BETA

36 Amendments of Kaja KALLAS related to 2017/0003(COD)

Amendment 62 #
Proposal for a regulation
Recital 7
(7) The Member States should be allowed, within the limits of this Regulation, to maintain or introduce national provisionsEuropean Data Protection Board should, where necessary, issue guidance and opinions within the limits of this Regulation to further specify and clarify the application of the rules of this Regulation in order to ensure an effective application and interpretation of those rules. Therefore, the margin of discretion, which Member States have in this regard, shouldCooperation and consistency between Member States, in particular between national data protection authorities, is essential to maintain a balance between the protection of private life and personal data and the free movement of electronic communications data in the Union.
2017/07/03
Committee: IMCO
Amendment 81 #
Proposal for a regulation
Recital 13
(13) The development of fast and efficient wireless technologies has fostered the increasing availability for the public of internet access via wireless networks accessible by anyone in public and semi- private spaces such as 'hotspots' situated at different places within a city, department stores, shopping malls and hospitals. To the extent that those communications networks are provided to an undefined group of end-users, the confidentiality of the communications transmitted through such networks should be protected. The fact that wireless electronic communications services may be ancillary to other services should not stand in the way of ensuring the protection of confidentiality of communications data and application of this Regulation. Therefore, this Regulation should apply to electronic communications data using electronic communications services and public communications networks. In contrast, this Regulation should not apply to closed groups of end-users such as corporate networks, access to which is limited to members of the corporation. The mere act of requiring a password should not be considered as providing access to a closed group of end-users if the access is provided to an undefined group of end- users.
2017/07/03
Committee: IMCO
Amendment 106 #
Proposal for a regulation
Recital 19
(19) The content of electronic communications pertains to the essence of the fundamental right to respect for private and family life, home and communications protected under Article 7 of the Charter. Any interference with the content of electronic communications should be allowed only under very clear defined conditions, for specific purposes and be subject to adequate safeguards against abuse. This Regulation provides for the possibility of providers of electronic communications services to process electronic communications data in transit, with the informed consent of all the end- users concerned. For example, providers may offer services that entail the scanning of emails to remove certain pre-defined material. For services that are provided to users engaged in purely personal or household activities, the consent of the end-user requesting the service should be sufficient. Given the sensitivity of the content of communications, this Regulation sets forth a presumption that the processing of such content data will result in high risks to the rights and freedoms of natural persons. When processing such type of data, the provider of the electronic communications service should always consult the supervisory authority prior to the processing. Such consultation should be in accordance with Article 36 (2) and (3) of Regulation (EU) 2016/679. The presumption does not encompass the processing of content data to provide a service requested by the end-user where the end-user has consented to such processing and it is carried out for the purposes and duration strictly necessary and proportionate for such service. After electronic communications content has been sent by the end-user and received by the intended end-user or end-users, it may be recorded or stored by the end-user, end- users or by a third party entrusted by them to record or store such data. Any processing of such data must comply with Regulation (EU) 2016/679.
2017/07/03
Committee: IMCO
Amendment 122 #
Proposal for a regulation
Recital 22
(22) The methods used for providing information and obtaining end-user's consent should be as user-friendly as possible. Given the ubiquitous use of tracking cookies and other tracking techniques, end-users are increasingly requested to provide consent to store such tracking cookies in their terminal equipment. As a result, end-users are overloaded with requests to provide consent. The use of technical means to provide consent, for example, through transparent and user-friendly settings, may address this problem. Therefore, this Regulation should provide for the possibility to express consent by using the appropriate settings of a browser or other application. The choices made by end- users when establishing its general privacy settings of a browser or other application should be binding on, and enforceable against, any thirunauthorised parties. Web browsers are a type of software application that permits the retrieval and presentation of information on the internet. Other types of applications, such as the ones that permit calling and messaging or provide route guidance, have also the same capabilities. Web browsers mediate much of what occurs between the end-user and the website. From this perspective, they are in a privileged position to play an active role to help the end-user to control the flow of information to and from the terminal equipment. More particularly web browsers may be used as gatekeepers, thus helping end-users to prevent information from their terminal equipment (for example smart phone, tablet or computer) from being accessed or storedOn the other hand, in light of the pace of innovation, the increasing use and range of devices that permit communications and the increase of cross-device tracking, it is necessary for this Regulation to remain technology neutral to meet its objectives.
