E-Privacy/LIBE : Différence entre versions
Ligne 308 : | Ligne 308 : | ||
Clarification | Clarification | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
--> | --> |
Version du 22 août 2017 à 17:26
This page intends to rate the amendments tabled in LIBE Committee on the ePrivacy Regulation proposal
- amendments 1-135 (draft report)
- amendments 136-331
- amendments 332-705
- amendments 706-827
Sommaire
- 1 Scope and definitions
- 2 Confidentiality of communications
- 2.1 Bad
- 2.1.1 Amendment 395 --
- 2.1.2 Amendment 397 --
- 2.1.3 Amendment 402 --
- 2.1.4 Amendment 403 -
- 2.1.5 Amendment 404 --
- 2.1.6 Amendment 405 -
- 2.1.7 Amendment 408 -
- 2.1.8 Amendment 441 --
- 2.1.9 Amendment 471 --
- 2.1.10 Amendment 472 --
- 2.1.11 Amendment 473 --
- 2.1.12 Amendment 474 --
- 2.1.13 Amendment 475 --
- 2.1.14 Amendment 476 --
- 2.1.15 Amendment 478 --
- 2.1.16 Amendment 479 --
- 2.1.17 Amendment 480 --
- 2.1.18 Amendment 485 -
- 2.1.19 Amendment 486 -
- 2.1.20 Amendment 488 --
- 2.1.21 Amendment 489 -
- 2.1.22 Amendment 490 -
- 2.1.23 Amendment 496 --
- 2.1.24 Amendment 497 --
- 2.1.25 Amendment 498 --
- 2.2 Good
- 2.2.1 Amendment 67 +
- 2.2.2 Amendment 69 +
- 2.2.3 Amendment 72 ++
- 2.2.4 Amendment 73 ++
- 2.2.5 Amendment 399 +
- 2.2.6 Amendment 400 +
- 2.2.7 Amendment 401 +
- 2.2.8 Amendment 406 ++
- 2.2.9 Amendment 409 +
- 2.2.10 Amendment 410 +
- 2.2.11 Amendment 465 ++
- 2.2.12 Amendment 466 ++
- 2.2.13 Amendment 470 +
- 2.2.14 Amendment 495 +
- 2.1 Bad
- 3 Online tracking
- 3.1 Bad
- 3.1.1 Amendment 80 -
- 3.1.2 Amendment 519 --
- 3.1.3 Amendment 525 --
- 3.1.4 Amendment 526 --
- 3.1.5 Amendment 528 --
- 3.1.6 Amendment 529 -
- 3.1.7 Amendment 530 -
- 3.1.8 Amendment 531 -
- 3.1.9 Amendment 532 -
- 3.1.10 Amendment 533 -
- 3.1.11 Amendment 534 -
- 3.1.12 Amendment 538 -
- 3.1.13 Amendment 541 -
- 3.1.14 Amendment 542 -
- 3.1.15 Amendment 543 -
- 3.1.16 Amendment 549 -
- 3.1.17 Amendment 550 -
- 3.1.18 Amendment 552 --
- 3.1.19 Amendment 558 -
- 3.1.20 Amendment 561 --
- 3.1.21 Amendment 565 --
- 3.1.22 Amendment 566 --
- 3.1.23 Amendment 567 --
- 3.1.24 Amendment 568 --
- 3.1.25 Amendment 569 --
- 3.1.26 Amendment 576 --
- 3.1.27 Amendment 580 --
- 3.2 Good
- 3.1 Bad
- 4 Offline tracking
- 5 Consent definition
- 6 State surveillance
- 6.1 Bad
- 6.2 Good
- 6.2.1 Amendment 101 ++
- 6.2.2 Amendment 103 +
- 6.2.3 Amendment 669 ++
- 6.2.4 Amendment 670 ++
- 6.2.5 Amendment 671 /
- 6.2.6 Amendment 672 /
- 6.2.7 Amendment 674 ++
- 6.2.8 Amendment 675 ++
- 6.2.9 Amendment 678 +
- 6.2.10 Amendment 679 +
- 6.2.11 Amendment 680 +
- 6.2.12 Amendment 681 +
- 6.2.13 Amendment 682 ++
- 6.2.14 Amendment 683 ++
- 7 Sanctions
Scope and definitions
Bad
Amendment 334 --
Amendment 334 | |
1. This Regulation applies to the processing of electronic communications data carried out in connection with the provision and the use of electronic communications services and to information related to the terminal equipment of end-users. |
1. This Regulation applies to the processing of electronic communications data carried out in connection with the provision and the use of electronic communications services. |
A huge step back from the current law
Amendment 335 --
Amendment 335 | |
1. This Regulation applies to the processing of electronic communications data carried out in connection with the provision and the use of electronic communications services and to information related to the terminal equipment of end-users. |
1. This Regulation applies to the processing of electronic communications data carried out in connection with the provision and the use of electronic communications services. |
Justification: Article 1(3) stipulates that this regulation particularises and complements Regulation (EU) No 2016/679 by laying down specific rules.This turns this regulation into ‘lex specialis’ in relation to the GDPR.This regulation should not be used to correct Regulation (EU) No 2016/679. |
A huge step back from the current law
Amendment 341 --
Amendment 341 | |
(c) electronic communications services which are not publicly available; |
(c) electronic communications services which are intended for closed groups or are not publicly available pursuant to Article 2 (2) (c) of Regulation (EU) No 2016/679; |
This would exclude any private communications service (email, VoIP, Signal...) from the scope of this Regulation since, by definition, such services are "intended for closed groups" (for private communications).
Amendment 353 -
Amendment 353 | |
(c) the protection of information related to the terminal equipment of end-users located in the Union. |
(c) the protection of information related to the terminal equipment of end-users placed on the market in the Union. |
Excludes from the scope of the protection foreign equipments or equipments which were never placed in any market (handmade)
Amendment 363 -
Amendment 363 | |
Article 3 a | |
Applicable law in the online environment | |
1.To the extent that Regulation (EU) 2016/679 or this Regulation allows Member States to regulate the processing of personal data or electronic communications data, in their domestic laws, the relevant national law provisions shall apply to: | |
(a) the processing of personal data or electronic communications data in the context of the activities of an establishment of a controller, processor or a provider of an electronic communications service or network established in the Member State in question;or | |
(b) the processing of personal data or electronic communications data by a controller, processor or a provider of an electronic communications service or network not established in the Union , offering goods or services in that Member State or monitoring the behaviour of data subjects in that Member State; | |
2.The relevant national law provisions as set out in point 1 of this Article do not apply to the processing of personal data or electronic communications data in the context of the activities of an establishment of a controller, processor or a provider of an electronic communications service or network established in another Member State, who shall instead only be subject to the relevant national law provisions of that other Member State. |
This amendment makes absolutely no sense: if a controller is established in several MS, it is not subject to the national law of the MS where it is established but to the law of the "other" MS where it is established.
Amendment 366 -
Amendment 366 | |
2. For the purposes of point (b) of paragraph 1, the definition of ‘interpersonal communications service’ shall include services which enable interpersonal and interactive communication merely as a minor ancillary feature that is intrinsically linked to another service. |
deleted |
Limits the scope of the Regulation without any justification
Amendment 367 -
Amendment 367 | |
2. For the purposes of point (b) of paragraph 1, the definition of ‘interpersonal communications service’ shall include services which enable interpersonal and interactive communication merely as a minor ancillary feature that is intrinsically linked to another service. |
deleted |
Limits the scope of the Regulation without any justification
Good
Amendment 41 +
Amendment 41 | |
1. This Regulation applies to the processing of electronic communications data carried out in connection with the provision and the use of electronic communications services and to information related to the terminal equipment of end-users. |
1. This Regulation applies to the processing of electronic communications data carried out in connection with the provision and the use of electronic communications services and to information related to or processed by the terminal equipment of end-users. |
Information "processed" by terminal equipment is repeatedly missing in the recitals of EC's proposal
Amendment 42 +
Amendment 42 | |
(c) the protection of information related to the terminal equipment of end-users located in the Union. |
(c) the protection of information related to or processed by the terminal equipment of end-users in the Union. |
Information "processed" by terminal equipment is repeatedly missing in the recitals of EC's proposal
Amendment 55 ++
Amendment 55 | |
(c) ‘electronic communications metadata’ means data processed in an electronic communications network for the purposes of transmitting, distributing or exchanging electronic communications content; including data used to trace and identify the source and destination of a communication, data on the location of the device generated in the context of providing electronic communications services, and the date, time, duration and the type of communication; |
(c) ‘electronic communications metadata’ means data related to a user or electronic communications service, processed for the purposes of transmitting, distributing or exchanging electronic communications content and any other communications related data processed for the provision of the service, which is not considered content; including data to trace and identify the source and destination of a communication, and the date, time, duration and the type of communication; it includes data broadcasted or emitted by the terminal equipment to identify users' communications and/or the terminal equipment or its location and enable it to connect to a network or to another device; |
Justification: This amendment serves to clarify the exact concept of metadata, as underlined by the Article 29 Working Party, scholars and case-law authorities. |
The definition proposed by the EC was particularly incomplete: it only covered data processed "in a network" and excluded data processed by services
Amendment 59 +
Amendment 59 | |
Confidentiality of electronic communications shall also include terminal equipment and machine-to-machine communications when related to a user. |
Clarification
Amendment 342 +
Amendment 342 | |
(c) electronic communications services which are not publicly available; |
(c) electronic communications services which are not publicly available pursuant to Article 2(2)(c) of Regulation (EU) No 2016/679; |
Justification: The household exemption introduced by Article 2(2)(c) of Regulation (EU) No 2016/679 should also apply to this regulation. |
This would limit the scope of the initial limitation ("closed network") proposed by the EC. Not every "closed networks" (at work, typically) would be excluded from the scope of this Regulation anymore, but only those provided by individuals for their household activities
Amendment 345 +
Amendment 345 | |
1. This Regulation applies to: |
1. This Regulation applies to the activities referred to in Article 2 where the user or subscriber is in the Union, where the communications services, hardware, software, directories, or direct marketing commercial electronic communications are provided from the territory of the Union, or where the the processing of information related to or processed by the terminal equipment of users or subscribers takes place in the Union. |
Clarifies the scope of the Regulation
Amendment 349 +
Amendment 349 | |
(a) the provision of electronic communications services to end-users in the Union, irrespective of whether a payment of the end-user is required; |
(a) the provision of electronic communications services to end-users in the Union, irrespective of whether the provider is located inside the EU, and irrespective of whether a payment of the end-user is required; |
Clarifies the scope of the Regulation
Amendment 352 +
Amendment 352 | |
(c) the protection of information related to the terminal equipment of end-users located in the Union. |
(c) the protection of information related to or processed by the terminal equipment of end-users located in the Union. |
Clarifies the scope of the Regulation
Amendment 381 ++
Amendment 381 | |
(c) ‘electronic communications metadata’ means data processed in an electronic communications network for the purposes of transmitting, distributing or exchanging electronic communications content; including data used to trace and identify the source and destination of a communication, data on the location of the device generated in the context of providing electronic communications services, and the date, time, duration and the type of communication; |
(c) 'electronic communications metadata' means all data processed for the purposes of transmitting, distributing or exchanging electronic communications content; including data used to trace and identify the source and destination of a communication, electronic identifiers and any other data broadcasted or emitted by the terminal equipment, data on the location of the terminal equipment processed in the context of providing electronic communications services, and the date, time, duration and the type of communication; where metadata of other electronic communications services or protocols are transmitted, distributed or exchanged by using the respective service, they shall be considered electronic communications content for the respective service; |
Justification: With the clarification on "data broadcasted or emitted" in the definition of “metadata”, Article 8(2) can be deleted, as it is covered by Art.6(2).Last sentence:See explanatory recital (14a) on the separation and encapsulation of protocol layers. |
Drastically resolves the device-tracking issue + corrects the incomplete definition of metadata (which only covered data processed "in a network")
Amendment 382 ++
Amendment 382 | |
(c) ‘electronic communications metadata’ means data processed in an electronic communications network for the purposes of transmitting, distributing or exchanging electronic communications content; including data used to trace and identify the source and destination of a communication, data on the location of the device generated in the context of providing electronic communications services, and the date, time, duration and the type of communication; |
(c) 'electronic communications metadata' means all data processed for the purposes of transmitting, distributing or exchanging electronic communications content; including data used to trace and identify the source and destination of a communication, electronic identifiers and any other data broadcasted or emitted by the terminal equipment, data on the location of the terminal equipment processed in the context of providing electronic communications services, and the date, time, duration and the type of communication; where metadata of other electronic communications services or protocols are transmitted, distributed or exchanged by using the respective service, they shall be considered electronic communications content for the respective service; |
Drastically resolves the device-tracking issue + corrects the incomplete definition of metadata (which only covered data processed "in a network")
Amendment 383 +
Amendment 383 | |
(c) ‘electronic communications metadata’ means data processed in an electronic communications network for the purposes of transmitting, distributing or exchanging electronic communications content; including data used to trace and identify the source and destination of a communication, data on the location of the device generated in the context of providing electronic communications services, and the date, time, duration and the type of communication; |
