E-Privacy/LIBE : Différence entre versions

De La Quadrature du Net
Aller à la navigationAller à la recherche
(Amendment 807 +)
(State surveillance)
Ligne 3 466 : Ligne 3 466 :
  
 
== Bad ==
 
== Bad ==
 +
 +
=== Amendment 673 -- ===
 +
 +
{| border='1' style='border-spacing:0;  width:100%;' cellpadding='30'
 +
|-
 +
| colspan='2' style='background-color: #A60000; text-align:center;' |
 +
'''Amendment 673'''<br/>
 +
Daniel Dalton, John Procter<br/>
 +
'''ECR'''<br/>
 +
Article 11 – paragraph 1
 +
|-
 +
|width='50%' style='vertical-align:top;border-top:none;border-bottom:none;'|
 +
1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 5 to 8 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests referred to in Article '''''23(1)(a) to (e)''''' of Regulation (EU) 2016/679 or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests.
 +
|width='50%' style='vertical-align:top;border-top:none;border-bottom:none;'|
 +
1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 5 to 8 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests referred to in Article '''''23(1)''''' of Regulation (EU) 2016/679 or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests.
 +
|}
 +
 +
 +
This would allow State surveillance for almost any imaginable purpose
 +
 +
  
 
== Good ==
 
== Good ==
Ligne 3 582 : Ligne 3 603 :
  
 
Excludes economic purposes from State surveillance (which is good) but do not implement CJUE case law
 
Excludes economic purposes from State surveillance (which is good) but do not implement CJUE case law
 
 
=== Amendment 673 -- ===
 
 
{| border='1' style='border-spacing:0;  width:100%;' cellpadding='30'
 
|-
 
| colspan='2' style='background-color: #A60000; text-align:center;' |
 
'''Amendment 673'''<br/>
 
Daniel Dalton, John Procter<br/>
 
'''ECR'''<br/>
 
Article 11 – paragraph 1
 
|-
 
|width='50%' style='vertical-align:top;border-top:none;border-bottom:none;'|
 
1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 5 to 8 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests referred to in Article '''''23(1)(a) to (e)''''' of Regulation (EU) 2016/679 or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests.
 
|width='50%' style='vertical-align:top;border-top:none;border-bottom:none;'|
 
1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 5 to 8 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests referred to in Article '''''23(1)''''' of Regulation (EU) 2016/679 or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests.
 
|}
 
 
 
This would allow State surveillance for almost any imaginable purpose
 
  
  

Version du 22 août 2017 à 16:21

Cette page vise à analyser les amendements débattus dans la commission LIBE au sujet du règlement ePrivacy

Sommaire

Amendment 4 +

Amendment 4
Marju Lauristin
S&D
Recital 5

(5) The provisions of this Regulation particularise and complement the general rules on the protection of personal data laid down in Regulation (EU) 2016/679 as regards electronic communications data that qualify as personal data. This Regulation therefore does not lower the level of protection enjoyed by natural persons under Regulation (EU) 2016/679. Processing of electronic communications data by providers of electronic communications services should only be permitted in accordance with this Regulation.

(5) The provisions of this Regulation particularise and complement the general rules on the protection of personal data laid down in Regulation (EU) 2016/679 as regards electronic communications data that qualify as personal data. This Regulation therefore should not lower the level of protection enjoyed by natural persons under Regulation (EU) 2016/679. On the contrary, it aims to provide additional, and complementary, safeguards taking into account the need for additional protection as regards the confidentiality of communications. Processing of electronic communications data by providers of electronic communications services should only be permitted in accordance with, and on a legal ground specifically provided for under, this Regulation.


It would ensure that article 6 is not overridden by the GDPR legal basis


Amendment 6 +

Amendment 6
Marju Lauristin
S&D
Recital 7

(7) The Member States should be allowed, within the limits of this Regulation, to maintain or introduce national provisions to further specify and clarify the application of the rules of this Regulation in order to ensure an effective application and interpretation of those rules. Therefore, the margin of discretion, which Member States have in this regard, should maintain a balance between the protection of private life and personal data and the free movement of electronic communications data.

deleted


The main purpose of this Regulation is to harmonize EU national laws


Amendment 7 +

Amendment 7
Marju Lauristin
S&D
Recital 8

(8) This Regulation should apply to providers of electronic communications services, to providers of publicly available directories, and to software providers permitting electronic communications, including the retrieval and presentation of information on the internet. This Regulation should also apply to natural and legal persons who use electronic communications services to send direct marketing commercial communications or collect information related to or stored in end-users’ terminal equipment.

(8) This Regulation should apply to providers of electronic communications services, to providers of publicly available directories, and to software providers permitting electronic communications, including the retrieval and presentation of information on the internet. This Regulation should also apply to natural and legal persons who use electronic communications services to send direct marketing, commercial communications or collect information related to, processed by or stored in end-users’ terminal equipment.

Justification: This amendment clarifies the scope of the Regulation. It takes into account the recommendations of the EDPS, Art 29 Working party, scholars and several stakeholders.


Information "processed" by terminal equipment is repeatedly missing in the recitals of EC's proposal


Amendment 13 +

Amendment 13
Marju Lauristin
S&D
Recital 15

(15) Electronic communications data should be treated as confidential. This means that any interference with the transmission of electronic communications data, whether directly by human intervention or through the intermediation of automated processing by machines, without the consent of all the communicating parties should be prohibited. The prohibition of interception of communications data should apply during their conveyance, i.e. until receipt of the content of the electronic communication by the intended addressee. Interception of electronic communications data may occur, for example, when someone other than the communicating parties, listens to calls, reads, scans or stores the content of electronic communications, or the associated metadata for purposes other than the exchange of communications. Interception also occurs when third parties monitor websites visited, timing of the visits, interaction with others, etc., without the consent of the end-user concerned. As technology evolves, the technical ways to engage in interception have also increased. Such ways may range from the installation of equipment that gathers data from terminal equipment over targeted areas, such as the so-called IMSI (International Mobile Subscriber Identity) catchers, to programs and techniques that, for example, surreptitiously monitor browsing habits for the purpose of creating end-user profiles. Other examples of interception include capturing payload data or content data from unencrypted wireless networks and routers, including browsing habits without the end-users' consent.

(15) Electronic communications should be treated as confidential. This means that any interference with the transmission of electronic communications, whether directly by human intervention or through the intermediation of automated processing by machines, without the consent of all the communicating parties should be prohibited. When the processing is allowed under any exception to the prohibitions under this Regulation, any other processing on the basis of Article 6 of Regulation (EU) 2016/679 should be considered as prohibited, including processing for another purpose on the basis of Article 6(4) of that Regulation. This should not prevent requesting additional consent for new processing operations. The prohibition of interception of communications should apply also during their conveyance, i.e. until receipt of the content of the electronic communication by the intended addressee, and to any temporary files in the network after receipt. Interception of electronic communications may occur, for example, when someone other than the communicating parties, listens to calls, reads, scans or stores the content of electronic communications, or the associated metadata for purposes other than the exchange of communications. Interception also occurs when other parties monitor websites visited, timing of the visits, interaction with others, etc., without the consent of the user concerned. As technology evolves, the technical ways to engage in interception have also increased. Such ways may range from the installation of equipment that gathers data from terminal equipment over targeted areas, such as the so-called IMSI (International Mobile Subscriber Identity) catchers, to programs and techniques that, for example, surreptitiously monitor browsing habits for the purpose of creating user profiles. Other examples of interception include capturing payload data or content data from unencrypted wireless networks and routers, and analysis of customers' traffic data, including browsing habits without the users' consent.


It would ensure that this Regulation is not overridden by the GDPR legal basis


Amendment 14 -

Amendment 14
Marju Lauristin
S&D
Recital 16

(16) The prohibition of storage of communications is not intended to prohibit any automatic, intermediate and transient storage of this information insofar as this takes place for the sole purpose of carrying out the transmission in the electronic communications network. It should not prohibit either the processing of electronic communications data to ensure the security and continuity of the electronic communications services, including checking security threats such as the presence of malware or the processing of metadata to ensure the necessary quality of service requirements, such as latency, jitter etc.

(16) The prohibition of storage of communications is not intended to prohibit any automatic, intermediate and transient storage of this information insofar as this takes place for the sole purpose of carrying out the transmission. It should not prohibit either the processing of electronic communications data to ensure the security and continuity of the electronic communications services, including checking security threats such as the presence of malware, spam or distributed denial-of-service attacks, or the processing of metadata to ensure the necessary quality of service requirements, such as latency, jitter etc.


Anti-spam should not be implemented without the consent of the receiver. The receiver should have the right to use another anti-spam solution that the one provided by its communications provider and should even be able to disable it completely (for testing or research purposes, etc).


Amendment 16 +

Amendment 16
Marju Lauristin
S&D
Recital 17

(17) The processing of electronic communications data can be useful for businesses, consumers and society as a whole. Vis-à-vis Directive 2002/58/EC, this Regulation broadens the possibilities for providers of electronic communications services to process electronic communications metadata, based on end-users consent. However, end-users attach great importance to the confidentiality of their communications, including their online activities, and that they want to control the use of electronic communications data for purposes other than conveying the communication. Therefore, this Regulation should require providers of electronic communications services to obtain end-users' consent to process electronic communications metadata, which should include data on the location of the device generated for the purposes of granting and maintaining access and connection to the service. Location data that is generated other than in the context of providing electronic communications services should not be considered as metadata. Examples of commercial usages of electronic communications metadata by providers of electronic communications services may include the provision of heatmaps; a graphical representation of data using colors to indicate the presence of individuals. To display the traffic movements in certain directions during a certain period of time, an identifier is necessary to link the positions of individuals at certain time intervals. This identifier would be missing if anonymous data were to be used and such movement could not be displayed. Such usage of electronic communications metadata could, for example, benefit public authorities and public transport operators to define where to develop new infrastructure, based on the usage of and pressure on the existing structure. Where a type of processing of electronic communications metadata, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, a data protection impact assessment and, as the case may be, a consultation of the supervisory authority should take place prior to the processing, in accordance with Articles 35 and 36 of Regulation (EU) 2016/679.

(17) The processing of electronic communications data can be useful for businesses, consumers and society as a whole. Examples of such usages of electronic communications metadata by providers of electronic communications services may include the provision of heatmaps; a graphical representation of data using colours to indicate the presence of individuals. To display the traffic movements in certain directions during a certain period of time, an identifier is necessary to link the positions of individuals at certain time intervals, provided that the data are immediately anonymised or anonymisation techniques are used where the user is mixed with others. Such usage of electronic communications metadata could, for example, benefit public authorities and public transport operators to define where to develop new infrastructure, based on the usage of and pressure on the existing structure.


This proposition is way more protective than the initial proposal but may be much clearer as regards anonymisation techniques that should be implemented


Amendment 17 +

Amendment 17
Marju Lauristin
S&D
Recital 17 a (new)

(17a) This Regulation broadens the possibilities for providers of electronic communications services to process electronic communications metadata based on users' informed consent. However, users attach great importance to the confidentiality of their communications, including their online activities, and they want to control the use of their electronic communications data for purposes other than conveying the communication. Therefore, this Regulation should require providers of electronic communications services to obtain users' consent to process electronic communications metadata, which should include data on the location of the device generated for the purposes of granting and maintaining access and connection to the service. For the purposes of this Regulation, the consent of an end-user, regardless of whether the latter is a natural or legal person, should have the same meaning and be subject to the same conditions as the consent of the data subject under Regulation (EU) 2016/679. The end-users should have the right to withdraw their consent from an additional service without breaching the contract for the basic service. Consent for processing data from internet or voice communications usage should not be valid if the user has no genuine and free choice, or is unable to refuse or withdraw consent without detriment.


Clarifies a bit what is a "freely given" consent


Amendment 18 +

Amendment 18
Marju Lauristin
S&D
Recital 18

(18) End-users may consent to the processing of their metadata to receive specific services such as protection services against fraudulent activities (by analysing usage data, location and customer account in real time). In the digital economy, services are often supplied against counter-performance other than money, for instance by end-users being exposed to advertisements. For the purposes of this Regulation, consent of an end-user, regardless of whether the latter is a natural or a legal person, should have the same meaning and be subject to the same conditions as the data subject's consent under Regulation (EU) 2016/679. Basic broadband internet access and voice communications services are to be considered as essential services for individuals to be able to communicate and participate to the benefits of the digital economy. Consent for processing data from internet or voice communication usage will not be valid if the data subject has no genuine and free choice, or is unable to refuse or withdraw consent without detriment.

deleted


Deletes the very ambiguous idea of "essential services" (which may imply that non-essential services can be denied to users refusing to consent)


Amendment 23 -

Amendment 23
Marju Lauristin
S&D
Recital 22

(22) The methods used for providing information and obtaining end-user's consent should be as user-friendly as possible. Given the ubiquitous use of tracking cookies and other tracking techniques, end-users are increasingly requested to provide consent to store such tracking cookies in their terminal equipment. As a result, end-users are overloaded with requests to provide consent. The use of technical means to provide consent, for example, through transparent and user-friendly settings, may address this problem. Therefore, this Regulation should provide for the possibility to express consent by using the appropriate settings of a browser or other application. The choices made by end-users when establishing its general privacy settings of a browser or other application should be binding on, and enforceable against, any third parties. Web browsers are a type of software application that permits the retrieval and presentation of information on the internet. Other types of applications, such as the ones that permit calling and messaging or provide route guidance, have also the same capabilities. Web browsers mediate much of what occurs between the end-user and the website. From this perspective, they are in a privileged position to play an active role to help the end-user to control the flow of information to and from the terminal equipment. More particularly web browsers may be used as gatekeepers, thus helping end-users to prevent information from their terminal equipment (for example smart phone, tablet or computer) from being accessed or stored.

(22) The methods used for providing information and obtaining end-user's consent should be as user-friendly as possible. Given the ubiquitous use of tracking cookies and other tracking techniques, users are increasingly requested to provide consent to store such tracking cookies in their terminal equipment. As a result, users are overloaded with requests to provide consent. The use of technical means to provide consent, for example, through transparent and user-friendly settings, may address this problem. Therefore, this Regulation should prevent the use of so- called "cookie walls" and "cookie banners" that do not help users to maintain control over their personal information and privacy or become informed about their rights. This Regulation should provide for the possibility to express consent by technical specifications, for instance by using the appropriate settings of a browser or other application. Those settings should include choices concerning the storage of information on the user's terminal equipment as well as a signal sent by the browser or other application indicating the user's preferences to other parties. The choices made by users when establishing the general privacy settings of a browser or other application should be binding on, and enforceable against, any third parties. Web browsers are a type of software application that permits the retrieval and presentation of information on the internet. Other types of applications, such as the ones that permit calling and messaging or provide route guidance, have also the same capabilities. Web browsers mediate much of what occurs between the user and the website. From this perspective, they are in a privileged position to play an active role to help the user to control the flow of information to and from the terminal equipment. More particularly, web browsers, applications or mobile operating systems may be used as the executor of a user's choices, thus helping users to prevent information from their terminal equipment (for example smart phone, tablet or computer) from being accessed or stored.


