62 Amendments of Lucy ANDERSON related to 2017/0003(COD)
Amendment 45 #
Proposal for a regulation
Recital 1
Recital 1
(1) Article 7 of the Charter of Fundamental Rights of the European Union ("the Charter") protects the fundamental right of everyone to the respect for his or her private and family life, home and communications. Respect for the privacy of one’'s communications is an essential dimension of this right. Confidentiality of electronic communications ensures that information exchanged between parties and the external elements of such communication, including when the information has been sent, from where, to whom, is not to be revealed to anyone other than to the parties involved in a communication. The principle of confidentiality should apply to current and future means of communication, including calls, internet access, instant messaging applications, e-mail, internet phone calls and personal messaging provided through social media, in-platform messages between users of a social network and any private messaging systems online.
Amendment 64 #
Proposal for a regulation
Recital 8
Recital 8
(8) This Regulation should apply to providers of electronic communications services, to providers of publicly available directories, and to software providers of software and hardware permitting electronic communications, including the retrieval and presentation of information on the internet. This Regulation should also apply to natural and legal persons who use electronic communications services to send direct marketing commercial communications or collectprocess information related to or stored in end-users’' terminal equipment.
Amendment 70 #
Proposal for a regulation
Recital 9
Recital 9
(9) This Regulation should apply to electronic communications data processed in connection with the provision and use of electronic communications services in the Union, regardless of whether or not the processing takes place in the Union. Moreover, in order not to deprive end-users in the Union of effective protection, this Regulation should also apply to electronic communications data processed in connection with the provision of electronic communications services from outside the Union to end-users in the Union. This should be the case irrespective of whether the electronic communications are connected to a payment or not.
Amendment 77 #
Proposal for a regulation
Recital 13
Recital 13
(13) The development of fast and efficient wireless technologies has fostered the increasing availability for the public of internet access via wireless networks accessible by anyone in public and semi- private spaces such as 'hotspoWi-Fi access points' situated at different places within a city, for example department stores, shopping malls and hospitalcentres and hospitals, as well as airports, public transport, hotels and restaurants. Those Wi-Fi access points might require a login or a password and might be provided also by public administrations. To the extent that those communications networks are provided to an undefined group of end-users, the confidentiality of the communications transmitted through such networks should be protected. The fact that wireless electronic communications services may be ancillary to other services should not stand in the way of ensuring the protection of confidentiality of communications data and application of this Regulation. Therefore, this Regulation should apply to electronic communications data using electronic communications services and public communications networks. In addition, this Regulation should apply to closed social media profiles and groups that the user has restricted or defined as private. In contrast, this Regulation should not apply to closed groups of end-users such as corporate intranet networks, access to which is limited to members of the corporan organisation.
Amendment 87 #
Proposal for a regulation
Recital 15
Recital 15
(15) Electronic communications data should be treated as confidential. This means that any interference with the transmission of electronic communications data, whether directly by human intervention or through the intermediation of automated processing by machines, without the consent of all the communicating parties should be prohibited. When the processing is allowed under any exception to the prohibitions under this Regulation, any other processing on the basis of Article 6 of Regulation (EU) 2016/679 should be considered as prohibited, including processing for another purpose on the basis of Article 6(4) of that Regulation. This should not prevent requesting additional consent for new processing operations. The prohibition of interception of communications data should apply also during their conveyance, i.e. until receipt of the content of the electronic communication by the intended addressee, and to any temporary files in the network after receipt. Interception of electronic communications data may occur, for example, when someone other than the communicating parties, listens to calls, reads, scans or stores the content of electronic communications, or the associated metadata for purposes other than the exchange of communications. Interception also occurs when othirder parties monitor websites visited, timing of the visits, interaction with others, etc., without the consent of the end-user concerned. As technology evolves, the technical ways to engage in interception have also increased. Such ways may range from the installation of equipment that gathers data from terminal equipment over targeted areas, such as the so-called IMSI (International Mobile Subscriber Identity) catchers, to programs and techniques that, for example, surreptitiously monitor browsing habits for the purpose of creating end-user profiles. Other examples of interception include capturing payload data or content data from unencrypted wireless networks and routers, and analysis of customers' traffic data, including browsing habits without the end-users' consent.
