''''Providers of electronic communications services should provide for appropriate procedures to facilitate legitimate requests of competent authorities, where relevant also taking into account the role of the representative designated pursuant to Article 3(3).'''''
 +
|width='50%' style='vertical-align:top;border-top:none;border-bottom:none;'|
 +
(26) When the processing of electronic communications data by providers of electronic communications services falls within its scope, this Regulation '''''is without prejudice to''''' the possibility for the Union or Member States under specific conditions to restrict by law certain obligations and rights '''''set out in this Regulation '''''when such a restriction '''''is targeted at persons suspected of having committed a criminal offence and''''' constitutes a necessary and proportionate measure in a democratic society to safeguard specific public interests, including national security, defence, public security and the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. Therefore, this Regulation should not affect the ability of Member States to carry out lawful interception of electronic communications or take other measures, if necessary and proportionate to safeguard the public interests mentioned above, in accordance with the Charter of Fundamental Rights of the European Union and the European Convention for the Protection of Human Rights and Fundamental Freedoms, as interpreted by the Court of Justice of the European Union and of the European Court of Human Rights.
 +
|}
 +
 +
 +
This would implement parts of the Tele2 case and limit the purposes of the derogations, which is great. But this Regulation should go much farther.
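Review bot: the comment added under Amendment 26 ("should be much clearer as regards anonymisation techniques that should be implemented") does not say what is unclear. Since the amended recital lets providers "anonymise the data immediately" as an alternative to obtaining consent, the comment should state what the anonymisation is expected to guarantee, and it is missing its closing full stop. The comment under Amendment 27 cites "the Tele2 case" with no case reference or link; add one so readers can check which parts of the ruling the amendment would implement.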

Version of 8 August 2017 at 15:04

This page aims to analyse the amendments debated in the LIBE committee concerning the ePrivacy Regulation

Amendment 4 +

Amendment 4
Marju Lauristin
S&D
Recital 5

(5) The provisions of this Regulation particularise and complement the general rules on the protection of personal data laid down in Regulation (EU) 2016/679 as regards electronic communications data that qualify as personal data. This Regulation therefore does not lower the level of protection enjoyed by natural persons under Regulation (EU) 2016/679. Processing of electronic communications data by providers of electronic communications services should only be permitted in accordance with this Regulation.

(5) The provisions of this Regulation particularise and complement the general rules on the protection of personal data laid down in Regulation (EU) 2016/679 as regards electronic communications data that qualify as personal data. This Regulation therefore should not lower the level of protection enjoyed by natural persons under Regulation (EU) 2016/679. On the contrary, it aims to provide additional, and complementary, safeguards taking into account the need for additional protection as regards the confidentiality of communications. Processing of electronic communications data by providers of electronic communications services should only be permitted in accordance with, and on a legal ground specifically provided for under, this Regulation.


It would ensure that Article 6 is not overridden by the GDPR legal basis.


Amendment 6 +

Amendment 6
Marju Lauristin
S&D
Recital 7

(7) The Member States should be allowed, within the limits of this Regulation, to maintain or introduce national provisions to further specify and clarify the application of the rules of this Regulation in order to ensure an effective application and interpretation of those rules. Therefore, the margin of discretion, which Member States have in this regard, should maintain a balance between the protection of private life and personal data and the free movement of electronic communications data.

deleted


The main purpose of this Regulation is to harmonise EU national laws.


Amendment 7 +

Amendment 7
Marju Lauristin
S&D
Recital 8

(8) This Regulation should apply to providers of electronic communications services, to providers of publicly available directories, and to software providers permitting electronic communications, including the retrieval and presentation of information on the internet. This Regulation should also apply to natural and legal persons who use electronic communications services to send direct marketing commercial communications or collect information related to or stored in end-users’ terminal equipment.

(8) This Regulation should apply to providers of electronic communications services, to providers of publicly available directories, and to software providers permitting electronic communications, including the retrieval and presentation of information on the internet. This Regulation should also apply to natural and legal persons who use electronic communications services to send direct marketing, commercial communications or collect information related to, processed by or stored in end-users’ terminal equipment.

Justification: This amendment clarifies the scope of the Regulation. It takes into account the recommendations of the EDPS, Art 29 Working party, scholars and several stakeholders.


Information "processed" by terminal equipment is repeatedly missing from the recitals of the EC's proposal.


Amendment 13 +

Amendment 13
Marju Lauristin
S&D
Recital 15

(15) Electronic communications data should be treated as confidential. This means that any interference with the transmission of electronic communications data, whether directly by human intervention or through the intermediation of automated processing by machines, without the consent of all the communicating parties should be prohibited. The prohibition of interception of communications data should apply during their conveyance, i.e. until receipt of the content of the electronic communication by the intended addressee. Interception of electronic communications data may occur, for example, when someone other than the communicating parties, listens to calls, reads, scans or stores the content of electronic communications, or the associated metadata for purposes other than the exchange of communications. Interception also occurs when third parties monitor websites visited, timing of the visits, interaction with others, etc., without the consent of the end-user concerned. As technology evolves, the technical ways to engage in interception have also increased. Such ways may range from the installation of equipment that gathers data from terminal equipment over targeted areas, such as the so-called IMSI (International Mobile Subscriber Identity) catchers, to programs and techniques that, for example, surreptitiously monitor browsing habits for the purpose of creating end-user profiles. Other examples of interception include capturing payload data or content data from unencrypted wireless networks and routers, including browsing habits without the end-users' consent.

(15) Electronic communications should be treated as confidential. This means that any interference with the transmission of electronic communications, whether directly by human intervention or through the intermediation of automated processing by machines, without the consent of all the communicating parties should be prohibited. When the processing is allowed under any exception to the prohibitions under this Regulation, any other processing on the basis of Article 6 of Regulation (EU) 2016/679 should be considered as prohibited, including processing for another purpose on the basis of Article 6(4) of that Regulation. This should not prevent requesting additional consent for new processing operations. The prohibition of interception of communications should apply also during their conveyance, i.e. until receipt of the content of the electronic communication by the intended addressee, and to any temporary files in the network after receipt. Interception of electronic communications may occur, for example, when someone other than the communicating parties, listens to calls, reads, scans or stores the content of electronic communications, or the associated metadata for purposes other than the exchange of communications. Interception also occurs when other parties monitor websites visited, timing of the visits, interaction with others, etc., without the consent of the user concerned. As technology evolves, the technical ways to engage in interception have also increased. Such ways may range from the installation of equipment that gathers data from terminal equipment over targeted areas, such as the so-called IMSI (International Mobile Subscriber Identity) catchers, to programs and techniques that, for example, surreptitiously monitor browsing habits for the purpose of creating user profiles. 
Other examples of interception include capturing payload data or content data from unencrypted wireless networks and routers, and analysis of customers' traffic data, including browsing habits without the users' consent.


It would ensure that this Regulation is not overridden by the GDPR legal basis.


Amendment 14 -

Amendment 14
Marju Lauristin
S&D
Recital 16

(16) The prohibition of storage of communications is not intended to prohibit any automatic, intermediate and transient storage of this information insofar as this takes place for the sole purpose of carrying out the transmission in the electronic communications network. It should not prohibit either the processing of electronic communications data to ensure the security and continuity of the electronic communications services, including checking security threats such as the presence of malware or the processing of metadata to ensure the necessary quality of service requirements, such as latency, jitter etc.

(16) The prohibition of storage of communications is not intended to prohibit any automatic, intermediate and transient storage of this information insofar as this takes place for the sole purpose of carrying out the transmission. It should not prohibit either the processing of electronic communications data to ensure the security and continuity of the electronic communications services, including checking security threats such as the presence of malware, spam or distributed denial-of-service attacks, or the processing of metadata to ensure the necessary quality of service requirements, such as latency, jitter etc.


Anti-spam should not be implemented without the consent of the receiver. The receiver should have the right to use an anti-spam solution other than the one provided by their communications provider and should even be able to disable it completely (for testing or research purposes, etc.).


Amendment 16 +

Amendment 16
Marju Lauristin
S&D
Recital 17

(17) The processing of electronic communications data can be useful for businesses, consumers and society as a whole. Vis-à-vis Directive 2002/58/EC, this Regulation broadens the possibilities for providers of electronic communications services to process electronic communications metadata, based on end-users consent. However, end-users attach great importance to the confidentiality of their communications, including their online activities, and that they want to control the use of electronic communications data for purposes other than conveying the communication. Therefore, this Regulation should require providers of electronic communications services to obtain end-users' consent to process electronic communications metadata, which should include data on the location of the device generated for the purposes of granting and maintaining access and connection to the service. Location data that is generated other than in the context of providing electronic communications services should not be considered as metadata. Examples of commercial usages of electronic communications metadata by providers of electronic communications services may include the provision of heatmaps; a graphical representation of data using colors to indicate the presence of individuals. To display the traffic movements in certain directions during a certain period of time, an identifier is necessary to link the positions of individuals at certain time intervals. This identifier would be missing if anonymous data were to be used and such movement could not be displayed. Such usage of electronic communications metadata could, for example, benefit public authorities and public transport operators to define where to develop new infrastructure, based on the usage of and pressure on the existing structure. 
Where a type of processing of electronic communications metadata, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, a data protection impact assessment and, as the case may be, a consultation of the supervisory authority should take place prior to the processing, in accordance with Articles 35 and 36 of Regulation (EU) 2016/679.

(17) The processing of electronic communications data can be useful for businesses, consumers and society as a whole. Examples of such usages of electronic communications metadata by providers of electronic communications services may include the provision of heatmaps; a graphical representation of data using colours to indicate the presence of individuals. To display the traffic movements in certain directions during a certain period of time, an identifier is necessary to link the positions of individuals at certain time intervals, provided that the data are immediately anonymised or anonymisation techniques are used where the user is mixed with others. Such usage of electronic communications metadata could, for example, benefit public authorities and public transport operators to define where to develop new infrastructure, based on the usage of and pressure on the existing structure.


This proposal is far more protective than the initial proposal but could be much clearer about the anonymisation techniques that should be implemented.


Amendment 17 +

Amendment 17
Marju Lauristin
S&D
Recital 17 a (new)

(17a) This Regulation broadens the possibilities for providers of electronic communications services to process electronic communications metadata based on users' informed consent. However, users attach great importance to the confidentiality of their communications, including their online activities, and they want to control the use of their electronic communications data for purposes other than conveying the communication. Therefore, this Regulation should require providers of electronic communications services to obtain users' consent to process electronic communications metadata, which should include data on the location of the device generated for the purposes of granting and maintaining access and connection to the service. For the purposes of this Regulation, the consent of an end-user, regardless of whether the latter is a natural or legal person, should have the same meaning and be subject to the same conditions as the consent of the data subject under Regulation (EU) 2016/679. The end-users should have the right to withdraw their consent from an additional service without breaching the contract for the basic service. Consent for processing data from internet or voice communications usage should not be valid if the user has no genuine and free choice, or is unable to refuse or withdraw consent without detriment.


Clarifies somewhat what "freely given" consent means.


Amendment 18 +

Amendment 18
Marju Lauristin
S&D
Recital 18

(18) End-users may consent to the processing of their metadata to receive specific services such as protection services against fraudulent activities (by analysing usage data, location and customer account in real time). In the digital economy, services are often supplied against counter-performance other than money, for instance by end-users being exposed to advertisements. For the purposes of this Regulation, consent of an end-user, regardless of whether the latter is a natural or a legal person, should have the same meaning and be subject to the same conditions as the data subject's consent under Regulation (EU) 2016/679. Basic broadband internet access and voice communications services are to be considered as essential services for individuals to be able to communicate and participate to the benefits of the digital economy. Consent for processing data from internet or voice communication usage will not be valid if the data subject has no genuine and free choice, or is unable to refuse or withdraw consent without detriment.

deleted


Deletes the very ambiguous idea of "essential services" (which may imply that non-essential services can be denied to users who refuse to consent).


Amendment 23 -

Amendment 23
Marju Lauristin
S&D
Recital 22

(22) The methods used for providing information and obtaining end-user's consent should be as user-friendly as possible. Given the ubiquitous use of tracking cookies and other tracking techniques, end-users are increasingly requested to provide consent to store such tracking cookies in their terminal equipment. As a result, end-users are overloaded with requests to provide consent. The use of technical means to provide consent, for example, through transparent and user-friendly settings, may address this problem. Therefore, this Regulation should provide for the possibility to express consent by using the appropriate settings of a browser or other application. The choices made by end-users when establishing its general privacy settings of a browser or other application should be binding on, and enforceable against, any third parties. Web browsers are a type of software application that permits the retrieval and presentation of information on the internet. Other types of applications, such as the ones that permit calling and messaging or provide route guidance, have also the same capabilities. Web browsers mediate much of what occurs between the end-user and the website. From this perspective, they are in a privileged position to play an active role to help the end-user to control the flow of information to and from the terminal equipment. More particularly web browsers may be used as gatekeepers, thus helping end-users to prevent information from their terminal equipment (for example smart phone, tablet or computer) from being accessed or stored.

(22) The methods used for providing information and obtaining end-user's consent should be as user-friendly as possible. Given the ubiquitous use of tracking cookies and other tracking techniques, users are increasingly requested to provide consent to store such tracking cookies in their terminal equipment. As a result, users are overloaded with requests to provide consent. The use of technical means to provide consent, for example, through transparent and user-friendly settings, may address this problem. Therefore, this Regulation should prevent the use of so-called "cookie walls" and "cookie banners" that do not help users to maintain control over their personal information and privacy or become informed about their rights. This Regulation should provide for the possibility to express consent by technical specifications, for instance by using the appropriate settings of a browser or other application. Those settings should include choices concerning the storage of information on the user's terminal equipment as well as a signal sent by the browser or other application indicating the user's preferences to other parties. The choices made by users when establishing the general privacy settings of a browser or other application should be binding on, and enforceable against, any third parties. Web browsers are a type of software application that permits the retrieval and presentation of information on the internet. Other types of applications, such as the ones that permit calling and messaging or provide route guidance, have also the same capabilities. Web browsers mediate much of what occurs between the user and the website. From this perspective, they are in a privileged position to play an active role to help the user to control the flow of information to and from the terminal equipment. 
More particularly, web browsers, applications or mobile operating systems may be used as the executor of a user's choices, thus helping users to prevent information from their terminal equipment (for example smart phone, tablet or computer) from being accessed or stored.


There should be no option to ‘always accept trackers and cookies’ and no way to "express specific consent through the settings" of web browsers and the like. Otherwise, users would be able to consent to an unlimited number of processing operations before even being provided with any information about any of them. Such consent can never be "specific" or "informed".


Amendment 24 -

Amendment 24
Marju Lauristin
S&D
Recital 23

(23) The principles of data protection by design and by default were codified under Article 25 of Regulation (EU) 2016/679. Currently, the default settings for cookies are set in most current browsers to ‘accept all cookies’. Therefore providers of software enabling the retrieval and presentation of information on the internet should have an obligation to configure the software so that it offers the option to prevent third parties from storing information on the terminal equipment; this is often presented as ‘reject third party cookies’. End-users should be offered a set of privacy setting options, ranging from higher (for example, ‘never accept cookies’) to lower (for example, ‘always accept cookies’) and intermediate (for example, ‘reject third party cookies’ or ‘only accept first party cookies’). Such privacy settings should be presented in an easily visible and intelligible manner.

(23) The principles of data protection by design and by default were codified under Article 25 of Regulation (EU) 2016/679. Currently, the default settings for cookies are set in most current browsers to ‘accept all cookies’. Therefore providers of software enabling the retrieval and presentation of information on the internet should have an obligation to configure the software so that it offers the option to prevent by default the cross-domain tracking and storing of information on the terminal equipment by other parties; this is often presented as ‘reject third party trackers and cookies’. Users should be offered, by default, a set of privacy setting options, ranging from higher (for example, ‘never accept tracker and cookies’) to lower (for example, ‘always accept trackers and cookies’) and intermediate (for example, ‘reject all trackers and cookies that are not strictly necessary to provide a service explicitly requested by the user’ or ‘reject all cross-domain tracking’). These options may also be more fine-grained. Privacy settings should also include options to allow the user to decide for example, whether Flash, JavaScript or similar software can be executed, if a website can collect geo-location data from the user, or if it can access specific hardware such as a webcam or microphone. Such privacy settings should be presented in an easily visible, objective and intelligible manner.


There should be no option to ‘always accept trackers and cookies’ and no way to "express specific consent through the settings" of web browsers and the like. Otherwise, users would be able to consent to an unlimited number of processing operations before even being provided with any information about any of them. Such consent can never be "specific" or "informed".


Amendment 25 +

Amendment 25
Marju Lauristin
S&D
Recital 24

(24) For web browsers to be able to obtain end-users’ consent as defined under Regulation (EU) 2016/679, for example, to the storage of third party tracking cookies, they should, among others, require a clear affirmative action from the end-user of terminal equipment to signify his or her freely given, specific informed, and unambiguous agreement to the storage and access of such cookies in and from the terminal equipment. Such action may be considered to be affirmative, for example, if end-users are required to actively select ‘accept third party cookies’ to confirm their agreement and are given the necessary information to make the choice. To this end, it is necessary to require providers of software enabling access to internet that, at the moment of installation, end-users are informed about the possibility to choose the privacy settings among the various options and ask them to make a choice. Information provided should not dissuade end-users from selecting higher privacy settings and should include relevant information about the risks associated to allowing third party cookies to be stored in the computer, including the compilation of long-term records of individuals' browsing histories and the use of such records to send targeted advertising. Web browsers are encouraged to provide easy ways for end-users to change the privacy settings at any time during use and to allow the user to make exceptions for or to whitelist certain websites or to specify for which websites (third) party cookies are always or never allowed.

deleted


Consent cannot be "freely given, specific informed, and unambiguous" through automated means.


Amendment 26 +

Amendment 26
Marju Lauristin
S&D
Recital 25

(25) Accessing electronic communications networks requires the regular emission of certain data packets in order to discover or maintain a connection with the network or other devices on the network. Furthermore, devices must have a unique address assigned in order to be identifiable on that network. Wireless and cellular telephone standards similarly involve the emission of active signals containing unique identifiers such as a MAC address, the IMEI (International Mobile Station Equipment Identity), the IMSI etc. A single wireless base station (i.e. a transmitter and receiver), such as a wireless access point, has a specific range within which such information may be captured. Service providers have emerged who offer tracking services based on the scanning of equipment related information with diverse functionalities, including people counting, providing data on the number of people waiting in line, ascertaining the number of people in a specific area, etc. This information may be used for more intrusive purposes, such as to send commercial messages to end-users, for example when they enter stores, with personalized offers. While some of these functionalities do not entail high privacy risks, others do, for example, those involving the tracking of individuals over time, including repeated visits to specified locations. Providers engaged in such practices should display prominent notices located on the edge of the area of coverage informing end-users prior to entering the defined area that the technology is in operation within a given perimeter, the purpose of the tracking, the person responsible for it and the existence of any measure the end-user of the terminal equipment can take to minimize or stop the collection. Additional information should be provided where personal data are collected pursuant to Article 13 of Regulation (EU) 2016/679.

(25) Accessing electronic communications networks requires the regular emission of certain data packets in order to discover or maintain a connection with the network or other devices on the network. Furthermore, devices must have a unique address assigned in order to be identifiable on that network. Wireless and cellular telephone standards similarly involve the emission of active signals containing unique identifiers such as a MAC address, the IMEI (International Mobile Station Equipment Identity), the IMSI etc. A single wireless base station (i.e. a transmitter and receiver), such as a wireless access point, has a specific range within which such information may be captured. Service providers have emerged who offer tracking services based on the scanning of equipment related information with diverse functionalities, including people counting, providing data on the number of people waiting in line, ascertaining the number of people in a specific area, etc. This information may be used for more intrusive purposes, such as to send commercial messages to users, for example when they enter stores, with personalised offers. While some of these functionalities do not entail high privacy risks, others do, for example, those involving the tracking of individuals over time, including repeated visits to specified locations. Providers engaged in such practices should display prominent notices located on the edge of the area of coverage informing users prior to entering the defined area that the technology is in operation within a given perimeter, the purpose of the tracking, the person responsible for it and the existence of any measure the user of the terminal equipment can take to minimize or stop the collection. Additional information should be provided where personal data are collected pursuant to Article 13 of Regulation (EU) 2016/679. 
In addition, such providers should either obtain the user's consent or anonymise the data immediately while limiting the purpose to mere statistical counting within a limited time and space and offering effective opt-out possibilities.


This proposal is far more protective than the initial proposal but should be much clearer about the anonymisation techniques that should be implemented.


Amendment 27 +

Amendment 27
Marju Lauristin
S&D
Recital 26

(26) When the processing of electronic communications data by providers of electronic communications services falls within its scope, this Regulation should provide for the possibility for the Union or Member States under specific conditions to restrict by law certain obligations and rights when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard specific public interests, including national security, defence, public security and the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security and other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests. Therefore, this Regulation should not affect the ability of Member States to carry out lawful interception of electronic communications or take other measures, if necessary and proportionate to safeguard the public interests mentioned above, in accordance with the Charter of Fundamental Rights of the European Union and the European Convention for the Protection of Human Rights and Fundamental Freedoms, as interpreted by the Court of Justice of the European Union and of the European Court of Human Rights. Providers of electronic communications services should provide for appropriate procedures to facilitate legitimate requests of competent authorities, where relevant also taking into account the role of the representative designated pursuant to Article 3(3).

(26) When the processing of electronic communications data by providers of electronic communications services falls within its scope, this Regulation is without prejudice to the possibility for the Union or Member States under specific conditions to restrict by law certain obligations and rights set out in this Regulation when such a restriction is targeted at persons suspected of having committed a criminal offence and constitutes a necessary and proportionate measure in a democratic society to safeguard specific public interests, including national security, defence, public security and the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. Therefore, this Regulation should not affect the ability of Member States to carry out lawful interception of electronic communications or take other measures, if necessary and proportionate to safeguard the public interests mentioned above, in accordance with the Charter of Fundamental Rights of the European Union and the European Convention for the Protection of Human Rights and Fundamental Freedoms, as interpreted by the Court of Justice of the European Union and of the European Court of Human Rights.


This would implement parts of the Tele2 case and limit the purposes of the derogations, which is great. But this Regulation should go much further.