There should be no option to ‘always accept trackers and cookies’ and no way to "express specific consent through the settings" of web browsers and such. Otherwise, users would be able to give their consent to an unlimited number of processing and prior being even provided with any information concerning any of them. Such consent can never be "specific" nor "informed".


Amendment 24 -

Amendment 24
Marju Lauristin
S&D
Recital 23

(23) The principles of data protection by design and by default were codified under Article 25 of Regulation (EU) 2016/679. Currently, the default settings for cookies are set in most current browsers to ‘accept all cookies’. Therefore providers of software enabling the retrieval and presentation of information on the internet should have an obligation to configure the software so that it offers the option to prevent third parties from storing information on the terminal equipment; this is often presented as ‘reject third party cookies’. End-users should be offered a set of privacy setting options, ranging from higher (for example, ‘never accept cookies’) to lower (for example, ‘always accept cookies’) and intermediate (for example, ‘reject third party cookies’ oronly accept first party cookies’). Such privacy settings should be presented in a an easily visible and intelligible manner.

(23) The principles of data protection by design and by default were codified under Article 25 of Regulation (EU) 2016/679. Currently, the default settings for cookies are set in most current browsers to ‘accept all cookies’. Therefore providers of software enabling the retrieval and presentation of information on the internet should have an obligation to configure the software so that it offers the option to prevent by default the cross-domain tracking and storing of information on the terminal equipment by other parties; this is often presented as ‘reject third party trackers and cookies’. Users should be offered, by default, a set of privacy setting options, ranging from higher (for example, ‘never accept tracker and cookies’) to lower (for example, ‘always accept trackers and cookies’) and intermediate (for example, ‘reject all trackers and cookies that are not strictly necessary to provide a service explicitly requested by the user’ or ‘reject all cross-domain tracking’). These options may also be more fine-grained. Privacy settings should also include options to allow the user to decide for example, whether Flash, JavaScript or similar software can be executed, if a website can collect geo-location data from the user, or if it can access specific hardware such as a webcam or microphone. Such privacy settings should be presented in an easily visible, objective and intelligible manner.


There should be no option to ‘always accept trackers and cookies’ and no way to "express specific consent through the settings" of web browsers and such. Otherwise, users would be able to give their consent to an unlimited number of processing and prior being even provided with any information concerning any of them. Such consent can never be "specific" nor "informed".


Amendment 25 +

Amendment 25
Marju Lauristin
S&D
Recital 24

(24) For web browsers to be able to obtain end-users’ consent as defined under Regulation (EU) 2016/679, for example, to the storage of third party tracking cookies, they should, among others, require a clear affirmative action from the end-user of terminal equipment to signify his or her freely given, specific informed, and unambiguous agreement to the storage and access of such cookies in and from the terminal equipment. Such action may be considered to be affirmative, for example, if end-users are required to actively select ‘accept third party cookies’ to confirm their agreement and are given the necessary information to make the choice. To this end, it is necessary to require providers of software enabling access to internet that, at the moment of installation, end-users are informed about the possibility to choose the privacy settings among the various options and ask them to make a choice. Information provided should not dissuade end-users from selecting higher privacy settings and should include relevant information about the risks associated to allowing third party cookies to be stored in the computer, including the compilation of long-term records of individuals' browsing histories and the use of such records to send targeted advertising. Web browsers are encouraged to provide easy ways for end-users to change the privacy settings at any time during use and to allow the user to make exceptions for or to whitelist certain websites or to specify for which websites (third) party cookies are always or never allowed.

deleted


Consent cannot be "freely given, specific informed, and unambiguous" through automated means.


Amendment 26 +

Amendment 26
Marju Lauristin
S&D
Recital 25

(25) Accessing electronic communications networks requires the regular emission of certain data packets in order to discover or maintain a connection with the network or other devices on the network. Furthermore, devices must have a unique address assigned in order to be identifiable on that network. Wireless and cellular telephone standards similarly involve the emission of active signals containing unique identifiers such as a MAC address, the IMEI (International Mobile Station Equipment Identity), the IMSI etc. A single wireless base station (i.e. a transmitter and receiver), such as a wireless access point, has a specific range within which such information may be captured. Service providers have emerged who offer tracking services based on the scanning of equipment related information with diverse functionalities, including people counting, providing data on the number of people waiting in line, ascertaining the number of people in a specific area, etc. This information may be used for more intrusive purposes, such as to send commercial messages to end-users, for example when they enter stores, with personalized offers. While some of these functionalities do not entail high privacy risks, others do, for example, those involving the tracking of individuals over time, including repeated visits to specified locations. Providers engaged in such practices should display prominent notices located on the edge of the area of coverage informing end-users prior to entering the defined area that the technology is in operation within a given perimeter, the purpose of the tracking, the person responsible for it and the existence of any measure the end-user of the terminal equipment can take to minimize or stop the collection. Additional information should be provided where personal data are collected pursuant to Article 13 of Regulation (EU) 2016/679.

(25) Accessing electronic communications networks requires the regular emission of certain data packets in order to discover or maintain a connection with the network or other devices on the network. Furthermore, devices must have a unique address assigned in order to be identifiable on that network. Wireless and cellular telephone standards similarly involve the emission of active signals containing unique identifiers such as a MAC address, the IMEI (International Mobile Station Equipment Identity), the IMSI etc. A single wireless base station (i.e. a transmitter and receiver), such as a wireless access point, has a specific range within which such information may be captured. Service providers have emerged who offer tracking services based on the scanning of equipment related information with diverse functionalities, including people counting, providing data on the number of people waiting in line, ascertaining the number of people in a specific area, etc. This information may be used for more intrusive purposes, such as to send commercial messages to users, for example when they enter stores, with personalised offers. While some of these functionalities do not entail high privacy risks, others do, for example, those involving the tracking of individuals over time, including repeated visits to specified locations. Providers engaged in such practices should display prominent notices located on the edge of the area of coverage informing users prior to entering the defined area that the technology is in operation within a given perimeter, the purpose of the tracking, the person responsible for it and the existence of any measure the user of the terminal equipment can take to minimize or stop the collection. Additional information should be provided where personal data are collected pursuant to Article 13 of Regulation (EU) 2016/679. In addition, such providers should either obtain the user's consent or anonymise the data immediately while limiting the purpose to mere statistical counting within a limited time and space and offering effective opt-out possibilities.


This proposition is way more protective than the initial proposal but should be much clearer as regards anonymisation techniques that should be implemented


Amendment 27 +

Amendment 27
Marju Lauristin
S&D
Recital 26

(26) When the processing of electronic communications data by providers of electronic communications services falls within its scope, this Regulation should provide for the possibility for the Union or Member States under specific conditions to restrict by law certain obligations and rights when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard specific public interests, including national security, defence, public security and the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security and other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests. Therefore, this Regulation should not affect the ability of Member States to carry out lawful interception of electronic communications or take other measures, if necessary and proportionate to safeguard the public interests mentioned above, in accordance with the Charter of Fundamental Rights of the European Union and the European Convention for the Protection of Human Rights and Fundamental Freedoms, as interpreted by the Court of Justice of the European Union and of the European Court of Human Rights. Providers of electronic communications services should provide for appropriate procedures to facilitate legitimate requests of competent authorities, where relevant also taking into account the role of the representative designated pursuant to Article 3(3).

(26) When the processing of electronic communications data by providers of electronic communications services falls within its scope, this Regulation is without prejudice to the possibility for the Union or Member States under specific conditions to restrict by law certain obligations and rights set out in this Regulation when such a restriction is targeted at persons suspected of having committed a criminal offence and constitutes a necessary and proportionate measure in a democratic society to safeguard specific public interests, including national security, defence, public security and the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. Therefore, this Regulation should not affect the ability of Member States to carry out lawful interception of electronic communications or take other measures, if necessary and proportionate to safeguard the public interests mentioned above, in accordance with the Charter of Fundamental Rights of the European Union and the European Convention for the Protection of Human Rights and Fundamental Freedoms, as interpreted by the Court of Justice of the European Union and of the European Court of Human Rights.


This would implement parts of the Tele2 case and limit the purposes of the derogations, which is great. But this Regulation should go much farther.

Amendment 92 -

Amendment 92
Marju Lauristin
S&D
Article 9 – paragraph 2

2. Without prejudice to paragraph 1, where technically possible and feasible, for the purposes of point (b) of Article 8(1), consent may be expressed by using the appropriate technical settings of a software application enabling access to the internet.

2. Without prejudice to paragraph 1, where technically possible and feasible, for the purposes of point (b) of Article 8(1), consent may be expressed by using technical specifications of electronic communications services. When such technical specifications are used by the user, they shall be binding on, and enforceable against, any other party.


Consent cannot be "freely given, specific informed, and unambiguous" through automated means. 


Amendment 93 +

Amendment 93
Marju Lauristin
S&D
Article 9 – paragraph 3

3. End-users who have consented to the processing of electronic communications data as set out in point (c) of Article 6(2) and points (a) and (b) of Article 6(3) shall be given the possibility to withdraw their consent at any time as set forth under Article 7(3) of Regulation (EU) 2016/679 and be reminded of this possibility at periodic intervals of 6 months, as long as the processing continues.

3. Users who have consented to the processing of electronic communications data as set out in point (c) of Article 6(2) and points (a) and (b) of Article 6(3), point (b) of Article 8(1) and point (aa) of Article 8(2) shall be given the possibility to withdraw their consent at any time as set forth under Article 7(3) of Regulation (EU) 2016/679 and be reminded of this possibility at periodic intervals of 6 months, as long as the processing continues.


Clarification


Amendment 98 -

Amendment 98
Marju Lauristin
S&D
Article 10 – paragraph 1 – point d (new)

(d) offer the user the possibility to express specific consent through the settings after the installation of the software.


Consent cannot be "freely given, specific informed, and unambiguous" through automated means. 


Amendment 101 ++

Amendment 101
Marju Lauristin
S&D
Article 11

Article 11

deleted

Restrictions

1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 5 to 8 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests referred to in Article 23(1)(a) to (e) of Regulation (EU) 2016/679 or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests.

2. Providers of electronic communications services shall establish internal procedures for responding to requests for access to end-users’ electronic communications data based on a legislative measure adopted pursuant to paragraph 1. They shall provide the competent supervisory authority, on demand, with information about those procedures, the number of requests received, the legal justification invoked and their response.


Amendment 103 +

Amendment 103
Marju Lauristin
S&D
Article 11 b (new)

Article 11b

Restrictions on confidentiality of communications

1. Union or Member State law may restrict by way of a legislative measure the scope of the rights provided for in Article 5 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the following general public interests:

(a) national security;

(b) defence;

(c) public security;

(d) the prevention, investigation, detection or prosecution of serious criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.


Would limit the purpose for which this Regulation can be derogated. But could have gone much much farther!

Scope and definitions

Bad

Amendment 334 --

Amendment 334
Daniel Dalton, John Procter
ECR
Article 2 – paragraph 1

1. This Regulation applies to the processing of electronic communications data carried out in connection with the provision and the use of electronic communications services and to information related to the terminal equipment of end-users.

1. This Regulation applies to the processing of electronic communications data carried out in connection with the provision and the use of electronic communications services.


A huge step back from the current law


Amendment 335 --

Amendment 335
Axel Voss, Heinz K. Becker
EPP
Article 2 – paragraph 1

1. This Regulation applies to the processing of electronic communications data carried out in connection with the provision and the use of electronic communications services and to information related to the terminal equipment of end-users.

1. This Regulation applies to the processing of electronic communications data carried out in connection with the provision and the use of electronic communications services.

Justification: Article 1(3) stipulates that this regulation particularises and complements Regulation (EU) No 2016/679 by laying down specific rules.This turns this regulation into ‘lex specialis’ in relation to the GDPR.This regulation should not be used to correct Regulation (EU) No 2016/679.


A huge step back from the current law


Amendment 341 --

Amendment 341
Daniel Dalton, Helga Stevens, John Procter
ECR
Article 2 – paragraph 2 – point c

(c) electronic communications services which are not publicly available;

(c) electronic communications services which are intended for closed groups or are not publicly available pursuant to Article 2 (2) (c) of Regulation (EU) No 2016/679;


This would exclude any private communications service (email, VoIP, Signal...) from the scope of this Regulation since, by definition, such services are "intended for closed groups" (for private communications).


Amendment 353 -

Amendment 353
Daniel Dalton, John Procter
ECR
Article 3 – paragraph 1 – point c

(c) the protection of information related to the terminal equipment of end-users located in the Union.

(c) the protection of information related to the terminal equipment of end-users placed on the market in the Union.


Excludes from the scope of the protection foreign equipments or equipments which were never placed in any market (handmade)


Amendment 363 -

Amendment 363
Monica Macovei, Tomáš Zdechovský
ECR
Article 3 a (new)

Article 3 a

Applicable law in the online environment

1.To the extent that Regulation (EU) 2016/679 or this Regulation allows Member States to regulate the processing of personal data or electronic communications data, in their domestic laws, the relevant national law provisions shall apply to:

(a) the processing of personal data or electronic communications data in the context of the activities of an establishment of a controller, processor or a provider of an electronic communications service or network established in the Member State in question;or

(b) the processing of personal data or electronic communications data by a controller, processor or a provider of an electronic communications service or network not established in the Union , offering goods or services in that Member State or monitoring the behaviour of data subjects in that Member State;

2.The relevant national law provisions as set out in point 1 of this Article do not apply to the processing of personal data or electronic communications data in the context of the activities of an establishment of a controller, processor or a provider of an electronic communications service or network established in another Member State, who shall instead only be subject to the relevant national law provisions of that other Member State.


This amendment makes absolutely no sense: if a controller is established in several MS, it is not subject to the national law of the MS where it is established but to the law of the "other" MS where it is established.


Amendment 366 -

Amendment 366
Daniel Dalton, John Procter
ECR
Article 4 – paragraph 2

2. For the purposes of point (b) of paragraph 1, the definition of ‘interpersonal communications service’ shall include services which enable interpersonal and interactive communication merely as a minor ancillary feature that is intrinsically linked to another service.

deleted


Limits the scope of the Regulation without any justification


Amendment 367 -

Amendment 367
Michał Boni, Roberta Metsola, Frank Engel, Tomáš Zdechovský, Rachida Dati, Brice Hortefeux, Carlos Coelho, Pál Csáky, Elissavet Vozemberg-Vrionidi
EPP
Article 4 – paragraph 2

2. For the purposes of point (b) of paragraph 1, the definition of ‘interpersonal communications service’ shall include services which enable interpersonal and interactive communication merely as a minor ancillary feature that is intrinsically linked to another service.

deleted


Limits the scope of the Regulation without any justification

Good

Amendment 41 +

Amendment 41
Marju Lauristin
S&D
Article 2 – paragraph 1

1. This Regulation applies to the processing of electronic communications data carried out in connection with the provision and the use of electronic communications services and to information related to the terminal equipment of end-users.