(c) ‘electronic communications metadata’ means all data processed for the purpose of transmitting, distributing or exchanging electronic communications content; including data used to trace and identify the source and destination of a communication, data on the location of the device generated in the context of providing electronic communications services, and the date, time, duration and the type of communication; |
corrects the incomplete definition of metadata (which only covered data processed "in a network")
Confidentiality of communications
Bad
Amendment 395 --
Amendment 395 | |
Confidentiality of electronic communications data |
Confidentiality of electronic communications content |
Would exclude metadata from the scope of the Regulation
Amendment 397 --
Amendment 397 | |
Electronic communications data shall be confidential. Any interference with electronic communications data, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing of electronic communications data, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation. |
Electronic communications data shall be confidential. Any interference with electronic communications data during conveyance, such as by unauthorised listening, tapping, storing, scanning or other kinds of interception, or surveillance of electronic communications data, by persons other than the sender or intended recipients, shall be prohibited, except when permitted by Union or national legislation. The processing of electronic communications data following conveyance to the intended recipients or their service provider shall be subject to Regulation (EU) 2016/679. |
Would allow the processing of stored communications for "legitimate interests" (without consent) ; this is what Gmail used to do, typically
Amendment 402 --
Amendment 402 | |
Electronic communications data shall be confidential. Any interference with electronic communications data, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing of electronic communications data, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation. |
Electronic communications data shall be confidential. Any interference with electronic communications data during conveyance, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing of electronic communications content, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation. |
Justification: It is justifiable for electronic communication content to be protected against interference by third parties, with special requirements for the processing of content pursuant to Article 6(3) of the proposal.This does not apply to the processing of electronic communication metadata to which the principle of confidentiality is not relevant.Personal metadata may reveal personal information, but their processing is governed by Regulation (EU) No 2016/679. |
Excludes metadata from the principle of confidentiality + would allow the processing of stored communications for "legitimate interests" (without consent) ; this is what Gmail used to do, typically
Amendment 403 -
Amendment 403 | |
Electronic communications data shall be confidential. Any interference with electronic communications data, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing of electronic communications data, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation. |
Electronic communications data shall be confidential. Any interference with electronic communications data, such as by unauthorised listening, tapping, storing, monitoring, scanning or other kinds of interception, or surveillance, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation. |
Limit the scope of the confidentiality principle
Amendment 404 --
Amendment 404 | |
Electronic communications data shall be confidential. Any interference with electronic communications data, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing of electronic communications data, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation. |
Electronic communications data shall be confidential. Any interference with electronic communications data during transmission, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception or surveillance, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation. |
Would allow the processing of stored communications for "legitimate interests" (without consent) ; this is what Gmail used to do, typically
Amendment 405 -
Amendment 405 | |
Electronic communications data shall be confidential. Any interference with electronic communications data, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing of electronic communications data, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation. |
Electronic communications data shall be confidential. Any interference with electronic communications data, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception or surveillance of electronic communications data, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation. |
Limit the scope of the confidentiality principle
Amendment 408 -
Amendment 408 | |
The prohibition of interception is not intended to prohibit access to electronic communications data by an electronic communications service provider or electronic communications network operator for purposes of conveying communications or for legitimate purposes related to the operation and protection of such services and networks consistent with obligations under Regulation (EU) 2016/679, Directive (EU) 2016/1148 and Regulation (EU) 2015/2120. |
Unnecessary and dangerously ambiguous: "the legitimate purposes related to the operation" of service may lead to loopholes similar to "legitimate interests"
Amendment 441 --
Amendment 441 | |
(b a) it is necessary for the purpose of the legitimate interests of the provider except where such interests are overridden by the interests or fundamental rights and freedoms of the consumers concerned; |
No legitimate interest!!
Amendment 471 --
Amendment 471 | |
(c) the end-user concerned has given his or her consent to the processing of his or her communications metadata for one or more specified purposes, including for the provision of specific services to such end-users, provided that the purpose or purposes concerned could not be fulfilled by processing information that is made anonymous. |
(c) a legitimate ground in accordance with Article 6 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (‘General Data Protection Regulation’) is applicable. |
This would allow processing of metadata for any "legitimate interest", which is currently and rightly forbidden
Amendment 472 --
Amendment 472 | |
(c a) the processing of these data for another specified purpose is compatible with the purpose for which the data were initially collected and is subject to specific safeguards, especially pseudonymisation, as set forth in Article 6(4) of Regulation (EU) 2016/679;or |
This would allow processing of metadata for any "further processing", which is currently and rightly forbidden
Amendment 473 --
Amendment 473 | |
(c a) the processing of electronic communications metadata for one or more specified purposes is compatible with the purposes for which the data were initially collected, as set forth under point (4) of Article 6 of Regulation (EU) 2016/679. |
This would allow processing of metadata for any "further processing", which is currently and rightly forbidden
Amendment 474 --
Amendment 474 | |
(c a) the further processing of electronic communications metadata is compatible with the purposes for which the data were initially collected, as set forth under point (4) of Art. 6 of Regulation (EU)2016/679. |
This would allow processing of metadata for any "further processing", which is currently and rightly forbidden
Amendment 475 --
Amendment 475 | |
(c a) processing is allowed pursuant to Articles 6(1) or 6(4) of Regulation (EU) 2016/679. |
This would allow processing of metadata for both "legitimate interest" and "further processing", which is currently and rightly forbidden
Amendment 476 --
Amendment 476 | |
(c b) it is necessary, in accordance with Article 6(1)(f) of Regulation (EU) 2016/679, for the purposes of the legitimate interests pursued by the service provider or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. |
This would allow processing of metadata for any "legitimate interest", which is currently and rightly forbidden
Amendment 478 --
Amendment 478 | |
2 a. Article 6 of Regulation (EU) No 2016/679 shall apply. | |
Justification: Article 6 of Regulation (EU) No 2016/679 already regulates the lawfulness of processing, and should therefore apply here. |
This would allow processing of metadata for both "legitimate interests" and "further processing", which is currently and rightly forbidden
Amendment 479 --
Amendment 479 | |
2 a. Art.6 of Regulation (EU) 2016/679 shall apply; |
This would allow processing of metadata for both "legitimate interests" and "further processing", which is currently and rightly forbidden
Amendment 480 --
Amendment 480 | |
3. Providers of the electronic communications services may process electronic communications content only: |
3. Providers of the electronic communications services may process electronic communications content in accordance with Art. 6 of Regulation (EU) 2016/679 and to the extent the processing of all end-user electronic communications content for one or more specified purposes cannot be fulfilled by processing information that is made anonymous; |
This would allow processing of communications content for both "legitimate interests" and "further processing", which is currently and rightly forbidden
Amendment 485 -
Amendment 485 | |
(a) for the sole purpose of the provision of a specific service to an end-user, if the end-user or end-users concerned have given their consent to the processing of his or her electronic communications content and the provision of that service cannot be fulfilled without the processing of such content; or |
(a) the user concerned has given his or her consent to the processing of his or her electronic communications content for the sole purpose of the provision of a specific service explicitly requested by the user, for the duration necessary for that purpose, , provided that the provision of that specific service cannot be fulfilled without the processing of such content by the provider, and the consent has not been a condition to access or use a service; or |
This would allow processing of content of communications without the consent of all end-users
Amendment 486 -
Amendment 486 | |
(a) for the sole purpose of the provision of a specific service to an end-user, if the end-user or end-users concerned have given their consent to the processing of his or her electronic communications content and the provision of that service cannot be fulfilled without the processing of such content; or |
(a) the user concerned has given his or her consent to the processing of his or her electronic communications content for the sole purpose of the provision of a specific service explicitly requested by the user, for the duration necessary for that purpose, , provided that the provision of that specific service cannot be fulfilled without the processing of such content by the provider, and the consent has not been a condition to access or use a service; or |
This would allow processing of content of communications without the consent of all end-users
Amendment 488 --
Amendment 488 | |
(a) for the sole purpose of the provision of a specific service to an end-user, if the end-user or end-users concerned have given their consent to the processing of his or her electronic communications content and the provision of that service cannot be fulfilled without the processing of such content; or |
(a) for the sole purpose of the provision of a specific service to an end-user, if the end-user or end-users concerned have given their consent to the processing of his or her electronic communications content, or the provision of that service cannot be fulfilled without the processing of such content; or |
This would allow to process the content of communications without any consent simply because the purpose cannot be fulfilled with anonymous data
Amendment 489 -
Amendment 489 | |
(a) for the sole purpose of the provision of a specific service to an end-user, if the end-user or end-users concerned have given their consent to the processing of his or her electronic communications content and the provision of that service cannot be fulfilled without the processing of such content; or |
(a) for the sole purpose of the provision of a specific service to an end-user, if the end-user concerned has given his or her consent to the processing of his or her electronic communications content and the provision of that service cannot be fulfilled without the processing of such content; or |
This would allow processing of content of communications without the consent of all end-users
Amendment 490 -
Amendment 490 | |
(b) if all end-users concerned have given their consent to the processing of their electronic communications content for one or more specified purposes that cannot be fulfilled by processing information that is made anonymous, and the provider has consulted the supervisory authority. Points (2) and (3) of Article 36 of Regulation (EU) 2016/679 shall apply to the consultation of the supervisory authority. |
(b) if service providers' end-users have consented to the processing of their electronic communications pursuant to Regulation (EU) 2016/679. |
This would allow processing of content of communications without the consent of all end-users (users not using the service are not required to consent, such as users sending emails to Gmail users)
Amendment 496 --
Amendment 496 | |
3 a. In so far as providers of electronic communications services are processing and receiving communications content to and by the end-user, the provisions of this regulation shall not apply but regulation (EU) 2016/679. |
This would make this Regulation completely ineffective and allow "legitimate interest" and "further processing"
Amendment 497 --
Amendment 497 | |
3 b. (a) The service provider may collect and use the personal data of a recipient of a service only to the extent necessary to enable and invoice the use of services (data on usage).Data on usage are in particular characteristics to identify the recipient of the service, details of the beginning and end of the scope of the respective usage, and details of the services used by the recipient of the service. | |
(b) The service provider may collate a recipient's usage data regarding the use of different services to the extent necessary for invoicing the recipient of the service. | |
(c) For the purposes of advertising, market research or in order to design the services in a needs-based manner, the service provider may produce profiles of usage based on pseudonyms to the extent that the recipient of the service does not object to this.The service provider must refer the recipient of the service to his right of refusal.These profiles of usage must not be collated with data on the bearer of the pseudonym without his consent (opt-in). |
This would simply allow processing for commercial purposes without any consent or even a "legitimate interest". This would be even less protective than the GDPR.