2017/07/03
Committee: IMCO
Amendment 130 #
Proposal for a regulation
Recital 23
(23) The principles of data protection by design and by default were codified under Article 25 of Regulation (EU) 2016/679. Currently, the default settings for cookies are set in most current browsers to 'accept all cookies'. Therefore providers of software enabling the retrieval and presentation of information on the internet should have an obligation to configure the software so that it offers the option to prevent third parties from storing informatfor end-users to choose whether to reject or to accept cookies that are not necessary for the provision onf the tserminal equipment; this is often presented as ‘reject third party cookies’vice requested by the end-user, after being informed of the function of the cookies, how they are used, and how the information gathered is shared. End-users should be offered a set of privacy setting options, ranging from higher (for example, 'never accept cookies') to lower (for example, 'always accept cookies') and intermediate (for example, ‘reject third party cookies’ or ‘only accept first party cookies’). Such poptions according to the types of information they are willing to share, the parties they agree to share it with, the purposes of a cookie, and the possibility to opt out from cross- device tracking. Where the end-user accepts cookies for purpose of targeted advertising, the end-user should also be able to correct the information gathered about him or her to prevent the possible harm caused by inaccurate information. Privacy settings should be presented in a an easily visible and intelligible manner.
2017/07/03
Committee: IMCO
Amendment 134 #
Proposal for a regulation
Recital 23 a (new)
(23a) In order to improve trust between end-users and parties concerned with the processing of information stored in terminal equipment, and to limit the amount of tracking that negatively impacts privacy, the ability for end-users to develop their own profile, with for instance self-authored tools, should be promoted as an alternative to tracking.
2017/07/03
Committee: IMCO
Amendment 139 #
Proposal for a regulation
Recital 24
(24) For web browsers or other applications to be able to obtain end-users' consent as defined under Regulation (EU) 2016/679, for example, to the storage of third party tracking cookies that are not necessary for the provision of a specific service requested by an end user, they should, among others, require a clear affirmative action from the end-user of terminal equipment to signify his or her freely given, specific informed, and unambiguous agreement to the storage and access of such cookies in and from the terminal equipment. Such action may be considered to be affirmative, for example, if end-users are required to actively select ‘accept third party cookies’cookies that process data beyond what is necessary for the service to function to confirm their agreement and are given the necessary information to make the choice. Consent should not be valid for cross-device tracking if the end-user was not informed and is not able to opt out. To this end, it is necessary to require providers of software enabling access to internet that, at the moment of installation, end-users are informed about the possibility to choose the privacy settings among the various options and ask them to make a choice. Information provided should not dissuade end-users from selecting higher privacy settings and should include relevant information about the risks associated to allowing third partycertain cookies to be stored in the computer, including the compilation of long-term records of individuals' browsing histories and the use of such records to send targeted advertising. Web browsers or other applications are encouraged to provide easy ways for end-users to change the privacy settings at any time during use and to allow the user to make exceptions for or to whitelist certain websites or to specify for which websites (third) party cookies are always or never allowedparties or cookies that are always or never allowed. In cases where a business model is based on targeted advertising, consent should not be considered as freely given if the access to the service is made conditional to data processing. The end-user should therefore be able to choose between accepting cookies or being provided the service in exchange for payment.
2017/07/03
Committee: IMCO
Amendment 146 #
Proposal for a regulation
Recital 25
(25) Accessing electronic communications networks requires the regular emission of certain data packets in order to discover or maintain a connection with the network or other devices on the network. Furthermore, devices must have a unique address assigned in order to be identifiable on that network. Wireless and cellular telephone standards similarly involve the emission of active signals containing unique identifiers such as a MAC address, the IMEI (International Mobile Station Equipment Identity), the IMSI etc. A single wireless base station (i.e. a transmitter and receiver), such as a wireless access point, has a specific range within which such information may be captured. Service providers have emerged who offer tracking services based on the scanning of equipment related information with diverse functionalities, including people counting, providing data on the number of people waiting in line, ascertaining the number of people in a specific area, etc. This information may be used for more intrusive purposes, such as to send commercial messages to end-users, for example when they enter stores, with personalized offers. While some of these functionalities do not entail high privacy risks, others do, for example, those involving the tracking of individuals over time, including repeated visits to specified locations. Providers engaged in such practices should display prominent notices located on the edge of the area of coverage informing end-users prior to entering the defined area that the technology is in operation within a given perimeter, the purpose of the tracking, the person responsible for it and the existence of any measure thask for the consent of the end-users concerned, or where consent is not possible, such practices should be limited to what is strictly necessary for the purpose of statistical counting, be limited in time and space eand-user of the terminal equipment can take to minimize or stop the collection. Additional information should be provided where personal data are collected pursuant to Article 13 of Regulation (EU) 2016/679 the data made anonymous or erased as soon as it is no longer needed for this purpose.
