288 Amendments of Jan Philipp ALBRECHT related to 2017/0003(COD)
Amendment 44 #
Proposal for a regulation
Recital 1
Recital 1
(1) Article 7 of the Charter of Fundamental Rights of the European Union ("the Charter") protects the fundamental right of everyone to the respect for his or her private and family life, home and communications. Respect for the privacy of one’s communications is an essential dimension of this right. Confidentiality of electronic communications ensures that information exchanged between parties and the external elements of such communication, including when the information has been sent, from where, to whom, is not to be revealed to anyone other than to the parties involved in a communicationg parties. The principle of confidentiality should apply to current and future means of communication, including calls, internet access, instant messaging applications, e- mail, internet phone calls and inter- personal messaging provided through social media. It should also apply when the confidentiality of electronic communications and the privacy of the physical environment converge, i.e. where terminal devices for electronic communication can also listen into their physical environment or use other input channels such as Bluetooth signalling or movement sensors.
Amendment 49 #
Proposal for a regulation
Recital 2
Recital 2
(2) The content of eElectronic communications data may reveal highly sensitive information about the natural persons involved in the communication, from personal experiences and emotions to medical conditions, sexual preferences and political views, the disclosure of which could result in personal and social harm, economic loss or embarrassment. Similarly, mMetadata derived from electronic communications may also reveal very sensitive and personal information. These metadata includes the numbers called, the websites visited, geographical location, the time, date and duration when an individual made a call etc., allowing precise conclusions to be drawn regarding the private lives of the persons involved in the electronic communication, such as their social relationships, their habits and activities of everyday life, their interests, tastes etc. The protection of confidentiality of communications is an essential condition for the respect of other connected fundamental rights and freedoms, such as the protection of freedom of thought, conscience and religion, freedom of assembly, freedom of expression and information.
Amendment 53 #
Proposal for a regulation
Recital 3
Recital 3
(3) Electronic communications data may also reveal information concerning legal entities, such as business secrets or other sensitive information that has economic value. Therefore, the provisions of this Regulation should apply to both natural and legal persons. Furthermore, this Regulation should ensure that certain provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council21 , also apply to end-users who are legal persons. This includes the definition of consent under Regulation (EU) 2016/679. When reference is made to consent by an end-user, including legal persons, this definition should apply. In addition, legal persons should have the same rights as end-users that are natural persons regarding the supervisory authorities; furthermore, supervisory authorities under this Regulation should also be responsible for monitoring the application of this Regulation regarding legal persons. _________________ 21 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1–88).
Amendment 54 #
Proposal for a regulation
Recital 4
Recital 4
(4) Pursuant to Article 8(1) of the Charter and Article 16(1) of the Treaty on the Functioning of the European Union, everyone has the right to the protection of personal data concerning him or her. Regulation (EU) 2016/679 lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. Electronic communications data may includeare generally personal data as defined in Regulation (EU) 2016/679, at least where the users or end-users are natural persons.
Amendment 56 #
Proposal for a regulation
Recital 5
Recital 5
(5) The provisions of this Regulation particularise and complement the general rules on the protection of personal data laid down in Regulation (EU) 2016/679 as regards electronic communications data that qualify as personal data. This Regulation therefore does not lower the level of protection enjoyed by natural persons under Regulation (EU) 2016/679. Processing of electronic communications data by providersOn the contrary, it aims to provide additional, and complementary, safeguards taking into account the need for additional protection as regards the confidentiality of communications. Processing of electronic communications servicesdata should only be permitted in accordance with, and on a legal basis specifically provided by, this Regulation.
Amendment 60 #
Proposal for a regulation
Recital 6
Recital 6
(6) While the principles and main provisions of Directive 2002/58/EC of the European Parliament and of the Council22 remain generally sound, that Directive has not fully kept pace with the evolution of technological and market reality, resulting in an inconsistent or insufficient effective protection of privacy and confidentiality in relation to electronic communications. Those developments include the entrance on the market of electronic communications services that from a consumer perspective are substitutable to traditional services, but do not have to comply with the same set of rules. Another development concerns new techniques that allow for tracking of online behaviour of end-users, which are not covered by Directive 2002/58/EC. Directive 2002/58/EC should therefore be repealed and replaced by this Regulation. _________________ 22 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p.37).
Amendment 61 #
Proposal for a regulation
Recital 7
Recital 7
Amendment 66 #
Proposal for a regulation
Recital 8
Recital 8
(8) This Regulation should apply to providers of electronic communications services, to providers of publicly available directories, and to hardware and software providers permitting electronic communications, including the retrieval and presentation of information on the internet. This Regulation should also apply to natural and legal persons who use electronic communications services to send direct marketing commercial communications or collect information related to, processed by or stored in end- users’ terminal equipment.
Amendment 69 #
Proposal for a regulation
Recital 9
Recital 9
(9) This Regulation should apply to electronic communications data processed in connection with the provision and use of electronic communications services in the Union, regardless of whether or not the processing takes place in the Union. Moreover, in order not to deprive end-users in the Union of effective protection, this Regulation should also apply to electronic communications data processed in connection with the provision of electronic communications services from outside the Union to end-users in the Union. This should be the case irrespective of whether the electronic communications are connected to a payment or not.
Amendment 71 #
Proposal for a regulation
Recital 11
Recital 11
(11) The services used for communications purposes, and the technical means of their delivery, have evolved considerably. End-users increasingly replace traditional voice telephony, text messages (SMS) and electronic mail conveyance services in favour of functionally equivalent online services such as Voice over IP, messaging services and web-based e-mail services. In order toThis Regulation aims at ensureing an effective and equal protection of end-users when using functionally equivalent services, this Regulation uses the definition of electronic communications services set forth in the [Directive of the European Parliament and of the Council establishing the European Electronic Communications Code24 ]so as to ensure the confidentiality of their communication, irrespective of the technological medium chosen. That definition encompasses not only internet access services and services consisting wholly or partly in the conveyance of signals but also interpersonal communications services, which may or may not be number-based, such as for example, Voice over IP, messaging services and web-based e-mail services. The protection of confidentiality of communications is crucial also as regards interpersonal communications services that are ancillary to another service; therefore, such type of services also having a communication functionality should be covered by this Regulation. _________________ 24Commission proposal for a Directive of the European Parliament and of the Council establishing the European Electronic Communications Code (Recast) (COM/2016/0590 final - 2016/0288 (COD)), such as internal messaging, newsfeeds, timelines and similar functions in online services where messages are exchanged with other users within or outside that service; therefore, such type of services also having a communication functionality should be covered by this Regulation.
Amendment 76 #
Proposal for a regulation
Recital 12
Recital 12
(12) Connected devices and machines increasingly communicate with each other by using electronic communications networks (Internet of Things). The transmission of machine-to-machine communications involves the conveyance of signals over a network and, hence, usually constitutes an electronic communications service. In order to ensure full protection of the rights to privacy and confidentiality of communications, and to promote a trusted and secure Internet of Things in the digital single market, it is necessary to clarify that this Regulation should apply to the transmission of machine-to-machine communications. In the context of automated supply-chains and elsewhere in the manufacturing or industrial context, the communication by the machines involved may not be inter- personal and may not involve natural persons. However, its confidentiality still needs protection in order to protect internal business information. Therefore, the principle of confidentiality enshrined in this Regulation should also apply to the transmission of machine-to- machine communications. Specific safeguards could also be adopted under sectorial legislation, as for instance Directive 2014/53/EU.
Amendment 78 #
Proposal for a regulation
Recital 13
Recital 13
(13) The development of fast and efficient wireless technologies has fostered the increasing availability for the public of internet access via wireless networks accessible by anyone in public and semi- private spaces such as 'hotspowireless internet access points' situated at different places within a city, department stores, shopping malls and hospital, hospitals, airports, hotels and restaurants. Those access points might require a login or provide a password and might be provided also by public administrations, including Union bodies and agencies. To the extent that those communications networks are provided to an undefined group of end-users, the confidentiality of the communications transmitted through such networks should be protected. The fact that wireless electronic communications services may be ancillary to other services should not stand in the way of ensuring the protection of confidentiality of communications data and application of this Regulation. Therefore, this Regulation should apply to electronic communications data using electronic communications services and public communications networks. This regulation should also apply to closed social media profiles and groups that the users have defined as private. In contrast, this Regulation should not apply to closed groups of end-users such as corporate networks, access to which access is limited to members of the corporganisation.
Amendment 83 #
Proposal for a regulation
Recital 14
Recital 14
(14) Electronic communications data should be defined in a sufficiently broad and technology neutral way so as to encompass any information concerning the content transmitted or exchanged (electronic communications content) and the information concerning an end-user of electronic communications services processed for the purposes of transmitting, distributing or enabling the exchange of electronic communications content; including data to trace and identify the source and destination of a communication, geographical location and the date, time, duration and the type of communication. It should also include location data, such as for example, the location of the terminal equipment from or to which a phone call or an internet connection has been made or the wireless access points that a device is connected to. It should also include data necessary to identify users' terminal equipment and data emitted by terminal equipment when searching for access points or other equipment. Whether such signals and the related data are conveyed by wire, radio, optical or electromagnetic means, including satellite networks, cable networks, fixed (circuit- and packet- switched, including internet) and mobile terrestrial networks, electricity cable systems, the data related to such signals should be considered as electronic communications metadata and therefore be subject to the provisions of this Regulation. Electronic communications metadata may include information that is part of the subscription to the service when such information is processed for the purposes of transmitting, distributing or exchanging electronic communications content. The exclusion of services providing "content transmitted using electronic communications networks" from the definition of "electronic communications service" in Article 4 of this Regulation does not mean that service providers who offer both electronic communications services and content services are outside the scope of the provisions of the Regulation which applies to the providers of electronic communications services.
Amendment 85 #
Proposal for a regulation
Recital 14 a (new)
Recital 14 a (new)
Amendment 86 #
Proposal for a regulation
Recital 15
Recital 15
(15) Electronic communications data should be treated as confidential. This means that any processing of electronic communications data or any interference with the transmission of electronic communications data, whether directly by human intervention or through the intermediation of automated processing by machines, without the consent of all the communicating parties should be prohibited. The prohibition of interception of communications data should apply during their conveyance, i.e. until receipt of the content of the electronic communication by the intended addresseeWhen the processing is allowed under this Regulation, any other processing on the basis of Article 6 of Regulation (EU) 2016/679 should be considered as prohibited, including processing for another purpose on the basis of Article 6(4) of that Regulation. This should not prevent requesting additional consent for new processing operations. The prohibition of processing of communications data should apply during their conveyance and when they are stored afterwards, in order to reflect the growing trend that end-users do not store all communications data on their own terminal equipment, but use cloud- based storage space of the communications provider or other parties. Interception of electronic communications data may occur, for example, when someone other than the communicating parties, listens to calls, reads, scans or stores the content of electronic communications, or the associated metadata for purposes other than the exchange of communications. Interception also occurs when othirder parties monitor websites visited, timing of the visits, interaction with others, etc., without the consent of the end-user concerned. As technology evolves, the technical ways to engage in interception have also increased. Such ways may range from the installation of equipment that gathers data from terminal equipment over targeted areas, such as the so-called IMSI (International Mobile Subscriber Identity) catchers, to programs and techniques that, for example, surreptitiously monitor browsing habits for the purpose of creating end-user profiles. Other examples of interception include capturing payload data or content data from unencrypted wireless networks and routers, and analysis of customers' traffic data, including browsing habits, without the end-users' consent.
Amendment 89 #
Proposal for a regulation
Recital 16
Recital 16
(16) The prohibition of storage of communications is not intended to prohibit any automatic, intermediate and transient storage of this information insofar as this takes place for the sole purpose of carrying out the transmission in the electronic communications network. It should not prohibit either the processing of electronic communications data to ensure the security and continuity of the electronic communications services, including checking security threats such asrelated to the presence of malwarepective service, or the processing of metadata of the respective service to ensure the necessary quality of service requirements, such as latency, jitter etc.
Amendment 96 #
Proposal for a regulation
Recital 17
Recital 17
(17) The processing of electronic communications data can be useful for businesses, consumers and society as a whole. Vis-à-vis Directive 2002/58/EC, this Regulation broadens the possibilities for providers of electronic communications services to process electronic communications metadata, based on end-users consent. However, end-users attach great importance to the confidentiality of their communications, including their online activities, and that they want to control the use of electronic communications data for purposes other than conveying the communication. Therefore, this Regulation should require providers of electronic communications services to obtain end- users' consent to process electronic communications metadata, which should include data on the location of the device generated for the purposes of granting and maintaining access and connection to the service. Location data that is generated other than in the context of providing electronic communications services should not be considered as metadata. Examples of commercial usages of electronic communications metadata by providers of electronic communications services may include the provision of heatmaps; a graphical representation of data using colours to indicate the presence of individuals. To display the traffic movements in certain directions during a certain period of time, an identifier ismay be necessary to link the positions of individuals at certain time intervals. This identifier would be missing if anonymous data were to be used and such movement could not be displayed. Such usage of electronic communications metadata could, for example, benefit public authorities and public transport operators to define where to develop new infrastructure, based on the usage of and pressure on the existing structure. Where a type of processing of electronic communications metadata, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural personss foreseen, a data protection impact assessment and, as the case may be, a consultation of the supervisory authority should take place prior to the processing, in accordance with Articles 35 and 36 of Regulation (EU) 2016/679.