Amendment 498 --
Amendment 498 | |
Article 7 |
deleted |
Storage and erasure of electronic communications data |
|
1. Without prejudice to point (b) of Article 6(1) and points (a) and (b) of Article 6(3), the provider of the electronic communications service shall erase electronic communications content or make that data anonymous after receipt of electronic communication content by the intended recipient or recipients. Such data may be recorded or stored by the end-users or by a third party entrusted by them to record, store or otherwise process such data, in accordance with Regulation (EU) 2016/679. |
|
2. Without prejudice to point (b) of Article 6(1) and points (a) and (c) of Article 6(2), the provider of the electronic communications service shall erase electronic communications metadata or make that data anonymous when it is no longer needed for the purpose of the transmission of a communication. |
|
3. Where the processing of electronic communications metadata takes place for the purpose of billing in accordance with point (b) of Article 6(2), the relevant metadata may be kept until the end of the period during which a bill may lawfully be challenged or a payment may be pursued in accordance with national law. |
This would destroy the basis of the ePrivacy directive and of the confidentiality of communications: that communications must be deleted once transmitted
Good
Amendment 67 +
Amendment 67 | |
(c) the end-user concerned has given his or her consent to the processing of his or her communications metadata for one or more specified purposes, including for the provision of specific services to such end-users, provided that the purpose or purposes concerned could not be fulfilled by processing information that is made anonymous. |
(c) after receiving all relevant information about the intended processing in clear and easily understandable language, provided separately from the terms and conditions of the provider, the user or users concerned have given their specific consent to the processing of their communications metadata for one or more specified purposes, including for the provision of specific services to such users, provided that the purpose or purposes concerned could not be fulfilled without the processing of such metadata. |
The Proposal only requires the consent of one user, which is both ambiguous (which user?) and unjustified (why other users should not give their consent?). This amendment would correct that issue but can be much clearer by requiring the consent of "all users concerned" (speaking about "the users or users" may still be ambiguous)
Amendment 69 +
Amendment 69 | |
(a) for the sole purpose of the provision of a specific service to an end-user, if the end-user or end-users concerned have given their consent to the processing of his or her electronic communications content and the provision of that service cannot be fulfilled without the processing of such content; or |
(a) for the sole purpose of the provision of a specific service requested by the user, if the users concerned have given their specific consent to the processing of their electronic communications content and the provision of that specific service cannot be fulfilled without the processing of such content; or |
Clarifies the ambiguous "the end-user or end-users".
Amendment 72 ++
Amendment 72 | |
3b. Neither providers of electronic communications services, nor any other party, shall further process electronic communications data collected on the basis of this Regulation. |
Excludes the extremely dangerous derogation of "further processing" required by big companies
Amendment 73 ++
Amendment 73 | |
1. Without prejudice to point (b) of Article 6(1) and points (a) and (b) of Article 6(3), the provider of the electronic communications service shall erase electronic communications content or make that data anonymous after receipt of electronic communication content by the intended recipient or recipients. Such data may be recorded or stored by the end-users or by a third party entrusted by them to record, store or otherwise process such data, in accordance with Regulation (EU) 2016/679. |
1. Without prejudice to point (b) of Article 6(1) and points (a) and (b) of Article 6(3), the provider of the electronic communications service shall erase electronic communications content after receipt of electronic communication content by the intended recipient or recipients. Such data may be recorded or stored by the users or by a specific other party entrusted by them to record, store or otherwise process such data. |
The content of communications can almost never be made anonymous + we should always be able to choose the primary purposes for which the ideas we express can be used, anonymised or not (this is part of our freedom of expression)
Amendment 399 +
Amendment 399 | |
Electronic communications data shall be confidential. Any interference with electronic communications data, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing of electronic communications data, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation. |
1. Electronic communications shall be confidential. Any processing of electronic communications data, including any interference with electronic communications data such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance of electronic communications data, by persons other than the users, shall be prohibited, except when permitted by this Regulation. This includes electronic communications data that is stored after the transmission has been completed. |
Justification: First part clarifies that all processing of communications data is covered by this Regulation, not only processing that can be interpreted as “interference”.Last part as recommended by the EDPS, in order to make it future-proof for cloud-based services. |
Clarifies the protection
Amendment 400 +
Amendment 400 | |
Electronic communications data shall be confidential. Any interference with electronic communications data, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing of electronic communications data, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation. |
Electronic communications shall be confidential. Any processing of electronic communications data, including any interference with electronic communications data such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance of electronic communications data, by persons other than the users, shall be prohibited, except when permitted by this Regulation. This includes electronic communications data that is stored after the transmission has been completed. |
Clarifies the protection
Amendment 401 +
Amendment 401 | |
Electronic communications data shall be confidential. Any interference with electronic communications data, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing of electronic communications data, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation. |
Electronic communications data shall be confidential. Any interference with electronic communications data regardless of whether this data is in transit or stored, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or any processing of electronic communications data, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation. |
Clarifies the protection
Amendment 406 ++
Amendment 406 | |
Neither providers of electronic communication services, nor any third parties, shall process electronic communications data collected on the basis of consent or any other legal ground under this Regulation on any other legal basis not specifically provided for in this Regulation |
Excludes the extremely dangerous derogation of "further processing" required by big companies
Amendment 409 +
Amendment 409 | |
2.Confidentiality of electronic communications shall also apply to data related to or processed by terminal equipment and to machine-to-machine communication. | |
Justification: Communications providers should also protect communications related to automated supply chains and any other M2M communication.This protects confidential business information. |
Clarifications
Amendment 410 +
Amendment 410 | |
Confidentiality of electronic communications shall also apply to data related to or processed by terminal equipment and to machine-to-machine communication. |
Clarifications
Amendment 465 ++
Amendment 465 | |
(c) the end-user concerned has given his or her consent to the processing of his or her communications metadata for one or more specified purposes, including for the provision of specific services to such end-users, provided that the purpose or purposes concerned could not be fulfilled by processing information that is made anonymous. |
(c) the user or users concerned have given their specific consent to the processing of their communications metadata by the respective electronic communications service for one or more specified purposes, including for the provision of specific services to such users, provided that the purpose or purposes concerned could not be fulfilled by processing data that is made anonymous, and the consent has not been a condition to access or use a service. |
Strengthens what a "freely given consent" is + The initial proposal only requires the consent of one user, which is both ambiguous (which user?) and unjustified (why other users should not give their consent?): this amendment would correct that issue but can be much clearer by requiring the consent of "all users concerned" (speaking about "the users or users" may still be ambiguous)
Amendment 466 ++
Amendment 466 | |
(c) the end-user concerned has given his or her consent to the processing of his or her communications metadata for one or more specified purposes, including for the provision of specific services to such end-users, provided that the purpose or purposes concerned could not be fulfilled by processing information that is made anonymous. |
(c) the user or users concerned have given their specific consent to the processing of their communications metadata by the respective electronic communications service for one or more specified purposes, including for the provision of specific services to such users, provided that the purpose or purposes concerned could not be fulfilled by processing data that is made anonymous, and the consent has not been a condition to access or use a service. |
Strengthens what a "freely given consent" is + The initial proposal only requires the consent of one user, which is both ambiguous (which user?) and unjustified (why other users should not give their consent?): this amendment would correct that issue but can be much clearer by requiring the consent of "all users concerned" (speaking about "the users or users" may still be ambiguous)
Amendment 470 +
Amendment 470 | |
(c) the end-user concerned has given his or her consent to the processing of his or her communications metadata for one or more specified purposes, including for the provision of specific services to such end-users, provided that the purpose or purposes concerned could not be fulfilled by processing information that is made anonymous. |
(c) the end-user or end-users concerned have given his or her consent to the processing of his or her communications metadata for one or more specified purposes, including for the provision of specific services to such end-users, provided that the purpose or purposes concerned could not be fulfilled by processing information that is made anonymous. |
The initial proposal only requires the consent of one user, which is both ambiguous (which user?) and unjustified (why other users should not give their consent?): this amendment would correct that issue but can be much clearer by requiring the consent of "all users concerned" (speaking about "the users or users" may still be ambiguous)
Amendment 495 +
Amendment 495 | |
3 a. Without prejudice to paragraphs 1, 2 and 3, neither providers of the electronic communications services, nor any other party, shall process electronic communications data collected on the basis of this Regulation, for further processing. |
Clearly forbids "further processing"
Online tracking
Bad
Amendment 80 -
Amendment 80 | |
(d) if it is necessary for web audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user. |
(d) if it is technically necessary for web audience measuring of the information society service requested by the user, provided that such measurement is carried out by the provider, or on behalf of the provider, or by an independent web analytics agency acting in the public interest or for scientific purpose; and further provided that no personal data is made accessible to any other party and that such web audience measurement does not adversely affect the fundamental rights of the user; |
This amendment is worst than the initial proposal: web audience should not be lawful without users' consent nor where carried out by third parties
Amendment 519 --
Amendment 519 | |
1. The use of processing and storage capabilities of terminal equipment and the collection of information from end-users’ terminal equipment, including about its software and hardware, other than by the end-user concerned shall be prohibited, except on the following grounds: |
1. Without prejudice to paragraph 2 of this Article, the storage or collection of personal data from consumers' terminal equipment, including about its software and hardware, other than by the consumer concerned shall be prohibited, except on the following grounds: |
This would allow to use the processing capabilities (for advertising, for instance) of terminals without consent
Amendment 525 --
Amendment 525 | |
(b) the end-user has given his or her consent; or |
(b) the end-user has given his or her consent or there is another legitimate ground within the meaning of Article 6 of Regulation (EU) 2016/679; or |
This would allow tracking for both "legitimate interest" and "further processing", which is currently and rightly forbidden
Amendment 526 --
Amendment 526 | |
(b) the end-user has given his or her consent; or |
(b) the use of their terminal equipment for one or more specific purposes is in accordance with Art. 6 of Regulation (EU) 2016/679; or |
This would allow tracking for both "legitimate interest" and "further processing", which is currently and rightly forbidden
Amendment 528 --
Amendment 528 | |
(b a) the information is or is rendered pseudonymous or anonymous;or |
This would allow tracking for any purpose without consent, which is currently and rightly forbidden
Amendment 529 -
Amendment 529 | |
(c) it is necessary for providing an information society service requested by the end-user; or |
(c) it is necessary for providing an information society service requested by the end-user, particularly in order to preserve the integrity or security of the information society service or access to it, to improve what is offered or for measures to protect against unauthorised use of the service in accordance with the terms and conditions of use relating to the provision of services to the end-user; or |
"improving what is offered" is not a clear enough purpose + users would gladly consent to any processing really improving what they get. Thus, this amendment intends to allow unwanted processing: how can they be regarded as able to "improve what is offered"?