1. This Regulation applies to the processing of electronic communications data carried out in connection with the provision and the use of electronic communications services and to information related to or processed by the terminal equipment of end-users.


Information "processed" by terminal equipment is repeatedly missing in the recitals of EC's proposal 


Amendment 42 +

Amendment 42
Marju Lauristin
S&D
Article 3 – paragraph 1 – point c

(c) the protection of information related to the terminal equipment of end-users located in the Union.

(c) the protection of information related to or processed by the terminal equipment of end-users in the Union.


Information "processed" by terminal equipment is repeatedly missing in the recitals of EC's proposal 


Amendment 55 ++

Amendment 55
Marju Lauristin
S&D
Article 4 – paragraph 3 – point c

(c) ‘electronic communications metadata’ means data processed in an electronic communications network for the purposes of transmitting, distributing or exchanging electronic communications content; including data used to trace and identify the source and destination of a communication, data on the location of the device generated in the context of providing electronic communications services, and the date, time, duration and the type of communication;

(c) ‘electronic communications metadata’ means data related to a user or electronic communications service, processed for the purposes of transmitting, distributing or exchanging electronic communications content and any other communications related data processed for the provision of the service, which is not considered content; including data to trace and identify the source and destination of a communication, and the date, time, duration and the type of communication; it includes data broadcasted or emitted by the terminal equipment to identify users' communications and/or the terminal equipment or its location and enable it to connect to a network or to another device;

Justification: This amendment serves to clarify the exact concept of metadata, as underlined by the Article 29 Working Party, scholars and case-law authorities.


The definition proposed by the EC was particularly incomplete: it only covered data processed "in a network" and excluded data processed by services


Amendment 59 +

Amendment 59
Marju Lauristin
S&D
Article 5 – paragraph 1 a (new)

Confidentiality of electronic communications shall also include terminal equipment and machine-to-machine communications when related to a user.


Clarification


Amendment 342 +

Amendment 342
Axel Voss, Heinz K. Becker, Elissavet Vozemberg-Vrionidi
EPP
Article 2 – paragraph 2 – point c

(c) electronic communications services which are not publicly available;

(c) electronic communications services which are not publicly available pursuant to Article 2(2)(c) of Regulation (EU) No 2016/679;

Justification: The household exemption introduced by Article 2(2)(c) of Regulation (EU) No 2016/679 should also apply to this regulation.


This would limit the scope of the initial limitation ("closed network") proposed by the EC. Not every "closed networks" (at work, typically) would be excluded from the scope of this Regulation anymore, but only those provided by individuals for their household activities


Amendment 345 +

Amendment 345
Jan Philipp Albrecht, Judith Sargentini
Verts/ALE
Article 3 – paragraph 1 – introductory part

1. This Regulation applies to:

1. This Regulation applies to the activities referred to in Article 2 where the user or subscriber is in the Union, where the communications services, hardware, software, directories, or direct marketing commercial electronic communications are provided from the territory of the Union, or where the the processing of information related to or processed by the terminal equipment of users or subscribers takes place in the Union.


Clarifies the scope of the Regulation


Amendment 349 +

Amendment 349
Cornelia Ernst
GUE/NGL
Article 3 – paragraph 1 – point a

(a) the provision of electronic communications services to end-users in the Union, irrespective of whether a payment of the end-user is required;

(a) the provision of electronic communications services to end-users in the Union, irrespective of whether the provider is located inside the EU, and irrespective of whether a payment of the end-user is required;


Clarifies the scope of the Regulation


Amendment 352 +

Amendment 352
Cornelia Ernst
GUE/NGL
Article 3 – paragraph 1 – point c

(c) the protection of information related to the terminal equipment of end-users located in the Union.

(c) the protection of information related to or processed by the terminal equipment of end-users located in the Union.


Clarifies the scope of the Regulation

Amendment 381 ++

Amendment 381
Jan Philipp Albrecht, Judith Sargentini
Verts/ALE
Article 4 – paragraph 3 – point c

(c) ‘electronic communications metadata’ means data processed in an electronic communications network for the purposes of transmitting, distributing or exchanging electronic communications content; including data used to trace and identify the source and destination of a communication, data on the location of the device generated in the context of providing electronic communications services, and the date, time, duration and the type of communication;

(c) 'electronic communications metadata' means all data processed for the purposes of transmitting, distributing or exchanging electronic communications content; including data used to trace and identify the source and destination of a communication, electronic identifiers and any other data broadcasted or emitted by the terminal equipment, data on the location of the terminal equipment processed in the context of providing electronic communications services, and the date, time, duration and the type of communication; where metadata of other electronic communications services or protocols are transmitted, distributed or exchanged by using the respective service, they shall be considered electronic communications content for the respective service;

Justification: With the clarification on "data broadcasted or emitted" in the definition of “metadata”, Article 8(2) can be deleted, as it is covered by Art.6(2).Last sentence:See explanatory recital (14a) on the separation and encapsulation of protocol layers.


Drastically resolves the device-tracking issue + corrects the incomplete definition of metadata (which only covered data processed "in a network")


Amendment 382 ++

Amendment 382
Cornelia Ernst
GUE/NGL
Article 4 – paragraph 3 – point c

(c) ‘electronic communications metadata’ means data processed in an electronic communications network for the purposes of transmitting, distributing or exchanging electronic communications content; including data used to trace and identify the source and destination of a communication, data on the location of the device generated in the context of providing electronic communications services, and the date, time, duration and the type of communication;

(c) 'electronic communications metadata' means all data processed for the purposes of transmitting, distributing or exchanging electronic communications content; including data used to trace and identify the source and destination of a communication, electronic identifiers and any other data broadcasted or emitted by the terminal equipment, data on the location of the terminal equipment processed in the context of providing electronic communications services, and the date, time, duration and the type of communication; where metadata of other electronic communications services or protocols are transmitted, distributed or exchanged by using the respective service, they shall be considered electronic communications content for the respective service;


Drastically resolves the device-tracking issue + corrects the incomplete definition of metadata (which only covered data processed "in a network")


Amendment 383 +

Amendment 383
Sophia in 't Veld
ALDE
Article 4 – paragraph 3 – point c

(c) ‘electronic communications metadata’ means data processed in an electronic communications network for the purposes of transmitting, distributing or exchanging electronic communications content; including data used to trace and identify the source and destination of a communication, data on the location of the device generated in the context of providing electronic communications services, and the date, time, duration and the type of communication;

(c) ‘electronic communications metadata’ means all data processed for the purpose of transmitting, distributing or exchanging electronic communications content; including data used to trace and identify the source and destination of a communication, data on the location of the device generated in the context of providing electronic communications services, and the date, time, duration and the type of communication;


corrects the incomplete definition of metadata (which only covered data processed "in a network")

Confidentiality of communications

Bad

Amendment 395 --

Amendment 395
Axel Voss, Heinz K. Becker, Rachida Dati, Brice Hortefeux
EPP
Article 5 – title

Confidentiality of electronic communications data

Confidentiality of electronic communications content


Would exclude metadata from the scope of the Regulation


Amendment 397 --

Amendment 397
Anna Maria Corazza Bildt
EPP
Article 5 – paragraph 1

Electronic communications data shall be confidential. Any interference with electronic communications data, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing of electronic communications data, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation.

Electronic communications data shall be confidential. Any interference with electronic communications data during conveyance, such as by unauthorised listening, tapping, storing, scanning or other kinds of interception, or surveillance of electronic communications data, by persons other than the sender or intended recipients, shall be prohibited, except when permitted by Union or national legislation. The processing of electronic communications data following conveyance to the intended recipients or their service provider shall be subject to Regulation (EU) 2016/679.


Would allow the processing of stored communications for "legitimate interests" (without consent) ; this is what Gmail used to do, typically


Amendment 402 --

Amendment 402
Axel Voss, Heinz K. Becker, Rachida Dati, Elissavet Vozemberg-Vrionidi, Brice Hortefeux
EPP
Article 5 – paragraph 1

Electronic communications data shall be confidential. Any interference with electronic communications data, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing of electronic communications data, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation.

Electronic communications data shall be confidential. Any interference with electronic communications data during conveyance, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing of electronic communications content, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation.

Justification: It is justifiable for electronic communication content to be protected against interference by third parties, with special requirements for the processing of content pursuant to Article 6(3) of the proposal.This does not apply to the processing of electronic communication metadata to which the principle of confidentiality is not relevant.Personal metadata may reveal personal information, but their processing is governed by Regulation (EU) No 2016/679.


Excludes metadata from the principle of confidentiality + would allow the processing of stored communications for "legitimate interests" (without consent) ; this is what Gmail used to do, typically


Amendment 403 -

Amendment 403
Emilian Pavel
S&D
Article 5 – paragraph 1

Electronic communications data shall be confidential. Any interference with electronic communications data, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing of electronic communications data, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation.

Electronic communications data shall be confidential. Any interference with electronic communications data, such as by unauthorised listening, tapping, storing, monitoring, scanning or other kinds of interception, or surveillance, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation.


Limit the scope of the confidentiality principle


Amendment 404 --

Amendment 404
Daniel Dalton, John Procter
ECR
Article 5 – paragraph 1

Electronic communications data shall be confidential. Any interference with electronic communications data, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing of electronic communications data, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation.

Electronic communications data shall be confidential. Any interference with electronic communications data during transmission, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception or surveillance, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation.


Would allow the processing of stored communications for "legitimate interests" (without consent) ; this is what Gmail used to do, typically


Amendment 405 -

Amendment 405
Michał Boni, Roberta Metsola, Frank Engel, Tomáš Zdechovský, Rachida Dati, Brice Hortefeux, Carlos Coelho, Pál Csáky
EPP
Article 5 – paragraph 1

Electronic communications data shall be confidential. Any interference with electronic communications data, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing of electronic communications data, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation.

Electronic communications data shall be confidential. Any interference with electronic communications data, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception or surveillance of electronic communications data, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation.


Limit the scope of the confidentiality principle


Amendment 408 -

Amendment 408
Anna Maria Corazza Bildt
EPP
Article 5 – paragraph 1 a (new)

The prohibition of interception is not intended to prohibit access to electronic communications data by an electronic communications service provider or electronic communications network operator for purposes of conveying communications or for legitimate purposes related to the operation and protection of such services and networks consistent with obligations under Regulation (EU) 2016/679, Directive (EU) 2016/1148 and Regulation (EU) 2015/2120.


Unnecessary and dangerously ambiguous: "the legitimate purposes related to the operation" of service may lead to loopholes similar to "legitimate interests"


Amendment 441 --

Amendment 441
Anna Maria Corazza Bildt
EPP
Article 6 – paragraph 1 – point b a (new)

(b a) it is necessary for the purpose of the legitimate interests of the provider except where such interests are overridden by the interests or fundamental rights and freedoms of the consumers concerned;


No legitimate interest!!

Amendment 471 --

Amendment 471
Heinz K. Becker
EPP
Article 6 – paragraph 2 – point c

(c) the end-user concerned has given his or her consent to the processing of his or her communications metadata for one or more specified purposes, including for the provision of specific services to such end-users, provided that the purpose or purposes concerned could not be fulfilled by processing information that is made anonymous.

(c) a legitimate ground in accordance with Article 6 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (‘General Data Protection Regulation’) is applicable.


This would allow processing of metadata for any "legitimate interest", which is currently and rightly forbidden


Amendment 472 --

Amendment 472
Michał Boni, Frank Engel, Tomáš Zdechovský, Carlos Coelho, Pál Csáky, Elissavet Vozemberg-Vrionidi
EPP
Article 6 – paragraph 2 – point c a (new)

(c a) the processing of these data for another specified purpose is compatible with the purpose for which the data were initially collected and is subject to specific safeguards, especially pseudonymisation, as set forth in Article 6(4) of Regulation (EU) 2016/679;or


This would allow processing of metadata for any "further processing", which is currently and rightly forbidden


Amendment 473 --

Amendment 473
Brice Hortefeux, Rachida Dati
EPP
Article 6 – paragraph 2 – point c a (new)

(c a) the processing of electronic communications metadata for one or more specified purposes is compatible with the purposes for which the data were initially collected, as set forth under point (4) of Article 6 of Regulation (EU) 2016/679.


This would allow processing of metadata for any "further processing", which is currently and rightly forbidden


Amendment 474 --

Amendment 474
Emilian Pavel
S&D
Article 6 – paragraph 2 – point c a (new)

(c a) the further processing of electronic communications metadata is compatible with the purposes for which the data were initially collected, as set forth under point (4) of Art. 6 of Regulation (EU)2016/679.


This would allow processing of metadata for any "further processing", which is currently and rightly forbidden


Amendment 475 --

Amendment 475
Daniel Dalton, Helga Stevens, John Procter
ECR
Article 6 – paragraph 2 – point c a (new)

(c a) processing is allowed pursuant to Articles 6(1) or 6(4) of Regulation (EU) 2016/679.


This would allow processing of metadata for both "legitimate interest" and "further processing", which is currently and rightly forbidden


Amendment 476 --

Amendment 476
Michał Boni, Frank Engel, Tomáš Zdechovský, Rachida Dati, Brice Hortefeux, Carlos Coelho, Pál Csáky, Elissavet Vozemberg-Vrionidi
EPP
Article 6 – paragraph 2 – point c b (new)

(c b) it is necessary, in accordance with Article 6(1)(f) of Regulation (EU) 2016/679, for the purposes of the legitimate interests pursued by the service provider or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.


This would allow processing of metadata for any "legitimate interest", which is currently and rightly forbidden


Amendment 478 --

Amendment 478
Axel Voss, Heinz K. Becker
Article 6 – paragraph 2 a (new)

2 a. Article 6 of Regulation (EU) No 2016/679 shall apply.

Justification: Article 6 of Regulation (EU) No 2016/679 already regulates the lawfulness of processing, and should therefore apply here.