Amendment 100 #
Proposal for a regulation
Recital 17 a (new)
Recital 17 a (new)
(17a) This Regulation broadens the possibilities for providers of electronic communications services to process electronic communications metadata based on users' informed consent. However, users attach great importance to the confidentiality of their communications, including their online activities, and they want to control the use of their electronic communications data for purposes other than conveying the communication. Therefore, this Regulation should require providers of electronic communications services to obtain users' consent to process electronic communications data. For the purposes of this Regulation, the consent of a user should have the same meaning and be subject to the same conditions as the consent of the data subject under Regulation (EU) 2016/679.
Amendment 101 #
Proposal for a regulation
Recital 18
Recital 18
(18) End-users may consent to the processing of their metaelectronic communications data to receive specific services requested by them, such as protection services against fraudulent activities (by analysing usage data, location and customer account in real time). In the digital economy, services are often supplied against counter-performance other than money, for instance by end- users being exposed to advertisements. For the purposes of this Regulation, consent of an end-user, regardless of whether the latter is a natural or a legal person, should have the same meaning and be subject to the same conditions as the data subject's consent under Regulation (EU) 2016/679. Basic broadband internet access and voice communications services amalware, unsolicited communication, or fraudulent activities. Consent for processing electronic communications data will not be valid if the data subject has no genuine and free choice, or is unable to refuse or withdraw consent without detriment. As provided by Article 7 of Regulation (EU) 2016/679, consent is not freely given if it is required to be considered as essential services for individuals to be able to communicate and participate to the benefits of the digital economy. Consent for processing data from internet or voice communication usage will not be valid if the data subject has no genuine and free choice, or is unable to refuse or withdraw consent without detrimaccess any service or obtained through insistent and repetitive requests. In order to prevent such abusive requests, end-users should be able to order service providers to remember their choice not to consent.
Amendment 105 #
Proposal for a regulation
Recital 19
Recital 19
(19) The content of electronic communications pertains to the essence of the fundamental right to respect for private and family life, home and communications protected under Article 7 of the Charter. Any interference with theprocessing of content data of electronic communications should be allowed only under very clear defined conditions, for specific purposes and be subject to adequate safeguards against abuse. This Regulation provides for the possibility ofor providers of electronic communications services to process electronic communications data in transit, with the informed consent of all the end- users concerned. For example, providers may offer services that entail the scanning of emails to remove certain pre-defined material. Given the sensitivity of the content ofelectronic communications data, this Regulation sets forth a presumption that the processing of such content data will result in high risks to the rights and freedoms of natural persons. When processing such type of data, the provider of the electronic communications service should always consult the supervisoarry aouthority prior to the processing. Such consultation should be in accordance with Article 36 (2) and (3) of Regulation (EU) 2016/679. The presumption does not encompass the processing of content data to provide a service requested by the end- user where the end-user has consented to such processing and it is carried out for the purposes and duration strictly necessary and proportionate for such service an impact assessment as provided for in Regulation (EU) 2016/679 and if necessary under that Regulation, consult the supervisory authority prior to the processing. After electronic communications content has been sent by the end-user and received by the intended end-user or end- users, it may be recorded or stored by the end-user, end- users or by a thirdnother party entrusted by them to record or store such data. Any processing of such data, which could be the electronic communications provider. Any processing of such stored communications data where the data is stored on behalf of the end-user must comply with this Regulation. The end- user may further process the data, and if it contains personal data, must comply with Regulation (EU) 2016/679.
Amendment 107 #
Proposal for a regulation
Recital 19 a (new)
Recital 19 a (new)
(19a) It should be possible to process electronic communications data for the purposes of providing services specifically requested by a user for personal or personal work-related purposes such as search or keyword indexing functionality, text-to-speech engines and translation services, including picture-to-voice or other automated content processing used as accessibility tools by persons with disabilities. This should be possible without the consent of all users who are part of the communication, but may take place with the consent of the user requesting the service. Such specific consent also precludes the provider from processing those data for different purposes.
Amendment 108 #
Proposal for a regulation
Recital 20
Recital 20
(20) Terminal equipment of end-users of electronic communications networks and any information relating to the usage of such terminal equipment, whether in particular is stored in or emitted by such equipment, requested from or processed in order to enable it to connect to another device and or network equipment, are part of the private sphere of the end-users requiring protection under the Charter of Fundamental Rights of the European Union and the European Convention for the Protection of Human Rights and Fundamental Freedoms. Given that such equipment contains or processes informationvery sensitive data that may reveal details of an individual's emotional, political,the behaviour, psychological features, emotional condition and political convictions, religious beliefs and social complexities of an individual, including the content of communications, pictures, the location of individuals by accessing the device’'s GPS capabilities, contact lists, and other information already stored in the device, the information processed by or related to such equipment requires enhanced privacy protection. Information related to the user's device may also be collected remotely for the purpose of identification and tracking, using techniques such as so-called 'device fingerprinting', often without the knowledge of the user, and may seriously intrude upon the privacy of these users. Furthermore, the so-called spyware, web bugs, hidden identifiers, tracking cookies and other similar unwanted tracking tools can enter end-user's terminal equipment without their knowledge in order to gain access to information, to store hidden information and to trace the activities. Information related to the end-user’s device may also be collected remotely for the purpose of identification and tracking, using techniques such as the so-called ‘device fingerprinting’, often without the knowledge of the end-user, and may seriously intrude upon the privacy of these end-user, to process data and use input and putput functionalities such as sensors, and to trace the activities. Techniques that surreptitiously monitor the actions of end- users, for example by tracking their activities online or the location of their terminal equipment, or subvert the operation of the end-users’' terminal equipment pose a serious threat to the privacy of end-users. Therefore, any such interference with the end-user's terminal equipment should be allowed only with the end-user's consent and for specific and transparent purposes.
Amendment 113 #
Proposal for a regulation
Recital 21
Recital 21
(21) Exceptions to the obligation to obtain consent to make use of the input, output, processing and storage capabilities of terminal equipment or to access information stored in terminal equipment should be limited to situations that involve no, or only very limited, intrusion of privacy. For instance, consent should not be requested for authorizing the technical storage or access which is strictly necessary and proportionate for the legitimate purpose of enabling the use of a specific service explicitly requested by the end-user. This may include the storing of cookiesinformation (such as cookies and identifiers) for the duration of a single established session on a website to keep track of the end-user’'s input when filling in online forms over several pages. Cookies can also be a legitimate and useful tool, for example, in measuring web traffic to a website. Information society service providers that engage in configuration checking to provide the service in compliance with the end-user's settings and the mere logging of the fact that the end-user’'s device is unable to receive content requested by the end-user should not constitute access to such a device or use of the device processing capabilitieillegitimate access.
Amendment 120 #
Proposal for a regulation
Recital 22
Recital 22
(22) The methods used for providing information and obtaining end-user's consent should be as user-friendly as possible. Given the ubiquitous use of tracking cookies and other tracking techniques, end-users are increasingly requested to provide consent to store such tracking cookies in their terminal equipment. As a result, end-users are overloaded with requests to provide consent. This Regulation should prevent the use of so-called "cookie walls" and "cookie banners" that do not help users to maintain control over their personal information and privacy or become informed about their rights. The use of technical means to provide consent, for example, through transparent and user- friendly settings, may address this problem. Therefore, this Regulation should provide for the possibility to express consent by using the appropriate settings of a browser or other applicationand to object by technical specifications using automated means, such as the appropriate settings of a hardware of software permitting the retrieval and presentation of information on the internet. Those settings should include choices concerning the use of processing and storage capabilities of the user's terminal equipment as well as a signal sent by the hardware or software indicating the user's preferences to other parties. The choices made by end- users when establishing its general privacy settings of a browser or other applicationhardware of software should be binding on, and enforceable against, any third parties. Web browsers are a type of software application that permits the retrieval and presentation of information on the internet. Other types of applications, such as the ones that permit calling and messaging or provide route guidance, have also the same capabilities. Web browsers mediate much of what occurs between the end-More particularly web browsers, applications or mobile operating systems may be userd and the website. From this perspective, they are in a privileged position to play an active role tos a user's personal privacy assistant communicating the user's choices, thus help theing end-users to control the flow of information to and fromprevent information related to or processed by their terminal equipment. More particularly web browsers may be used as gatekeepers, thus helping end-users to prevent information from their terminal equipment (for example smart phone, tablet or computer) from being accessed or stored (for example smart phone, tablet or computer) from being accessed, processed or stored. They should therefore not abuse their position as gate-keepers and still allow for possibilities for the user to individually give consent with regard to a certain specific service or service provider.
Amendment 131 #
Proposal for a regulation
Recital 23
Recital 23
(23) The principles of data protection by design and by default were codified under Article 25 of Regulation (EU) 2016/679. Currently, the default settings for cookies are set in most current browsers to ‘'accept all cookies’'. Therefore providers of hardware or software enabling the retrieval and presentation of information on the internet should have an obligation to configure the software so that it offers the option to prevent third parties fromand activates as default the option to prevent the cross-domain tracking and storing information on the terminal equipment by other parties; this is often presented as ‘'reject third party trackers and cookies’'. End-uUsers should be offered a set of privacy setting options, ranging from higher (for example, ‘'never accept trackers and cookies’') to lower (for example, ‘'always accept trackers and cookies’') and intermediate (for example, ‘'reject third party cookiall trackers and cookies that are not strictly necessary to provide a service explicitly requested by the user' or 'reject all cross- domain tracking'). Thes’e or ‘only accept first party cookies’). Such privacy settings should be presented in a an easily visible and intelligible manner. ptions may also be more fine-grained and, among other aspects, reflect the possibility that another party might act as a data processor in the meaning of Regulation (EU) 2016/679 for the provider of the service. Privacy settings should also include options to allow the user to decide, for example, whether Flash, JavaScript or similar software can be executed, if a website can collect geo- location data from the user, or if it can access specific hardware such as a webcam or microphone. Such privacy settings should be presented in an easily visible and intelligible manner, and users should be informed about the possibility to change the default privacy settings among the various options at the moment of installation or first use. Information provided should not dissuade users from selecting higher privacy settings and should include relevant information about the risks associated to allowing cross- domain trackers, including the compilation of long-term records of individuals' browsing histories and the use of such records to send targeted advertising or sharing with more third parties. Hardware and software manufacturers should be required to provide easy ways for users to change the privacy settings at any time during use and to allow the user to make exceptions for or to whitelist certain information society services or to specify for such services websites trackers and cookies are always or never allowed. In case of no active choice, or action from the user, the settings shall be set by default in a manner that rejects and blocks trackers, including cookies, that are not strictly necessary in order to provide an information society service specifically requested by the user.
Amendment 136 #
Proposal for a regulation
Recital 24
Recital 24
Amendment 136 #
Proposal for a regulation
Recital 1
Recital 1
(1) Article 7 of the Charter of Fundamental Rights of the European Union (“the Charter”) protects the fundamental right of everyone to the respect for his or her private and family life, home and communications. Respect for the privacy of one’s communications is an essential dimension of this right. Confidentiality of electronic communications ensures that information exchanged between parties and the external elements of such communication, including information regarding when the information has been sent, from where, to whom, is not to be revealed to anyone other than to the parties involved in a communicationg parties. The principle of confidentiality should apply to current and future means of communication, including calls, internet access, instant messaging applications, e-mail, internet phone calls and inter-personal messaging provided through social media. It should also apply when the confidentiality of electronic communications and the privacy of the physical environment converge, i.e. where terminal devices for electronic communication can also listen into their physical environment or use other input channels such as Bluetooth signalling or movement sensors.
Amendment 138 #
Proposal for a regulation
Recital 2
Recital 2
(2) The content of eElectronic communications data may reveal highly sensitive information about the natural persons involved in the communication, from personal experiences and emotions to medical conditions, sexual preferences and political views, the disclosure of which could result in personal and social harm, economic loss or embarrassment. For the content of communications, the Court of Justice has clarified that access on a generalised basis by parties other than the communication partners and the communications service provider must be regarded as compromising the essence of the fundamental right to respect for private life, which is never acceptable. Similarly, metadata derived from electronic communications may also reveal very sensitive and personal information. These metadata includes the numbers called, the websites visited, geographical location, the time, date and duration when an individual made a call etc., allowing precise conclusions to be drawn regarding the private lives of the persons involved in the electronic communication, such as their social relationships, their habits and activities of everyday life, their interests, tastes etc. Metadata can also be processed and analysed much easier than content, as it is already brought into a structured and standardised format. The protection of confidentiality of communications is an essential condition for the respect of other connected fundamental rights and freedoms, such as the protection of freedom of thought, conscience and religion, freedom of assembly, freedom of expression and information.
Amendment 144 #
Proposal for a regulation
Recital 3
Recital 3
(3) Electronic communications data may also reveal information concerning legal entities, such as business secrets or other sensitive information that has economic value. Therefore, the provisions of this Regulation should apply to both natural and legal persons. Furthermore, this Regulation should ensure that certain provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council21 , also apply to end-ussubscribers who are legal persons. This includes the confidentiality and security of their communications data and the definition of consent under Regulation (EU) 2016/679. When reference is made to consent by an end-us subscriber, including legal persons, this definition should apply. In addition, legal persons should have the same rights as end-ussubscribers that are natural persons regarding the supervisory authorities; furthermore, supervisory authorities under this Regulationestablished on the basis of Regulation (EU) 2016/679 should also be responsible for monitoring the application of this Regulation regarding legal persons. _________________ 21 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1–88).