Amendment 530 -
Amendment 530 | |
(c) it is necessary for providing an information society service requested by the end-user; or |
(c) it is necessary for providing an information society service requested by the end-user which shall include inter alia maintaining, operating and managing the integrity, access or security of the information society service, enhancing user experience or measures for preventing unauthorized access to or use of the information society service according to the terms of use for making available the service to the end-user; or |
"enhancing user experience" is not a clear enough purpose + users would gladly consent to any processing really improving what they get. Thus, this amendment intends to allow unwanted processing: how can they be regarded as "enhancing user experience"?
Amendment 531 -
Amendment 531 | |
(c) it is necessary for providing an information society service requested by the end-user; or |
(c) it is necessary for providing an information society service requested by the end-user which shall include inter alia maintaining, operating and managing the integrity, access or security of the information society service, enhancing user experience or measures for preventing unauthorised access to or use of the information society service according to the terms of use for making available the service to the end-user; or |
"enhancing user experience" is not a clear enough purpose + users would gladly consent to any processing really improving what they get. Thus, this amendment intends to allow unwanted processing: how can they be regarded as "enhancing user experience"?
Amendment 532 -
Amendment 532 | |
(c) it is necessary for providing an information society service requested by the end-user; or |
(c) it is necessary for providing an information society service requested by the end-user which shall include inter alia maintaining, operating and managing the integrity, access or security of the information society service, enhancing user experience or measures for preventing unauthorized access to or use information society service according to the terms of use for making available the service to the end-user; or |
"enhancing user experience" is not a clear enough purpose + users would gladly consent to any processing really improving what they get. Thus, this amendment intends to allow unwanted processing: how can they be regarded as "enhancing user experience"?
Amendment 533 -
Amendment 533 | |
(c) it is necessary for providing an information society service requested by the end-user; or |
(c) it is necessary for providing an information society service requested by the end-user especially in order to secure the integrity, security and access of the information society service, to enhance user experience or for measures to protect against unauthorised use or access to the information society services in agreement with the terms of use for making available the service to the end-user; or |
"enhancing user experience" is not a clear enough purpose + users would gladly consent to any processing really improving what they get. Thus, this amendment intends to allow unwanted processing: how can they be regarded as "enhancing user experience"?
Amendment 534 -
Amendment 534 | |
(c) it is necessary for providing an information society service requested by the end-user; or |
(c) it is necessary for providing an information society service requested by the end-user, particularly in order to preserve the integrity or security of the information society service or access to it, to improve what is offered or for measures to protect against unauthorised use of the service in accordance with the terms and conditions of use relating to the provision of services to the end-user; or |
"enhancing user experience" is not a clear enough purpose + users would gladly consent to any processing really improving what they get. Thus, this amendment intends to allow unwanted processing: how can they be regarded as "enhancing user experience"?
Amendment 538 -
Amendment 538 | |
(c b) it is necessary for scientific research purposes, provided that the controller plans appropriate technical and organisational measures to safeguard the rights and freedoms of the user and the processed personal data will be anonymised as soon as possible according to the research purpose. |
Scientific research purposes does not need to bypass users consent: if a research is legitimate, user will gladly accept it. The "research exemption" of the GDPR is legitimate because the GDPR covers situation where consent can hardly be obtained. This Regulation does not cover such situation (quite the opposite, actually).
Amendment 541 -
Amendment 541 | |
(d) if it is necessary for web audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user. |
(d) if it is necessary to obtain information about technical quality or effectiveness of an information society service that has been delivered, to understand and optimize web usage or about terminal equipment functionality, and it has no or little impact on the privacy of the end-user concerned; or |
The "effectiveness" of a website is a completely vague purpose. What does being effective mean for a website which purpose is to be visited by as many people as possible? How is it measurable? By monitoring every act of its users? This exemption is way too broad and dangerous.
Amendment 542 -
Amendment 542 | |
(d) if it is necessary for web audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user. |
(d) if it is technically necessary for web audience measuring of the information society service requested by the user, provided that such measurement is carried out by the provider, or on behalf of the provider, or by an independent web analytics organization acting in the public interest or for statistical or scientific purpose; and further provided that no personal data is made accessible to any other party and that such web audience measurement does not adversely affect the fundamental rights of the user; |
This amendment is worst than the initial proposal: web audience should not be lawful without users' consent nor where carried out by third parties
Amendment 543 -
Amendment 543 | |
(d) if it is necessary for web audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user. |
(d) if it is necessary for audience measuring, provided that such measurement is carried out by, or on behalf of, the provider of the information society service requested by the end-user, including measurement of indicators for the use of information society services in order to calculate a payment due; or |
This amendment is worst than the initial proposal: web audience should not be lawful without users' consent nor where carried out by third parties
Amendment 549 -
Amendment 549 | |
(d) if it is necessary for web audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user. |
(d) it is necessary for web audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user or another party acting on their behalf;. |
This amendment is worst than the initial proposal: web audience should not be lawful without users' consent nor where carried out by third parties
Amendment 550 -
Amendment 550 | |
(d) if it is necessary for web audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user. |
(d) if it is necessary for web audience measuring, provided that such measurement is controlled by the provider of the information society service requested by the end-user. |
This amendment is worst than the initial proposal: web audience should not be lawful without users' consent nor where carried out by third parties
Amendment 552 --
Amendment 552 | |
(d a) a clear and prominent notice is displayed informing of, at least, the modalities of the collection, its purpose, the person responsible for it and the other information required under Article 13 of Regulation (EU) 2016/679 where personal data are collected, as well as any measure the end-user of the terminal equipment can take to stop or minimise the collection. | |
The collection of such information shall be conditional on the application of appropriate technical and organisational measures to limit the collection and processing of information to the purposes required therefor and ensure a level of security appropriate to the risks, as set out in Article 32 of Regulation (EU) 2016/679, have been applied, for example by means of pseudonymisation of information collected pursuant to Article 4(5) of Regulation (EU) No 2016/679. |
This would allow tracking without consent or without pursuing any "legitimate interest" of any kind
Amendment 558 -
Amendment 558 | |
(d a) it is necessary for scientific and statistical research purposes authorized by the provider of the information society service requested by the end-user;or |
Scientific research purposes does not need to bypass users consent: if a research is legitimate, user will gladly accept it. The "research exemption" of the GDPR is legitimate because the GDPR covers situation where consent can hardly be obtained. This Regulation does not cover such situation (quite the opposite, actually).