This would allow processing of metadata for both "legitimate interests" and "further processing", which is currently and rightly forbidden


Amendment 479 --

Amendment 479
Anna Maria Corazza Bildt
EPP
Article 6 – paragraph 2 a (new)

2 a. Art.6 of Regulation (EU) 2016/679 shall apply;


This would allow processing of metadata for both "legitimate interests" and "further processing", which is currently and rightly forbidden


Amendment 480 --

Amendment 480
Anna Maria Corazza Bildt
EPP
Article 6 – paragraph 3 – introductory part

3. Providers of the electronic communications services may process electronic communications content only:

3. Providers of the electronic communications services may process electronic communications content in accordance with Art. 6 of Regulation (EU) 2016/679 and to the extent the processing of all end-user electronic communications content for one or more specified purposes cannot be fulfilled by processing information that is made anonymous;


This would allow processing of communications content for both "legitimate interests" and "further processing", which is currently and rightly forbidden


Amendment 485 -

Amendment 485
Cornelia Ernst
GUE/NGL
Article 6 – paragraph 3 – point a

(a) for the sole purpose of the provision of a specific service to an end-user, if the end-user or end-users concerned have given their consent to the processing of his or her electronic communications content and the provision of that service cannot be fulfilled without the processing of such content; or

(a) the user concerned has given his or her consent to the processing of his or her electronic communications content for the sole purpose of the provision of a specific service explicitly requested by the user, for the duration necessary for that purpose, , provided that the provision of that specific service cannot be fulfilled without the processing of such content by the provider, and the consent has not been a condition to access or use a service; or


This would allow processing of content of communications without the consent of all end-users


Amendment 486 -

Amendment 486
Jan Philipp Albrecht, Judith Sargentini
Verts/ALE
Article 6 – paragraph 3 – point a

(a) for the sole purpose of the provision of a specific service to an end-user, if the end-user or end-users concerned have given their consent to the processing of his or her electronic communications content and the provision of that service cannot be fulfilled without the processing of such content; or

(a) the user concerned has given his or her consent to the processing of his or her electronic communications content for the sole purpose of the provision of a specific service explicitly requested by the user, for the duration necessary for that purpose, , provided that the provision of that specific service cannot be fulfilled without the processing of such content by the provider, and the consent has not been a condition to access or use a service; or


This would allow processing of content of communications without the consent of all end-users


Amendment 488 --

Amendment 488
Heinz K. Becker
EPP
Article 6 – paragraph 3 – point a

(a) for the sole purpose of the provision of a specific service to an end-user, if the end-user or end-users concerned have given their consent to the processing of his or her electronic communications content and the provision of that service cannot be fulfilled without the processing of such content; or

(a) for the sole purpose of the provision of a specific service to an end-user, if the end-user or end-users concerned have given their consent to the processing of his or her electronic communications content, or the provision of that service cannot be fulfilled without the processing of such content; or


This would allow to process the content of communications without any consent simply because the purpose cannot be fulfilled with anonymous data


Amendment 489 -

Amendment 489
Michał Boni, Roberta Metsola, Frank Engel, Tomáš Zdechovský, Rachida Dati, Brice Hortefeux, Carlos Coelho, Pál Csáky, Elissavet Vozemberg-Vrionidi
EPP
Article 6 – paragraph 3 – point a

(a) for the sole purpose of the provision of a specific service to an end-user, if the end-user or end-users concerned have given their consent to the processing of his or her electronic communications content and the provision of that service cannot be fulfilled without the processing of such content; or

(a) for the sole purpose of the provision of a specific service to an end-user, if the end-user concerned has given his or her consent to the processing of his or her electronic communications content and the provision of that service cannot be fulfilled without the processing of such content; or


This would allow processing of content of communications without the consent of all end-users


Amendment 490 -

Amendment 490
Anna Maria Corazza Bildt
EPP
Article 6 – paragraph 3 – point b

(b) if all end-users concerned have given their consent to the processing of their electronic communications content for one or more specified purposes that cannot be fulfilled by processing information that is made anonymous, and the provider has consulted the supervisory authority. Points (2) and (3) of Article 36 of Regulation (EU) 2016/679 shall apply to the consultation of the supervisory authority.

(b) if service providers' end-users have consented to the processing of their electronic communications pursuant to Regulation (EU) 2016/679.


This would allow processing of content of communications without the consent of all end-users (users not using the service are not required to consent, such as users sending emails to Gmail users)


Amendment 496 --

Amendment 496
Axel Voss, Heinz K. Becker
EPP
Article 6 – paragraph 3 a (new)

3 a. In so far as providers of electronic communications services are processing and receiving communications content to and by the end-user, the provisions of this regulation shall not apply but regulation (EU) 2016/679.


This would make this Regulation completely ineffective and allow "legitimate interest" and "further processing"


Amendment 497 --

Amendment 497
Axel Voss, Heinz K. Becker
EPP
Article 6 – paragraph 3 b (new)

3 b. (a) The service provider may collect and use the personal data of a recipient of a service only to the extent necessary to enable and invoice the use of services (data on usage).Data on usage are in particular characteristics to identify the recipient of the service, details of the beginning and end of the scope of the respective usage, and details of the services used by the recipient of the service.

(b) The service provider may collate a recipient's usage data regarding the use of different services to the extent necessary for invoicing the recipient of the service.

(c) For the purposes of advertising, market research or in order to design the services in a needs-based manner, the service provider may produce profiles of usage based on pseudonyms to the extent that the recipient of the service does not object to this.The service provider must refer the recipient of the service to his right of refusal.These profiles of usage must not be collated with data on the bearer of the pseudonym without his consent (opt-in).


This would simply allow processing for commercial purposes without any consent or even a "legitimate interest". This would be even less protective than the GDPR.


Amendment 498 --

Amendment 498
Daniel Dalton, John Procter
ECR
Article 7

Article 7

deleted

Storage and erasure of electronic communications data

1. Without prejudice to point (b) of Article 6(1) and points (a) and (b) of Article 6(3), the provider of the electronic communications service shall erase electronic communications content or make that data anonymous after receipt of electronic communication content by the intended recipient or recipients. Such data may be recorded or stored by the end-users or by a third party entrusted by them to record, store or otherwise process such data, in accordance with Regulation (EU) 2016/679.

2. Without prejudice to point (b) of Article 6(1) and points (a) and (c) of Article 6(2), the provider of the electronic communications service shall erase electronic communications metadata or make that data anonymous when it is no longer needed for the purpose of the transmission of a communication.

3. Where the processing of electronic communications metadata takes place for the purpose of billing in accordance with point (b) of Article 6(2), the relevant metadata may be kept until the end of the period during which a bill may lawfully be challenged or a payment may be pursued in accordance with national law.


This would destroy the basis of the ePrivacy directive and of the confidentiality of communications: that communications must be deleted once transmitted


Good

Amendment 67 +

Amendment 67
Marju Lauristin
S&D
Article 6 – paragraph 2 – point c

(c) the end-user concerned has given his or her consent to the processing of his or her communications metadata for one or more specified purposes, including for the provision of specific services to such end-users, provided that the purpose or purposes concerned could not be fulfilled by processing information that is made anonymous.

(c) after receiving all relevant information about the intended processing in clear and easily understandable language, provided separately from the terms and conditions of the provider, the user or users concerned have given their specific consent to the processing of their communications metadata for one or more specified purposes, including for the provision of specific services to such users, provided that the purpose or purposes concerned could not be fulfilled without the processing of such metadata.


The Proposal only requires the consent of one user, which is both ambiguous (which user?) and unjustified (why other users should not give their consent?). This amendment would correct that issue but can be much clearer by requiring the consent of "all users concerned" (speaking about "the users or users" may still be ambiguous)


Amendment 69 +

Amendment 69
Marju Lauristin
S&D
Article 6 – paragraph 3 – point a

(a) for the sole purpose of the provision of a specific service to an end-user, if the end-user or end-users concerned have given their consent to the processing of his or her electronic communications content and the provision of that service cannot be fulfilled without the processing of such content; or

(a) for the sole purpose of the provision of a specific service requested by the user, if the users concerned have given their specific consent to the processing of their electronic communications content and the provision of that specific service cannot be fulfilled without the processing of such content; or


Clarifies the ambiguous "the end-user or end-users".


Amendment 72 ++

Amendment 72
Marju Lauristin
Article 6 – paragraph 3 b (new)

3b. Neither providers of electronic communications services, nor any other party, shall further process electronic communications data collected on the basis of this Regulation.


Excludes the extremely dangerous derogation of "further processing" required by big companies


Amendment 73 ++

Amendment 73
Marju Lauristin
S&D
Article 7 – paragraph 1

1. Without prejudice to point (b) of Article 6(1) and points (a) and (b) of Article 6(3), the provider of the electronic communications service shall erase electronic communications content or make that data anonymous after receipt of electronic communication content by the intended recipient or recipients. Such data may be recorded or stored by the end-users or by a third party entrusted by them to record, store or otherwise process such data, in accordance with Regulation (EU) 2016/679.

1. Without prejudice to point (b) of Article 6(1) and points (a) and (b) of Article 6(3), the provider of the electronic communications service shall erase electronic communications content after receipt of electronic communication content by the intended recipient or recipients. Such data may be recorded or stored by the users or by a specific other party entrusted by them to record, store or otherwise process such data.


The content of communications can almost never be made anonymous + we should always be able to choose the primary purposes for which the ideas we express can be used, anonymised or not (this is part of our freedom of expression)

Amendment 399 +

Amendment 399
Jan Philipp Albrecht, Judith Sargentini, Viviane Reding
Verts/ALE
Article 5 – paragraph 1

Electronic communications data shall be confidential. Any interference with electronic communications data, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing of electronic communications data, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation.

1. Electronic communications shall be confidential. Any processing of electronic communications data, including any interference with electronic communications data such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance of electronic communications data, by persons other than the users, shall be prohibited, except when permitted by this Regulation. This includes electronic communications data that is stored after the transmission has been completed.

Justification: First part clarifies that all processing of communications data is covered by this Regulation, not only processing that can be interpreted as “interference”.Last part as recommended by the EDPS, in order to make it future-proof for cloud-based services.


Clarifies the protection


Amendment 400 +

Amendment 400
Cornelia Ernst
GUE/NGL
Article 5 – paragraph 1

Electronic communications data shall be confidential. Any interference with electronic communications data, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing of electronic communications data, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation.

Electronic communications shall be confidential. Any processing of electronic communications data, including any interference with electronic communications data such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance of electronic communications data, by persons other than the users, shall be prohibited, except when permitted by this Regulation. This includes electronic communications data that is stored after the transmission has been completed.


Clarifies the protection


Amendment 401 +

Amendment 401
Monica Macovei, Marian-Jean Marinescu, Barbara Spinelli
ECR
Article 5 – paragraph 1

Electronic communications data shall be confidential. Any interference with electronic communications data, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing of electronic communications data, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation.

Electronic communications data shall be confidential. Any interference with electronic communications data regardless of whether this data is in transit or stored, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or any processing of electronic communications data, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation.


Clarifies the protection

Amendment 406 ++

Amendment 406
Monica Macovei, Tomáš Zdechovský, Barbara Spinelli
ECR
Article 5 – paragraph 1 – subparagraph 1 (new)

Neither providers of electronic communication services, nor any third parties, shall process electronic communications data collected on the basis of consent or any other legal ground under this Regulation on any other legal basis not specifically provided for in this Regulation


Excludes the extremely dangerous derogation of "further processing" required by big companies 

Amendment 409 +

Amendment 409
Jan Philipp Albrecht, Judith Sargentini, Viviane Reding
Verts/ALE
Article 5 – paragraph 1 a (new)

2.Confidentiality of electronic communications shall also apply to data related to or processed by terminal equipment and to machine-to-machine communication.

Justification: Communications providers should also protect communications related to automated supply chains and any other M2M communication.This protects confidential business information.


Clarifications


Amendment 410 +

Amendment 410
Sophia in 't Veld
ALDE
Article 5 – paragraph 1 a (new)

Confidentiality of electronic communications shall also apply to data related to or processed by terminal equipment and to machine-to-machine communication.


Clarifications

Amendment 465 ++

Amendment 465
Cornelia Ernst
GUE/NGL
Article 6 – paragraph 2 – point c

(c) the end-user concerned has given his or her consent to the processing of his or her communications metadata for one or more specified purposes, including for the provision of specific services to such end-users, provided that the purpose or purposes concerned could not be fulfilled by processing information that is made anonymous.

(c) the user or users concerned have given their specific consent to the processing of their communications metadata by the respective electronic communications service for one or more specified purposes, including for the provision of specific services to such users, provided that the purpose or purposes concerned could not be fulfilled by processing data that is made anonymous, and the consent has not been a condition to access or use a service.


Strengthens what a "freely given consent" is + The initial proposal only requires the consent of one user, which is both ambiguous (which user?) and unjustified (why other users should not give their consent?): this amendment would correct that issue but can be much clearer by requiring the consent of "all users concerned" (speaking about "the users or users" may still be ambiguous)


Amendment 466 ++

Amendment 466
Jan Philipp Albrecht, Judith Sargentini
Verts/ALE
Article 6 – paragraph 2 – point c

(c) the end-user concerned has given his or her consent to the processing of his or her communications metadata for one or more specified purposes, including for the provision of specific services to such end-users, provided that the purpose or purposes concerned could not be fulfilled by processing information that is made anonymous.

(c) the user or users concerned have given their specific consent to the processing of their communications metadata by the respective electronic communications service for one or more specified purposes, including for the provision of specific services to such users, provided that the purpose or purposes concerned could not be fulfilled by processing data that is made anonymous, and the consent has not been a condition to access or use a service.


Strengthens what a "freely given consent" is + The initial proposal only requires the consent of one user, which is both ambiguous (which user?) and unjustified (why other users should not give their consent?): this amendment would correct that issue but can be much clearer by requiring the consent of "all users concerned" (speaking about "the users or users" may still be ambiguous)


Amendment 470 +

Amendment 470
Sophia in 't Veld
ALDE
Article 6 – paragraph 2 – point c

(c) the end-user concerned has given his or her consent to the processing of his or her communications metadata for one or more specified purposes, including for the provision of specific services to such end-users, provided that the purpose or purposes concerned could not be fulfilled by processing information that is made anonymous.

(c) the end-user or end-users concerned have given his or her consent to the processing of his or her communications metadata for one or more specified purposes, including for the provision of specific services to such end-users, provided that the purpose or purposes concerned could not be fulfilled by processing information that is made anonymous.


The initial proposal only requires the consent of one user, which is both ambiguous (which user?) and unjustified (why other users should not give their consent?): this amendment would correct that issue but can be much clearer by requiring the consent of "all users concerned" (speaking about "the users or users" may still be ambiguous)

Amendment 495 +

Amendment 495
Marju Lauristin
S&D
Article 6 – paragraph 3 a (new)

3 a. Without prejudice to paragraphs 1, 2 and 3, neither providers of the electronic communications services, nor any other party, shall process electronic communications data collected on the basis of this Regulation, for further processing.


Clearly forbids "further processing"

Online tracking

Bad

Amendment 80 -

Amendment 80
Marju Lauristin
S&D
Article 8 – paragraph 1 – point d

(d) if it is necessary for web audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user.

