On September 8th, the Council of the EU released its proposed amendments to the draft ePrivacy Regulation (“Regulation”) which has already been the subject of different opinions and draft amendments over the last few months, as highlighted in our previous news.
As clarified in the text, this document is only a first redraft of the EU Council focusing on the operative part of the draft ePrivacy Regulation (articles) while the recitals will be examined at a later stage.
Subject matter – the wording concerning the “free movement of electronic communications data and electronic communications services” (see, art. 1, c. 2) has been aligned with the wording used in the General Data Protection Regulation (GDPR) regarding the free movement of personal data within the EU.
Scope – the Presidency has clarified the material and territorial scope of the Regulation by specifying that the Regulation applies to content data “in transmission”, and has added new elements with the aim to reference all the services covered by the Regulation (see, artt. 2 and 3).
Representatives – the Presidency has tried to streamline the provisions on the representative, also bearing in mind the corresponding provisions of the GDPR. In this regard, the proposal provides for an obligation to appoint a representative for providers of electronic communication services not established in the EU (see art. 3, point 2-5).
Definitions – only minor changes and clarifications have been made with regard to definitions (such as in art. 4, c. 1, point e) where the word “mail” has been replaced by “message” as it seemed to be too restrictive and not in line with the content of the definition.).
Consent – the original art. 9 of the Regulation (now it is the new art. 4a) has moved to the general part since it applies to the whole Regulation, simplified compared to the original version and aligned with the GDPR. The possibility to withdraw the consent is already provided by the GDPR (see art. 7 GDPR) and the new art. 4a adds the obligation to remind the end-user of that possibility. The obligation to remind end-users of the possibility to withdraw their consent at periodic intervals has been extended from 6 to not longer than 12 months, as long as the processing continues.
Confidentiality – the proposed has included a new art. 5, c. 2, under which “confidentiality of electronic communications data in machine-to-machine communications shall only apply when such communication is related to end-user”. The purpose of the amendment is to clarify that, in the case of M2M communications – i.e. (according to a definition established by the Italian Communications Guarantee Authority) consisting of the automatic transfer of machine-to-machine information with limited or no human interaction –, the principle of confidentiality shall only apply when the information contained in such communication is related to “end-user” (in accordance with the (draft) Directive establishing the European Electronic Communications Code: “a user not providing public communications networks or publicly available electronic communications services”).
Supervisory Authority – many delegations asked for more flexibility with regard to the supervisory authority and, for this, the Presidency proposes to keep the Data Protection Authorities (“DPAs”) as authorities for monitoring the application of Chapter II (i.e. “Protection of electronic communications of natural and legal persons and of information stored in their terminal equipment”) while providing flexibility to Member States to designate supervisory authorities responsible for monitoring the application of Chapter III (i.e. “Natural and legal persons’ rights to control electronic communications”). During the next meetings this issue will be discussed again.
For further information: link