Amendment 94 #
(17) The processing of electronic communications data can be useful for businesses, consumers and society as a whole. Vis-à-vis Directive 2002/58/EC, this Regulation broadens the possibilities for providers of electronic communications services to process electronic communications metadata, based on end-users consent. However, end-users attach great importance to the confidentiality of their communications, including their online activities, and that they want to control the use of electronic communications data for purposes other than conveying the communication. Therefore, this Regulation should require providers of electronic communications services to obtain end-users' consent to process electronic communications metadata, which should include data on the location of the device generated for the purposes of granting and maintaining access and connection to the service. Location data that is generated other than in the context of providing electronic communications services should not be considered as metadata. Examples of commercialExamples of such usages of electronic communications metadata by providers of electronic communications services may include the provision of heatmaps; a graphical representation of data using colours to indicate the presence of individuals. To display the traffic movements in certain directions during a certain period of time, an identifier is necessary to link the positions of individuals at certain time intervals. This identifier would be missing if anonymous data, provided that the data are immediately anonymised or anonymisation techniques are used where to bhe used and such movement could not be displayedr is mixed with others. Such usage of electronic communications metadata could, for example, benefit public authorities and public transport operators to define where to develop new infrastructure, based on the usage of and pressure on the existing structure. Where a type of processing of electronic communications metadata, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, a data protection impact assessment and, as the case may be, a consultation of the supervisory authority should take place prior to the processing, in accordance with Articles 35 and 36 of Regulation (EU) 2016/679.
Amendment 109 #
Proposal for a regulation
Recital 20
Recital 20
(20) Terminal equipment of end-users of electronic communications networks and any information relating to the usage of such terminal equipment, whether in particular is stored in or emitted by such equipment, requested from or processed in order to enable it to connect to another device and or network equipment, are part of the private sphere of the end-users requiring protection under the Charter of Fundamental Rights of the European Union and the European Convention for the Protection of Human Rights and Fundamental Freedoms. Given that such equipment contains or processes sensitive information that may reveal details of an individual's emotional, political, social complexities, including the content of communications, pictures, the location of individuals by accessing the device’'s GPS capabilities, contact lists, and other information already stored in the device, the information related to such equipment requires enhanced privacy protection. Furthermore, the so-called spyware, web bugs, hidden identifiers, tracking cookies and other similar unwanted tracking tools can enter end-user's terminal equipment without their knowledge in order to gain access to information, to store hidden information and to trace the activities. Information related to the end-user’s' device may also be collected remotely for the purpose of identification and tracking, using techniques such as the so-called ‘'device fingerprinting’', often without the knowledge of the end-user, and may seriously intrude upon their privacy of these end-users. T. Therefore, any such interference with the users' terminal equipment should be allowed only with their consent and for specific and transparent purposes. The use of exceptionally privacy invasive technologies and techniques that surreptitiously monitor the actions of end-users, for example by tracking their activities online or the location of their terminal equipment without the users' knowledge, or subvert the operation of the end-users’' terminal equipment, pose a serious threat to the privacy of end-users. Therefore, any such interference with the end-user's terminal equipment should be allowed only with the end-user's consent and for specific and transparent purposesusers' privacy and should be forbidden.
Amendment 115 #
Proposal for a regulation
Recital 21
Recital 21
(21) Exceptions to the obligation to obtain consent to make use of the processing and storage capabilities of terminal equipment or to access information stored in terminal equipment should be limited to situations that involve no, or only very limited, intrusion of privacy. For instance, consent should not be requested for authorizing the technical storage or access which is strictly necessary and proportionate for the legitimate purpose of enabling the use of a specific service explicitly requested by the end-user. This may include the storing of cookiesinformation (such as cookies and identifiers) for the duration of a single established session on a website to keep track of the end-user’'s input when filling in online forms over several pages. CookiesTracking techniques, if implemented with appropriate privacy safeguards, can also be a legitimate and useful tool, for example, in measuring web traffic to a website. Information society providers thatcould engage in configuration checking in order to provide the service in compliance with the end-user's settings and the mere logging ofrevealing the fact that the end-user’'s device is unable to receive content requested by the end- user, should not constitute access to such a device or use of the device processing capabilitieillegitimate access.