2017/07/03
Committee: IMCO
Amendment 150 #
Proposal for a regulation
Recital 26
(26) When the processing of electronic communications data by providers of electronic communications services falls within its scope, this Regulation should provide for the possibility for the Union or Member States under specific conditions to restrict by law certain obligations and rights when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard specific public interests, including national security, defence, public security and the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security and other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests. Therefore, this Regulation should not affect the ability of Member States to carry out lawful interception of electronic communications or take other measures, if necessary and proportionate to safeguard the public interests mentioned above, in accordance with the Charter of Fundamental Rights of the European Union and the European Convention for the Protection of Human Rights and Fundamental Freedoms, as interpreted by the Court of Justice of the European Union and of the European Court of Human Rights. Providers of electronic communications services should provide for appropriate procedures to facilitate legitimate requests of competent authorities, where relevant also taking into account the role of the representative designated pursuant to Article 3(3).
2017/07/03
Committee: IMCO
Amendment 151 #
Proposal for a regulation
Recital 26 a (new)
(26a) In order to safeguard the security and integrity of networks and services, the use of end-to-end encryption should be promoted and, where necessary, be mandatory in accordance with the principles of security and privacy by design. Member States should not impose any obligation on encryption providers, on providers of electronic communications services or on any other organisations (at any level of the supply chain) that would result in the weakening of the security of their networks and services, such as the creation or facilitation of "backdoors".
2017/07/03
Committee: IMCO
Amendment 173 #
Proposal for a regulation
Recital 37
(37) SThe service providers who offer electronic communications services should inform end- users of measures they can take to protect the security of their communications for instance by using specific types of software or encryption technologies. The requirement to inform end-users of particular security risks does not discharge a service provider from the obligation to take, at its own costs, appropriate and immediate measures to remedy any new, unforeseen security risks and restore the normal security level of the service. The provision of information about security risks to the subscriber should be free of charge. Security is appraised in the light of Article 32 of Regulationare under obligation to provide services that are secure and notify security breaches in accordance with Regulation (EU) 2016/679, [Directive of the European Parliament and of the Council establishing the European Electronic Communications Code] and Directive (EU) 2016/6791148.
2017/07/03
Committee: IMCO
Amendment 178 #
Proposal for a regulation
Recital 41
(41) In order to fulfil the objectives of this Regulation, namely to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data and to ensure the free movement of personal data within the Union, the power to adopt acts in accordance with Article 290 of the Treaty should be delegated to the Commission to supplement this Regulation. In particular, delegated acts should be adopted in respect of the information to be presented, including by means of standardised icons in order to give an easily visible and intelligible overview of the collection of information emitted by terminal equipment, its purpose, the person responsible for it and of any measure the end-user of the terminal equipment can take to minimise the collection. Delegated acts are also necessary to specify a code to identify direct marketing calls including those made through automated calling and communication systems. It is of particular importance that the Commission carries out appropriate consultations and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement on Better Law-Making of 13 April 201625 . In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States' experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts. Furthermore, in order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission when provided for by this Regulation. Those powers should be exercised in accordance with Regulation (EU) No 182/2011. _________________ 25Interinstitutional Agreement between the European Parliament, the Council of the European Union and the European Commission on Better Law-Making of 13 April 2016 (OJ L 123, 12.5.2016, p. 1–14).
2017/07/03
Committee: IMCO
Amendment 270 #
Proposal for a regulation
Recital 26
(26) When the processing of electronic communications data by providers of electronic communications services falls within its scope, this Regulation should provide for the possibility for the Union or Member States under specific conditions to restrict by law certain obligations and rights when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard specific public interests, including national security, defence, public security, and the prevention, investigation, detection orand prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security and other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interestsof unauthorised use of the electronic communications system. Therefore, this Regulation should not affect the ability of Member States to carry out lawful interception of electronic communications or take other measures, if necessary and proportionate to safeguard the public interests mentioned above, in accordance with the Charter of Fundamental Rights of the European Union and the European Convention for the Protection of Human Rights and Fundamental Freedoms, as interpreted by the Court of Justice of the European Union and of the European Court of Human Rights. Providers of electronic communications services should provide for appropriate procedures to facilitate legitimate requests of competent authorities, where relevant also taking into account the role of the representative designated pursuant to Article 3(3).