Amendment 145 #
Proposal for a regulation
Recital 25
Recital 25
(25) Accessing electronic communications networks requires the regular emission of certain data packets in order to discover or maintain a connection with the network or other devices on the network. Furthermore, devices must have a unique address assigned in order to be identifiable on that network. Wireless and cellular telephone standards similarly involve the emission of active signals containing unique identifiers such as a MAC address, the IMEI (International Mobile Station Equipment Identity), the IMSI etc. A single wireless base station (i.e. a transmitter and receiver), such as a wireless access point, has a specific range within which such informationelectronic communications metadata may be captured. Service providers have emerged who offer tracking services based on the scanning of equipment related information with diverse functionalities, including people counting, providing data on the number of people waiting in line, ascertaining the number of people in a specific area, etc. This information may be used for more intrusive purposes, such as to send commercial messages to end-users, for example when they enter stores, with personalized offers. While some of these functionalities do not entail high privacy risks, others do, for example, those involving the tracking of individuals over time, including repeated visits to specified locations. Providers engaged in such practices should display prominent notices located on the edge of the area of coverage informing end-users prior to entering the defined area that the technology is in operation within a given perimeter, the purpose of the tracking, the person responsible for it and the existence of any measure the end-user of the terminal equipment can take to minimize or stop the collection. Additional information should be provided where personal data are collected pursuant to Article 13 of Regulation (EU) 2016/679only be permitted to process such electronic communications metadata based on the consent of the users concerned.
Amendment 148 #
Proposal for a regulation
Recital 26
Recital 26
(26) When the processing of electronic communications data by providers of electronic communications services falls within its scope, this Regulation should provide for the possibility for the Union or Member States under specific conditions to restrict by law certain obligations and rights when such a restriction is targeted at persons suspected of having committed a criminal offence and constitutes a necessary and proportionate measure in a democratic society to safeguard specific public interests, including national security, defence, public security and the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security and other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests. Therefore, this Regulation should not affect the ability of Member States to carry out lawful interception of electronic communications or take other measures, if necessary and proportionate to safeguard the public interests mentioned above, in accordance with the Charter of Fundamental Rights of the European Union and the European Convention for the Protection of Human Rights and Fundamental Freedoms, as interpreted by the Court of Justice of the European Union and of the European Court of Human Rights. Providers of electronic communications services should provide for appropriate procedures to facilitate legitimate requests of competent authorities, where relevant also taking into account the role of the representative designated pursuant to Article 3(3)not be obliged by Union or Member States competent authorities to weaken any measures that ensure the integrity and confidentiality of electronic communications.
Amendment 148 #
Proposal for a regulation
Recital 4
Recital 4
(4) Pursuant to Article 8(1) of the Charter and Article 16(1) of the Treaty on the Functioning of the European Union, everyone has the right to the protection of personal data concerning him or her. Regulation (EU) 2016/679 lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. Electronic communications data may includeare generally personal data as defined in Regulation (EU) 2016/679, at least where the users or subscribers are natural persons.
Amendment 150 #
Proposal for a regulation
Recital 5
Recital 5
(5) The provisions of this Regulation particularise and complement the general rules on the protection of personal data laid down in Regulation (EU) 2016/679 as regards electronic communications data that qualify as personal data. This Regulation therefore does not lower the level of protection enjoyed by natural persons under Regulation (EU) 2016/679. Processing of electronic communications data by providersOn the contrary, it aims to provide additional, and complementary, safeguards taking into account the need for additional protection as regards the confidentiality of communications. Processing of electronic communications servicesdata should only be permitted in accordance with, and on a legal ground specifically provided under, this Regulation.
Amendment 155 #
Proposal for a regulation
Recital 29
Recital 29
(29) Technology exists that enables providers of electronic communications services to limit the reception of unwanted calls by end-users in different ways, including blocking silent calls and other fraudulent and nuisance calls or marketing calls with a specific code or prefix. Providers of publicly available number- based interpersonal communications services should deploy this technology and protect end-users against nuisance calls and do so free of charge. Providers should ensure that end- users are aware of the existence of such functionalities, for instance, by publicising the fact on their webpage.
Amendment 155 #
Proposal for a regulation
Recital 6
Recital 6
(6) While the principles and main provisions of Directive 2002/58/EC of the European Parliament and of the Council22 remain generally sound, that Directive has not fully kept pace with the evolution of technological and market reality, resulting in an inconsistent or insufficient effective protection of privacy and confidentiality in relation to electronic communications. Those developments include the entrance on the market of electronic communications services that from a consumer perspective are substitutable to traditional services, but do not have to comply with the same set of rules. Another development concerns new techniques that allow for tracking of online behaviour of end-users, which are not covered by Directive 2002/58/EC. Directive 2002/58/EC should therefore be repealed and replaced by this Regulation. _________________ 22 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p.37).
Amendment 158 #
Proposal for a regulation
Recital 7
Recital 7
Amendment 161 #
Proposal for a regulation
Recital 31
Recital 31
(31) If end-users that are natural persons give their consent to their data being included in such directories, they should be able to determine on a consent basis which categories of personal data are included in the directory (for example name, email address, home address, user name, phone number). In addition, providers of publicly available directories or the providers of electronic communications services should inform the end- users of the purposes of the directory and of the search functions of the directory before including them in that directory. End-users should be able to determine by consent on the basis of which categories of personal data their contact details can be searched. The categories of personal data included in the directory and the categories of personal data on the basis of which the end-user's contact details can be searched should not necessarily be the same.
Amendment 162 #
Proposal for a regulation
Recital 8
Recital 8
(8) This Regulation should apply to providers of electronic communications services, to providers of publicly available directories, and to hardware and software providers permitting electronic communications, including the retrieval and presentation of information on the internet. This Regulation should also apply to natural and legal persons who use electronic communications services to send direct marketing commercial communications or collect information related to, processed by or stored in end-ussubscribers’ terminal equipment.
Amendment 166 #
Proposal for a regulation
Recital 33
Recital 33
(33) Safeguards should be provided to protect end-users against unsolicited communications, including for direct marketing purposes, which intrude into the private life of end-users. The degree of privacy intrusion and nuisance is considered relatively similar independently of the wide range of technologies and channels used to conduct these electronic communications, whether using automated calling and communication systems, instant messaging applications, emails, SMS, MMS, Bluetooth, etc. It is therefore justified to require that consent of the end-user is obtained before commercial electronic communications for direct marketing purposes are sent to end-users in order to effectively protect individuals against the intrusion into their private life as well as the legitimate interest of end-users that are legal persons. Legal certainty and the need to ensure that the rules protecting against unsolicited electronic communications remain future- proof justify the need to define a single set of rules that do not vary according to the technology used to convey these unsolicited communications, while at the same time guaranteeing an equivalent level of protection for all citizens throughout the Union. However, it is reasonable to allow the use of e-mail contact details within the context of an existing customer relationship for the offering of similar products or services. Such possibility should only apply to the same company that has obtained the electronic contact details in accordance with Regulation (EU) 2016/679.
Amendment 168 #
Proposal for a regulation
Recital 9
Recital 9
(9) This Regulation should apply to electronic communications data processed in connection with the provision and use of electronic communications services in the Union, regardless of whether or not the processing takes place in the Union. Moreover, in order not to deprive end- ussubscribers in the Union of effective protection, this Regulation should also apply to electronic communications data processed in connection with the provision of electronic communications services from outside the Union to end-ussubscribers in the Union. This should be the case irrespective of whether the electronic communications are connected to a payment or not.
Amendment 171 #
Proposal for a regulation
Recital 10
Recital 10
(10) Radio equipment and its software which is placed on the internal market in the Union, must comply with Directive 2014/53/EU of the European Parliament and of the Council23. This Regulation should not affect the applicability of any of the requirements of Directive 2014/53/EU nor the power of the Commission to adopt delegated acts pursuant to Directive 2014/53/EU requiring that specific categories or classes of radio equipment incorporate safeguards to ensure that personal data and privacy of end-ussubscribers are protected. _________________ 23 Directive 2014/53/EU of the European Parliament and of the Council of 16 April 2014 on the harmonisation of the laws of the Member States relating to the making available on the market of radio equipment and repealing Directive 1999/5/EC (OJ L 153, 22.5.2014, p. 62).
Amendment 174 #
Proposal for a regulation
Recital 37
Recital 37
(37) Service providers who offer electronic communications services should process electronic communications data in such a way as to prevent unauthorised processing, including access, disclosure or alteration. They should ensure that such unauthorised access, disclosure or alteration is possible of being ascertained, and also ensure that electronic communications data are protected by using state of the art software and encryption technologies. Service providers should also inform end- users of measures they can take to protect their anonymity and the security of their communications, for instance by using specific types of software or encryption technologies. The requirement to inform end-users of particular security risks does not discharge a service provider from the obligation to take, at its own costs, appropriate and immediate measures to remedy any new, unforeseen security risks and restore the normal security level of the service. The provision of information about security risks to the subscriber should be free of charge. Security is appraised in the light of Article 32 of Regulation (EU) 2016/679.
Amendment 174 #
Proposal for a regulation
Recital 11
Recital 11
(11) The services used for communications purposes, and the technical means of their delivery, have evolved considerably. End-usUsers and subscribers increasingly replace traditional voice telephony, text messages (SMS) and electronic mail conveyance services in favour of functionally equivalent online services such as Voice over IP, messaging services and web-based e-mail services. In order to, also known as “over-the-top services” (OTTs). This Regulation aims at ensureing an effective and equal protection of end-ususers and subscribers when using functionally equivalent services, this Regulation uses the definition of electronic communications services set forth in the [Directive of the European Parliament and of the Council establishing the European Electronic Communications Code24 ]so as to ensure the confidentiality of their communication, irrespective of the technological medium chosen.. That definition encompasses not only internet access services and services consisting wholly or partly in the conveyance of signals but also interpersonal communications services, which may or may not be number-based, such as for example, Voice over IP, messaging services and web-based e-mail services. The protection of confidentiality of communications is crucial also as regards interpersonal communications services that are ancillary to another service; therefore, such type of services also having a communication functionality should be covered by this Regulation. _________________ 24 Commission proposal for a Directive of the European Parliament and of the Council establishing the European Electronic Communications Code (Recast) (COM/2016/0590 final - 2016/0288 (COD)), such as internal messaging, newsfeeds, timelines and similar functions in online services where messages are exchanged with other users within or outside that service; therefore, such type of services also having a communication functionality should be covered by this Regulation.
Amendment 179 #
Proposal for a regulation
Recital 43
Recital 43
(43) Directive 2002/58/EC and Commission Regulation (EU) 611/2013 should be repealed.
Amendment 180 #
Proposal for a regulation
Recital 12
Recital 12
(12) Connected devices and machines increasingly communicate with each other by using electronic communications networks (Internet of Things). The transmission of machine-to-machine communications involves the conveyance of signals over a network and, hence, usually constitutes an electronic communications service. In order to ensure full protection of the rights to privacy and confidentiality of communications, and to promote a trusted and secure Internet of Things in the digital single market, it is necessary to clarify that this Regulation should apply to the transmission of machine-to-machine communications. In the context of automated supply-chains and elsewhere in the manufacturing or industrial context, the communication by the machines involved may not be inter- personal and may not involve natural persons. However, its confidentiality still needs protection in order to protect internal business information. Therefore, the principle of confidentiality enshrined in this Regulation should also apply to the transmission of machine-to- machine communications. Specific safeguards could also be adopted under sectorial legislation, as for instance Directive 2014/53/EU. Or. en (see justification for new Article 5(2))
Amendment 181 #
Proposal for a regulation
Recital 13
Recital 13
(13) The development of fast and efficient wireless technologies has fostered the increasing availability for the public of internet access via wireless networks accessible by anyone in public and semi- private spaces such as ‘hotspowireless internet access points’ situated at different places within a city, department stores, shopping malls and hospital, hospitals, airports, hotels and restaurants. Those access points might require a login or provide a password and might be provided also by public administrations, including Union bodies and agencies. To the extent that those communications networks are provided to an undefined group of end-users, the confidentiality of the communications transmitted through such networks should be protected. The fact that wireless electronic communications services may be ancillary to other services should not stand in the way of ensuring the protection of confidentiality of communications data and application of this Regulation. Therefore, this Regulation should apply to electronic communications data using electronic communications services and public communications networks. This regulation should also apply to closed social media profiles and groups that the users have defined as private. In contrast, this Regulation should not apply to closed groups of end-ussubscribers such as corporate networks, access to which is limited to members of the corporan organisation.