Amendment 119 #
Proposal for a regulation
Recital 22
Recital 22
(22) The methods used for providing information and obtaining end-user's consent should be as user-friendly as possible. Given the ubiquitous use of tracking cookies and other tracking techniques, end-users are increasingly requested to provide consent to store such tracking cookies in their terminal equipment. As a result, end-users are overloaded with requests to provide consent. The use of technical means to provide consent, for example, through transparent and user-friendly settings, may address this problem. Therefore, this Regulation should prevent the use of so- called "cookie walls" and "cookie banners" that do not help users to maintain control over their personal information and privacy or become informed about their rights. This Regulation should provide for the possibility to express consent by technical specifications, for instance by using the appropriate settings of a browser or other application. Those settings should include choices concerning the storage of information on the user's terminal equipment as well as a signal sent by the browser or other application indicating the user's preferences to other parties. The choices made by end- users when establishing itsthe general privacy settings of a browser or other application should be binding on, and enforceable against, any third parties. Web browsers are a type of software application that permits the retrieval and presentation of information on the internet. Other typIn this sense, settings must be granular enough to control all data processing that the user consents to and to cover all relevant functionalities (for example, whether websites ofr applications, such as the ones that permit calling and messaging or provide route guidance, have also the same capabilities. Web browsers mediate much of what occurs between the end-user and the website. From this perspective, they are in a privileged position to play an active role to help the end-user to control the flow of information to and from the terminal equipment. More particularly web browsers may be used as gatekeepers, thus helping end-users to prevent information from their terminal equipment (for example smart phone, tablet or computer) from being accessed or storeds can collect location data from the user or can access specific hardware such as a webcam or microphone). Devices and software applications enabling electronic communications should implement technical mechanisms such as the Do Not Track standard to ensure that users' privacy is protected by default and that users are given genuine choice and control.
Amendment 125 #
Proposal for a regulation
Recital 23
Recital 23
(23) The principles of data protection by design and by default weare codified under Article 25 of Regulation (EU) 2016/679. Currently, the default settings for cookies are set in most current browsers to ‘accept all cookies’. Therefore providers of software enabling the retrieval and presentation of information on the internetHardware manufacturers and providers of software permitting electronic communications should have an obligation to configure thedevices and software so that it offers the option to prevent third parties from storing information on the terminal equipment; this is often presented as ‘rejecttheir default settings provide the highest level of privacy protection possible, protecting users' against cross-domain tracking and unauthorised interferences with theird party cookies’. End-users should be offered a set of privacy setting options, ranging from higher (for example, ‘never accept cookies’) to lower (for example, ‘always accept cookies’) and intermediate (for example, ‘reject third party cookies’ or ‘only accept first party cookies’). Such communications and terminal equipment. Users should be informed about the default privacy settings and any available options to change those settings during installation or first use of the device or software and when they make significant changes to it. Privacy settings should be presented in an objective, easily visible and intelligible manner. They should be easily accessible and modifiable during the use of the device or software. Information provided should not incentivise users to select lower privacy settings and should binclude presented in a an easily visible and intelligible mannerlevant information about the risks associated with each setting.
Amendment 133 #
Proposal for a regulation
Recital 23 a (new)
Recital 23 a (new)
(23a) Children merit specific protection with regard to their online privacy. They usually start using the internet at an early age and become very active users. Yet, they may be less aware of the risks and consequences associated to their online activities, as well as less aware of their rights. Specific safeguards are necessary in relation to the use of children's data, notably for the purposes of marketing and the creation of personality or user profiles.