Amendment 561 --
Amendment 561 | |
(d a) under the conditions as set out in point (b) of paragraph 2 and paragraph 3. |
This would allow tracking without consent or without pursuing any "legitimate interest" of any kind
Amendment 565 --
Amendment 565 | |
(d b) the processing of these data and information for another specified purpose is compatible with the purpose for which the data were initially collected and is subject to specific safeguards, especially pseudonymisation, as set forth in Article 6(4) of Regulation (EU) 2016/679;or |
This would allow tracking for any "further processing", which is currently and rightly forbidden
Amendment 566 --
Amendment 566 | |
(d b) in order to mark terminal equipment for advertising purposes, on condition that the person responsible has clearly informed the end-user of this at the beginning of the data processing and has provided an opportunity for objection that is easy to exercise.;or |
This would allow advertising tracking without consent or without pursuing any "legitimate interest" of any kind
Amendment 567 --
Amendment 567 | |
(d b) in order to mark terminal equipment for advertising purposes, on condition that the person responsible has clearly informed the end-user of this at the beginning of the data processing and has provided an opportunity for objection that is easy to exercise;or |
This would allow advertising tracking without consent or without pursuing any "legitimate interest" of any kind
Amendment 568 --
Amendment 568 | |
(d c) it is necessary, in accordance with Article 6(1)(f) of Regulation (EU) 2016/679 for the purposes of the legitimate interests pursued by the service provider or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. |
This would allow tracking for any "legitimate interest", which is currently and rightly forbidden
Amendment 569 --
Amendment 569 | |
(d c) it is necessary for the purpose of the legitimate interests of the provider of the terminal equipment and its operating software, an electronic communications service or an information society service, except where such interests are overridden by the interests of fundamental rights and freedoms of the end-user.;or |
This would allow tracking for any "legitimate interest", which is currently and rightly forbidden
Amendment 576 --
Amendment 576 | |
1 a. Wherever a clearly formulated declaration of consent is presented before use of a service or access to online content, and if absence of consent for processing prevents a provider from collecting remuneration through their usual means, the provider shall not be obliged to provide the full access to the service or content. |
Would prevent any consent from being freely given, in contradiction with the GDPR and with what is acceptable
Amendment 580 --
Amendment 580 | |
1 b. a clear and prominent notice is displayed to the public informing of, at least, the modalities of the collection, its purpose, the person responsible for it and the other information required under Article 13 of Regulation 2016/679/EU where personal data are collected, as well as any measure the end-user of the terminal equipment can take to stop or minimize the collection.The collection of such information shall be conditional on the application of appropriate technical and organization measures to ensure that the collection and processing of information is limited to what is necessary in relation to the purposes of processing and to ensure a level of security appropriate to the risks, as set out in Article 32 of Regulation 2016/679/EU, have been applied, which may inter alia include pseudonymisation of the information collected as set out in Art. 4 (5) of Regulation (EU) 2016/679. |
This would allow tracking without consent or without pursuing any "legitimate interest" of any kind
Good
Amendment 76 +
Amendment 76 | |
1. The use of processing and storage capabilities of terminal equipment and the collection of information from end-users’ terminal equipment, including about its software and hardware, other than by the end-user concerned shall be prohibited, except on the following grounds: |
1. The use of processing and storage capabilities of terminal equipment and the collection of information from users’ terminal equipment, or making information available through the terminal equipment, including information about or generated by its software and hardware, other than by the user concerned shall be prohibited, except on the following grounds: |
Clarifications
Amendment 78 ++
Amendment 78 | |
(b) the end-user has given his or her consent; or |
(b) the user has given his or her specific consent, which shall not be mandatory to access the service; or |
Forbids tracking-wall and guarantees freedom of choice
Amendment 83 ++
Amendment 83 | |
1a. No user shall be denied access to any information society service or functionality, regardless of whether this service is remunerated or not, on grounds that he or she has not given his or her consent under Article 8(1)(b) to the processing of personal information and/or the use of storage capabilities of his or her terminal equipment that is not necessary for the provision of that service or functionality. |
Forbids tracking-wall and guarantees freedom of choice
Amendment 515 +
Amendment 515 | |
1. The use of processing and storage capabilities of terminal equipment and the collection of information from end-users’ terminal equipment, including about its software and hardware, other than by the end-user concerned shall be prohibited, except on the following grounds: |
1. The use of input, output, processing and storage capabilities of terminal equipment and the processing of information from users' terminal equipment, or making information available through the terminal equipment, including information about and processed by its software and hardware, other than by the user concerned shall be prohibited, except on the following grounds: |
Justification: Terminal equipment nowadays has multiple input and output channels, such as microphones, cameras, Bluetooth sensors etc. This clarification also prevents online services from listening etc. in the user’s physical environment without him or her being aware and having consented. |
Clarifications
Amendment 516 +
Amendment 516 | |
1. The use of processing and storage capabilities of terminal equipment and the collection of information from end-users’ terminal equipment, including about its software and hardware, other than by the end-user concerned shall be prohibited, except on the following grounds: |
1. The use of input, output, processing and storage capabilities of terminal equipment and the processing of information from users' terminal equipment, or making information available through the terminal equipment, including information about and processed by its software and hardware, other than by the user concerned shall be prohibited, except on the following grounds: |
Clarifications
Amendment 523 ++
Amendment 523 | |
(b) the end-user has given his or her consent; or |
(b) the user has given his or her consent for a specific purpose, and the consent has not been a condition to access or use a service or use a terminal equipment, for the duration strictly technically necessary for that purpose; or |
Strengthens what a "freely given consent" is
Amendment 524 +
Amendment 524 | |
(b) the end-user has given his or her consent; or |
(b) the user has given his or her consent for a specific purpose, and the consent has not been a condition to access or use a service or use a terminal equipment, for the duration strictly technically necessary for that purpose; or |
Strengthens what a "freely given consent" is
Amendment 539 ++
Amendment 539 | |
(d) if it is necessary for web audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user. |
deleted |
Justification: Audience measuring should be based on consent and therefore is covered by (b).This is also the approach in the existing e-Privacy Directive 2002/58/EC and should therefore be maintained, in order to not lower the level of protection.Point (c) continues to allow for function cookies, whereas tracking cookies should remain under opt-in. |
see justification
Amendment 540 ++
Amendment 540 | |
(d) if it is necessary for web audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user. |
deleted |
see previous amendment
Amendment 555 ++
Amendment 555 | |
(d a) The end-user shall not be denied access to an information society service or electronic communications service (whether these services are remunerated or not) on grounds that the end-user does not provide consent under point (b) of Article 8(1) or point (b) of Article 8(2) for processing any data that is not strictly necessary for the provision of that service. |
Clarifies what a "freely given consent" is
Amendment 563 +
Amendment 563 | |
(d b) The end-user shall not be denied any functionality of the terminal equipment on grounds that the end-user does not provide consent as set out in point (b) of Article 8(1) or point (b) of Article 8(2) for processing any data that is not strictly necessary for the functionality requested by the end-user. |
Clarifies what a "freely given consent" is
Amendment 575 ++
Amendment 575 | |
1 a. No one shall be denied access to any information society services or to the functionality of interconnected equipment, regardless of the service concerned being remunerated or not: | |
- on grounds that he or she has not given his or her consent under Article 8(1)(b) to the processing of personal data that is not necessary for the provision of those services;and/ or, | |
- on grounds that he or she has installed software or applications to protect their information and terminal equipment. | |
Processing of data for purposes of providing targeted advertisements cannot be considered as necessary for the performance of a service. |
Clarifies what a "freely given consent" is
Offline tracking
Bad
Amendment 89 --
Amendment 89 | |
2a. For the purpose of point (ab) of paragraph 2, the following controls shall be implemented to mitigate the risks: | |
(a) the purpose of the data collection from the terminal equipment shall be restricted to mere statistical counting; and | |
(b) the tracking shall be limited in time and space to the extent strictly necessary for this purpose; and | |
(c) the data shall be deleted or anonymised immediately after the purpose is fulfilled; and | |
(d) the users shall be given effective opt-out possibilities. |
This amendment would authorize the processing of unanomized data for statistical counting, which may mean anything (how many people have visited a store during the last 6 month, how many times each, etc ? which implies to store personal data for a long duration)
Amendment 589 -
Amendment 589 | |
(b) a clear and prominent notice is displayed informing of, at least, the modalities of the collection, its purpose, the person responsible for it and the other information required under Article 13 of Regulation (EU) 2016/679 where personal data are collected, as well as any measure the end-user of the terminal equipment can take to stop or minimise the collection. |
(b) the information collected is or is rendered pseudonymous or anonymous and the data protection impact assessment and, if necessary, a prior consultation with the supervisory authority were carried out, as prescribed respectively in Article 35 and 36 of Regulation (EU) 2016/679, and a clear and prominent notice is displayed informing of, at least, the modalities of the collection, its purpose, the person responsible for it and the other information required under Article 13 of Regulation (EU) 2016/679 where personal data are collected, as well as any measure the end-user of the terminal equipment can take to stop or minimise the collection. |
Making the data pseudonymous does not protect tracked people from the tracker at all
Amendment 591 --
Amendment 591 | |
(b a) (a) the purpose of the data collection from the terminal equipment is restricted to mere statistical counting;and | |
(b) the tracking is limited in time and space to the extent strictly necessary for this purpose;and | |
(c) the data will be be deleted or anonymised immediately after the purpose is fulfilled;and | |
(d) the users are informed and given effective opt-out possibilities. |
This would authorize the processing of unanomized data for "statistical counting", which may mean anything (how many people have visited a store during the last 6 month, how many times each, etc ? which implies to store personal data for a long duration)
Amendment 592 -
Amendment 592 | |
(b a) it is necessary for protecting the confidentiality, integrity, availability, authenticity of the terminal equipment or of the electronic communications network or service, or for protecting the privacy, security or safety of the user. |
Protecting the "security and safety" of people against their will is rarely acceptable (and the context that would make it acceptable is not specified by this amendment) and would mainly be a pretext for surveillance (in protests and crowded events, typically)
Amendment 609 --
Amendment 609 | |
1. The definition of and conditions for consent provided for under Articles 4(11) and 7 of Regulation (EU) 2016/679/EU shall apply. |
1. The definition of and conditions for consent provided for under Articles 4(11) and 7 of Regulation (EU) 2016/679/EU shall apply. The application of Art. 7(4) of Regulation (EU) 2016/679/EU must not oblige providers of information society services to offer a service without data processing which the service provider means to provide together with the service like e.g. data processing for the purpose of advertising. |
Would prevent any consent from being freely given, in contradiction with the GDPR and with what is acceptable
Amendment 611 --
Amendment 611 | |
1. The definition of and conditions for consent provided for under Articles 4(11) and 7 of Regulation (EU) 2016/679/EU shall apply. |
1. The definition of and conditions for consent provided for under Articles 4(11) and Article 7 (1), (2), and (3) of Regulation (EU) 2016/679/EU shall apply. |
Justification: Legal basis for opt-in by the end-user based on informed browsing |
Would not require consent to be freely given (as required by the GDPR) any more
Amendment 612 --
Amendment 612 | |
1. The definition of and conditions for consent provided for under Articles 4(11) and 7 of Regulation (EU) 2016/679/EU shall apply. |
1. The definitions of and conditions for consent provided for under Articles 4(11) and 7(1), (2) and (3) of Regulation (EU) 2016/679 shall apply. |
Would not require consent to be freely given (as required by the GDPR) any more
Amendment 613 --
Amendment 613 | |
1. The definition of and conditions for consent provided for under Articles 4(11) and 7 of Regulation (EU) 2016/679/EU shall apply. |
1. The definition of and conditions for consent provided for under Articles 4(11) and 7 (1), (2), and (3) of Regulation (EU) 2016/679/EU shall apply. |
Would not require consent to be freely given (as required by the GDPR) any more
Amendment 614 --
Amendment 614 | |
1. The definition of and conditions for consent provided for under Articles 4(11) and 7 of Regulation (EU) 2016/679/EU shall apply. |
1. The definition of and conditions for consent provided for under Articles 4(11) and 7 (1), (2) and (3)of Regulation (EU) 2016/679/EU shall apply. |
Justification: The reference here to the conditions for consent laid down by Article 7 of Regulation (EU) No 2016/679/EU must at all events be limited to Article 7(1) to (3).The non-applicability of Article 7(4) of Regulation (EU) No 2016/679 to consent pursuant to Article 9 of the proposal for a regulation is necessary because, unlike in Regulation (EU) No 2016/679, data processing based on the general clause concerning justified interests is not provided for in this proposal. |
Would not require consent to be freely given (as required by the GDPR) any more. As regards the provided justification, we do not understand what "data processing based on the general clause concerning justified interests" means. It mays simply refer to the "legitimate interest" legal basis. But the lack of such basis in this Regulation would not justified to bypass consent (since the purpose of this Regulation is specifically to protect communications by requiring consent).