Amendment 187 #
Proposal for a regulation
Recital 14
Recital 14
(14) Electronic communications data should be defined in a sufficiently broad and technology neutral way so as to encompass any information concerning the content transmitted or exchanged (electronic communications content) and the information concerning an end-us user or subscriber of electronic communications services processed for the purposes of transmitting, distributing or enabling the exchange of electronic communications content; including data to trace and identify the source and destination of a communication, geographical location and the date, time, duration and the type of communication. It should also include location data, such as for example, the location of the terminal equipment from or to which a phone call or an internet connection has been made or the wireless access points that a device is connected to. It should also include data necessary to identify users’ terminal equipment and data emitted by terminal equipment when searching for access points or other equipment. Whether such signals and the related data are conveyed by wire, radio, optical or electromagnetic means, including satellite networks, cable networks, fixed (circuit- and packet- switched, including internet) and mobile terrestrial networks, electricity cable systems, the data related to such signals should be considered as electronic communications metadata and therefore be subject to the provisions of this Regulation. Electronic communications metadata may include information that is part of the subscription to the service when such information is processed for the purposes of transmitting, distributing or exchanging electronic communications content. The exclusion of services providing “content transmitted using electronic communications networks” from the definition of “electronic communications service” in Article 4 of this Regulation does not mean that service providers who offer both electronic communications services and content services are outside the scope of the provisions of the Regulation which applies to the providers of electronic communications services.
Amendment 190 #
Proposal for a regulation
Recital 14 a (new)
Recital 14 a (new)
(14a) Modern electronic communications services, including the internet and the OTT services that run on top of it, function on the basis of the separation of layers of protocols and services, as defined by the Open Systems Interconnection model (OSI model, ISO/IEC 7498-1).An internet (TCP/IP) data packet for example is encapsulated in an underlying ethernet or wireless data packet for local routing between the terminal equipment and the nearest router, which means that the full TCP/IP packet is content as seen from the ethernet or wireless connection layer. One layer above, an e-mail including its content and metadata is encapsulated in one or more TCP/IP packets, therefore the full e-mail is treated as content on the level of the TCP/IP protocol layer. The e- mail, in turn, consists of metadata using the SMTP protocol, and content data in the body of the e-mail. That means that what is metadata on one protocol layer is content data for the layers below. Where this Regulation lays down different rules for the processing of content and metadata, this should be understood for the respective electronic communications service and the protocol layer it is operating on. An internet access provider, for example, should therefore not scan the content of the TCP/IP packets routed by it, in order to detect malicious e-mail senders or attachments, because for the internet layer, e-mail is fully content. The scanning of e-mails however could be done by the e-mail provider if it is necessary for the security of the service or if the user specifically requests this. This separation of protocol layers is crucial for maintaining the neutrality of the electronic communications services (net neutrality), which is protected under Regulation (EU) 2015/2120.
Amendment 191 #
Proposal for a regulation
Article 1 – paragraph 3
Article 1 – paragraph 3
3. The provisions of this Regulation particularise and complement Regulation (EU) 2016/679, by laying down specific rules for the purposes mentioned in paragraphs 1 and 2. Except where otherwise provided in this Regulation, the provisions of Regulation (EU) 2016/679 shall apply when personal data is processed.
Amendment 192 #
Proposal for a regulation
Article 2 – paragraph 1
Article 2 – paragraph 1
1. This Regulation applies to the processing of electronic communications data carried out in connection with the provision and the use of electronic communications services and to information related to the terminal equipment of end-users.:
Amendment 192 #
Proposal for a regulation
Recital 15
Recital 15
(15) Electronic communications data should be treated as confidential. This means that any processing of electronic communications data or any interference with the transmission of electronic communications data, whether directly by human intervention or through the intermediation of automated processing by machines, without the consent of the user requesting a specific service or of all the communicating parties should be prohibited. The prohibition of interception of communications data should apply during their conveyance, i.e. until receipt of the content of the electronic communication by the intended addresseeWhen the processing is allowed under this Regulation, any other processing on the basis of Article 6 of Regulation (EU) 2016/679 should be considered as prohibited, including processing for another purpose on the basis of Article 6(4) of that Regulation. This should not prevent requesting additional consent for new processing operations. The prohibition of processing of communications data should apply during their conveyance and when they are stored afterwards, in order to reflect the growing trend that subscribers do not store all communications data on their own terminal equipment, but use cloud- based storage space of the communications provider or other parties. Interception of electronic communications data may occur, for example, when someone other than the communicating parties, listens to calls, reads, scans or stores the content of electronic communications, or the associated metadata for purposes other than the exchange of communications. Interception also occurs when othirder parties monitor websites visited, timing of the visits, interaction with others, etc., without the consent of the end-user concerned. As technology evolves, the technical ways to engage in interception have also increased. Such ways may range from the installation of equipment that gathers data from terminal equipment over targeted areas, such as the so-called IMSI (International Mobile Subscriber Identity) catchers, to programs and techniques that, for example, surreptitiously monitor browsing habits for the purpose of creating end-user profiles. Other examples of interception include capturing payload data or content data from unencrypted wireless networks and routers, and analysis of users’ traffic data, including browsing habits, without the end-users’ consent.
Amendment 197 #
Proposal for a regulation
Article 2 – paragraph 1 – point a (new)
Article 2 – paragraph 1 – point a (new)
(a) the processing of electronic communications data carried out in connection with the provision and the use of electronic communications services, irrespective of whether a payment of the end-user is required;
Amendment 198 #
Proposal for a regulation
Article 2 – paragraph 1 – point b (new)
Article 2 – paragraph 1 – point b (new)
(b) the processing of information related to or processed by the terminal equipment of end-users;
Amendment 199 #
Proposal for a regulation
Article 2 – paragraph 1 – point c (new)
Article 2 – paragraph 1 – point c (new)
(c) the placing on the market of hardware and software permitting electronic communications by end-users, including the retrieval and presentation of information on the Internet;
Amendment 200 #
Proposal for a regulation
Article 2 – paragraph 1 – point d (new)
Article 2 – paragraph 1 – point d (new)
(d) the provision of publicly available directories of users of electronic communication;
Amendment 201 #
(e) the sending of direct marketing commercial electronic communications to end-users.
Amendment 204 #
(16) The prohibition of storage of communications is not intended to prohibit any automatic, intermediate and transient storage of this information insofar as this takes place for the sole purpose of carrying out the transmission in the electronic communications network. It should not prohibit either the processing of electronic communications data to ensure the security and continuity of the electronic communications services, including checking security threats such asrelated to the presence of malwarepective service, or the processing of metadata of the respective service to ensure the necessary quality of service requirements, such as latency, jitter etc. Or. en (related to the clarifications in Recital 14a(new) and Article 4.)
Amendment 205 #
Proposal for a regulation
Article 2 – paragraph 3
Article 2 – paragraph 3
3. The processing of electronic communications data by the Union institutions, bodies, offices and agencies insofar as they are not publicly available and not originating or having as destination publicly available communications services, is governed by Regulation (EU) 00/0000 [new Regulation replacing Regulation 45/2001].
Amendment 206 #
Proposal for a regulation
Article 3 – paragraph 1 – introductory part
Article 3 – paragraph 1 – introductory part
1. This Regulation applies to: the activities referred to in Article 2 where the user or end-user is in the Union or where the communications services, hardware, software, directories, or direct marketing commercial electronic communications are provided from the territory of the Union.
Amendment 207 #
Proposal for a regulation
Article 3 – paragraph 1 – point a
Article 3 – paragraph 1 – point a
Amendment 209 #
Proposal for a regulation
Article 3 – paragraph 1 – point b
Article 3 – paragraph 1 – point b
Amendment 209 #
Proposal for a regulation
Recital 17
Recital 17
(17) The processing of electronic communications data can be useful for businesses, consumers and society as a whole. Vis-à-vis Directive 2002/58/EC, this Regulation broadens the possibilities for providers of electronic communications services to process electronic communications metadata, based on end-users consent. However, end-users attach great importance to the confidentiality of their communications, including their online activities, and that they want to control the use of electronic communications data for purposes other than conveying the communication. Therefore, this Regulation should require providers of electronic communications services to obtain end-users’ consent to process electronic communications metadata, which should include data on the location of the device generated for the purposes of granting and maintaining access and connection to the service. Location data that is generated other than in the context of providing electronic communications services should not be considered as metadata. Examples of commercial usages of electronic communications metadata by providers of electronic communications services may include the provision of heatmaps; a graphical representation of data using colors to indicate the presence of individuals. To display the traffic movements in certain directions during a certain period of time, an identifier ismay be necessary to link the positions of individuals at certain time intervals. This identifier would be missing if anonymous data were to be used and such movement could not be displayed. Such usage of electronic communications metadata could, for example, benefit public authorities and public transport operators to define where to develop new infrastructure, based on the usage of and pressure on the existing structure. Where a type of processing of electronic communications metadata, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural personss foreseen, a data protection impact assessment and, as the case may be, a consultation of the supervisory authority should take place prior to the processing, in accordance with Articles 35 and 36 of Regulation (EU) 2016/679.
Amendment 211 #
Proposal for a regulation
Article 3 – paragraph 1 – point c
Article 3 – paragraph 1 – point c
Amendment 214 #
Proposal for a regulation
Recital 17 a (new)
Recital 17 a (new)
(17a) This Regulation broadens the possibilities for providers of electronic communications services to process electronic communications metadata, which should include data on the location of the device generated for the purposes of granting and maintaining access and connection to the service. However, users attach great importance to the confidentiality of their communications, including their online activities, and they want to control the use of their electronic communications data for purposes other than conveying the communication. Therefore, this Regulation should require providers of electronic communications services to obtain users’ consent to process electronic communications data. For the purposes of this Regulation, the consent of a user should have the same meaning and be subject to the same conditions as the consent of the data subject under Regulation (EU) 2016/679.
Amendment 215 #
Proposal for a regulation
Recital 18
Recital 18
(18) End-uUsers may consent to the processing of their metaelectronic communications data to receive specific services requested by them, such as protection services against fraudulent activities (by analysing usage data, location and customer account in real time). In the digital economy, services are often supplied against counter-performance other than moneymalware, unsolicited communication, or fraudulent activities. Consent for processing electronic communications data will not be valid if the data subject has no genuine and free choice, for instance by end- users being exposed to advertises unable to refuse or withdraw consent without detriments. For the purposes of this Regulation, consent of an end-user, regardless of whether the latter is a natural or a legal person, should have the same meaning and be subject to the same conditions as the data subject’s consent under Regulation (EU) 2016/679. Basic broadband internet access and voice communications services are to be considered as essential services for individuals to be able to communicate and participate to the benefits of the digital economy. Consent for processing data from internet or voice communication usage will not be valid if the data subject has no genuine and free choice, or is unable to refuse orWithout prejudice to Article 7 of Regulation (EU) 2016/679, consent should not be considered as freely given if it is required to access any service or obtained through insisting and repetitive requests. In order to prevent such abusive requests, users should be able to order service providers to remember their choice not to consent and to adhere to technical specifications signalling not to consent, withdrawal of consent without detriment, or an objection.
Amendment 216 #
Proposal for a regulation
Article 3 – paragraph 4
Article 3 – paragraph 4
4. The representative shall have the power to answer questions and provide information in addition to or instead of the provider it represents, in particular, to supervisory authorities, and end-users, on all issues related to processing electronic communications datathe activities referred to in Article 2 for the purposes of ensuring compliance with this Regulation.
Amendment 218 #
5. The designation of a representative pursuant to paragraph 2 shall be without prejudice to legal actions, which could be initiated against a natural or legal person who processes electronic communications data in connection with the provision of electronic communications services from outside the Union to end-users inundertake the activities referred to in Article 2 from outside the Union.
Amendment 219 #
Proposal for a regulation
Article 4 – paragraph 1 – point b
Article 4 – paragraph 1 – point b
(b) the definitions of ‘electronic communications network’, ‘electronic communications service’, ‘interpersonal communications service’, ‘number-based interpersonal communications service’, ‘number-independent interpersonal communications service’, ‘end-user’ and ‘call’ in points (1), (4), (5), (6), (7), (14) and (21) respectively'call' in point (21) of Article 2 of [Directive establishing the European Electronic Communications Code];
Amendment 219 #
Proposal for a regulation
Recital 19
Recital 19
(19) The content of electronic communications pertains to the essence of the fundamental right to respect for private and family life, home and communications protected under Article 7 of the Charter. Any interference with theprocessing of content data of electronic communications should be allowed only under very clear defined conditions, for specific purposes and be subject to adequate safeguards against abuse. This Regulation provides for the possibility of providers of electronic communications services to process electronic communications data in transit, with the informed consent of all the end- users concerned. For example, providers may offer services that entail the scanning of emails to remove certain pre-defined material. Given the sensitivity of the content ofelectronic communications data, this Regulation sets forth a presumption that the processing of such content data will result in high risks to the rights and freedoms of natural persons. When processing such type of data, the provider of the electronic communications service should always consult the supervisory authority prior to the processing. Such consultation should be in accordance with Article 36 (2) and (3) of Regulation (EU) 2016/679. The presumption does not encompass the processing of content data to provide a service requested by the end- user where the end-user has consented to such processing and it is carried out for the purposes and duration strictly necessary and proportionate for such servicearry out an impact assessment as provided for in Regulation (EU) 2016/679 and if necessary under that Regulation, consult the supervisory authority prior to the processing. After electronic communications content has been sent by the end-user and received by the intended end-user or end- users, it may be recorded or stored by the end-user, end- users or by a thirdnother party entrusted by them to record or store such data. Any processing of such data, which could be the electronic communications provider. Any processing of such stored communications data where the data is stored on behalf of the end-user must comply with this Regulation. The end- user may further process the data, and if it contains personal data, must comply with Regulation (EU) 2016/679.