(d) if it is technically necessary for web audience measuring of the information society service requested by the user, provided that such measurement is carried out by the provider, or on behalf of the provider, or by an independent web analytics agency acting in the public interest or for scientific purpose; and further provided that no personal data is made accessible to any other party and that such web audience measurement does not adversely affect the fundamental rights of the user;


This amendment is worst than the initial proposal: web audience should not be lawful without users' consent nor where carried out by third parties


Amendment 519 --

Amendment 519
Anna Maria Corazza Bildt
EPP
Article 8 – paragraph 1 – introductory part

1. The use of processing and storage capabilities of terminal equipment and the collection of information from end-users’ terminal equipment, including about its software and hardware, other than by the end-user concerned shall be prohibited, except on the following grounds:

1. Without prejudice to paragraph 2 of this Article, the storage or collection of personal data from consumers' terminal equipment, including about its software and hardware, other than by the consumer concerned shall be prohibited, except on the following grounds:


This would allow to use the processing capabilities (for advertising, for instance) of terminals without consent

Amendment 525 --

Amendment 525
Heinz K. Becker
EPP
Article 8 – paragraph 1 – point b

(b) the end-user has given his or her consent; or

(b) the end-user has given his or her consent or there is another legitimate ground within the meaning of Article 6 of Regulation (EU) 2016/679; or


This would allow tracking for both "legitimate interest" and "further processing", which is currently and rightly forbidden 


Amendment 526 --

Amendment 526
Anna Maria Corazza Bildt
EPP
Article 8 – paragraph 1 – point b

(b) the end-user has given his or her consent; or

(b) the use of their terminal equipment for one or more specific purposes is in accordance with Art. 6 of Regulation (EU) 2016/679; or


This would allow tracking for both "legitimate interest" and "further processing", which is currently and rightly forbidden 


Amendment 528 --

Amendment 528
Michał Boni, Roberta Metsola, Frank Engel, Tomáš Zdechovský, Rachida Dati, Brice Hortefeux, Carlos Coelho, Elissavet Vozemberg-Vrionidi
EPP
Article 8 – paragraph 1 – point b a (new)

(b a) the information is or is rendered pseudonymous or anonymous;or


This would allow tracking for any purpose without consent, which is currently and rightly forbidden 


Amendment 529 -

Amendment 529
Heinz K. Becker
EPP
Article 8 – paragraph 1 – point c

(c) it is necessary for providing an information society service requested by the end-user; or

(c) it is necessary for providing an information society service requested by the end-user, particularly in order to preserve the integrity or security of the information society service or access to it, to improve what is offered or for measures to protect against unauthorised use of the service in accordance with the terms and conditions of use relating to the provision of services to the end-user; or


"improving what is offered" is not a clear enough purpose + users would gladly consent to any processing really improving what they get. Thus, this amendment intends to allow unwanted processing: how can they be regarded as able to "improve what is offered"?


Amendment 530 -

Amendment 530
Pál Csáky
EPP
Article 8 – paragraph 1 – point c

(c) it is necessary for providing an information society service requested by the end-user; or

(c) it is necessary for providing an information society service requested by the end-user which shall include inter alia maintaining, operating and managing the integrity, access or security of the information society service, enhancing user experience or measures for preventing unauthorized access to or use of the information society service according to the terms of use for making available the service to the end-user; or


"enhancing user experience" is not a clear enough purpose + users would gladly consent to any processing really improving what they get. Thus, this amendment intends to allow unwanted processing: how can they be regarded as "enhancing user experience"?


Amendment 531 -

Amendment 531
Anna Maria Corazza Bildt
EPP
Article 8 – paragraph 1 – point c

(c) it is necessary for providing an information society service requested by the end-user; or

(c) it is necessary for providing an information society service requested by the end-user which shall include inter alia maintaining, operating and managing the integrity, access or security of the information society service, enhancing user experience or measures for preventing unauthorised access to or use of the information society service according to the terms of use for making available the service to the end-user; or


"enhancing user experience" is not a clear enough purpose + users would gladly consent to any processing really improving what they get. Thus, this amendment intends to allow unwanted processing: how can they be regarded as "enhancing user experience"?


Amendment 532 -

Amendment 532
Miltiadis Kyrkos
S&D
Article 8 – paragraph 1 – point c

(c) it is necessary for providing an information society service requested by the end-user; or

(c) it is necessary for providing an information society service requested by the end-user which shall include inter alia maintaining, operating and managing the integrity, access or security of the information society service, enhancing user experience or measures for preventing unauthorized access to or use information society service according to the terms of use for making available the service to the end-user; or


"enhancing user experience" is not a clear enough purpose + users would gladly consent to any processing really improving what they get. Thus, this amendment intends to allow unwanted processing: how can they be regarded as "enhancing user experience"?


Amendment 533 -

Amendment 533
Gérard Deprez, Morten Løkkegaard, Jean-Marie Cavada, Petr Ježek, Louis Michel, Pavel Telička
ALDE
Article 8 – paragraph 1 – point c

(c) it is necessary for providing an information society service requested by the end-user; or

(c) it is necessary for providing an information society service requested by the end-user especially in order to secure the integrity, security and access of the information society service, to enhance user experience or for measures to protect against unauthorised use or access to the information society services in agreement with the terms of use for making available the service to the end-user; or


"enhancing user experience" is not a clear enough purpose + users would gladly consent to any processing really improving what they get. Thus, this amendment intends to allow unwanted processing: how can they be regarded as "enhancing user experience"?


Amendment 534 -

Amendment 534
Axel Voss
EPP
Article 8 – paragraph 1 – point c

(c) it is necessary for providing an information society service requested by the end-user; or

(c) it is necessary for providing an information society service requested by the end-user, particularly in order to preserve the integrity or security of the information society service or access to it, to improve what is offered or for measures to protect against unauthorised use of the service in accordance with the terms and conditions of use relating to the provision of services to the end-user; or


"enhancing user experience" is not a clear enough purpose + users would gladly consent to any processing really improving what they get. Thus, this amendment intends to allow unwanted processing: how can they be regarded as "enhancing user experience"?


Amendment 538 -

Amendment 538
Axel Voss, Heinz K. Becker
EPP
Article 8 – paragraph 1 – point c b (new)

(c b) it is necessary for scientific research purposes, provided that the controller plans appropriate technical and organisational measures to safeguard the rights and freedoms of the user and the processed personal data will be anonymised as soon as possible according to the research purpose.


Scientific research purposes does not need to bypass users consent: if a research is legitimate, user will gladly accept it. The "research exemption" of the GDPR is legitimate because the GDPR covers situation where consent can hardly be obtained. This Regulation does not cover such situation (quite the opposite, actually).

Amendment 541 -

Amendment 541
Michał Boni, Frank Engel, Tomáš Zdechovský, Rachida Dati, Brice Hortefeux, Carlos Coelho, Elissavet Vozemberg-Vrionidi
EPP
Article 8 – paragraph 1 – point d

(d) if it is necessary for web audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user.

(d) if it is necessary to obtain information about technical quality or effectiveness of an information society service that has been delivered, to understand and optimize web usage or about terminal equipment functionality, and it has no or little impact on the privacy of the end-user concerned; or


The "effectiveness" of a website is a completely vague purpose. What does being effective mean for a website which purpose is to be visited by as many people as possible? How is it measurable? By monitoring every act of its users? This exemption is way too broad and dangerous.


Amendment 542 -

Amendment 542
Marju Lauristin
S&D
Article 8 – paragraph 1 – point d

(d) if it is necessary for web audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user.

(d) if it is technically necessary for web audience measuring of the information society service requested by the user, provided that such measurement is carried out by the provider, or on behalf of the provider, or by an independent web analytics organization acting in the public interest or for statistical or scientific purpose; and further provided that no personal data is made accessible to any other party and that such web audience measurement does not adversely affect the fundamental rights of the user;


This amendment is worst than the initial proposal: web audience should not be lawful without users' consent nor where carried out by third parties 


Amendment 543 -

Amendment 543
Daniel Dalton, John Procter
ECR
Article 8 – paragraph 1 – point d

(d) if it is necessary for web audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user.

(d) if it is necessary for audience measuring, provided that such measurement is carried out by, or on behalf of, the provider of the information society service requested by the end-user, including measurement of indicators for the use of information society services in order to calculate a payment due; or


This amendment is worst than the initial proposal: web audience should not be lawful without users' consent nor where carried out by third parties 


Amendment 549 -

Amendment 549
Anna Maria Corazza Bildt
EPP
Article 8 – paragraph 1 – point d

(d) if it is necessary for web audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user.

(d) it is necessary for web audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user or another party acting on their behalf;.


This amendment is worst than the initial proposal: web audience should not be lawful without users' consent nor where carried out by third parties 


Amendment 550 -

Amendment 550
Sophia in 't Veld
ALDE
Article 8 – paragraph 1 – point d

(d) if it is necessary for web audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user.

(d) if it is necessary for web audience measuring, provided that such measurement is controlled by the provider of the information society service requested by the end-user.


This amendment is worst than the initial proposal: web audience should not be lawful without users' consent nor where carried out by third parties 


Amendment 552 --

Amendment 552
Heinz K. Becker
EPP
Article 8 – paragraph 1 – point d a (new)

(d a) a clear and prominent notice is displayed informing of, at least, the modalities of the collection, its purpose, the person responsible for it and the other information required under Article 13 of Regulation (EU) 2016/679 where personal data are collected, as well as any measure the end-user of the terminal equipment can take to stop or minimise the collection.

The collection of such information shall be conditional on the application of appropriate technical and organisational measures to limit the collection and processing of information to the purposes required therefor and ensure a level of security appropriate to the risks, as set out in Article 32 of Regulation (EU) 2016/679, have been applied, for example by means of pseudonymisation of information collected pursuant to Article 4(5) of Regulation (EU) No 2016/679.


This would allow tracking without consent or without pursuing any "legitimate interest" of any kind

Amendment 558 -

Amendment 558
Brice Hortefeux, Rachida Dati
EPP
Article 8 – paragraph 1 – point d a (new)

(d a) it is necessary for scientific and statistical research purposes authorized by the provider of the information society service requested by the end-user;or


Scientific research purposes does not need to bypass users consent: if a research is legitimate, user will gladly accept it. The "research exemption" of the GDPR is legitimate because the GDPR covers situation where consent can hardly be obtained. This Regulation does not cover such situation (quite the opposite, actually).


Amendment 561 --

Amendment 561
Pál Csáky
EPP
Article 8 – paragraph 1 – point d a (new)

(d a) under the conditions as set out in point (b) of paragraph 2 and paragraph 3.


This would allow tracking without consent or without pursuing any "legitimate interest" of any kind

Amendment 565 --

Amendment 565
Michał Boni, Frank Engel, Tomáš Zdechovský, Rachida Dati, Brice Hortefeux, Carlos Coelho, Elissavet Vozemberg-Vrionidi
EPP
Article 8 – paragraph 1 – point d b (new)

(d b) the processing of these data and information for another specified purpose is compatible with the purpose for which the data were initially collected and is subject to specific safeguards, especially pseudonymisation, as set forth in Article 6(4) of Regulation (EU) 2016/679;or


This would allow tracking for any "further processing", which is currently and rightly forbidden 


Amendment 566 --

Amendment 566
Daniel Dalton, John Procter
ECR
Article 8 – paragraph 1 – point d b (new)

(d b) in order to mark terminal equipment for advertising purposes, on condition that the person responsible has clearly informed the end-user of this at the beginning of the data processing and has provided an opportunity for objection that is easy to exercise.;or


This would allow advertising tracking without consent or without pursuing any "legitimate interest" of any kind


Amendment 567 --

Amendment 567
Axel Voss, Heinz K. Becker
EPP
Article 8 – paragraph 1 – point d b (new)

(d b) in order to mark terminal equipment for advertising purposes, on condition that the person responsible has clearly informed the end-user of this at the beginning of the data processing and has provided an opportunity for objection that is easy to exercise;or


This would allow advertising tracking without consent or without pursuing any "legitimate interest" of any kind


Amendment 568 --

Amendment 568
Michał Boni, Frank Engel, Tomáš Zdechovský, Rachida Dati, Brice Hortefeux, Carlos Coelho, Elissavet Vozemberg-Vrionidi
EPP
Article 8 – paragraph 1 – point d c (new)

(d c) it is necessary, in accordance with Article 6(1)(f) of Regulation (EU) 2016/679 for the purposes of the legitimate interests pursued by the service provider or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.


This would allow tracking for any "legitimate interest", which is currently and rightly forbidden 


Amendment 569 --

Amendment 569
Brice Hortefeux, Rachida Dati
EPP
Article 8 – paragraph 1 – point d c (new)

(d c) it is necessary for the purpose of the legitimate interests of the provider of the terminal equipment and its operating software, an electronic communications service or an information society service, except where such interests are overridden by the interests of fundamental rights and freedoms of the end-user.;or


This would allow tracking for any "legitimate interest", which is currently and rightly forbidden 

Amendment 576 --

Amendment 576
Daniel Dalton, John Procter, Helga Stevens
ECR
Article 8 – paragraph 1 a (new)

1 a. Wherever a clearly formulated declaration of consent is presented before use of a service or access to online content, and if absence of consent for processing prevents a provider from collecting remuneration through their usual means, the provider shall not be obliged to provide the full access to the service or content.


Would prevent any consent from being freely given, in contradiction with the GDPR and with what is acceptable


Amendment 580 --

Amendment 580
Anna Maria Corazza Bildt
EPP
Article 8 – paragraph 1 b (new)

1 b. a clear and prominent notice is displayed to the public informing of, at least, the modalities of the collection, its purpose, the person responsible for it and the other information required under Article 13 of Regulation 2016/679/EU where personal data are collected, as well as any measure the end-user of the terminal equipment can take to stop or minimize the collection.The collection of such information shall be conditional on the application of appropriate technical and organization measures to ensure that the collection and processing of information is limited to what is necessary in relation to the purposes of processing and to ensure a level of security appropriate to the risks, as set out in Article 32 of Regulation 2016/679/EU, have been applied, which may inter alia include pseudonymisation of the information collected as set out in Art. 4 (5) of Regulation (EU) 2016/679.


This would allow tracking without consent or without pursuing any "legitimate interest" of any kind

Good

Amendment 76 +

Amendment 76
Marju Lauristin
S&D
Article 8 – paragraph 1 – introductory part

1. The use of processing and storage capabilities of terminal equipment and the collection of information from end-users’ terminal equipment, including about its software and hardware, other than by the end-user concerned shall be prohibited, except on the following grounds:

1. The use of processing and storage capabilities of terminal equipment and the collection of information from users’ terminal equipment, or making information available through the terminal equipment, including information about or generated by its software and hardware, other than by the user concerned shall be prohibited, except on the following grounds:


Clarifications


Amendment 78 ++

Amendment 78
Marju Lauristin
S&D
Article 8 – paragraph 1 – point b

(b) the end-user has given his or her consent; or

(b) the user has given his or her specific consent, which shall not be mandatory to access the service; or


Forbids tracking-wall and guarantees freedom of choice


Amendment 83 ++

Amendment 83
Marju Lauristin
S&D
Article 8 – paragraph 1 a (new)

1a. No user shall be denied access to any information society service or functionality, regardless of whether this service is remunerated or not, on grounds that he or she has not given his or her consent under Article 8(1)(b) to the processing of personal information and/or the use of storage capabilities of his or her terminal equipment that is not necessary for the provision of that service or functionality.