Amendment 143 #
Proposal for a regulation
Recital 25
Recital 25
(25) Accessing electronic communications networks requires the regular emission of certain data packets in order to discover or maintain a connection with the network or other devices on the network. Furthermore, devices must have a unique address assigned in order to be identifiable on that network. Wireless and cellular telephone standards similarly involve the emission of active signals containing unique identifiers such as a MAC address, the IMEI (International Mobile Station Equipment Identity), the IMSI etc. A single wireless base station (i.e. a transmitter and receiver), such as a wireless access point, has a specific range within which such information may be captured. Service providers have emerged who offer tracking services based on the scanning of equipment related information with diverse functionalities, including people counting, providing data on the number of people waiting in line, ascertaining the number of people in a specific area, etc. This information may be used for more intrusive purposes, such as to send commercial messages to end-users, for example when they enter stores, with personalized offers. While some of these functionalities domay not entail high privacy risks, others do, for example, those involving the tracking of individuals over time, including repeated visits to specified locations. Providers engaged in such practices should display prominent notices locaUsers' privacy should be adequately protected oin the edge of the area of coverage informing end-users prior to entering the defined area that the technology is in operation within a given perimeter, these situations. Information emitted by terminal equipment of users when connecting to a network or other device should only be processed should only be allowed for specific and transparent purpose os if the tracking, the person responsible for it and the existence of any measure the end-user of the terminal equipment can take to minimize or stop the collection. Additional information should be provided where personal data are collected pursuant tousers have consented or if the processing is necessary for statistical counting, as long as such counting is carried out for public utility purposes, there are no other means to achieve the envisaged purpose and that the measures established in Article 35 and Article 136 of Regulation (EU) 2016/679 have been fulfilled.
Amendment 162 #
Proposal for a regulation
Recital 32
Recital 32
(32) In this Regulation, direct marketing refers to any form of advertising by which a natural or legal person sends or presents direct marketing communications directly to one or more identified or identifiable end-users using electronic communications services, regardless of the form that such marketing takes. In addition to the offering of products and services for commercial purposes, this should also include messages sent by political parties that contact natural persons via electronic communications services in order to promote their parties. The same should apply to messages sent by other non-profit organisations to support the purposes of the organisation.
Amendment 175 #
Proposal for a regulation
Recital 39
Recital 39
(39) Each supervisory authority should be competent on the territory of its own Member State to exercise the powers and to perform the tasks set forth in this Regulation. In order to ensure consistent monitoring and enforcement of this Regulation throughout the Union, the supervisory authorities should have the same tasks and effective powers in each Member State, without prejudice to the powers of prosecutorial authorities under Member State law, to bring infringements of this Regulation to the attention of the judicial authorities and engage in legal proceedings. Member States and their supervisory authorities are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation. Supervisory authorities should cooperate with the relevant authorities in other enforcement areas as appropriate.
Amendment 196 #
Proposal for a regulation
Article 2 – paragraph 1
Article 2 – paragraph 1
1. This Regulation applies to the processing of electronic communications data carried out in connection with the provision and the use of electronic communications services and to information related to or processed by the terminal equipment of end-users.
Amendment 212 #
Proposal for a regulation
Article 3 – paragraph 1 – point c
Article 3 – paragraph 1 – point c
(c) the protection of information related to or processed by the terminal equipment of end- users located in the Union.
Amendment 215 #
Proposal for a regulation
Article 3 – paragraph 2
Article 3 – paragraph 2
2. Where the provider of an electronic communications service, provider of a publicly available directory, software provider enabling electronic communications or person sending direct marketing commercial communications or collecting (other) information related to or stored in the end-users terminal equipment is not established in the Union it shall designate in writing a representative in the Union.