Amendment 220 #
Proposal for a regulation
Article 4 – paragraph 2
Article 4 – paragraph 2
Amendment 224 #
Proposal for a regulation
Article 4 – paragraph 3 – point b
Article 4 – paragraph 3 – point b
(b) ‘'electronic communications content’' means the content transmitted, distributed or exchanged by means of electronic communications services, such as text, voice, videos, images, and sound, including electronic communications metadata of other electronic communications services or protocols that are transmitted by using the respective service;
Amendment 224 #
Proposal for a regulation
Recital 19 a (new)
Recital 19 a (new)
(19a) It should be possible to process electronic communications data for the purposes of providing services specifically requested by a user for personal or personal work-related purposes such as search or keyword indexing functionality, text-to-speech engines and translation services, including picture-to-voice or other automated content processing used as accessibility tools by persons with disabilities. This should be possible without the consent of all users who are part of the communication, but may take place with the consent of the user requesting the service. Such specific consent also precludes the provider from processing those data for different purposes.
Amendment 226 #
Proposal for a regulation
Recital 20
Recital 20
(20) Terminal equipment of end-users of electronic communications networks and any information relating to the usage of such terminal equipment, whether in particular is stored in or emitted by such equipment, requested from or processed in order to enable it to connect to another device and or network equipment, are part of the private sphere of the end-users requiring protection under the Charter of Fundamental Rights of the European Union and the European Convention for the Protection of Human Rights and Fundamental Freedoms. Given that such equipment contains or processes informationvery sensitive data that may reveal details of an individual’s emotional, political,the behaviour, psychological features, emotional condition and political convictions, religious beliefs and social complexities of an individual, including the content of communications, pictures, the location of individuals by accessing the device’s GPS capabilities, contact lists, and other information already stored in the device, the information processed by or related to such equipment requires enhanced privacy protection. Information related to the user’s device may also be collected remotely for the purpose of identification and tracking, using techniques such as the so-called ‘device fingerprinting’, often without the knowledge of the user, and may seriously intrude upon the privacy of these users. Furthermore, the so-called spyware, web bugs, hidden identifiers, tracking cookies and other similar unwanted tracking tools can enter end-user’s terminal equipment without their knowledge in order to gain access to information, to store hidden information and to trace the activities. Information related to the end-user’s device may also be collected remotely for the purpose of identification and tracking, using techniques such as the so-called ‘device fingerprinting’, often without the knowledge of the end-user, and may seriously intrude upon the privacy of these end-user, to process data and use input and output functionalities such as sensors, and to trace the activities. Techniques that surreptitiously monitor the actions of end- users, for example by tracking their activities online or the location of their terminal equipment, or subvert the operation of the end-users’ terminal equipment pose a serious threat to the privacy of end-users. Therefore, any such interference with the end-user’s terminal equipment should be allowed only with the end-user’s consent and for specific and transparent purposes.
Amendment 227 #
Proposal for a regulation
Article 4 – paragraph 3 – point c
Article 4 – paragraph 3 – point c
(c) ‘'electronic communications metadata’' means data processed in an electronic communications network for the purposes of transmitting, distributing or exchanging electronic communications content; including data used to trace and identify the source and destination of a communication, data on the location of the device generated in the context of providing electronic communications services, and the date, time, duration and the type of communicationelectronic identifiers and other data broadcasted or emitted by the terminal equipment to identify users' communication or to enable it to connect to an electronic communications service or to another terminal equipment, data on the location of the terminal equipment processed in the context of providing electronic communications services, and the date, time, duration and the type of communication; where metadata of other electronic communications services or protocols are transmitted, distributed or exchanged by using the respective service, they shall be considered electronic communications content for the respective service;
Amendment 233 #
Proposal for a regulation
Article 4 – paragraph 3 – point f
Article 4 – paragraph 3 – point f
(f) ‘'direct marketing communications’' means any form of advertising, whether in written, audio, video, oral oral, sent any other format, sent, broadcast, served or presented to one or more identified or identifiable end-users of electronic communications services, including the use of automated calling and communication systems with or without human interaction, electronic mail, SMS, etc.;
Amendment 234 #
Proposal for a regulation
Article 4 – paragraph 3 – point h a (new)
Article 4 – paragraph 3 – point h a (new)
Amendment 235 #
Proposal for a regulation
Article 4 – paragraph 3 – point h b (new)
Article 4 – paragraph 3 – point h b (new)
(h b) 'electronic communications service' means a service provided via electronic communications networks, whether for remuneration or not, which encompasses one or more of the following: an 'internet access service' as defined in Article 2(2) or Regulation (EU) 2015/2120; an interpersonal communications service; a service consisting wholly or mainly in the conveyance of the signals, such as a transmission service used for the provision of a machine-to-machine service and for broadcasting, but excludes information conveyed as part of a broadcasting service to the public over an electronic communications network or service except to the extent that the information can be related to the identifiable subscriber or user receiving the information; it includes services enabling interpersonal and interactive communication merely as a minor ancillary feature that is intrinsically linked to another service; it also includes services which are not publicly available, but provide access to a publicly available electronic communications network;
Amendment 236 #
Proposal for a regulation
Article 4 – paragraph 3 – point h c (new)
Article 4 – paragraph 3 – point h c (new)
(h c) 'interpersonal communications service' means a service, whether provided for remuneration or not, that enables direct interpersonal and interactive exchange of information between a finite number of persons whereby the persons initiating or participating in the communication determine the recipient(s);
Amendment 237 #
Proposal for a regulation
Article 4 – paragraph 3 – point h d (new)
Article 4 – paragraph 3 – point h d (new)
(h d) 'number-based interpersonal communications service' means an interpersonal communications service which connects to the public switched telephone network, either by means of assigned numbering resources, i.e. number or numbers in national or international telephone numbering plans, or by enabling communication with a number or numbers in national or international telephone numbering plans;
Amendment 237 #
Proposal for a regulation
Recital 21
Recital 21
(21) Exceptions to the obligation to obtain consent to make use of the input, output, processing and storage capabilities of terminal equipment or to access information stored in terminal equipment should be limited to situations that involve no, or only very limited, intrusion of privacy. For instance, consent should not be requested for authorizing the technical storage or access which is strictly necessary and proportionate for the legitimate purpose of enabling the use of a specific service explicitly requested by the end-ususer or subscriber. This may include the storing of cookiesinformation (such as cookies and identifiers) for the duration of a single established session on a website to keep track of the end-user’s input when filling in online forms over several pages. Cookies can also be a legitimate and useful tool, for example, in measuring web traffic to a website. Information society service providers that engage in configuration checking to provide the service in compliance with the end-user’s settings and the mere logging of the fact that the end-user’s device is unable to receive content requested by the end- user should not constitute access to such a device or use of the device processing capabilitieillegitimate access.
Amendment 238 #
Proposal for a regulation
Article 4 – paragraph 3 – point h e (new)
Article 4 – paragraph 3 – point h e (new)
(h e) 'number-independent interpersonal communications service' means an interpersonal communications service which does not connect with the public switched telephone network, either by means of assigned numbering resources, i.e. a number or numbers in national or international telephone numbering plans, or by enabling communication with a number or numbers in national or international telephone numbering plans;
Amendment 239 #
Proposal for a regulation
Article 4 – paragraph 3 – point h f (new)
Article 4 – paragraph 3 – point h f (new)
(h f) 'end-user' means a legal entity or a natural person using or requesting a publicly available electronic communications service;
Amendment 240 #
Proposal for a regulation
Article 4 – paragraph 3 – point h g (new)
Article 4 – paragraph 3 – point h g (new)
(h g) 'user' means any natural person using a publicly available electronic communications service, for private or business purposes, without necessarily having subscribed to this service;
Amendment 241 #
Proposal for a regulation
Chapter 2 – title
Chapter 2 – title
PROTECTION OF ELECTRONIC COMMUNICATIONS OF NATURAL AND LEGAL PERSONS AND OF INFORMATION STORED INPROCESSED BY AND RELATED TO THEIR TERMINAL EQUIPMENT
Amendment 242 #
Proposal for a regulation
Recital 22
Recital 22
(22) The methods used for providing information and obtaining end-user’s consent should be as user-friendly as possible. Given the ubiquitous use of tracking cookies and other tracking techniques, end-users are increasingly requested to provide consent to store such tracking cookies in their terminal equipment. As a result, end-users are overloaded with requests to provide consent. This Regulation should prevent the use of so- called “cookie walls” and “cookie banners” that do not help users to maintain control over their personal information and privacy or become informed about their rights. The use of technical means to provide consent, for example, through transparent and user- friendly settings, may address this problem. Therefore, this Regulation should provide for the possibility to express consent by using the appropriate settings of a browser or other applicationor withdraw consent and to object by technical specifications using automated means, such as the appropriate settings of a hardware or software permitting the retrieval and presentation of information on the internet. Those settings should include choices concerning the use of processing and storage capabilities of the user’s terminal equipment as well as a signal sent by the hardware or software indicating the user’s preferences to other parties. The choices made by end- users when establishing its general privacy settings of a browser or other applicationhardware of software should be binding on, and enforceable against, any third parties. Web browsers are a type of software application that permits the retrieval and presentation of information on the internet. Other types of applications, such as the ones that permit calling and messaging or provide route guidance, have also the same capabilities. Web browsers mediate much of what occurs between the end-More particularly web browsers, applications or mobile operating systems may be userd and the website. From this perspective, they are in a privileged position to play an active role to help the end-s a user’s personal privacy assistant communicating the user’s choices, thus helping users to control the flow of information to and fromprevent information related to or processed by their terminal equipment. More particularly web browsers may be used as gatekeepers, thus helping end-users to prevent information from their terminal equipment (for example smart phone, tablet or computer) from being accessed or stored (for example smart phone, tablet or computer) from being accessed, processed or stored. They should therefore not abuse their position as gate- keepers and still allow for possibilities for the user to individually give consent with regard to a certain specific service or service provider.
Amendment 243 #
Proposal for a regulation
Article 5 – title
Article 5 – title
Confidentiality of electronic communications data
Amendment 248 #
Proposal for a regulation
Article 5 – paragraph 1
Article 5 – paragraph 1
Electronic communications data shall be confidential. Any processing of electronic communications data, including any interference with electronic communications data, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing of electronic communications data, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation. This includes electronic communications data that is stored after the transmission has been completed.
Amendment 250 #
Proposal for a regulation
Recital 23
Recital 23
(23) The principles of data protection by design and by default were codified under Article 25 of Regulation (EU) 2016/679. Currently, the default settings for cookies are set in most current browsers to ‘accept all cookies’. Therefore providers of hardware or software enabling the retrieval and presentation of information on the internet should have an obligation to configure the software so that it offers the option to prevent third parties fromand activates as default the option to prevent the cross-domain tracking and storing information on the terminal equipment by other parties; this is often presented as ‘reject third party trackers and cookies’. End-uUsers should be offered a set of privacy setting options, ranging from higher (for example, ‘never accept trackers and cookies’) to lower (for example, ‘always accept trackers and cookies’) and intermediate (for example, ‘reject third party cookiall trackers and cookies that are not strictly necessary to provide a service explicitly requested by the user’ or ‘reject all cross- domain tracking’). Thes’e or ‘only accept first party cookies’). Such privacy settings should be presented in an easily visible and intelligible manner. ptions may also be more fine-grained and, among other aspects, reflect the possibility that another party might act as a data processor within the meaning of Regulation (EU) 2016/679 for the provider of the service. Privacy settings should also include options to allow the user to decide for example, whether multimedia players, interactive programming language viewers, or similar software can be executed, if a website can collect geo-location data from the user, or if it can access specific hardware such as a webcam or microphone. Such privacy settings should be presented in an easily visible and intelligible manner, and at the moment of installation or first use, users should be informed about the possibility to change the default privacy settings among the various options. Information provided should not dissuade users from selecting higher privacy settings and should include relevant information about the risks associated to allowing cross-domain trackers, including the compilation of long-term records of individuals’ browsing histories and the use of such records to send targeted advertising or sharing with more third parties. Hardware and software manufacturers should be required to provide easy ways for users to change the privacy settings at any time during use and to allow the user to make exceptions for or to whitelist certain information society services or to specify for such services websites trackers and cookies are always or never allowed. In case of no active choice, or action from the user, the settings shall be set by default in a manner that rejects and blocks trackers, including cookies, that are not strictly necessary in order to provide an information society service specifically requested by the user.
Amendment 251 #
Proposal for a regulation
Article 5 – paragraph 1 a (new)
Article 5 – paragraph 1 a (new)
Confidentiality of electronic communications shall also apply to data related to or processed by terminal equipment and to machine-to-machine communication.