Forbids tracking-wall and guarantees freedom of choice


Amendment 515 +

Amendment 515
Jan Philipp Albrecht, Judith Sargentini, Viviane Reding
Verts/ALE
Article 8 – paragraph 1 – introductory part

1. The use of processing and storage capabilities of terminal equipment and the collection of information from end-users’ terminal equipment, including about its software and hardware, other than by the end-user concerned shall be prohibited, except on the following grounds:

1. The use of input, output, processing and storage capabilities of terminal equipment and the processing of information from users' terminal equipment, or making information available through the terminal equipment, including information about and processed by its software and hardware, other than by the user concerned shall be prohibited, except on the following grounds:

Justification: Terminal equipment nowadays has multiple input and output channels, such as microphones, cameras, Bluetooth sensors etc. This clarification also prevents online services from listening etc. in the user’s physical environment without him or her being aware and having consented.


Clarifications


Amendment 516 +

Amendment 516
Cornelia Ernst
GUE/NGL
Article 8 – paragraph 1 – introductory part

1. The use of processing and storage capabilities of terminal equipment and the collection of information from end-users’ terminal equipment, including about its software and hardware, other than by the end-user concerned shall be prohibited, except on the following grounds:

1. The use of input, output, processing and storage capabilities of terminal equipment and the processing of information from users' terminal equipment, or making information available through the terminal equipment, including information about and processed by its software and hardware, other than by the user concerned shall be prohibited, except on the following grounds:


Clarifications


Amendment 523 ++

Amendment 523
Jan Philipp Albrecht, Judith Sargentini, Viviane Reding
Verts/ALE
Article 8 – paragraph 1 – point b

(b) the end-user has given his or her consent; or

(b) the user has given his or her consent for a specific purpose, and the consent has not been a condition to access or use a service or use a terminal equipment, for the duration strictly technically necessary for that purpose; or


Strengthens what a "freely given consent" is

Amendment 524 +

Amendment 524
Cornelia Ernst
GUE/NGL
Article 8 – paragraph 1 – point b

(b) the end-user has given his or her consent; or

(b) the user has given his or her consent for a specific purpose, and the consent has not been a condition to access or use a service or use a terminal equipment, for the duration strictly technically necessary for that purpose; or


Strengthens what a "freely given consent" is


Amendment 539 ++

Amendment 539
Jan Philipp Albrecht, Judith Sargentini
Verts/ALE
Article 8 – paragraph 1 – point d

(d) if it is necessary for web audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user.

deleted

Justification: Audience measuring should be based on consent and therefore is covered by (b).This is also the approach in the existing e-Privacy Directive 2002/58/EC and should therefore be maintained, in order to not lower the level of protection.Point (c) continues to allow for function cookies, whereas tracking cookies should remain under opt-in.


see justification


Amendment 540 ++

Amendment 540
Cornelia Ernst
GUE/NGL
Article 8 – paragraph 1 – point d

(d) if it is necessary for web audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user.

deleted


see previous amendment


Amendment 555 ++

Amendment 555
Monica Macovei, Marian-Jean Marinescu, Barbara Spinelli
ECR
Article 8 – paragraph 1 – point d a (new)

(d a) The end-user shall not be denied access to an information society service or electronic communications service (whether these services are remunerated or not) on grounds that the end-user does not provide consent under point (b) of Article 8(1) or point (b) of Article 8(2) for processing any data that is not strictly necessary for the provision of that service.


Clarifies what a "freely given consent" is


Amendment 563 +

Amendment 563
Monica Macovei, Marian-Jean Marinescu, Barbara Spinelli
ECR
Article 8 – paragraph 1 – point d b (new)

(d b) The end-user shall not be denied any functionality of the terminal equipment on grounds that the end-user does not provide consent as set out in point (b) of Article 8(1) or point (b) of Article 8(2) for processing any data that is not strictly necessary for the functionality requested by the end-user.


Clarifies what a "freely given consent" is


Amendment 575 ++

Amendment 575
Sophia in 't Veld
ALDE
Article 8 – paragraph 1 a (new)

1 a. No one shall be denied access to any information society services or to the functionality of interconnected equipment, regardless of the service concerned being remunerated or not:

- on grounds that he or she has not given his or her consent under Article 8(1)(b) to the processing of personal data that is not necessary for the provision of those services;and/ or,

- on grounds that he or she has installed software or applications to protect their information and terminal equipment.

Processing of data for purposes of providing targeted advertisements cannot be considered as necessary for the performance of a service.


Clarifies what a "freely given consent" is

Offline tracking

Bad

Amendment 89 --

Amendment 89
Marju Lauristin
S&D
Article 8 – paragraph 2 a (new)

2a. For the purpose of point (ab) of paragraph 2, the following controls shall be implemented to mitigate the risks:

(a) the purpose of the data collection from the terminal equipment shall be restricted to mere statistical counting; and

(b) the tracking shall be limited in time and space to the extent strictly necessary for this purpose; and

(c) the data shall be deleted or anonymised immediately after the purpose is fulfilled; and

(d) the users shall be given effective opt-out possibilities.


This amendment would authorize the processing of unanomized data for statistical counting, which may mean anything (how many people have visited a store during the last 6 month, how many times each, etc ? which implies to store personal data for a long duration)


Amendment 589 -

Amendment 589
Michał Boni, Frank Engel, Tomáš Zdechovský, Viviane Reding, Carlos Coelho, Elissavet Vozemberg-Vrionidi
EPP
Article 8 – paragraph 2 – subparagraph 1 – point b

(b) a clear and prominent notice is displayed informing of, at least, the modalities of the collection, its purpose, the person responsible for it and the other information required under Article 13 of Regulation (EU) 2016/679 where personal data are collected, as well as any measure the end-user of the terminal equipment can take to stop or minimise the collection.

(b) the information collected is or is rendered pseudonymous or anonymous and the data protection impact assessment and, if necessary, a prior consultation with the supervisory authority were carried out, as prescribed respectively in Article 35 and 36 of Regulation (EU) 2016/679, and a clear and prominent notice is displayed informing of, at least, the modalities of the collection, its purpose, the person responsible for it and the other information required under Article 13 of Regulation (EU) 2016/679 where personal data are collected, as well as any measure the end-user of the terminal equipment can take to stop or minimise the collection.


Making the data pseudonymous does not protect tracked people from the tracker at all

Amendment 591 --

Amendment 591
Sophia in 't Veld
ALDE
Article 8 – paragraph 2 – subparagraph 1 – point b a (new)

(b a) (a) the purpose of the data collection from the terminal equipment is restricted to mere statistical counting;and

(b) the tracking is limited in time and space to the extent strictly necessary for this purpose;and

(c) the data will be be deleted or anonymised immediately after the purpose is fulfilled;and

(d) the users are informed and given effective opt-out possibilities.


This would authorize the processing of unanomized data for "statistical counting", which may mean anything (how many people have visited a store during the last 6 month, how many times each, etc ? which implies to store personal data for a long duration)


Amendment 592 -

Amendment 592
Axel Voss, Heinz K. Becker
EPP
Article 8 – paragraph 2 – subparagraph 1 – point b a (new)

(b a) it is necessary for protecting the confidentiality, integrity, availability, authenticity of the terminal equipment or of the electronic communications network or service, or for protecting the privacy, security or safety of the user.


Protecting the "security and safety" of people against their will is rarely acceptable (and the context that would make it acceptable is not specified by this amendment) and would mainly be a pretext for surveillance (in protests and crowded events, typically)


Amendment 609 --

Amendment 609
Miltiadis Kyrkos
S&D
Article 9 – paragraph 1

1. The definition of and conditions for consent provided for under Articles 4(11) and 7 of Regulation (EU) 2016/679/EU shall apply.

1. The definition of and conditions for consent provided for under Articles 4(11) and 7 of Regulation (EU) 2016/679/EU shall apply. The application of Art. 7(4) of Regulation (EU) 2016/679/EU must not oblige providers of information society services to offer a service without data processing which the service provider means to provide together with the service like e.g. data processing for the purpose of advertising.


Would prevent any consent from being freely given, in contradiction with the GDPR and with what is acceptable


Amendment 611 --

Amendment 611
Gérard Deprez, Morten Løkkegaard, Jean-Marie Cavada, Petr Ježek, Pavel Telička
ALDE
Article 9 – paragraph 1

1. The definition of and conditions for consent provided for under Articles 4(11) and 7 of Regulation (EU) 2016/679/EU shall apply.

1. The definition of and conditions for consent provided for under Articles 4(11) and Article 7 (1), (2), and (3) of Regulation (EU) 2016/679/EU shall apply.

Justification: Legal basis for opt-in by the end-user based on informed browsing


Would not require consent to be freely given (as required by the GDPR) any more


Amendment 612 --

Amendment 612
Heinz K. Becker
EPP
Article 9 – paragraph 1

1. The definition of and conditions for consent provided for under Articles 4(11) and 7 of Regulation (EU) 2016/679/EU shall apply.

1. The definitions of and conditions for consent provided for under Articles 4(11) and 7(1), (2) and (3) of Regulation (EU) 2016/679 shall apply.


Would not require consent to be freely given (as required by the GDPR) any more


Amendment 613 --

Amendment 613
Daniel Dalton, John Procter
ECR
Article 9 – paragraph 1

1. The definition of and conditions for consent provided for under Articles 4(11) and 7 of Regulation (EU) 2016/679/EU shall apply.

1. The definition of and conditions for consent provided for under Articles 4(11) and 7 (1), (2), and (3) of Regulation (EU) 2016/679/EU shall apply.


Would not require consent to be freely given (as required by the GDPR) any more


Amendment 614 --

Amendment 614
Axel Voss, Heinz K. Becker
EPP
Article 9 – paragraph 1

1. The definition of and conditions for consent provided for under Articles 4(11) and 7 of Regulation (EU) 2016/679/EU shall apply.

1. The definition of and conditions for consent provided for under Articles 4(11) and 7 (1), (2) and (3)of Regulation (EU) 2016/679/EU shall apply.

Justification: The reference here to the conditions for consent laid down by Article 7 of Regulation (EU) No 2016/679/EU must at all events be limited to Article 7(1) to (3).The non-applicability of Article 7(4) of Regulation (EU) No 2016/679 to consent pursuant to Article 9 of the proposal for a regulation is necessary because, unlike in Regulation (EU) No 2016/679, data processing based on the general clause concerning justified interests is not provided for in this proposal.


Would not require consent to be freely given (as required by the GDPR) any more. As regards the provided justification, we do not understand what "data processing based on the general clause concerning justified interests" means. It mays simply refer to the "legitimate interest" legal basis. But the lack of such basis in this Regulation would not justified to bypass consent (since the purpose of this Regulation is specifically to protect communications by requiring consent).


Amendment 616 --

Amendment 616
Pál Csáky
EPP
Article 9 – paragraph 1

1. The definition of and conditions for consent provided for under Articles 4(11) and 7 of Regulation (EU) 2016/679/EU shall apply.

1. The definition of and conditions for consent provided for under Articles 4(11) of Regulation (EU) 2016/679/EU shall apply.


Would not require consent to be freely given (as required by the GDPR) any more


Good

Amendment 84 +

Amendment 84
Marju Lauristin
S&D
Article 8 – paragraph 2 – subparagraph 1 – point a

(a) it is done exclusively in order to, for the time necessary for, and for the purpose of establishing a connection; or

(a) it is done exclusively in order to, for the time necessary for, and for the sole purpose of establishing a connection requested by the user; or


Would ensure that users are not directly harassed on their phones by spams, consent requests and such


Amendment 85 ++

Amendment 85
Marju Lauristin
S&D
Article 8 – paragraph 2 – subparagraph 1 – point a a (new)

(aa) the user has been informed and has given consent; or


Device-tracking should only be lawful with our consent (this amendment corrects the absurdly dangerous proposal of the EC)


Amendment 86 +

Amendment 86
Marju Lauristin
Article 8 – paragraph 2 – subparagraph 1 – point a b (new)

(ab) the data are anonymised and the risks are adequately mitigated.


Device-tracking is not "tracking" anymore if the data are anonymised, which is good


Amendment 87 ++

Amendment 87
Marju Lauristin
S&D
Article 8 – paragraph 2 – subparagraph 1 – point b

(b) a clear and prominent notice is displayed informing of, at least, the modalities of the collection, its purpose, the person responsible for it and the other information required under Article 13 of Regulation (EU) 2016/679 where personal data are collected, as well as any measure the end-user of the terminal equipment can take to stop or minimise the collection.

deleted


Device-tracking should only be lawful with our consent (this amendment corrects the absurdly dangerous proposal of the EC)

Amendment 583 ++

Amendment 583
Jan Philipp Albrecht, Judith Sargentini
Verts/ALE
Article 8 – paragraph 2

2. The collection of information emitted by terminal equipment to enable it to connect to another device and, or to network equipment shall be prohibited, except if:

deleted

(a) it is done exclusively in order to, for the time necessary for, and for the purpose of establishing a connection; or

(b) a clear and prominent notice is displayed informing of, at least, the modalities of the collection, its purpose, the person responsible for it and the other information required under Article 13 of Regulation (EU) 2016/679 where personal data are collected, as well as any measure the end-user of the terminal equipment can take to stop or minimise the collection.

The collection of such information shall be conditional on the application of appropriate technical and organisational measures to ensure a level of security appropriate to the risks, as set out in Article 32 of Regulation (EU) 2016/679, have been applied.

Justification: See related amendment to Article 4:Since these data emissions are included in the definition of “metadata”, Article 8(2) can be deleted, as it is now covered by Article 6(2).


This would restore the protection provided by current EU law: device tracking requires consent

Amendment 584 ++

Amendment 584
Cornelia Ernst
GUE/NGL
Article 8 – paragraph 2

2. The collection of information emitted by terminal equipment to enable it to connect to another device and, or to network equipment shall be prohibited, except if:

deleted

(a) it is done exclusively in order to, for the time necessary for, and for the purpose of establishing a connection; or

(b) a clear and prominent notice is displayed informing of, at least, the modalities of the collection, its purpose, the person responsible for it and the other information required under Article 13 of Regulation (EU) 2016/679 where personal data are collected, as well as any measure the end-user of the terminal equipment can take to stop or minimise the collection.

The collection of such information shall be conditional on the application of appropriate technical and organisational measures to ensure a level of security appropriate to the risks, as set out in Article 32 of Regulation (EU) 2016/679, have been applied.


This would restore the protection provided by current EU law: device tracking requires consent


Amendment 588 ++

Amendment 588
Monica Macovei
ECR
Article 8 – paragraph 2 – subparagraph 1 – point b

(b) a clear and prominent notice is displayed informing of, at least, the modalities of the collection, its purpose, the person responsible for it and the other information required under Article 13 of Regulation (EU) 2016/679 where personal data are collected, as well as any measure the end-user of the terminal equipment can take to stop or minimise the collection.

(b) all relevant information about the intended processing is provided in clear and easily understandable language, provided separately from the terms and conditions of the provider, and if the end-user concerned has given his or her consent to the processing of the data for one or more specified purposes, including for the provision of specific services, provided that the purpose or purposes concerned could not be fulfilled by processing information that is made anonymous; the collection of such information shall be conditional on the application of appropriate technical and organisational measures to ensure a level of security appropriate to the risks, as set out in Article 32 of Regulation (EU) 2016/679 and supplemented with a mandatory data protection impact assessment, have been applied.