Amendment 616 --
Amendment 616 | |
1. The definition of and conditions for consent provided for under Articles 4(11) and 7 of Regulation (EU) 2016/679/EU shall apply. |
1. The definition of and conditions for consent provided for under Articles 4(11) of Regulation (EU) 2016/679/EU shall apply. |
Would not require consent to be freely given (as required by the GDPR) any more
Good
Amendment 84 +
Amendment 84 | |
(a) it is done exclusively in order to, for the time necessary for, and for the purpose of establishing a connection; or |
(a) it is done exclusively in order to, for the time necessary for, and for the sole purpose of establishing a connection requested by the user; or |
Would ensure that users are not directly harassed on their phones by spams, consent requests and such
Amendment 85 ++
Amendment 85 | |
(aa) the user has been informed and has given consent; or |
Device-tracking should only be lawful with our consent (this amendment corrects the absurdly dangerous proposal of the EC)
Amendment 86 +
Amendment 86 | |
(ab) the data are anonymised and the risks are adequately mitigated. |
Device-tracking is not "tracking" anymore if the data are anonymised, which is good
Amendment 87 ++
Amendment 87 | |
(b) a clear and prominent notice is displayed informing of, at least, the modalities of the collection, its purpose, the person responsible for it and the other information required under Article 13 of Regulation (EU) 2016/679 where personal data are collected, as well as any measure the end-user of the terminal equipment can take to stop or minimise the collection. |
deleted |
Device-tracking should only be lawful with our consent (this amendment corrects the absurdly dangerous proposal of the EC)
Amendment 583 ++
Amendment 583 | |
2. The collection of information emitted by terminal equipment to enable it to connect to another device and, or to network equipment shall be prohibited, except if: |
deleted |
(a) it is done exclusively in order to, for the time necessary for, and for the purpose of establishing a connection; or |
|
(b) a clear and prominent notice is displayed informing of, at least, the modalities of the collection, its purpose, the person responsible for it and the other information required under Article 13 of Regulation (EU) 2016/679 where personal data are collected, as well as any measure the end-user of the terminal equipment can take to stop or minimise the collection. |
|
The collection of such information shall be conditional on the application of appropriate technical and organisational measures to ensure a level of security appropriate to the risks, as set out in Article 32 of Regulation (EU) 2016/679, have been applied. |
|
Justification: See related amendment to Article 4:Since these data emissions are included in the definition of “metadata”, Article 8(2) can be deleted, as it is now covered by Article 6(2). |
This would restore the protection provided by current EU law: device tracking requires consent
Amendment 584 ++
Amendment 584 | |
2. The collection of information emitted by terminal equipment to enable it to connect to another device and, or to network equipment shall be prohibited, except if: |
deleted |
(a) it is done exclusively in order to, for the time necessary for, and for the purpose of establishing a connection; or |
|
(b) a clear and prominent notice is displayed informing of, at least, the modalities of the collection, its purpose, the person responsible for it and the other information required under Article 13 of Regulation (EU) 2016/679 where personal data are collected, as well as any measure the end-user of the terminal equipment can take to stop or minimise the collection. |
|
The collection of such information shall be conditional on the application of appropriate technical and organisational measures to ensure a level of security appropriate to the risks, as set out in Article 32 of Regulation (EU) 2016/679, have been applied. |
This would restore the protection provided by current EU law: device tracking requires consent
Amendment 588 ++
Amendment 588 | |
(b) a clear and prominent notice is displayed informing of, at least, the modalities of the collection, its purpose, the person responsible for it and the other information required under Article 13 of Regulation (EU) 2016/679 where personal data are collected, as well as any measure the end-user of the terminal equipment can take to stop or minimise the collection. |
(b) all relevant information about the intended processing is provided in clear and easily understandable language, provided separately from the terms and conditions of the provider, and if the end-user concerned has given his or her consent to the processing of the data for one or more specified purposes, including for the provision of specific services, provided that the purpose or purposes concerned could not be fulfilled by processing information that is made anonymous; the collection of such information shall be conditional on the application of appropriate technical and organisational measures to ensure a level of security appropriate to the risks, as set out in Article 32 of Regulation (EU) 2016/679 and supplemented with a mandatory data protection impact assessment, have been applied. |
This would restore the protection provided by current EU law: device tracking requires consent
Amendment 590 ++
Amendment 590 | |
(b) a clear and prominent notice is displayed informing of, at least, the modalities of the collection, its purpose, the person responsible for it and the other information required under Article 13 of Regulation (EU) 2016/679 where personal data are collected, as well as any measure the end-user of the terminal equipment can take to stop or minimise the collection. |
(b) the user has been informed according to Article 13 of Regulation (EU) 2016/679 and has given consent to the collection for a specific purpose. |
This would restore the protection provided by current EU law: device tracking requires consent
Consent definition
Bad
Amendment 92 -
Amendment 92 | |
2. Without prejudice to paragraph 1, where technically possible and feasible, for the purposes of point (b) of Article 8(1), consent may be expressed by using the appropriate technical settings of a software application enabling access to the internet. |
2. Without prejudice to paragraph 1, where technically possible and feasible, for the purposes of point (b) of Article 8(1), consent may be expressed by using technical specifications of electronic communications services. When such technical specifications are used by the user, they shall be binding on, and enforceable against, any other party. |
Consent cannot be "freely given, specific informed, and unambiguous" through automated means.
Amendment 98 -
Amendment 98 | |
(d) offer the user the possibility to express specific consent through the settings after the installation of the software. |
Consent cannot be "freely given, specific informed, and unambiguous" through automated means.
Amendment 662 -
Amendment 662 | |
2 a. The software shall not block data processing wich is legally allowed to Art. 8 (1) a), c) or d) or (2) a), irrespective of the browser settings. |
This amendment would lead to an unacceptable situation where users are deprived of any control on their very own equipments.
Amendment 623 --
Amendment 623 | |
2. Without prejudice to paragraph 1, where technically possible and feasible, for the purposes of point (b) of Article 8(1), consent may be expressed by using the appropriate technical settings of a software application enabling access to the internet. |
2. Where technically possible and feasible, in particular for the purposes of point (b) of Article 8(1), consent may be expressed by using the appropriate technical settings of a software application enabling access to the internet, or by continuing the use of an information society service, having been provided with clear and comprehensive information that this action by the end-user signifies consent |
This amendment would allow "implicit" consent - not expressed by an "affirmative action" (which is required by the GDPR)
Amendment 624 --
Amendment 624 | |
2. Without prejudice to paragraph 1, where technically possible and feasible, for the purposes of point (b) of Article 8(1), consent may be expressed by using the appropriate technical settings of a software application enabling access to the internet. |
2. Where technically possible and feasible, in particular for the purposes of point (b) of Article 8(1), consent may be expressed by using the appropriate technical settings of a software application enabling access to the internet or by continuing the use of an information society service, having been provided with clear and comprehensive information that this action by the end-user signifies consent. |
This amendment would allow "implicit" consent - not expressed by an "affirmative action" (which is required by the GDPR)
Amendment 625 --
Amendment 625 | |
2. Without prejudice to paragraph 1, where technically possible and feasible, for the purposes of point (b) of Article 8(1), consent may be expressed by using the appropriate technical settings of a software application enabling access to the internet. |
2. Where technically possible and feasible for the purposes of point (b) of Article 8(1) consent may be expressed by using the appropriate technical setting of software application enabling access to the internet or by the continued use of the information society service after having been provided with accessible and comprehensive information about this action of the end-user. |
Justification: The user's continued use of the services provided to them, based on accessible information, should be regarded as consent. |
This amendment would allow "implicit" consent - not expressed by an "affirmative action" (which is required by the GDPR)
Amendment 635 -
Amendment 635 | |
Article 10 |
deleted |
Information and options for privacy settings to be provided |
|
1. Software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall offer the option to prevent third parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipment. |
|
2. Upon installation, the software shall inform the end-user about the privacy settings options and, to continue with the installation, require the end-user to consent to a setting. |
|
3. In the case of software which has already been installed on 25 May 2018, the requirements under paragraphs 1 and 2 shall be complied with at the time of the first update of the software, but no later than 25 August 2018. |
|
Justification: Article 25 of Regulation (EU) 2016/679 governs data protection by design and by default.Article 10 of the proposal for a regulation only undermines Article 25 of Regulation (EU) 2016/679 and would hamper most business models. |
This amendment would delete an interesting (and probably useful) informative measure proposed by the Commission. The provided justification makes no sense: GDPR 25 only applies to data controller while this measure does not. It has no impact on GDPR 25 at all
Amendment 636 -
Amendment 636 | |
Article 10 |
deleted |
Information and options for privacy settings to be provided |
|
1. Software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall offer the option to prevent third parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipment. |
|
2. Upon installation, the software shall inform the end-user about the privacy settings options and, to continue with the installation, require the end-user to consent to a setting. |
|
3. In the case of software which has already been installed on 25 May 2018, the requirements under paragraphs 1 and 2 shall be complied with at the time of the first update of the software, but no later than 25 August 2018. |
This amendment would delete an interesting (and probably useful) informative measure proposed by the Commission.
Amendment 637 -
Amendment 637 | |
Article 10 |
deleted |
Information and options for privacy settings to be provided |
|
1. Software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall offer the option to prevent third parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipment. |
|
2. Upon installation, the software shall inform the end-user about the privacy settings options and, to continue with the installation, require the end-user to consent to a setting. |
|
3. In the case of software which has already been installed on 25 May 2018, the requirements under paragraphs 1 and 2 shall be complied with at the time of the first update of the software, but no later than 25 August 2018. |
This amendment would delete an interesting (and probably useful) informative measure proposed by the Commission.
Amendment 643 -
Amendment 643 | |
1. Software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall offer the option to prevent third parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipment. |
1. Software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall offer appropriate technical settings referred to in Art.9 (2) for end- users to express consent. |
This amendment would delete an interesting (and probably useful) informative measure proposed by the Commission.
Amendment 644 -
Amendment 644 | |
1. Software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall offer the option to prevent third parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipment. |
1. Software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall offer appropriate technical settings referred to in Article 9 (2) for end-user to express consent. |
This amendment would delete an interesting (and probably useful) informative measure proposed by the Commission.
Amendment 647 -
Amendment 647 | |
(c) upon installation, inform and offer the user the possibility to change or confirm the privacy settings options defined in point (a) by requiring the user's consent to a setting; |
This would allow user to choose to automaticly provide consent (which is not acceptable) or to accept to be unlawfully tracked (which makes no sense).