Amendment 256 #
Proposal for a regulation
Article 6 – paragraph 1 – introductory part
Article 6 – paragraph 1 – introductory part
1. Providers of electronic communications networks and services may process electronic communications data only if:
Amendment 259 #
Proposal for a regulation
Recital 24
Recital 24
Amendment 260 #
Proposal for a regulation
Article 6 – paragraph 1 – point a
Article 6 – paragraph 1 – point a
(a) it is technically strictly necessary to achieve the transmission of the communication, for the duration necessary for that purpose; or
Amendment 263 #
Proposal for a regulation
Article 6 – paragraph 1 – point b
Article 6 – paragraph 1 – point b
(b) it is technically strictly necessary to maintain or restore the security ofavailability, integrity and confidentiality of the respective electronic communications networks andor services, or to detect technical faults and/or errors in the transmission of electronic communications, for the duration necessary for that purpose.; or
Amendment 266 #
Proposal for a regulation
Recital 25
Recital 25
(25) Accessing electronic communications networks requires the regular emission of certain data packets in order to discover or maintain a connection with the network or other devices on the network. Furthermore, devices must have a unique address assigned in order to be identifiable on that network. Wireless and cellular telephone standards similarly involve the emission of active signals containing unique identifiers such as a MAC address, the IMEI (International Mobile Station Equipment Identity), the IMSI etc. A single wireless base station (i.e. a transmitter and receiver), such as a wireless access point, has a specific range within which such informationelectronic communications metadata may be captured. Service providers have emerged who offer tracking services based on the scanning of equipment related information with diverse functionalities, including people counting, providing data on the number of people waiting in line, ascertaining the number of people in a specific area, etc. This information may be used for more intrusive purposes, such as to send commercial messages to end-users, for example when they enter stores, with personalized offers. While some of these functionalities do not entail high privacy risks, others do, for example, those involving the tracking of individuals over time, including repeated visits to specified locations. Providers engaged in such practices should display prominent notices located on the edge of the area of coverage informing end-users prior to entering the defined area that the technology is in operation within a given perimeter, the purpose of the tracking, the person responsible for it and the existence of any measure the end-user of the terminal equipment can take to minimize or stop the collection. Additional information should be provided where personal data are collected pursuant to Article 13 of Regulation (EU) 2016/679only be permitted to process such electronic communications metadata based on the consent of the users concerned.
Amendment 267 #
Proposal for a regulation
Article 6 – paragraph 1 – point b a (new)
Article 6 – paragraph 1 – point b a (new)
(b a) the user concerned has given his or her consent to the processing of his or her electronic communications data, provided that it is technically strictly necessary for the provision of a service explicitly requested by a user for his or her purely individual usage, solely for the provision of the explicitly requested service and only for the duration necessary for that purpose and without the consent of all users, only where such processing produces effects solely in relation to the user who requested the service and does not adversely affect the fundamental rights of other users.
Amendment 267 #
Proposal for a regulation
Recital 25
Recital 25
(25) Accessing electronic communications networks requires the regular emission of certain data packets in order to discover or maintain a connection with the network or other devices on the network. Furthermore, devices must have a unique address assigned in order to be identifiable on that network. Wireless and cellular telephone standards similarly involve the emission of active signals containing unique identifiers such as a MAC address, the IMEI (International Mobile Station Equipment Identity), the IMSI etc. A single wireless base station (i.e. a transmitter and receiver), such as a wireless access point, has a specific range within which such informationelectronic communications metadata may be captured. Service providers have emerged who offer tracking services based on the scanning of equipment related information with diverse functionalities, including people counting, providing data on the number of people waiting in line, ascertaining the number of people in a specific area, etc. This information may be used for more intrusive purposes, such as to send commercial messages to end-users, for example when they enter stores, with personalized offers. While some of these functionalities do not entail high privacy risks, others do, for example, those involving the tracking of individuals over time, including repeated visits to specified locations. Providers engaged in such practices should display prominent notices located on the edge of the area of coverage informing end-users prior to entering the defined area that the technology is in operation within a given perimeter, the purpose of the tracking, the person responsible for it and the existence of any measure the end-user of the terminal equipment can take to minimize or stop the collection. Additional information should be provided where personal data are collected pursuant to Article 13 of Regulation (EU) 2016/679only be permitted to process such electronic communications metadata based on the consent of the users concerned.
Amendment 270 #
Proposal for a regulation
Article 6 – paragraph 1 – subparagraph 1 (new)
Article 6 – paragraph 1 – subparagraph 1 (new)
Amendment 272 #
Proposal for a regulation
Recital 26
Recital 26
(26) When the processing of electronic communications data by providers of electronic communications services falls within its scope, this Regulation should provide for the possibility for the Union or Member States under specific conditions to temporarily restrict by law certain obligations and rights when such a restriction is targeted at persons suspected of having committed a criminal offence and constitutes a necessary and proportionate measure in a democratic society to safeguard specific public interests, including national security, defence, public security and the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security and other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests. Therefore, this Regulation should not affect the ability of Member States to carry out lawful interception of electronic communications or take other measures, if necessary and proportionate to safeguard the public interests mentioned above, in accordance with the Charter of Fundamental Rights of the European Union and the European Convention for the Protection of Human Rights and Fundamental Freedoms, as interpreted by the Court of Justice of the European Union and of the European Court of Human Rights. Providers of electronic communications services should provide for appropriate procedures to facilitate legitimate requests of competent authorities, where relevant also taking into account the role of the representative designated pursuant to Article 3(3)not be obliged by Union or Member States competent authorities to weaken any measures that ensure the integrity and confidentiality of electronic communications.
Amendment 274 #
Proposal for a regulation
Article 6 – paragraph 2 – introductory part
Article 6 – paragraph 2 – introductory part
2. Providers of electronic communications services may process electronic communications metadata only if:
Amendment 276 #
Proposal for a regulation
Article 6 – paragraph 2 – point a
Article 6 – paragraph 2 – point a
(a) it is technically strictly necessary to meet mandatory quality of service requirements pursuant to [Directive establishing the European Electronic Communications Code] or Regulation (EU) 2015/212028 for the duration necessary for that purpose; or _________________ 28 Regulation (EU) 2015/2120 of the European Parliament and of the Council of 25 November 2015 laying down measures concerning open internet access and amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services and Regulation (EU) No 531/2012 on roaming on public mobile communications networks within the Union (OJ L 310, 26.11.2015, p. 1–18).
Amendment 279 #
Proposal for a regulation
Recital 28
Recital 28
(28) There is justification for overriding the elimination of calling line identification presentation in specific cases. End-usSubscribers’ rights to privacy with regard to calling line identification should be restricted where this is necessary to trace nuisance calls and with regard to calling line identification and location data where this is necessary to allow emergency services, such as eCall, to carry out their tasks as effectively as possible.
Amendment 280 #
Proposal for a regulation
Article 6 – paragraph 2 – point b
Article 6 – paragraph 2 – point b
(b) it is strictly necessary for billing, calculating interconnection payments, detecting or stopping fraudulent, or abusive use of, or subscription to, electronic communications services; or
Amendment 281 #
Proposal for a regulation
Recital 29
Recital 29
(29) Technology exists that enables providers of electronic communications services to limit the reception of unwanted calls by end-ussubscribers in different ways, including blocking silent calls and other fraudulent and nuisance calls or marketing calls with a specific code or prefix. Providers of publicly available number- based interpersonal communications services should deploy this technology and protect end-ussubscribers against nuisance calls and free of charge. Providers should ensure that end-ussubscribers are aware of the existence of such functionalities, for instance, by publicising the fact on their webpage.
Amendment 284 #
Proposal for a regulation
Article 6 – paragraph 2 – point c
Article 6 – paragraph 2 – point c
(c) the end-user or users concerned hasve given his or hertheir specific consent to the processing of his or hetheir communications metadata by the respective electronic communications service for one or more specified purposes, including for the provision of specific services to such end- users, provided that the purpose or purposes concerned could not be fulfilled by processing informationdata that is made anonymous, and the consent has not been a condition to access or use a service.
Amendment 287 #
Proposal for a regulation
Recital 30
Recital 30
(30) Publicly available directories of end-ussubscribers of electronic communications services are widely distributed. Publicly available directories means any directory or service containing end-ussubscribers information such as phone numbers (including mobile phone numbers), email address contact details and includes inquiry services. The right to privacy and to protection of the personal data of a natural person requires that end-ussubscribers that are natural persons are asked for consent before their personal data are included in a directory. The legitimate interest of legal entities requires that end-ussubscribers that are legal entities have the right to object to the data related to them being included in a directory.
Amendment 289 #
Proposal for a regulation
Article 6 – paragraph 3 – introductory part
Article 6 – paragraph 3 – introductory part
3. Providers of the electronic communications services may process electronic communications content only if:
Amendment 292 #
Proposal for a regulation
Article 6 – paragraph 3 – point a
Article 6 – paragraph 3 – point a
(a) for the sole purpose of the provision of a specific service to an end- user, if the end-user or end-users concerned have given their consent to the processing of his or her electronic communications content andthe user concerned has given his or her consent to the processing of his or her electronic communications content for the sole purpose of the provision of a specific service explicitly requested by the end-user, for the duration necessary for that purpose, provided that the provision of that specific service cannot be fulfilled without the processing of such content by the provider, and the consent has not been a condition to access or use a service; or
Amendment 292 #
Proposal for a regulation
Recital 31
Recital 31
(31) If end-ussubscribers that are natural persons give their consent to their data being included in such directories, they should be able to determine on a consent basis which categories of personal data are included in the directory (for example name, email address, home address, user name, phone number). In addition, providers of publicly available directories or the providers of electronic communications services should inform the end-ussubscribers of the purposes of the directory and of the search functions of the directory before including them in that directory. End-usSubscribers should be able to determine by consent on the basis of which categories of personal data their contact details can be searched. The categories of personal data included in the directory and the categories of personal data on the basis of which the end-ussubscriber’s contact details can be searched should not necessarily be the same.
Amendment 298 #
Proposal for a regulation
Recital 32
Recital 32
(32) In this Regulation, direct marketing refers to any form of advertising by which a natural or legal person sends or presents direct marketing communications directly to one or more identified or identifiable end-ussubscribers using electronic communications services. In addition to the offering of products and services for commercial purposes, this should also include messages sent by political parties that contact natural persons via electronic communications services in order to promote their parties. The same should apply to messages sent by other non-profit organisations to support the purposes of the organisation.
Amendment 301 #
Proposal for a regulation
Article 6 – paragraph 3 – point b
Article 6 – paragraph 3 – point b
(b) if all end-users concerned have given their consent to the processing of their electronic communications content for one or more specified purposes that cannot be fulfilled by processing information that is made anonymous, and the provider has consulted the supervisory authority. Points (2) and (3) of Article 36 of Regulation (EU) 2016/679 shall apply to the consultation of the supervisory authority.
Amendment 301 #
Proposal for a regulation
Recital 33
Recital 33
(33) Safeguards should be provided to protect end-ussubscribers against unsolicited communications, including for direct marketing purposes, which intrude into the private life of end-users. The degree of privacy intrusion and nuisance is considered relatively similar independently of the wide range of technologies and channels used to conduct these electronic communications, whether using automated calling and communication systems, instant messaging applications, emails, SMS, MMS, Bluetooth, etc. It is therefore justified to require that consent of the end-ussubscriber is obtained before commercial electronic communications for direct marketing purposes are sent to end-ussubscribers in order to effectively protect individuals against the intrusion into their private life as well as the legitimate interest of subscribers that are legal persons. Legal certainty and the need to ensure that the rules protecting against unsolicited electronic communications remain future- proof justify the need to define a single set of rules that do not vary according to the technology used to convey these unsolicited communications, while at the same time guaranteeing an equivalent level of protection for all citizens throughout the Union. However, it is reasonable to allow the use of e-mail contact details within the context of an existing customer relationship for the offering of similar products or services. Such possibility should only apply to the same company that has obtained the electronic contact details in accordance with Regulation (EU) 2016/679.
Amendment 304 #
Proposal for a regulation
Article 7 – paragraph 1
Article 7 – paragraph 1
1. Without prejudice to points (b) and (c) of Article 6(1) and points (a) and (b) of Article 6(3), the provider of the electronic communications service shall erase electronic communications content or make that data anonymous after receipt of electronic communication content by the intended recipient or recipients. Such data may be recorded or stored by the end-users or by a third partparty, which could be the provider of the electronic communication service, specifically entrusted by them end-user to record, store or otherwise process such data,. The end-user may further process the content in accordance with Regulation (EU) 2016/679, if applicable.
Amendment 306 #
Proposal for a regulation
Recital 34
Recital 34
(34) When end-ussubscribers have provided their consent to receiving unsolicited communications for direct marketing purposes, they should still be able to withdraw their consent at any time in an easy manner. To facilitate effective enforcement of Union rules on unsolicited messages for direct marketing, it is necessary to prohibit the masking of the identity and the use of false identities, false return addresses or numbers while sending unsolicited commercial communications for direct marketing purposes. Unsolicited marketing communications should therefore be clearly recognizable as such and should indicate the identity of the legal or the natural person transmitting the communication or on behalf of whom the communication is transmitted and provide the necessary information for recipients to exercise their right to oppose to receiving further written and/or oral marketing messages.
Amendment 308 #
Proposal for a regulation
Article 7 – paragraph 2
Article 7 – paragraph 2
2. Without prejudice to point (b) and (c) of Article 6(1) and points (a) and (c) of Article 6(2), the provider of the electronic communications service shall erase electronic communications metadata or make that data anonymous when it is no longer needed for the purpose of the transmission of a communication.
Amendment 309 #
Proposal for a regulation
Recital 35
Recital 35
(35) In order to allow easy withdrawal of consent, legal or natural persons conducting direct marketing communications by email should present a link, or a valid electronic mail address, which can be easily used by end-ussubscribers to withdraw their consent. Legal or natural persons conducting direct marketing communications through voice-to-voice calls and through calls by automating calling and communication systems should display their identity line on which the company can be called orand present a specific code identifying the fact that the call is a marketing call.