This would restore the protection provided by current EU law: device tracking requires consent


Amendment 590 ++

Amendment 590
Sophia in 't Veld
ALDE
Article 8 – paragraph 2 – subparagraph 1 – point b

(b) a clear and prominent notice is displayed informing of, at least, the modalities of the collection, its purpose, the person responsible for it and the other information required under Article 13 of Regulation (EU) 2016/679 where personal data are collected, as well as any measure the end-user of the terminal equipment can take to stop or minimise the collection.

(b) the user has been informed according to Article 13 of Regulation (EU) 2016/679 and has given consent to the collection for a specific purpose.


This would restore the protection provided by current EU law: device tracking requires consent

Consent definition

Bad

Amendment 92 -

Amendment 92
Marju Lauristin
S&D
Article 9 – paragraph 2

2. Without prejudice to paragraph 1, where technically possible and feasible, for the purposes of point (b) of Article 8(1), consent may be expressed by using the appropriate technical settings of a software application enabling access to the internet.

2. Without prejudice to paragraph 1, where technically possible and feasible, for the purposes of point (b) of Article 8(1), consent may be expressed by using technical specifications of electronic communications services. When such technical specifications are used by the user, they shall be binding on, and enforceable against, any other party.


Consent cannot be "freely given, specific informed, and unambiguous" through automated means. 


Amendment 98 -

Amendment 98
Marju Lauristin
S&D
Article 10 – paragraph 1 – point d (new)

(d) offer the user the possibility to express specific consent through the settings after the installation of the software.


Consent cannot be "freely given, specific informed, and unambiguous" through automated means. 

Amendment 662 -

Amendment 662
Gérard Deprez, Morten Løkkegaard, Jean-Marie Cavada, Petr Ježek, Pavel Telička
ALDE
Article 10 – paragraph 2 a (new)

2 a. The software shall not block data processing wich is legally allowed to Art. 8 (1) a), c) or d) or (2) a), irrespective of the browser settings.


This amendment would lead to an unacceptable situation where users are deprived of any control on their very own equipments.

Amendment 623 --

Amendment 623
Miltiadis Kyrkos
S&D
Article 9 – paragraph 2

2. Without prejudice to paragraph 1, where technically possible and feasible, for the purposes of point (b) of Article 8(1), consent may be expressed by using the appropriate technical settings of a software application enabling access to the internet.

2. Where technically possible and feasible, in particular for the purposes of point (b) of Article 8(1), consent may be expressed by using the appropriate technical settings of a software application enabling access to the internet, or by continuing the use of an information society service, having been provided with clear and comprehensive information that this action by the end-user signifies consent


This amendment would allow "implicit" consent - not expressed by an "affirmative action" (which is required by the GDPR)


Amendment 624 --

Amendment 624
Pál Csáky
EPP
Article 9 – paragraph 2

2. Without prejudice to paragraph 1, where technically possible and feasible, for the purposes of point (b) of Article 8(1), consent may be expressed by using the appropriate technical settings of a software application enabling access to the internet.

2. Where technically possible and feasible, in particular for the purposes of point (b) of Article 8(1), consent may be expressed by using the appropriate technical settings of a software application enabling access to the internet or by continuing the use of an information society service, having been provided with clear and comprehensive information that this action by the end-user signifies consent.


This amendment would allow "implicit" consent - not expressed by an "affirmative action" (which is required by the GDPR)


Amendment 625 --

Amendment 625
Gérard Deprez, Morten Løkkegaard, Jean-Marie Cavada, Petr Ježek, Pavel Telička
ALDE
Article 9 – paragraph 2

2. Without prejudice to paragraph 1, where technically possible and feasible, for the purposes of point (b) of Article 8(1), consent may be expressed by using the appropriate technical settings of a software application enabling access to the internet.

2. Where technically possible and feasible for the purposes of point (b) of Article 8(1) consent may be expressed by using the appropriate technical setting of software application enabling access to the internet or by the continued use of the information society service after having been provided with accessible and comprehensive information about this action of the end-user.

Justification: The user's continued use of the services provided to them, based on accessible information, should be regarded as consent.


This amendment would allow "implicit" consent - not expressed by an "affirmative action" (which is required by the GDPR)

Amendment 635 -

Amendment 635
Axel Voss, Heinz K. Becker, Anna Maria Corazza Bildt
EPP
Article 10

Article 10

deleted

Information and options for privacy settings to be provided

1. Software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall offer the option to prevent third parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipment.

2. Upon installation, the software shall inform the end-user about the privacy settings options and, to continue with the installation, require the end-user to consent to a setting.

3. In the case of software which has already been installed on 25 May 2018, the requirements under paragraphs 1 and 2 shall be complied with at the time of the first update of the software, but no later than 25 August 2018.

Justification: Article 25 of Regulation (EU) 2016/679 governs data protection by design and by default.Article 10 of the proposal for a regulation only undermines Article 25 of Regulation (EU) 2016/679 and would hamper most business models.


This amendment would delete an interesting (and probably useful) informative measure proposed by the Commission. The provided justification makes no sense: GDPR 25 only applies to data controller while this measure does not. It has no impact on GDPR 25 at all


Amendment 636 -

Amendment 636
Brice Hortefeux, Rachida Dati
EPP
Article 10

Article 10

deleted

Information and options for privacy settings to be provided

1. Software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall offer the option to prevent third parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipment.

2. Upon installation, the software shall inform the end-user about the privacy settings options and, to continue with the installation, require the end-user to consent to a setting.

3. In the case of software which has already been installed on 25 May 2018, the requirements under paragraphs 1 and 2 shall be complied with at the time of the first update of the software, but no later than 25 August 2018.


This amendment would delete an interesting (and probably useful) informative measure proposed by the Commission.


Amendment 637 -

Amendment 637
Daniel Dalton, John Procter, Helga Stevens
ECR
Article 10

Article 10

deleted

Information and options for privacy settings to be provided

1. Software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall offer the option to prevent third parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipment.

2. Upon installation, the software shall inform the end-user about the privacy settings options and, to continue with the installation, require the end-user to consent to a setting.

3. In the case of software which has already been installed on 25 May 2018, the requirements under paragraphs 1 and 2 shall be complied with at the time of the first update of the software, but no later than 25 August 2018.


This amendment would delete an interesting (and probably useful) informative measure proposed by the Commission.

Amendment 643 -

Amendment 643
Anna Maria Corazza Bildt
EPP
Article 10 – paragraph 1

1. Software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall offer the option to prevent third parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipment.

1. Software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall offer appropriate technical settings referred to in Art.9 (2) for end- users to express consent.


This amendment would delete an interesting (and probably useful) informative measure proposed by the Commission.


Amendment 644 -

Amendment 644
Michał Boni, Frank Engel, Tomáš Zdechovský, Csaba Sógor, Carlos Coelho, Elissavet Vozemberg-Vrionidi
EPP
Article 10 – paragraph 1

1. Software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall offer the option to prevent third parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipment.

1. Software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall offer appropriate technical settings referred to in Article 9 (2) for end-user to express consent.


This amendment would delete an interesting (and probably useful) informative measure proposed by the Commission.


Amendment 647 -

Amendment 647
Marju Lauristin
S&D
Article 10 – paragraph 1 – point c (new)

(c) upon installation, inform and offer the user the possibility to change or confirm the privacy settings options defined in point (a) by requiring the user's consent to a setting;


This would allow user to choose to automaticly provide consent (which is not acceptable) or to accept to be unlawfully tracked (which makes no sense).

Amendment 661 -

Amendment 661
Pál Csáky
EPP
Article 10 – paragraph 2 a (new)

2 a. The software shall not block data processing which is legally allowed according to Art. 8 (1) a), c) or d) or (2) a), irrespective of the browser settings.


This amendment would lead to an unacceptable situation where users are deprived of any control on their very own equipments.

Good

Amendment 93 +

Amendment 93
Marju Lauristin
S&D
Article 9 – paragraph 3

3. End-users who have consented to the processing of electronic communications data as set out in point (c) of Article 6(2) and points (a) and (b) of Article 6(3) shall be given the possibility to withdraw their consent at any time as set forth under Article 7(3) of Regulation (EU) 2016/679 and be reminded of this possibility at periodic intervals of 6 months, as long as the processing continues.

3. Users who have consented to the processing of electronic communications data as set out in point (c) of Article 6(2) and points (a) and (b) of Article 6(3), point (b) of Article 8(1) and point (aa) of Article 8(2) shall be given the possibility to withdraw their consent at any time as set forth under Article 7(3) of Regulation (EU) 2016/679 and be reminded of this possibility at periodic intervals of 6 months, as long as the processing continues.


Clarification

Amendment 617 +

Amendment 617
Daniel Dalton, John Procter, Helga Stevens
ECR
Article 9 – paragraph 2

2. Without prejudice to paragraph 1, where technically possible and feasible, for the purposes of point (b) of Article 8(1), consent may be expressed by using the appropriate technical settings of a software application enabling access to the internet.

deleted


This amendment would prevent consent from being given through automated means, which is good since automated consent cannot be "specific" nor "informed" as requested by the GDPR

Amendment 618 +

Amendment 618
Brice Hortefeux, Rachida Dati
EPP
Article 9 – paragraph 2

2. Without prejudice to paragraph 1, where technically possible and feasible, for the purposes of point (b) of Article 8(1), consent may be expressed by using the appropriate technical settings of a software application enabling access to the internet.

deleted


This amendment would prevent consent from being given through automated means, which is good since automated consent cannot be "specific" nor "informed" as requested by the GDPR


Amendment 619 +

Amendment 619
Axel Voss, Heinz K. Becker
EPP
Article 9 – paragraph 2

2. Without prejudice to paragraph 1, where technically possible and feasible, for the purposes of point (b) of Article 8(1), consent may be expressed by using the appropriate technical settings of a software application enabling access to the internet.

deleted

Justification: Articles 4(11) and 7 of Regulation (EU) No 2016/679 define the conditions for consent and are perfectly sufficient here.The proposal goes beyond these definitions and thus creates a dual regime for consent and renders the situation less clear.Article 9(2) should therefore be deleted.


This amendment would prevent consent from being given through automated means, which is good since automated consent cannot be "specific" nor "informed" as requested by the GDPR


Amendment 620 ++

Amendment 620
Jan Philipp Albrecht, Judith Sargentini
Verts/ALE
Article 9 – paragraph 2

2. Without prejudice to paragraph 1, where technically possible and feasible, for the purposes of point (b) of Article 8(1), consent may be expressed by using the appropriate technical settings of a software application enabling access to the internet.

2. Without prejudice to paragraph 1, where technically feasible, for the purposes of point (b) of Article 8(1), consent may be expressed and withdrawn by using the appropriate technical specifications for electronic communications services or information society services which allow for specific consent for specific purposes and with regard to specific service providers actively selected by the user in each case, pursuant to paragraph 1. When such technical specifications are used by the user's terminal equipment or the software running on it, they may signal the user's preferences based on previous active selections by him or her. These signals shall be binding on, and enforceable against, any other party.

Justification: The GDPR carefully avoids automated consent in Recital 32, as it cannot be informed, specific and active.Recital 32 GDPR only refers to individual information society services.Therefore, consent should be given actively by the user in each case, and the software should only remember this for later visits.


This amendment would prevent consent from being given through automated means, which is good since automated consent cannot be "specific" nor "informed" as requested by the GDPR. Furthermore, this amendment would make browsers and such remembering user's choice, protecting them from harassing consent requests


Amendment 621 ++

Amendment 621
Cornelia Ernst
GUE/NGL
Article 9 – paragraph 2

2. Without prejudice to paragraph 1, where technically possible and feasible, for the purposes of point (b) of Article 8(1), consent may be expressed by using the appropriate technical settings of a software application enabling access to the internet.

2. Without prejudice to paragraph 1, where technically feasible, for the purposes of point (b) of Article 8(1), consent may be expressed and withdrawn by using the appropriate technical specifications for electronic communications services or information society services which allow for specific consent for specific purposes and with regard to specific service providers selected by the user. When such technical specifications are used by the user's terminal equipment or the software running on it, they shall be binding on, and enforceable against, any other party.


This amendment would prevent consent from being given through automated means, which is good since automated consent cannot be "specific" nor "informed" as requested by the GDPR. Furthermore, this amendment would make browsers and such remembering user's choice, protecting them from harassing consent requests


Amendment 633 ++

Amendment 633
Jan Philipp Albrecht, Judith Sargentini, Viviane Reding
Verts/ALE
Article 9 – paragraph 3 a (new)

3 a. Without prejudice to Article 7(4) of Regulation (EU) 2016/679, a user shall not be denied access to any electronic communications service, information society service or functionality of a terminal equipment, regardless of whether this is remunerated or not, on the mere grounds that he or she has not given his or her consent to

(a) the processing of electronic communications data, metadata or content pursuant to Article 6;or

(b) the use of input, output, processing and storage capabilities of terminal equipment and the processing of information related to or processed by the users' terminal equipment, or making information available through the terminal equipment, including information about and processed by its software and hardware, pursuant to Article 8(1)

that is technically not strictly necessary for the provision of that service or functionality.

Justification: based on LIBE AM 83 rapporteur, moved to the Article on consent where it belongs.This is complementary to 7(4) GDPR.7(4) GDPR is about invalidity of forced consent, this here is about not forcing consent as a condition for access (“consent wall”).


Would clearly ensure that consent is "freely given"


Amendment 639 +

Amendment 639
Jan Philipp Albrecht, Judith Sargentini
Verts/ALE
Article 10 – paragraph 1

1. Software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall offer the option to prevent third parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipment.

1. Hardware and software placed on the market that enable the access to and use of electronic communications services or the access to and use of information society services shall be able to prevent other parties from using input, output, processing and storage capabilities of terminal equipment and the processing of information related to or processed by a users' terminal equipment, or making information available through the terminal equipment, including information about and processed by its software and hardware.

Justification: WP 29 notes that the definition of “third parties” in the GDPR doesn’t include the controllers.Therefore this expression should be avoided in the context of this Regulation.See related amendments to Articles 7 and 14.Rest of the text aligned with Article 8(1).The Commission proposal and also AMs 94-98 LIBE rapporteur only refer to cookies, which is not future proof and already outdated with browser fingerprinting etc.


Useful clarifications


Amendment 640 +

Amendment 640
Cornelia Ernst
GUE/NGL
Article 10 – paragraph 1

1. Software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall offer the option to prevent third parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipment.

1. Hardware and software that enable the access to and use of electronic communications services or the access to, and use of, information society services shall be able to prevent other parties from using input, output, processing and storage capabilities of terminal equipment and the processing of information related to, or processed by, a user's terminal equipment, or making information available through the terminal equipment, including information about, and processed by, its software and hardware.