2017/07/14
Committee: LIBE
Amendment 273 #
Proposal for a regulation
Article 6 – paragraph 2 – introductory part
2. Providers of electronic communications networks and services may process electronic communications metadata if:
2017/07/12
Committee: IMCO
Amendment 295 #
Proposal for a regulation
Article 6 – paragraph 3 – point a a (new)
(a a) for the sole purpose of the provision of a specific service explicitly requested by an end-user in the course of a purely personal or household activity, if the end-user concerned has consented to the processing of his or her electronic communications content and that service cannot be provided without the processing of such content; or
2017/07/12
Committee: IMCO
Amendment 306 #
Proposal for a regulation
Article 7 – paragraph 1
1. Without prejudice to point (b) of Article 6(1) and points (a), (aa) and (b) of Article 6(3), the provider of the electronic communications service shall erase electronic communications content or make that data anonymous after receipt of electronic communication content by the intended recipient or recipients. Such data may be recorded or stored by the end-users or by a third party entrusted by them to record, store or otherwise process such data, in accordance with Regulation (EU) 2016/679.
2017/07/12
Committee: IMCO
Amendment 335 #
Proposal for a regulation
Article 8 – paragraph 1 – point d
(d) if it is necessary for web audience measuring, provided that such measurement is carried out by the providerin order to obtain information about the technical quality or effectiveness of thean information society service requested bythat has been delivered, and has no or little impact on the privacy of the end-user concerned.
2017/07/12
Committee: IMCO
Amendment 364 #
Proposal for a regulation
Article 8 – paragraph 2 – subparagraph 1 – point a a (new)
(a a) the end-user has given his or her consent;
2017/07/12
Committee: IMCO
Amendment 368 #
Proposal for a regulation
Article 8 – paragraph 2 – subparagraph 1 – point b
(b) a clear and prominent notice is displayed informing of, at least, the modalities of the collectionit is strictly necessary for the purpose of statistical counting, its purpose, the person responsible for it and the other information required under Article 13 of Regulation (EU) 2016/679 where personal data are collected, as well as any measure the end-user of the terminal equipment can take to stop or minimise the collectionlimited in time and space to the extent strictly necessary for this purpose and the data is made anonymous or erased as soon as it is no longer needed for this purpose.
2017/07/12
Committee: IMCO
Amendment 371 #
Proposal for a regulation
Article 8 – paragraph 2 – subparagraph 2
The collection of such information shall be conditional on the application of appropriate technical and organisational measures to ensure a level of security appropriate to the risks, as set out in Article 32 of Regulation (EU) 2016/679, have been applied.deleted
2017/07/12
Committee: IMCO
Amendment 378 #
Proposal for a regulation
Article 8 – paragraph 3
3. The information to be provided pursuant to point (b) of paragraph 2 may be provided in combination with standardized icons in order to give a meaningful overview of the collection in an easily visible, intelligible and clearly legible manner.deleted
2017/07/12
Committee: IMCO
Amendment 381 #
Proposal for a regulation
Article 8 – paragraph 4
4. The Commission shall be empowered to adopt delegated acts in accordance with Article 27 determining the information to be presented by the standardized icon and the procedures for providing standardized icons.
2017/07/12
Committee: IMCO
Amendment 396 #
Proposal for a regulation
Article 9 – paragraph 2
2. Without prejudice to paragraph 1, where technically possible and feasible, for the purposes of point (b) of Article 8(1), and point (aa) of Article 8(2) consent may be expressed by using the appropriate technical settings of a software application enabling access to the internet.
2017/07/12
Committee: IMCO
Amendment 401 #
Proposal for a regulation
Article 9 – paragraph 3
3. End-users who have consented to the processing of electronic communications data as set out in point (c) of Article 6(2) and points (a), (aa) and (b) of Article 6(3) shall be given the possibility to withdraw their consent at any time as set forth under Article 7(3) of Regulation (EU) 2016/679 and be reminded of this possibility at periodic intervals of 6 months, as long as the processing continues. It shall be as easy to withdraw as to give consent.