Amendment 229 #
Proposal for a regulation
Article 4 – paragraph 3 – point c
Article 4 – paragraph 3 – point c
(c) ‘'electronic communications metadata’' means all data processed in an electronic communications network for the purposes of transmitting, distributing or exchanging electronic communications content; including data used to trace and identify the source and destination of a communication, data on the location of the device generated in the context of providing electronic communications services, and the date, time, duration and the type of communication;
Amendment 230 #
Proposal for a regulation
Article 4 – paragraph 3 – point e
Article 4 – paragraph 3 – point e
(e) ‘'electronic mail’essage' means any electronic message containing information such as text, voice, video, sound or image sent over an electronic communications network which can be stored in the network or in related computing facilities, or in the terminal equipment of its recipient;
Amendment 232 #
Proposal for a regulation
Article 4 – paragraph 3 – point f
Article 4 – paragraph 3 – point f
(f) ‘'direct marketing communications’' means any form of advertising, whether in written or oral, sent or video format, sent, served or presented to one or more identified or identifiable end-users of electronic communications services, including the use of automated calling and communication systems with or without human interaction, electronic -mail, SMS, etc.;
Amendment 246 #
Proposal for a regulation
Article 5 – paragraph 1
Article 5 – paragraph 1
Electronic communications data shall be confidential. Any interference, with electronic communications data rest or in transit, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or any processing of electronic communications data, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation.
Amendment 252 #
Proposal for a regulation
Article 5 – paragraph 1 a (new)
Article 5 – paragraph 1 a (new)
Confidentiality of electronic communications shall also include terminal equipment and machine-to- machine communications when related to a user.
Amendment 257 #
Proposal for a regulation
Article 6 – paragraph 1 – introductory part
Article 6 – paragraph 1 – introductory part
1. Providers of electronic communications networks and services may process electronic communications data only if:
Amendment 259 #
Proposal for a regulation
Article 6 – paragraph 1 – point a
Article 6 – paragraph 1 – point a
(a) it is technically strictly necessary to achieve the transmission of the communication, for the duration necessary for that purpose; or
Amendment 264 #
Proposal for a regulation
Article 6 – paragraph 1 – point b
Article 6 – paragraph 1 – point b
(b) it is technically strictly necessary to maintain or restore the availability, integrity, confidentiality and security of electronic communications networks and services, or detect technical faults and/or errors in the transmission of electronic communications, for the duration necessary for that purpose.
Amendment 277 #
Proposal for a regulation
Article 6 – paragraph 2 – point a
Article 6 – paragraph 2 – point a
(a) it is strictly necessary to meet mandatory quality of service requirements pursuant to [Directive establishing the European Electronic Communications Code] or Regulation (EU) 2015/212028 for the duration technically necessary for that purpose; or _________________ 28 Regulation (EU) 2015/2120 of the European Parliament and of the Council of 25 November 2015 laying down measures concerning open internet access and amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services and Regulation (EU) No 531/2012 on roaming on public mobile communications networks within the Union (OJ L 310, 26.11.2015, p. 1–18).
Amendment 279 #
(b) it is strictly necessary for billing, calculating interconnection payments, detecting or stopping fraudulent use, or abusive use of, or subscription to, electronic communications services; or
Amendment 283 #
Proposal for a regulation
Article 6 – paragraph 2 – point c
Article 6 – paragraph 2 – point c
(c) the end-userafter receiving all relevant information about the intended processing in clear and easily understandable language, provided separately from the terms and conditions of the provider, the user or users concerned hasve given his or hertheir specific consent to the processing of his or hetheir communications metadata for one or more specified purposes, including for the provision of specific services to such end- users, provided that the purpose or purposes concerned could not be fulfilled bywithout the processing information that is made anonymous. of such metadata. If the processing is likely to result in a high risk to the rights and freedoms of natural persons, Articles 35 and 36 of Regulation 2016/679 shall apply
Amendment 293 #
Proposal for a regulation
Article 6 – paragraph 3 – point a
Article 6 – paragraph 3 – point a
(a) for the sole purpose of the provision of a specific service to an end- user, if the end-user or end-requested by the user, if the users concerned have given their specific consent to the processing of his or their electronic communications content and the provision of that specific service cannot be fulfilled without the processing of such content; or
Amendment 300 #
Proposal for a regulation
Article 6 – paragraph 3 – point b
Article 6 – paragraph 3 – point b
(b) if all end-users concerned have given their explicit consent to the processing of their electronic communications content for one or more specified purposes that cannot be fulfilled by processing information that is made anonymous, and the provider has consulted the supervisory authority. Points (2) and (3) of Article 36 of Regulation (EU) 2016/679 shall apply to the consultation of the supervisory authority.