Amendment 311 #
Proposal for a regulation
Article 7 – paragraph 3
Article 7 – paragraph 3
3. Where the processing of electronic communications metadata takes place for the purpose of billing in accordance with point (b) of Article 6(2), the relevant metadataonly the metadata that is strictly necessary for this purpose may be kept until the end of the period during which a bill may lawfully be challenged or a payment may be pursued in accordance with national law.
Amendment 312 #
Proposal for a regulation
Recital 36
Recital 36
Amendment 313 #
Proposal for a regulation
Article 8 – title
Article 8 – title
Protection of information stored in and, related to and processed by end-users’' terminal equipment
Amendment 315 #
Proposal for a regulation
Article 8 – paragraph 1 – introductory part
Article 8 – paragraph 1 – introductory part
1. The use of input, output, processing and storage capabilities of terminal equipment and the collectionprocessing of information from end-users’ terminal equipment, including about' terminal equipment, or making information available through the terminal equipment, including information about and processed by its software and hardware, other than by the end-user concerned shall be prohibited, except on the following grounds:
Amendment 316 #
Proposal for a regulation
Recital 37
Recital 37
(37) Service providers who offer electronic communications services should inform end- usprocess electronic communications data in such a way as to prevent unauthorised processing, including access, disclosure or alteration. They should ensure that such unauthorised access, disclosure or alteration can be detected, and also ensure that electronic communications data are protected by using state-of the art software and encryption technologies. Service providers should also inform subscribers of measures they can take to protect their anonymity and the security of their communications for instance by using specific types of software or encryption technologies. The requirement to inform end-ussubscribers of particular security risks does not discharge a service provider from the obligation to take, at its own costs, appropriate and immediate measures to remedy any new, unforeseen security risks and restore the normal security level of the service. The provision of information about security risks to the subscriber should be free of charge. Security is appraised in the light of Article 32 of Regulation (EU) 2016/679.
Amendment 317 #
Proposal for a regulation
Article 8 – paragraph 1 – point a
Article 8 – paragraph 1 – point a
(a) it is strictly technically necessary for the sole purpose of carrying out the transmission of an electronic communication over an electronic communications networkservice; or
Amendment 320 #
Proposal for a regulation
Recital 38
Recital 38
(38) To ensure full consistency with Regulation (EU) 2016/679, the enforcement of the provisions of this Regulation should be entrusted to the same authorities responsible for the enforcement of the provisions Regulation (EU) 2016/679, and this Regulation relies on the consistency mechanism of Regulation (EU) 2016/679. Member States should be able to have more than one supervisory authority, to reflect their constitutional, organisational and administrative structure. The supervisory authorities should also be responsible for monitoring the application of this Regulation regarding electronic communications data for legal entities. Such additional tasks should not jeopardise the ability of the supervisory authority to perform its tasks regarding the protection of personal data under Regulation (EU) 2016/679 and this Regulation. Each supervisory authority should be provided with the additional financial and human resources, premises and infrastructure necessary for the effective performance of the tasks under this Regulation.
Amendment 321 #
Proposal for a regulation
Article 8 – paragraph 1 – point b
Article 8 – paragraph 1 – point b
(b) the end-user has given his or her consent for a specific purpose, and the consent has not been a condition to access or use a service, for the duration necessary for that purpose; or
Amendment 323 #
Proposal for a regulation
Recital 41
Recital 41
(41) In order to fulfil the objectivesmplementing powers should be conferred ofn this Regulation, namely to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data and to ensure the free movement of personal data within the Union, the power to adopt acts in accordance with Article 290 of the Treatye Commission to specify a code to identify direct marketing calls including those made through automated calling and communication systems. Furthermore, implementing powers should be delegatconferred ton the Commission to supplement this Regulation. In particular, delegated acts should be adopted in respect of the information to be presented, including by means of standardised icons in order to give an easily visible and intelligible overview of the collection of information emitted by terminal equipment, its purpose, the person responsible for it and of any measure the end-with regard to the establishment of procedures and the circumstances where providers of publicly available number- based interpersonal communication services shall override the elimination of the presentation of the calling line identification on a temporary basis, where users of the terminal equipment can take to minimise the collection. Delegated acts are also necessary to specify a code to identify direct marketing calls including those made through automated calling and communication systemsr subscribers request the tracing of malicious or nuisance calls. Those powers should be exercised in accordance with Regulation (EU) No 182/2011. It is of particular importance that the Commission carries out appropriate consultations and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement on Better Law-Making of 13 April 201625 . In particular, to ensure equal participation in the preparation of delegated actimplementing measures, the European Parliament and the Council receive all documents at the same time as Member States’ experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts. Furthermore, in order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission when provided for by this Regulation. Those powers should be exercised in accordance with Regulation (EU) No 182/2011. _________________ 25 Interinstitutional Agreement between the European Parliament, the Council of the European Union and the European Commission on Better Law-Making of 13 April 2016 (OJ L 123, 12.5.2016, p. 1–14).
Amendment 325 #
Proposal for a regulation
Article 8 – paragraph 1 – point c
Article 8 – paragraph 1 – point c
(c) it is strictly technically necessary for providing an information society service specifically requested by the end-ususer, for the duration necessary for that provision of the service, provided that the provision of that specific service cannot be fulfilled without the processing of such content by the provider; or
Amendment 332 #
Proposal for a regulation
Article 2 – paragraph 1
Article 2 – paragraph 1
1. This Regulation applies to the processing of electronic communications data carried out in connection with the provision and the use of electronic communications services and to information related to the terminal equipment of end-users.:
Amendment 334 #
Proposal for a regulation
Article 8 – paragraph 1 – point d
Article 8 – paragraph 1 – point d
Amendment 336 #
Proposal for a regulation
Article 2 – paragraph 1 – point a (new)
Article 2 – paragraph 1 – point a (new)
(a) the processing of electronic communications data carried out in connection with the provision and the use of electronic communications services, irrespective of whether a payment is required;
Amendment 337 #
Proposal for a regulation
Article 2 – paragraph 1 – point b (new)
Article 2 – paragraph 1 – point b (new)
(b) the processing of information related to or processed by the terminal equipment of end-users;
Amendment 338 #
Proposal for a regulation
Article 2 – paragraph 1 – point c (new)
Article 2 – paragraph 1 – point c (new)
(c) the placing on the market of hardware and software permitting electronic communications by users and subscribers, including the retrieval and presentation of information on the Internet;
Amendment 339 #
Proposal for a regulation
Article 2 – paragraph 1 – point d (new)
Article 2 – paragraph 1 – point d (new)
(d) the provision of publicly available directories of subscribers of electronic communication;
Amendment 340 #
Proposal for a regulation
Article 2 – paragraph 1 – point e (new)
Article 2 – paragraph 1 – point e (new)
(e) the sending of direct marketing commercial electronic communications to end-users.
Amendment 344 #
Proposal for a regulation
Article 2 – paragraph 3
Article 2 – paragraph 3
3. The processing of electronic communications data by the Union institutions, bodies, offices and agencies insofar as they are not publicly available and not originating or having as destination publicly available communications services, is governed by Regulation (EU) 00/0000 [new Regulation replacing Regulation 45/2001].
Amendment 345 #
Proposal for a regulation
Article 3 – paragraph 1 – introductory part
Article 3 – paragraph 1 – introductory part
1. This Regulation applies to: the activities referred to in Article 2 where the user or subscriber is in the Union, where the communications services, hardware, software, directories, or direct marketing commercial electronic communications are provided from the territory of the Union, or where the the processing of information related to or processed by the terminal equipment of users or subscribers takes place in the Union.
Amendment 346 #
Proposal for a regulation
Article 8 – paragraph 1 – point d a (new)
Article 8 – paragraph 1 – point d a (new)
(d a) it is strictly technically necessary for a security update, provided that: (i) such updates are discreetly packaged and do not in any way change the functionality of the hardware or software or the privacy settings chosen by the user; (ii) the user is informed in advance each time such an update is being installed; and (iii) the user has the possibility to postpone or turn off the automatic installation of such updates;
Amendment 346 #
Proposal for a regulation
Article 3 – paragraph 1 – point a
Article 3 – paragraph 1 – point a
Amendment 350 #
Proposal for a regulation
Article 3 – paragraph 1 – point b
Article 3 – paragraph 1 – point b
Amendment 351 #
Proposal for a regulation
Article 8 – paragraph 1 – point d b (new)
Article 8 – paragraph 1 – point d b (new)
(d b) in the context of employment relationships, it is strictly technically necessary for the execution of an employee's task, where: (i) the employer provides and/or is the end-user of the terminal equipment; (ii) the employee is the user of the terminal equipment; (iii) it is not further used for monitoring the employee.
Amendment 351 #
Proposal for a regulation
Article 3 – paragraph 1 – point c
Article 3 – paragraph 1 – point c
Amendment 356 #
Proposal for a regulation
Article 3 – paragraph 2
Article 3 – paragraph 2
2. Where the provider of an electronic communications service, of publicly available directories, of hardware of software permitting electronic communications, or the person sending direct marketing commercial communications, or the person processing information related to or processed by the terminal equipment of users or subscribers is not established in the Union, it shall designate in writing a representative in the Union.
Amendment 360 #
Proposal for a regulation
Article 8 – paragraph 2
Article 8 – paragraph 2
Amendment 360 #
Proposal for a regulation
Article 3 – paragraph 3
Article 3 – paragraph 3
3. The representative shall be established in one of the Member States where the end-ususers or subscribers of such electronic communications services are located.
Amendment 361 #
Proposal for a regulation
Article 3 – paragraph 4
Article 3 – paragraph 4
4. The representative shall have the power to answer questions and provide information in addition to or instead of the provider it represents, in particular, to supervisory authorities, and end-ususers, and subscribers, on all issues related to processing electronic communications datathe activities referred to in Article 2 for the purposes of ensuring compliance with this Regulation.
Amendment 362 #
Proposal for a regulation
Article 3 – paragraph 5
Article 3 – paragraph 5
5. The designation of a representative pursuant to paragraph 2 shall be without prejudice to legal actions, which could be initiated against a natural or legal person who processes electronic communications data in connection with the provision of electronic communications services from outside the Union to end-users inundertake the activities referred to in Article 2 from outside the Union.
Amendment 365 #
Proposal for a regulation
Article 4 – paragraph 1 – point b
Article 4 – paragraph 1 – point b
(b) the definitions of ‘electronic communications network’, ‘electronic communications service’, ‘interpersonal communications service’, ‘number-based interpersonal communications service’, ‘number-independent interpersonal communications service’, ‘end-user’ and ‘call’ in points (1), (4), (5), (6), (7), (14) and (21) respectively'call' in point (21) of Article 2 of [Directive establishing the European Electronic Communications Code];
Amendment 369 #
Proposal for a regulation
Article 4 – paragraph 2
Article 4 – paragraph 2
Amendment 377 #
Proposal for a regulation
Article 8 – paragraph 3
Article 8 – paragraph 3
Amendment 377 #
Proposal for a regulation
Article 4 – paragraph 3 – point a a (new)
Article 4 – paragraph 3 – point a a (new)
(a a) (-a) 'electronic communications network' means a transmission system, whether or not based on a permanent infrastructure or centralised administration capacity, and, where applicable, switching or routing equipment and other resources, including network elements which are not active, which permit the conveyance of signals by wire, radio, optical or other electromagnetic means, including satellite networks, electricity cable systems, to the extent that they are used for the purpose of transmitting signals, networks used for radio and television broadcasting, and cable television networks, irrespective of the type of information conveyed; (-aa) 'electronic communications service' means a service provided via electronic communications networks, whether for remuneration or not, which encompasses one or more of the following:an 'internet access service' as defined in Article 2(2) or Regulation (EU) 2015/2120;an interpersonal communications service;a service consisting wholly or mainly in the conveyance of the signals, such as a transmission service used for the provision of a machine-to-machine service and for broadcasting, but excludes information conveyed as part of a broadcasting service to the public over an electronic communications network or service except to the extent that the information can be related to the identifiable subscriber or user receiving the information;it includes services enabling interpersonal and interactive communication merely as a minor ancillary feature that is intrinsically linked to another service;it also includes services which are not publicly available, but provide access to a publicly available electronic communications network; (-ab) 'interpersonal communications service' means a service, whether provided for remuneration or not, that enables direct interpersonal and interactive exchange of information between a finite number of persons whereby the persons initiating or participating in the communication determine the recipient(s); (-ac) 'number-based interpersonal communications service' means an interpersonal communications service which connects to the public switched telephone network, either by means of assigned numbering resources, i.e. number or numbers in national or international telephone numbering plans, or by enabling communication with a number or numbers in national or international telephone numbering plans; (-ad) 'number-independent interpersonal communications service' means an interpersonal communications service which does not connect with the public switched telephone network, either by means of assigned numbering resources, i.e. a number or numbers in national or international telephone numbering plans, or by enabling communication with a number or numbers in national or international telephone numbering plans; (-ae) 'subscriber' means a legal entity or a natural person using or requesting a publicly available electronic communications service; (-af) 'user' means any natural person using a publicly available electronic communications service, for private or business purposes, without necessarily having subscribed to this service; (this should be before point (a))
Amendment 378 #
Proposal for a regulation
Article 4 – paragraph 3 – point b
Article 4 – paragraph 3 – point b
(b) ‘'electronic communications content’' means the content transmitted, distributed or exchanged by means of electronic communications services, such as text, voice, videos, images, and sound, including electronic communications metadata of other electronic communications services or protocols that are transmitted by using the respective service;
Amendment 381 #
Proposal for a regulation
Article 4 – paragraph 3 – point c
Article 4 – paragraph 3 – point c
(c) ‘'electronic communications metadata’' means all data processed in an electronic communications network for the purposes of transmitting, distributing or exchanging electronic communications content; including data used to trace and identify the source and destination of a communication, electronic identifiers and any other data broadcasted or emitted by the terminal equipment, data on the location of the device generatterminal equipment processed in the context of providing electronic communications services, and the date, time, duration and the type of communication; where metadata of other electronic communications services or protocols are transmitted, distributed or exchanged by using the respective service, they shall be considered electronic communications content for the respective service;
Amendment 382 #
Proposal for a regulation
Article 8 – paragraph 4
Article 8 – paragraph 4
Amendment 384 #
Proposal for a regulation
Article 4 – paragraph 3 – point d
Article 4 – paragraph 3 – point d
(d) ‘publicly available directory’ means a directory of end-ussubscribers of electronic communications services, whether in printed or electronic form, which is published or made available to the public or to a section of the public, including by means of a directory enquiry service;
Amendment 386 #
Proposal for a regulation
Article 4 – paragraph 3 – point f
Article 4 – paragraph 3 – point f
(f) ‘'direct marketing communications’' means any form of advertising, whether in written or oral, sent, audio, video, oral or any other format, sent, broadcast, served or presented to one or more identified or identifiable end-ussubscribers of electronic communications services, including the use of automated calling and communication systems with or without human interaction, electronic mail, SMS, fax, etc.;
Amendment 388 #
Proposal for a regulation
Article 4 – paragraph 3 – point g
Article 4 – paragraph 3 – point g
(g) ‘'direct marketing voice-to-voice calls’' means live calls, which do not entail the use of automated calling systems and communication systems, including calls made using automated calling and communication systems which connect the called person to an individual;
Amendment 390 #
Proposal for a regulation
Article 4 – paragraph 3 – point h
Article 4 – paragraph 3 – point h
(h) ‘automated calling and communication systems’ means systems capable of automatically initiating calls to one or more recipients in accordance with instructions set for that system, and transmitting sounds which are not live speech, including calls made using automated calling and communication systems which connect the called person to an individual.