2017/07/12
Committee: IMCO
Amendment 416 #
Proposal for a regulation
Article 10 – paragraph 1
1. Software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall offer the option to prevent third parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipment that is not necessary for the provision of the specific service requested by the end-user. It shall also offer the option to an end-user to choose the extent and types of information the end-user consents to being processed, on the basis of the purpose of the cookie and of the extent to which the information collected is shared with third parties. It shall, in addition, offer the option to opt out from cross- device tracking.
2017/07/12
Committee: IMCO
Amendment 421 #
Proposal for a regulation
Article 10 – paragraph 2
2. Upon installation, tThe software shall inform the end- user about the privacy settings options and, to continue with the installation, require the end-user to consent to a settingupon installation and after any update to the software that affects the storing of information on the terminal equipment of the end-user or the processing of information already stored on that equipment.
2017/07/12
Committee: IMCO
Amendment 435 #
Proposal for a regulation
Article 11 – paragraph 1
1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 5 to 8 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests referred to in Article 23(1)(a) to (e) of Regulation (EU) 2016/679 or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interestnational security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences.
2017/07/12
Committee: IMCO
Amendment 439 #
Proposal for a regulation
Article 11 – paragraph 1 a (new)
1 a. Member States shall not impose any obligation on undertakings that would result in the weakening of the security and encryption of their networks and services.
2017/07/12
Committee: IMCO
Amendment 459 #
Proposal for a regulation
Article 15 – paragraph 4
4. The possibility for end-users not to be included in a publicly available directory, or to verify, correct and delete any data related to them shall be provided free of charge and in an easily accessible manner.
2017/07/12
Committee: IMCO
Amendment 472 #
Proposal for a regulation
Article 16 – paragraph 2
2. Where a natural or legal person obtains electronic contact details for electronic mail from its customer, in the context of the sale of a product or a service, in accordance with Regulation (EU) 2016/679, that natural or legal person may use these electronic contact details for direct marketing of its own similar products or services only if customers are clearly and distinctly given the opportunity to object, free of charge and in an easy manner, to such use. The right to object shall be given at the time of collection and each time a message is sent.
2017/07/12
Committee: IMCO
Amendment 488 #
Proposal for a regulation
Article 17
Information about detected security risks In the case of a particular risk that may compromise the security of networks and electronic communications services, the provider of an electronic communications service shall inform end-users concerning such risk and, where the risk lies outside the scope of the measures to be taken by the service provider, inform end-users of any possible remedies, including an indication of the likely costs involved.Article 17 deleted
2017/07/12
Committee: IMCO
Amendment 522 #
Proposal for a regulation
Chapter 6 – title
DELEGATED ACTS AND IMPLEMENTING ACTS
2017/07/12
Committee: IMCO
Amendment 523 #
Proposal for a regulation
Article 25
1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article. 2. The power to adopt delegated acts referred to in Article 8(4) shall be conferred on the Commission for an indeterminate period of time from [the data of entering into force of this Regulation]. 3. The delegation of power referred to in Article 8(4) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force. 4. Before adopting a delegated act, the Commission shall consult experts designated by each Member State in accordance with the principles laid down in the Inter-institutional Agreement on Better Law-Making of 13 April 2016. 5. As soon as it adopts a5 delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council. 6. A delegated act adopted pursuant to Article 8(4) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of two months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or of the Council.Exercise of the delegation
2017/07/12
Committee: IMCO
Amendment 671 #
Proposal for a regulation
Article 11 – paragraph 1
1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 5 to 8 where such a restriction fully respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests referred to in Article 23(1)(a) to (e) of Regulation (EU) 2016/679 or a monitoring, inspnational security, defence, public security, and the prevention, investigation, detection and prosecution or regulatory function connected to the exercise of official authority for such interestsf criminal offences or of unauthorised use of the electronic communications system.
2017/07/14
Committee: LIBE
Amendment 674 #
Proposal for a regulation
Article 11 – paragraph 1 a (new)
1 a. The Union or Member States shall not impose any obligation on undertakings that would result in the weakening of the security and encryption of their networks and services.
2017/07/14
Committee: LIBE
Amendment 675 #
Proposal for a regulation
Article 11 – paragraph 2
2. Providers of electronic communications services shall establish internal procedures for responding to requests for access to end-users’ electronic communications data based on a legislative measure adopted pursuant to paragraph 1. They shall provide the competent supervisory authority, on demand, witpublish information about those procedures, the number of requests received, the legal justification invoked and their response.
2017/07/14
Committee: LIBE