Amendment 302 #
Proposal for a regulation
Article 6 – paragraph 3 a (new)
Article 6 – paragraph 3 a (new)
3 a. Neither providers of electronic communications services, nor any other party, shall further process electronic communications data collected on the basis of this Regulation.
Amendment 303 #
Proposal for a regulation
Article 6 – paragraph 3 b (new)
Article 6 – paragraph 3 b (new)
3 b. Communications data generated in the provision of an electronic communications service specifically intended for children's use or targeted at them shall not be processed for any profiling, marketing or advertising purposes.
Amendment 316 #
Proposal for a regulation
Article 8 – paragraph 1 – introductory part
Article 8 – paragraph 1 – introductory part
1. The use of processing and storage capabilities of terminal equipment and the collectionprocessing of information from end-users’ terminal equipment, including about' terminal equipment, or making information available through the terminal equipment, including information about or generated by its software and hardware, other than by the end-user concerned shall be prohibited, except on the following grounds:
Amendment 318 #
Proposal for a regulation
Article 8 – paragraph 1 – point a
Article 8 – paragraph 1 – point a
(a) it is strictly technically necessary for the sole purpose of carrying out the transmission of an electronic communication over an electronic communications network; or
Amendment 322 #
Proposal for a regulation
Article 8 – paragraph 1 – point b
Article 8 – paragraph 1 – point b
(b) the end-user has given his or her consent and such consent is not imposed as a pre-condition for accessing or using a service; or
Amendment 326 #
Proposal for a regulation
Article 8 – paragraph 1 – point c
Article 8 – paragraph 1 – point c
(c) it is strictly technically necessary for providing an information society service requested by the end-user; or
Amendment 339 #
Proposal for a regulation
Article 8 – paragraph 1 – point d
Article 8 – paragraph 1 – point d
(d) if it is technically necessary for web audience measuring of the information society service requested by the user, provided that such measurement is carried out by the provider of the information society service requested by the end-, or on behalf of the provider, or by an independent web analytics agency acting in the public interest or for scientific purpose; and further provided that no personal data is made accessible to any other party and that such web audience measurement does not adversely affect the fundamental rights of the user.;
Amendment 359 #
Proposal for a regulation
Article 8 – paragraph 1 a (new)
Article 8 – paragraph 1 a (new)
1 a. No user shall be denied access to any information society service or functionality, regardless of whether this service is remunerated or not, on grounds that he or she has not given his or her consent under Article 8(1)(b) to the processing of personal information and/or the use of storage capabilities of his or her terminal equipment that is not necessary for the provision of that service or functionality.
Amendment 361 #
Proposal for a regulation
Article 8 – paragraph 2 – subparagraph 1 – introductory part
Article 8 – paragraph 2 – subparagraph 1 – introductory part
The collectionprocessing of information emitted by terminal equipment to enable it to connect to another device and, or to network equipment shall be prohibited, except if:
Amendment 362 #
Proposal for a regulation
Article 8 – paragraph 2 – subparagraph 1 – point a
Article 8 – paragraph 2 – subparagraph 1 – point a
(a) it is done exclusively in order to, for the time necessary for, and for the sole purpose of establishing a connection requested by the user; or
Amendment 363 #
Proposal for a regulation
Article 8 – paragraph 2 – subparagraph 1 – point a a (new)
Article 8 – paragraph 2 – subparagraph 1 – point a a (new)
(a a) the user has been informed and has given consent; or
Amendment 365 #
Proposal for a regulation
Article 8 – paragraph 2 – subparagraph 1 – point a b (new)
Article 8 – paragraph 2 – subparagraph 1 – point a b (new)
(a b) the data are anonymised and the risks are adequately mitigated; or
Amendment 366 #
Proposal for a regulation
Article 8 – paragraph 2 – subparagraph 1 – point a c (new)
Article 8 – paragraph 2 – subparagraph 1 – point a c (new)
(a c) it is necessary for the purpose carrying out statistical counting for reasons of public interest of public utility and this purpose cannot not be fulfilled by processing information that is made anonymous.