Useful clarifications


Amendment 641 /

Amendment 641
Sophia in 't Veld
ALDE
Article 10 – paragraph 1

1. Software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall offer the option to prevent third parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipment.

1. The default setting of software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall not allow the storing of information on the terminal equipment of an end-user, the processing of information already stored on that equipment, or sharing of personal data. Such software setting options shall allow end-users to provide or withdraw consent for each distinct category of purposes.


This is a mixed amendment. Bad : allows automated consent. Good: but provide that, by default, consent is not automatically given


Amendment 645 +

Amendment 645
Marju Lauristin
S&D
Article 10 – paragraph 1 – point a (new)

(a) by default, offer privacy protective settings to prevent other parties from storing information on the terminal equipment of a user and from processing information already stored on that equipment, except for the purposes laid down by Article 8 paragraph (1), points (a), (c) and (d);


This amendment would clearly provide that softwares shall not allow unlawful tracking. But it is not really clear how softwares may identify lawful tracking (especially those not based on consent).


Amendment 655 +

Amendment 655
Jan Philipp Albrecht, Judith Sargentini, Viviane Reding
Verts/ALE
Article 10 – paragraph 2

2. Upon installation, the software shall inform the end-user about the privacy settings options and, to continue with the installation, require the end-user to consent to a setting.

2. By default, such hardware or software shall have activated privacy settings that prevent other parties from exercising the activities referred to in paragraph 1. If the hardware or software allows for deviating settings, the user shall be informed about the privacy settings options during first use or installation and shall be offered the possibility to change or confirm them.


This would make tracking disabled by default

State surveillance

Bad

Amendment 673 --

Amendment 673
Daniel Dalton, John Procter
ECR
Article 11 – paragraph 1

1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 5 to 8 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests referred to in Article 23(1)(a) to (e) of Regulation (EU) 2016/679 or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests.

1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 5 to 8 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests referred to in Article 23(1) of Regulation (EU) 2016/679 or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests.


This would allow State surveillance for almost any imaginable purpose


Good

Amendment 669 ++

Amendment 669
Cornelia Ernst
GUE/NGL
Article 11

Article 11

deleted

Restrictions

1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 5 to 8 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests referred to in Article 23(1)(a) to (e) of Regulation (EU) 2016/679 or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests.

2. Providers of electronic communications services shall establish internal procedures for responding to requests for access to end-users’ electronic communications data based on a legislative measure adopted pursuant to paragraph 1. They shall provide the competent supervisory authority, on demand, with information about those procedures, the number of requests received, the legal justification invoked and their response.


This would get State surveillance out of this Regulation, making the legislative debate way clearer


Amendment 670 ++

Amendment 670
Jan Philipp Albrecht, Judith Sargentini
Verts/ALE
Article 11

Article 11

deleted

Restrictions

1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 5 to 8 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests referred to in Article 23(1)(a) to (e) of Regulation (EU) 2016/679 or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests.

2. Providers of electronic communications services shall establish internal procedures for responding to requests for access to end-users’ electronic communications data based on a legislative measure adopted pursuant to paragraph 1. They shall provide the competent supervisory authority, on demand, with information about those procedures, the number of requests received, the legal justification invoked and their response.

Justification: Following the LIBE rapporteur:Art. 11a for restrictions of user rights, Art. 11b for restrictions of confidentiality, added Art. 11c on documentation and reporting.


This would get State surveillance out of this Regulation, making the legislative debate way clearer

Amendment 671 /

Amendment 671
Sophia in 't Veld, Kaja Kallas
ALDE
Article 11 – paragraph 1

1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 5 to 8 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests referred to in Article 23(1)(a) to (e) of Regulation (EU) 2016/679 or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests.

1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 5 to 8 where such a restriction fully respects fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard national security, defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communications system.

Justification: This amendment stays as close to the status quo as possible.


Excludes economic purposes from State surveillance (which is good) but do not implement CJUE case law


Amendment 672 /

Amendment 672
Michał Boni, Frank Engel, Tomáš Zdechovský, Carlos Coelho, Pál Csáky, Elissavet Vozemberg-Vrionidi
EPP
Article 11 – paragraph 1

1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 5 to 8 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests referred to in Article 23(1)(a) to (e) of Regulation (EU) 2016/679 or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests.

1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 5 to 8 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests referred to in Article 23(1)(a) to (d) of Regulation (EU) 2016/679 or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests.


Excludes economic purposes from State surveillance (which is good) but do not implement CJUE case law


Amendment 674 ++

Amendment 674
Sophia in 't Veld, Angelika Mlinar, Kaja Kallas
ALDE
Article 11 – paragraph 1 a (new)

1 a. The Union or Member States shall not impose any obligation on undertakings that would result in the weakening of the security and encryption of their networks and services.


Would clearly forbid backdoors (in networks and services only, not in device, though)


Amendment 675 ++

Amendment 675
Sophia in 't Veld, Kaja Kallas
ALDE
Article 11 – paragraph 2

2. Providers of electronic communications services shall establish internal procedures for responding to requests for access to end-users’ electronic communications data based on a legislative measure adopted pursuant to paragraph 1. They shall provide the competent supervisory authority, on demand, with information about those procedures, the number of requests received, the legal justification invoked and their response.

2. Providers of electronic communications services shall publish information about the number of requests received, the legal justification invoked and their response.

Justification: Mandatory Transparency Reports.


Would add some transparency (which is not enough at all on its own, but would still be a huge progress)


Amendment 678 +

Amendment 678
Jan Philipp Albrecht, Judith Sargentini
Verts/ALE
Article 11 a (new)

Article 11 a

Restrictions on the rights of the user or subscriber

1.Union or Member State law to which the provider is subject may temporarily restrict by way of a legislative measure the scope of the obligations and principles relating to processing of electronic communications data provided for in Articles 6, 7 and 8 of this Regulation in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22 of Regulation (EU) 2016/679, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the following general public interests:

(a) national security;

(c) defence;

(d) the prevention, investigation, detection or prosecution of serious criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

2.In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, pursuant to Article 23(2) of Regulation (EU) 2016/679.


This would limit national derogations to the rights to be informed, to access and to obtain erasure of ones information


Amendment 679 +

Amendment 679
Cornelia Ernst
GUE/NGL
Article 11 a (new)

Article 11 a

Restrictions on the rights of the user or subscriber

1.Union or Member State law to which the provider is subject may temporarily restrict by way of a legislative measure the scope of the obligations and principles relating to processing of electronic communications data provided for in Articles 6, 7 and 8 of this Regulation in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22 of Regulation (EU) 2016/679, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the following general public interests:

(a) national security;

(b) defence;

(c) the prevention, investigation, detection or prosecution of serious criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

2.In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, pursuant to Article 23(2) of Regulation (EU) 2016/679.


This would limit national derogations to the rights to be informed, to access and to obtain erasure of ones information


Amendment 680 +

Amendment 680
Cornelia Ernst
GUE/NGL
Article 11 b (new)

Article 11 b

Restrictions of the confidentiality of communications

1.Union or Member State law to which the provider is subject may temporarily restrict by way of a legislative measure the scope of the rights provided for in Article 5 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the following general public interests:

(a) national security;

(b) defence;

(c) the prevention, investigation, detection or prosecution of serious criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

2.In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, pursuant to Article 23(2) of Regulation (EU) 2016/679.It shall also require prior judicial authorisation for any access to content or metadata.

3.No legislative measure referred to in paragraph 1 may allow for the weakening of the integrity and confidentiality of electronic communications by mandating a manufacturer of hardware or software, including terminal equipment or software providing for the use of electronic communications, or a provider of electronic communications services, to create and build in backdoors that weaken the cryptographic methods used or the security and integrity of the terminal equipment.


It would requires prior judicial authorization for any restriction of the confidentiality of communications and not allow such restriction for economic purposes. Also, it would forbid any kind of backdoor. However, it would allow restrictions for "national security" and "defence" purposes which, as long as they are broader than the prevention of serious crime, cover extremely broad, vague and unpredictable purposes. Also, this amendments does not specifically limit the duration of the derogations.


Amendment 681 +

Amendment 681
Jan Philipp Albrecht, Judith Sargentini
Verts/ALE
Article 11 b (new)

Article 11 b

Restrictions of the confidentiality of communications

1.Union or Member State law to which the provider is subject may temporarily restrict by way of a legislative measure the scope of the rights provided for in Article 5 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the following general public interests:

(a) national security;

(b) defence;

(c) the prevention, investigation, detection or prosecution of serious criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

2.In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, pursuant to Article 23(2) of Regulation (EU) 2016/679.It shall also require prior judicial authorisation for any access to content or metadata.

3.No legislative measure referred to in paragraph 1 may allow for the weakening of the integrity and confidentiality of electronic communications by mandating a manufacturer of hardware or software, including terminal equipment or software providing for the use of electronic communications, or a provider of electronic communications services, to create and build in backdoors that weaken the cryptographic methods used or the security and integrity of the terminal equipment.


It would requires prior judicial authorization for any restriction of the confidentiality of communications and not allow such restriction for economic purposes. Also, it would forbid any kind of backdoor. However, it would allow restrictions for "national security" and "defence" purposes which, as long as they are broader than the prevention of serious crime, cover extremely broad, vague and unpredictable purposes. Also, this amendments does not specifically limit the duration of the derogations.


Amendment 682 ++

Amendment 682
Cornelia Ernst
GUE/NGL
Article 11 c (new)

Article 11 c

Documentation and reporting of restrictions

1.Providers of electronic communications services shall keep documentation about requests made by competent authorities to access communications content or metadata pursuant to Article 11b(2).This documentation shall include for each request:

(a) the in-house staff member who handled the request;

(b) the identity of the body making the request;

(c) the purpose for which the information was sought;

(d) the date and time of the request;

(e) the legal basis and authority for the request, including the identity and status or function of the official submitting the request;

(f) the judicial authorisation of the request;

(g) the number of subscribers to whose data the request related;

(h) the data provided to the requesting authority;and

(i) the period covered by the data.

The documentation shall be made available to the competent supervisory authority upon request.

2.Providers of electronic communications services shall publish once per year a report with statistical information about data access requests by law enforcement authorities pursuant to Articles 11a and 11b.The report shall include, at least

(a) the number of requests;

(b) the categories of purposes for the request;

(b) the categories of data requested;

(c) the legal basis and authority for the request;

(d) the number of subscribers to whose data the request related;

(e) the period covered by the data;

(f) the number of negative and positive responses to those requests.

3.Member States' competent authorities shall publish once per year a report with statistical information per month about data access requests pursuant to Articles 11a and 11b, including requests that were not authorised by a judge, including, but not limited to, the following points:

(a) the number of requests;

(b) the categories of purposes for the request;

(b) the categories of data requested;

(c) the legal basis and authority for the request;

(d) the number of subscribers to whose data the request related;

(e) the period covered by the data;

(f) the number of negative and positive responses to those requests.

The reports shall also contain statistical information per month about any other restrictions pursuant to Articles 11a and 11b.


Would add some transparency (which is not enough at all on its own, but would still be a huge progress)


Amendment 683 ++

Amendment 683
Jan Philipp Albrecht, Judith Sargentini
Verts/ALE
Article 11 c (new)

Article 11 c

Documentation and reporting of restrictions

1.Providers of electronic communications services shall keep documentation about requests made by competent authorities to access communications content or metadata pursuant to Article 11b(2).This documentation shall include for each request:

(a) the in-house staff member who handled the request;

(b) the identity of the body making the request;

(c) the purpose for which the information was sought;

(d) the date and time of the request;

(e) the legal basis and authority for the request, including the identity and status or function of the official submitting the request;

(f) the judicial authorisation of the request;

(g) the number of subscribers to whose data the request related;

(h) the data provided to the requesting authority;and

(i) the period covered by the data.

The documentation shall be made available to the competent supervisory authority upon request.

2.Member States' competent authorities shall publish once per year a report with statistical information per month about data access requests pursuant to Article 11b(2), including requests that were not authorised by a judge, including, but not limited to, the following points:

(a) the number of requests;

(b) the categories of purposes for the request;

(b) the categories of data requested;

(c) the legal basis and authority for the request;

(d) the number of subscribers to whose data the request related;

(e) the period covered by the data;

The reports shall also contain statistical information per month about any other restrictions pursuant to Articles 11a and 11b.

Justification: Reports by Member States’ authorities are more comprehensive, as they consolidate all requests to all communications service providers.This also avoids additional burdens for providers.


Would add some transparency (which is not enough at all on its own, but would still be a huge progress)

Sanctions

Good

Amendment 807 +

Amendment 807
Cornelia Ernst
GUE/NGL
Article 23 – paragraph 3

3. Infringements of the principle of confidentiality of communications, permitted processing of electronic communications data, time limits for erasure pursuant to Articles 5, 6, and 7 shall, in accordance with paragraph 1 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

3. Infringements of the following provisions of this Regulation shall, in accordance with paragraph 1, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:


Harmonize sanctions

Amendment 808 +

Amendment 808
Jan Philipp Albrecht, Judith Sargentini
Verts/ALE
Article 23 – paragraph 3

3. Infringements of the principle of confidentiality of communications, permitted processing of electronic communications data, time limits for erasure pursuant to Articles 5, 6, and 7 shall, in accordance with paragraph 1 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

3. Infringements of the following provisions of this Regulation shall, in accordance with paragraph 1, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:


Harmonize sanctions


Amendment 809 +

Amendment 809
Cornelia Ernst
GUE/NGL
Article 23 – paragraph 3 – subparagraph 1 (new)

(a) the principle of confidentiality of communications pursuant to Article 5;

(b) the permitted processing of electronic communications data, pursuant to Article 6,

(c) the time limits for erasure and the confidentiality obligations pursuant to Article 7;

(d) the obligations of any legal or natural person who process electronic communications data pursuant to Article 8;

(e) the requirements for consent pursuant to Article 9;

(f) the obligations of the provider of software or hardware enabling electronic communications, pursuant to Article 10;

(g) the obligations of the providers of electronic communications services, of the providers of information society services, or of the manufacturers of hardware and software permitting the retrieval and presentation of information on the internet pursuant to Article 17.


Harmonize sanctions


Amendment 810 +

Amendment 810
Jan Philipp Albrecht, Judith Sargentini
Verts/ALE
Article 23 – paragraph 3 – subparagraph 1 (new)

(a) the principle of confidentiality of communications pursuant to Article 5;

(b) the permitted processing of electronic communications data, pursuant to Article 6,

(c) the time limits for erasure and the confidentiality obligations pursuant to Article 7;

(d) the obligations of any legal or natural person who process electronic communications data pursuant to Article 8;

(e) the requirements for consent pursuant to Article 9;

(f) the obligations of the provider of software enabling electronic communications, pursuant to Article 10;

(g) the obligations of the providers of electronic communications services, of the providers of information society services, or of the manufacturers of hardware and software permitting the retrieval and presentation of information on the internet pursuant to Article 17.


Harmonize sanctions