Amendment 661 -
Amendment 661 | |
2 a. The software shall not block data processing which is legally allowed according to Art. 8 (1) a), c) or d) or (2) a), irrespective of the browser settings. |
This amendment would lead to an unacceptable situation where users are deprived of any control on their very own equipments.
Good
Amendment 93 +
Amendment 93 | |
3. End-users who have consented to the processing of electronic communications data as set out in point (c) of Article 6(2) and points (a) and (b) of Article 6(3) shall be given the possibility to withdraw their consent at any time as set forth under Article 7(3) of Regulation (EU) 2016/679 and be reminded of this possibility at periodic intervals of 6 months, as long as the processing continues. |
3. Users who have consented to the processing of electronic communications data as set out in point (c) of Article 6(2) and points (a) and (b) of Article 6(3), point (b) of Article 8(1) and point (aa) of Article 8(2) shall be given the possibility to withdraw their consent at any time as set forth under Article 7(3) of Regulation (EU) 2016/679 and be reminded of this possibility at periodic intervals of 6 months, as long as the processing continues. |
Clarification
Amendment 617 +
Amendment 617 | |
2. Without prejudice to paragraph 1, where technically possible and feasible, for the purposes of point (b) of Article 8(1), consent may be expressed by using the appropriate technical settings of a software application enabling access to the internet. |
deleted |
This amendment would prevent consent from being given through automated means, which is good since automated consent cannot be "specific" nor "informed" as requested by the GDPR
Amendment 618 +
Amendment 618 | |
2. Without prejudice to paragraph 1, where technically possible and feasible, for the purposes of point (b) of Article 8(1), consent may be expressed by using the appropriate technical settings of a software application enabling access to the internet. |
deleted |
This amendment would prevent consent from being given through automated means, which is good since automated consent cannot be "specific" nor "informed" as requested by the GDPR
Amendment 619 +
Amendment 619 | |
2. Without prejudice to paragraph 1, where technically possible and feasible, for the purposes of point (b) of Article 8(1), consent may be expressed by using the appropriate technical settings of a software application enabling access to the internet. |
deleted |
Justification: Articles 4(11) and 7 of Regulation (EU) No 2016/679 define the conditions for consent and are perfectly sufficient here.The proposal goes beyond these definitions and thus creates a dual regime for consent and renders the situation less clear.Article 9(2) should therefore be deleted. |
This amendment would prevent consent from being given through automated means, which is good since automated consent cannot be "specific" nor "informed" as requested by the GDPR
Amendment 620 ++
Amendment 620 | |
2. Without prejudice to paragraph 1, where technically possible and feasible, for the purposes of point (b) of Article 8(1), consent may be expressed by using the appropriate technical settings of a software application enabling access to the internet. |
2. Without prejudice to paragraph 1, where technically feasible, for the purposes of point (b) of Article 8(1), consent may be expressed and withdrawn by using the appropriate technical specifications for electronic communications services or information society services which allow for specific consent for specific purposes and with regard to specific service providers actively selected by the user in each case, pursuant to paragraph 1. When such technical specifications are used by the user's terminal equipment or the software running on it, they may signal the user's preferences based on previous active selections by him or her. These signals shall be binding on, and enforceable against, any other party. |
Justification: The GDPR carefully avoids automated consent in Recital 32, as it cannot be informed, specific and active.Recital 32 GDPR only refers to individual information society services.Therefore, consent should be given actively by the user in each case, and the software should only remember this for later visits. |
This amendment would prevent consent from being given through automated means, which is good since automated consent cannot be "specific" nor "informed" as requested by the GDPR. Furthermore, this amendment would make browsers and such remembering user's choice, protecting them from harassing consent requests
Amendment 621 ++
Amendment 621 | |
2. Without prejudice to paragraph 1, where technically possible and feasible, for the purposes of point (b) of Article 8(1), consent may be expressed by using the appropriate technical settings of a software application enabling access to the internet. |
2. Without prejudice to paragraph 1, where technically feasible, for the purposes of point (b) of Article 8(1), consent may be expressed and withdrawn by using the appropriate technical specifications for electronic communications services or information society services which allow for specific consent for specific purposes and with regard to specific service providers selected by the user. When such technical specifications are used by the user's terminal equipment or the software running on it, they shall be binding on, and enforceable against, any other party. |
This amendment would prevent consent from being given through automated means, which is good since automated consent cannot be "specific" nor "informed" as requested by the GDPR. Furthermore, this amendment would make browsers and such remembering user's choice, protecting them from harassing consent requests
Amendment 633 ++
Amendment 633 | |
3 a. Without prejudice to Article 7(4) of Regulation (EU) 2016/679, a user shall not be denied access to any electronic communications service, information society service or functionality of a terminal equipment, regardless of whether this is remunerated or not, on the mere grounds that he or she has not given his or her consent to | |
(a) the processing of electronic communications data, metadata or content pursuant to Article 6;or | |
(b) the use of input, output, processing and storage capabilities of terminal equipment and the processing of information related to or processed by the users' terminal equipment, or making information available through the terminal equipment, including information about and processed by its software and hardware, pursuant to Article 8(1) | |
that is technically not strictly necessary for the provision of that service or functionality. | |
Justification: based on LIBE AM 83 rapporteur, moved to the Article on consent where it belongs.This is complementary to 7(4) GDPR.7(4) GDPR is about invalidity of forced consent, this here is about not forcing consent as a condition for access (“consent wall”). |
Would clearly ensure that consent is "freely given"
Amendment 639 +
Amendment 639 | |
1. Software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall offer the option to prevent third parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipment. |
1. Hardware and software placed on the market that enable the access to and use of electronic communications services or the access to and use of information society services shall be able to prevent other parties from using input, output, processing and storage capabilities of terminal equipment and the processing of information related to or processed by a users' terminal equipment, or making information available through the terminal equipment, including information about and processed by its software and hardware. |
Justification: WP 29 notes that the definition of “third parties” in the GDPR doesn’t include the controllers.Therefore this expression should be avoided in the context of this Regulation.See related amendments to Articles 7 and 14.Rest of the text aligned with Article 8(1).The Commission proposal and also AMs 94-98 LIBE rapporteur only refer to cookies, which is not future proof and already outdated with browser fingerprinting etc. |
Useful clarifications
Amendment 640 +
Amendment 640 | |
1. Software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall offer the option to prevent third parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipment. |
1. Hardware and software that enable the access to and use of electronic communications services or the access to, and use of, information society services shall be able to prevent other parties from using input, output, processing and storage capabilities of terminal equipment and the processing of information related to, or processed by, a user's terminal equipment, or making information available through the terminal equipment, including information about, and processed by, its software and hardware. |
Useful clarifications
Amendment 641 /
Amendment 641 | |
1. Software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall offer the option to prevent third parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipment. |
1. The default setting of software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall not allow the storing of information on the terminal equipment of an end-user, the processing of information already stored on that equipment, or sharing of personal data. Such software setting options shall allow end-users to provide or withdraw consent for each distinct category of purposes. |
This is a mixed amendment. Bad : allows automated consent. Good: but provide that, by default, consent is not automatically given
Amendment 645 +
Amendment 645 | |
(a) by default, offer privacy protective settings to prevent other parties from storing information on the terminal equipment of a user and from processing information already stored on that equipment, except for the purposes laid down by Article 8 paragraph (1), points (a), (c) and (d); |
This amendment would clearly provide that softwares shall not allow unlawful tracking. But it is not really clear how softwares may identify lawful tracking (especially those not based on consent).
Amendment 655 +
Amendment 655 | |
2. Upon installation, the software shall inform the end-user about the privacy settings options and, to continue with the installation, require the end-user to consent to a setting. |
2. By default, such hardware or software shall have activated privacy settings that prevent other parties from exercising the activities referred to in paragraph 1. If the hardware or software allows for deviating settings, the user shall be informed about the privacy settings options during first use or installation and shall be offered the possibility to change or confirm them. |
This would make tracking disabled by default
State surveillance
Bad
Amendment 673 --
Amendment 673 | |
1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 5 to 8 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests referred to in Article 23(1)(a) to (e) of Regulation (EU) 2016/679 or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests. |
1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 5 to 8 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests referred to in Article 23(1) of Regulation (EU) 2016/679 or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests. |
This would allow State surveillance for almost any imaginable purpose
Good
Amendment 101 ++
Amendment 101 | |
Article 11 |
deleted |
Restrictions |
|
1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 5 to 8 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests referred to in Article 23(1)(a) to (e) of Regulation (EU) 2016/679 or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests. |
|
2. Providers of electronic communications services shall establish internal procedures for responding to requests for access to end-users’ electronic communications data based on a legislative measure adopted pursuant to paragraph 1. They shall provide the competent supervisory authority, on demand, with information about those procedures, the number of requests received, the legal justification invoked and their response. |
Amendment 103 +
Amendment 103 | |
Article 11b | |
Restrictions on confidentiality of communications | |
1. Union or Member State law may restrict by way of a legislative measure the scope of the rights provided for in Article 5 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the following general public interests: | |
(a) national security; | |
(b) defence; | |
(c) public security; | |
(d) the prevention, investigation, detection or prosecution of serious criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. |
Would limit the purpose for which this Regulation can be derogated. But could have gone much much farther!