Amendment 367 #
Proposal for a regulation
Article 8 – paragraph 2 – subparagraph 1 – point b
Article 8 – paragraph 2 – subparagraph 1 – point b
Amendment 372 #
Proposal for a regulation
Article 8 – paragraph 2 – subparagraph 2
Article 8 – paragraph 2 – subparagraph 2
Amendment 375 #
Proposal for a regulation
Article 8 – paragraph 2 a (new)
Article 8 – paragraph 2 a (new)
2 a. For the purposes of point (c) of the previous paragraph, the following safeguards shall be implemented to mitigate risks: (a) Tracking shall be limited to pseudonymous data (b) Tracking shall be limited in space and time to the strict minimum necessary to fulfil the established purpose (c) The data collected shall be deleted or anonymised immediately after the established purpose is fulfilled (d) Users shall have the possibility to easily opt-out (e) The processing information shall be conditional on the application of appropriate technical and organisational measures to ensure a level of security appropriate to the risks, as set out in Article 32 of Regulation (EU) 2016/679, have been applied.
Amendment 376 #
Proposal for a regulation
Article 8 – paragraph 2 b (new)
Article 8 – paragraph 2 b (new)
2 b. A data protection impact assessment and a consultation of the supervisory authority should always take place prior to the processing of communications data under points (b) and (c) of paragraph 2. Articles 35 and 36 of Regulation (EU) 2016/679 shall apply with regard to the impact assessment and the consultation to the supervisory authority.
Amendment 394 #
Proposal for a regulation
Article 9 – paragraph 2
Article 9 – paragraph 2
2. Without prejudice to paragraph 1, where technically possible and feasible, for the purposes of point (b) of Article 8(1) and point (b) of Article 8(2), consent may be expressed by using the appropriate technical settings of a software application enabling access to the internetor a device enabling electronic communications. The choices made by users should be binding on and enforceable against any third parties. If users are required to give consent that contradicts the settings of their software, such consent shall always have to be given explicitly.
Amendment 398 #
Proposal for a regulation
Article 9 – paragraph 3
Article 9 – paragraph 3
3. End-uUsers who have consented to the processing of electronic communications data as set out in point (c) of Article 6(2) and1), point (c) of Article 6(2), points (a) andof Article 6(3), point (b) of Article 8(1) and point (b) of Article 6(38(2) shall be given the possibility to withdraw their consent at any time as set forth under Article 7(3) of Regulation (EU) 2016/679 and be reminded of this possibility at periodic intervals of 6 months, as long as the processing continues.
Amendment 403 #
Proposal for a regulation
Article 9 – paragraph 3 a (new)
Article 9 – paragraph 3 a (new)
3 a. Users shall not be denied access to an information society service or functionality, irrespective of whether the service is provided for remuneration or not, on grounds that they have not given their consent under point (c) of Article 6(1), point (c) of Article 6(2), point (a) of Article 6(3), point (b) of Article 8(1) or point (b) of Article 8(2) to the processing of information or the use of the processing or storage capabilities of their terminal equipment that is not necessary for the provision of that service or functionality. In particular, processing of data for the purposes of providing behaviourally targeted advertising shall not be considered as necessary for the performance of a service.
Amendment 410 #
Proposal for a regulation
Article 10 – title
Article 10 – title
Amendment 414 #
Proposal for a regulation
Article 10 – paragraph 1
Article 10 – paragraph 1
1. SThe default settings of hardware and software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall offer the option to prevent third parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipmentbe configured to provide the highest level of privacy protection and protect users' against unauthorised interferences. In particular, default settings shall prevent the tracking of users' online behaviour by other parties. For this purpose, privacy settings shall include a signal which is sent to other parties to inform them about the users' settings. Such settings shall be binding on and enforceable against any other party.
Amendment 420 #
Proposal for a regulation
Article 10 – paragraph 2
Article 10 – paragraph 2
2. Upon installation, the softwarefirst use or whenever any significant modifications are introduced, the user shall be inform the end-usered about the default privacy settings options and, to continue with the installation, require the end-user to consent to a settingand other available options, if any. Information shall be presented in an easily visible and intelligible manner. It shall not incentivise users to select lower privacy settings and shall include relevant information about the risks associated with each setting. Settings must be easily accessible and modifiable at any time during the use of the device or software.
Amendment 427 #
Proposal for a regulation
Article 10 – paragraph 2 a (new)
Article 10 – paragraph 2 a (new)
2 a. Hardware and software which enables electronic communications and is specifically intended for children's use or targeted at children shall not allow tracking of its user's behaviour and activities for profiling, marketing or advertising purposes.
Amendment 466 #
Proposal for a regulation
Article 16 – paragraph 1
Article 16 – paragraph 1
1. NThe use by natural or legal persons may useof electronic communications services, including voice-to-voice calls, automated calling and communications systems, including semi-automated systems that connect the call person to an individual, faxes, e-mail or other use of electronic communications services for the purposes of presendting unsolicited or direct marketing communications to end-users who are natural persons that, shall be allowed only in respect of users who have given their prior explicit consent.
Amendment 470 #
Proposal for a regulation
Article 16 – paragraph 2
Article 16 – paragraph 2
2. Where a natural or legal person obtains electronic contact details for electronic -mail from its customer, in the context of the sale of a product or a service, in accordance with Regulation (EU) 2016/679, that natural or legal person may use these electronic contact details for direct marketing of its own similar products or services only if customers are clearly and distinctly given the opportunity to object, free of charge and in an easy manner, to such use. The right to object shall be given at the time of collection and each time a message is sent.
Amendment 475 #
Proposal for a regulation
Article 16 – paragraph 3 – point a
Article 16 – paragraph 3 – point a
(a) present the identity of a line on which they can be contacted; orand
Amendment 479 #
Proposal for a regulation
Article 16 – paragraph 3 a (new)
Article 16 – paragraph 3 a (new)
3 a. Unsolicited marketing communications shall be clearly recognisable as such and shall indicate the identity of the legal or natural person transmitting the communication or on behalf of whom the communication is transmitted. Such communications shall provide the necessary information for recipients to exercise their right to refuse further written or oral marketing messages.
Amendment 483 #
Proposal for a regulation
Article 16 – paragraph 4
Article 16 – paragraph 4
4. Notwithstanding paragraph 1, Member States may provide by law that the placing of direct marketing voice-to-voice calls to end-users who are natural personusers shall only be allowed in respect of end- users who are natural persons who have not expressed their objection to receiving those communications. Member States shall provide that users can objection to receiving thosee unsolicited communications via a national Do Not Call Register, thereby also ensuring that the user is only required to opt out once.
Amendment 486 #
Proposal for a regulation
Article 16 – paragraph 6
Article 16 – paragraph 6
6. Any natural or legal person using electronic communications services to transmit direct marketing communications shall inform end-users of the marketing nature of the communication and the identity of the legal or natural person on behalf of whom the communication is transmitted and shall provide the necessary information for recipients to exercise their right to withdraw their consent, in an easy manner that is as easy as giving the consent and free of charge, to receiving further marketing communications.
Amendment 504 #
Proposal for a regulation
Article 21 – paragraph 1
Article 21 – paragraph 1
Amendment 508 #
Proposal for a regulation
Article 21 – paragraph 2
Article 21 – paragraph 2
2. Any natural or legal person other than end-users adversely affected by infringements of this Regulation and having a legitimate interest in the cessation or prohibition of alleged infringements, including a provider of electronic communications services protecting its legitimate business interests, shall have a right to bring legal proceedings in respect of such infringements.