Amendment 669 ++
Amendment 669 | |
Article 11 |
deleted |
Restrictions |
|
1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 5 to 8 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests referred to in Article 23(1)(a) to (e) of Regulation (EU) 2016/679 or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests. |
|
2. Providers of electronic communications services shall establish internal procedures for responding to requests for access to end-users’ electronic communications data based on a legislative measure adopted pursuant to paragraph 1. They shall provide the competent supervisory authority, on demand, with information about those procedures, the number of requests received, the legal justification invoked and their response. |
This would get State surveillance out of this Regulation, making the legislative debate way clearer
Amendment 670 ++
Amendment 670 | |
Article 11 |
deleted |
Restrictions |
|
1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 5 to 8 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests referred to in Article 23(1)(a) to (e) of Regulation (EU) 2016/679 or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests. |
|
2. Providers of electronic communications services shall establish internal procedures for responding to requests for access to end-users’ electronic communications data based on a legislative measure adopted pursuant to paragraph 1. They shall provide the competent supervisory authority, on demand, with information about those procedures, the number of requests received, the legal justification invoked and their response. |
|
Justification: Following the LIBE rapporteur:Art. 11a for restrictions of user rights, Art. 11b for restrictions of confidentiality, added Art. 11c on documentation and reporting. |
This would get State surveillance out of this Regulation, making the legislative debate way clearer
Amendment 671 /
Amendment 671 | |
1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 5 to 8 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests referred to in Article 23(1)(a) to (e) of Regulation (EU) 2016/679 or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests. |
1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 5 to 8 where such a restriction fully respects fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard national security, defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communications system. |
Justification: This amendment stays as close to the status quo as possible. |
Excludes economic purposes from State surveillance (which is good) but do not implement CJUE case law
Amendment 672 /
Amendment 672 | |
1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 5 to 8 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests referred to in Article 23(1)(a) to (e) of Regulation (EU) 2016/679 or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests. |
1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 5 to 8 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests referred to in Article 23(1)(a) to (d) of Regulation (EU) 2016/679 or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests. |
Excludes economic purposes from State surveillance (which is good) but do not implement CJUE case law
Amendment 674 ++
Amendment 674 | |
1 a. The Union or Member States shall not impose any obligation on undertakings that would result in the weakening of the security and encryption of their networks and services. |
Would clearly forbid backdoors (in networks and services only, not in device, though)
Amendment 675 ++
Amendment 675 | |
2. Providers of electronic communications services shall establish internal procedures for responding to requests for access to end-users’ electronic communications data based on a legislative measure adopted pursuant to paragraph 1. They shall provide the competent supervisory authority, on demand, with information about those procedures, the number of requests received, the legal justification invoked and their response. |
2. Providers of electronic communications services shall publish information about the number of requests received, the legal justification invoked and their response. |
Justification: Mandatory Transparency Reports. |
Would add some transparency (which is not enough at all on its own, but would still be a huge progress)
Amendment 678 +
Amendment 678 | |
Article 11 a | |
Restrictions on the rights of the user or subscriber | |
1.Union or Member State law to which the provider is subject may temporarily restrict by way of a legislative measure the scope of the obligations and principles relating to processing of electronic communications data provided for in Articles 6, 7 and 8 of this Regulation in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22 of Regulation (EU) 2016/679, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the following general public interests: | |
(a) national security; | |
(c) defence; | |
(d) the prevention, investigation, detection or prosecution of serious criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. | |
2.In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, pursuant to Article 23(2) of Regulation (EU) 2016/679. |
This would limit national derogations to the rights to be informed, to access and to obtain erasure of ones information
Amendment 679 +
Amendment 679 | |
Article 11 a | |
Restrictions on the rights of the user or subscriber | |
1.Union or Member State law to which the provider is subject may temporarily restrict by way of a legislative measure the scope of the obligations and principles relating to processing of electronic communications data provided for in Articles 6, 7 and 8 of this Regulation in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22 of Regulation (EU) 2016/679, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the following general public interests: | |
(a) national security; | |
(b) defence; | |
(c) the prevention, investigation, detection or prosecution of serious criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. | |
2.In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, pursuant to Article 23(2) of Regulation (EU) 2016/679. |
This would limit national derogations to the rights to be informed, to access and to obtain erasure of ones information
Amendment 680 +
Amendment 680 | |
Article 11 b | |
Restrictions of the confidentiality of communications | |
1.Union or Member State law to which the provider is subject may temporarily restrict by way of a legislative measure the scope of the rights provided for in Article 5 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the following general public interests: | |
(a) national security; | |
(b) defence; | |
(c) the prevention, investigation, detection or prosecution of serious criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. | |
2.In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, pursuant to Article 23(2) of Regulation (EU) 2016/679.It shall also require prior judicial authorisation for any access to content or metadata. | |
3.No legislative measure referred to in paragraph 1 may allow for the weakening of the integrity and confidentiality of electronic communications by mandating a manufacturer of hardware or software, including terminal equipment or software providing for the use of electronic communications, or a provider of electronic communications services, to create and build in backdoors that weaken the cryptographic methods used or the security and integrity of the terminal equipment. |
It would requires prior judicial authorization for any restriction of the confidentiality of communications and not allow such restriction for economic purposes. Also, it would forbid any kind of backdoor. However, it would allow restrictions for "national security" and "defence" purposes which, as long as they are broader than the prevention of serious crime, cover extremely broad, vague and unpredictable purposes. Also, this amendments does not specifically limit the duration of the derogations.
Amendment 681 +
Amendment 681 | |
Article 11 b | |
Restrictions of the confidentiality of communications | |
1.Union or Member State law to which the provider is subject may temporarily restrict by way of a legislative measure the scope of the rights provided for in Article 5 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the following general public interests: | |
(a) national security; | |
(b) defence; | |
(c) the prevention, investigation, detection or prosecution of serious criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. | |
2.In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, pursuant to Article 23(2) of Regulation (EU) 2016/679.It shall also require prior judicial authorisation for any access to content or metadata. | |
3.No legislative measure referred to in paragraph 1 may allow for the weakening of the integrity and confidentiality of electronic communications by mandating a manufacturer of hardware or software, including terminal equipment or software providing for the use of electronic communications, or a provider of electronic communications services, to create and build in backdoors that weaken the cryptographic methods used or the security and integrity of the terminal equipment. |
It would requires prior judicial authorization for any restriction of the confidentiality of communications and not allow such restriction for economic purposes. Also, it would forbid any kind of backdoor. However, it would allow restrictions for "national security" and "defence" purposes which, as long as they are broader than the prevention of serious crime, cover extremely broad, vague and unpredictable purposes. Also, this amendments does not specifically limit the duration of the derogations.
Amendment 682 ++
Amendment 682 | |
Article 11 c | |
Documentation and reporting of restrictions | |
1.Providers of electronic communications services shall keep documentation about requests made by competent authorities to access communications content or metadata pursuant to Article 11b(2).This documentation shall include for each request: | |
(a) the in-house staff member who handled the request; | |
(b) the identity of the body making the request; | |
(c) the purpose for which the information was sought; | |
(d) the date and time of the request; | |
(e) the legal basis and authority for the request, including the identity and status or function of the official submitting the request; | |
(f) the judicial authorisation of the request; | |
(g) the number of subscribers to whose data the request related; | |
(h) the data provided to the requesting authority;and | |
(i) the period covered by the data. | |
The documentation shall be made available to the competent supervisory authority upon request. | |
2.Providers of electronic communications services shall publish once per year a report with statistical information about data access requests by law enforcement authorities pursuant to Articles 11a and 11b.The report shall include, at least | |
(a) the number of requests; | |
(b) the categories of purposes for the request; | |
(b) the categories of data requested; | |
(c) the legal basis and authority for the request; | |
(d) the number of subscribers to whose data the request related; | |
(e) the period covered by the data; | |
(f) the number of negative and positive responses to those requests. | |
3.Member States' competent authorities shall publish once per year a report with statistical information per month about data access requests pursuant to Articles 11a and 11b, including requests that were not authorised by a judge, including, but not limited to, the following points: | |
(a) the number of requests; | |
(b) the categories of purposes for the request; | |
(b) the categories of data requested; | |
(c) the legal basis and authority for the request; | |
(d) the number of subscribers to whose data the request related; | |
(e) the period covered by the data; | |
(f) the number of negative and positive responses to those requests. | |
The reports shall also contain statistical information per month about any other restrictions pursuant to Articles 11a and 11b. |
Would add some transparency (which is not enough at all on its own, but would still be a huge progress)
Amendment 683 ++
Amendment 683 | |
Article 11 c | |
Documentation and reporting of restrictions | |
1.Providers of electronic communications services shall keep documentation about requests made by competent authorities to access communications content or metadata pursuant to Article 11b(2).This documentation shall include for each request: | |
(a) the in-house staff member who handled the request; | |
(b) the identity of the body making the request; | |
(c) the purpose for which the information was sought; | |
(d) the date and time of the request; | |
(e) the legal basis and authority for the request, including the identity and status or function of the official submitting the request; | |
(f) the judicial authorisation of the request; | |
(g) the number of subscribers to whose data the request related; | |
(h) the data provided to the requesting authority;and | |
(i) the period covered by the data. | |
The documentation shall be made available to the competent supervisory authority upon request. | |
2.Member States' competent authorities shall publish once per year a report with statistical information per month about data access requests pursuant to Article 11b(2), including requests that were not authorised by a judge, including, but not limited to, the following points: | |
(a) the number of requests; | |
(b) the categories of purposes for the request; | |
(b) the categories of data requested; | |
(c) the legal basis and authority for the request; | |
(d) the number of subscribers to whose data the request related; | |
(e) the period covered by the data; | |
The reports shall also contain statistical information per month about any other restrictions pursuant to Articles 11a and 11b. | |
Justification: Reports by Member States’ authorities are more comprehensive, as they consolidate all requests to all communications service providers.This also avoids additional burdens for providers. |
Would add some transparency (which is not enough at all on its own, but would still be a huge progress)
Sanctions
Good
Amendment 807 +
Amendment 807 | |
3. Infringements of the principle of confidentiality of communications, permitted processing of electronic communications data, time limits for erasure pursuant to Articles 5, 6, and 7 shall, in accordance with paragraph 1 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. |
3. Infringements of the following provisions of this Regulation shall, in accordance with paragraph 1, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher: |
Harmonize sanctions
Amendment 808 +
Amendment 808 | |
3. Infringements of the principle of confidentiality of communications, permitted processing of electronic communications data, time limits for erasure pursuant to Articles 5, 6, and 7 shall, in accordance with paragraph 1 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. |
3. Infringements of the following provisions of this Regulation shall, in accordance with paragraph 1, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher: |
Harmonize sanctions
Amendment 809 +
Amendment 809 | |
(a) the principle of confidentiality of communications pursuant to Article 5; | |
(b) the permitted processing of electronic communications data, pursuant to Article 6, | |
(c) the time limits for erasure and the confidentiality obligations pursuant to Article 7; | |
(d) the obligations of any legal or natural person who process electronic communications data pursuant to Article 8; | |
(e) the requirements for consent pursuant to Article 9; | |
(f) the obligations of the provider of software or hardware enabling electronic communications, pursuant to Article 10; | |
(g) the obligations of the providers of electronic communications services, of the providers of information society services, or of the manufacturers of hardware and software permitting the retrieval and presentation of information on the internet pursuant to Article 17. |
Harmonize sanctions
Amendment 810 +
Amendment 810 | |
(a) the principle of confidentiality of communications pursuant to Article 5; | |
(b) the permitted processing of electronic communications data, pursuant to Article 6, | |
(c) the time limits for erasure and the confidentiality obligations pursuant to Article 7; | |
(d) the obligations of any legal or natural person who process electronic communications data pursuant to Article 8; | |
(e) the requirements for consent pursuant to Article 9; | |
(f) the obligations of the provider of software enabling electronic communications, pursuant to Article 10; | |
(g) the obligations of the providers of electronic communications services, of the providers of information society services, or of the manufacturers of hardware and software permitting the retrieval and presentation of information on the internet pursuant to Article 17. |
Harmonize sanctions