Amendment 393 #
Proposal for a regulation
Chapter 2 – title
Chapter 2 – title
PROTECTION OF ELECTRONIC COMMUNICATIONS OF NATURAL AND LEGAL PERSONS AND OF INFORMATION STORED INPROCESSED BY AND RELATED TO THEIR TERMINAL EQUIPMENT
Amendment 395 #
Proposal for a regulation
Article 9 – paragraph 2
Article 9 – paragraph 2
2. Without prejudice to paragraph 1, where technically possible and feasible, for the purposes of point (b) of Article 8(1), consent may be expressed by using the appropriate technical settings of a software application enabling access to the internetpecifications for electronic communications services or information society services which allow for specific consent for specific purposes. When such technical specifications are used by the user's terminal equipment or the software running on it, they shall be binding on, and enforceable against, any other party.
Amendment 396 #
Proposal for a regulation
Article 5 – title
Article 5 – title
Confidentiality of electronic communications data
Amendment 399 #
Proposal for a regulation
Article 9 – paragraph 3
Article 9 – paragraph 3
3. End-uUsers who have consented to the processing of electronic communications data as set out in point (c) of Article 6(2) and points (a) and (b) ofgiven their consent pursuant to Article 6 or Article 6(3)8 shall be given the possibility to withdraw their consent at any time as set forth under Article 7(3) of Regulation (EU) 2016/679 and be reminded of this possibility at periodic intervals of 6 months, as long as the processing continues.
Amendment 399 #
Proposal for a regulation
Article 5 – paragraph 1
Article 5 – paragraph 1
1. Electronic communications data shall be confidential. Any processing of electronic communications data, including any interference with electronic communications data, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing of electronic communications data, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation. This includes electronic communications data that is stored after the transmission has been completed.
Amendment 402 #
Proposal for a regulation
Article 9 – paragraph 3 a (new)
Article 9 – paragraph 3 a (new)
Amendment 409 #
Proposal for a regulation
Article 5 – paragraph 1 a (new)
Article 5 – paragraph 1 a (new)
2.Confidentiality of electronic communications shall also apply to data related to or processed by terminal equipment and to machine-to-machine communication.
Amendment 412 #
Proposal for a regulation
Article 10 – title
Article 10 – title
Amendment 413 #
Proposal for a regulation
Article 10 – paragraph 1
Article 10 – paragraph 1
1. SHardware and software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall offer the option to prevent third parties from storingthat enable access to and use of electronic communications services or access to and use of information society services shall be able to prevent other parties from the use of input, output, processing and storage capabilities of terminal equipment and the processing of information on thefrom users' terminal equipment, of an end-user or processing information already stored on that equipmentr making information available through the terminal equipment, including information about and processed by its software and hardware.
Amendment 415 #
Proposal for a regulation
Article 6 – paragraph 1 – introductory part
Article 6 – paragraph 1 – introductory part
1. PNotwithstanding Article 6 of Regulation (EU) 2016/679, providers of electronic communications networks and services may process electronic communications data if: only if: Or. en (See also the clarification in Recital 15.)
Amendment 419 #
Proposal for a regulation
Article 10 – paragraph 2
Article 10 – paragraph 2
2. Upon installation, the software shall inform the end-user about the privacy settings options and, to continue with the installation, requiBy default, such hardware or software shall have activated privacy settings that prevent other parties from exercising the activities referred to in paragraph 1. If the hardware or software allows for deviating settings, the user shall be informed about the privacy settings options during first use or installation and shall be offered the end-user to consent to a settingpossibility to change or confirm them.
Amendment 421 #
Proposal for a regulation
Article 6 – paragraph 1 – point a
Article 6 – paragraph 1 – point a
(a) it is technically strictly necessary to achieve the transmission of the communication, for the duration necessary for that purpose; or
Amendment 426 #
Proposal for a regulation
Article 10 – paragraph 2 a (new)
Article 10 – paragraph 2 a (new)
Amendment 426 #
Proposal for a regulation
Article 6 – paragraph 1 – point b
Article 6 – paragraph 1 – point b
(b) it is technically strictly necessary to maintain or restore the security ofavailability, integrity and confidentiality of the respective electronic communications networks and or services, or to detect technical faults and/or errors in the transmission of electronic communications, for the duration necessary for that purpose.; or
Amendment 430 #
Proposal for a regulation
Article 10 – paragraph 3
Article 10 – paragraph 3
3. In the case of software which has already been installed on 25 May 2018, the requirements under paragraphs 1, 2 and 2a shall be complied with at the time of the first update of the software, but no later than 25 August 2018.
Amendment 433 #
Proposal for a regulation
Article 11
Article 11
Amendment 437 #
Proposal for a regulation
Article 6 – paragraph 1 – point b a (new)
Article 6 – paragraph 1 – point b a (new)
(b a) the user concerned has given his or her consent to the processing of his or her electronic communications data, provided that it is technically strictly necessary for the provision of a service explicitly requested by a user for his or her purely individual usage, solely for the provision of the explicitly requested service and only for the duration necessary for that purpose and without the consent of all users, only where such processing produces effects solely in relation to the user who requested the service and does not adversely affect the fundamental rights of other users.
Amendment 440 #
Proposal for a regulation
Article 11 a (new)
Article 11 a (new)
Article 11 a Restrictions on the rights of the user or end-user 1. Union or Member State law to which the provider is subject may restrict by way of a legislative measure the scope of the obligations and principles relating to processing of electronic communications data provided for in Articles 6, 7 and 8 of this Regulation in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22 of Regulation (EU) 2016/679, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the following general public interests: (a) national security; (b) defence; (c) the prevention, investigation, detection or prosecution of serious criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. 2. In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, pursuant to Article 23(2) of Regulation (EU) 2016/679.
Amendment 441 #
Proposal for a regulation
Article 11 b (new)
Article 11 b (new)
Article 11 b Restrictions on the confidentiality of communications 1. Union or Member State law to which the provider is subject may restrict by way of a legislative measure the scope of the rights provided for in Article 5 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the following general public interests: (a) national security; (b) defence; (c) the prevention, investigation, detection or prosecution of serious criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. 2. In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, pursuant to Article 23(2) of Regulation (EU) 2016/679. 3. No legislative measure referred to in paragraph 1 may allow for the weakening of the integrity and confidentiality of electronic communications by mandating a manufacturer of hardware or software, including terminal equipment or software providing for the use of electronic communications, or a provider of electronic communications services, to create and build in backdoors that weaken the cryptographic methods used or the security and integrity of the terminal equipment.
Amendment 443 #
Proposal for a regulation
Article 13 – paragraph 1
Article 13 – paragraph 1
1. Regardless of whether the calling user or end-user has prevented the presentation of the calling line identification, where a call is made to emergency services, providers of publicly available number-based interpersonal communications services shall override the elimination of the presentation of the calling line identification and the denial or absence of consent of an end- user for the processing of metadata, on a per-line basis for organisations dealing with emergency communications, including public safety answering points, for the purpose of responding to such communications.
Amendment 444 #
Proposal for a regulation
Article 13 – paragraph 2
Article 13 – paragraph 2
2. Member States shall establish more specific provisionsThe Commission shall be empowered to adopt implementing measures in accordance with Article 26(1 ) with regard to the establishment of procedures and the circumstances where providers of publicly available number- based interpersonal communication services shall override the elimination of the presentation of the calling line identification on a temporary basis, where users or end-users request the tracing of malicious or nuisance calls.
Amendment 445 #
Proposal for a regulation
Article 14 – paragraph 1 – point a
Article 14 – paragraph 1 – point a
(a) to block incoming calls from specific numbers, or numbers having a specific code or prefix identifying the fact that the call is a marketing call referred to in Article 16(3)(b), or from anonymous sources;
Amendment 445 #
Proposal for a regulation
Article 6 – paragraph 1 a (new)
Article 6 – paragraph 1 a (new)
1 a. Before processing electronic communications data, the provider shall carry out a data protection impact assessment pursuant to Article 35 of Regulation (EU) 2016/679, and if necessary a prior consultation with the supervisory authority pursuant to Article 36 of Regulation (EU) 2016/679.
Amendment 450 #
Proposal for a regulation
Article 15 – paragraph 1
Article 15 – paragraph 1
1. The providers of publicly available directories or the electronic communication service providers shall obtain the consent of end- users who are natural persons to include their personal data in the directory and, consequently, shall obtain consent from these end-users for inclusion of data per category of personal data, to the extent that such data are relevantnecessary for the purpose of the directory as determined by the provider of the directory. Providers shall give end-users who are natural persons the means to verify, correct and delete such data.
Amendment 451 #
Proposal for a regulation
Article 6 – paragraph 2 – introductory part
Article 6 – paragraph 2 – introductory part
2. Providers of electronic communications services may process electronic communications metadata only if:
Amendment 455 #
Proposal for a regulation
Article 6 – paragraph 2 – point a
Article 6 – paragraph 2 – point a
(a) it is technically strictly necessary to meet mandatory quality of service requirements pursuant to [Directive establishing the European Electronic Communications Code] or Regulation (EU) 2015/212028 for the duration necessary for that purpose; or _________________ 28 Regulation (EU) 2015/2120 of the European Parliament and of the Council of 25 November 2015 laying down measures concerning open internet access and amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services and Regulation (EU) No 531/2012 on roaming on public mobile communications networks within the Union (OJ L 310, 26.11.2015, p. 1–18).
Amendment 461 #
Proposal for a regulation
Article 6 – paragraph 2 – point b
Article 6 – paragraph 2 – point b
(b) it is strictly necessary for billing, calculating interconnection payments, detecting or stopping fraudulent, or abusive use of, or subscription to, electronic communications services; or
Amendment 466 #
Proposal for a regulation
Article 6 – paragraph 2 – point c
Article 6 – paragraph 2 – point c
(c) the end-user or users concerned hasve given his or hertheir specific consent to the processing of his or their communications metadata by the respective electronic communications service for one or more specified purposes, including for the provision of specific services to such end-users, provided that the purpose or purposes concerned could not be fulfilled by processing informationdata that is made anonymous, and the consent has not been a condition to access or use a service.
Amendment 467 #
Proposal for a regulation
Article 16 – paragraph 1
Article 16 – paragraph 1
1. Natural or legal persons may use electronic communications services for the purposes of sendingpresenting or sending unsolicited or direct marketing communications to end-users who are natural persons thatand have given their explicit consent.
Amendment 469 #
Proposal for a regulation
Article 16 – paragraph 2
Article 16 – paragraph 2
2. Where a natural or legal person obtains electronic contact details for electronic -mail from its customer, in the context of the sale of a product or a service, in accordance with Regulation (EU) 2016/679, that natural or legal person may use these electronic contact details for direct marketing of its own similar products or services only if customers are clearly and distinctly given the opportunity to object, free of charge and in an easy manner, to such use. The customer shall be informed about the right to object and shall be given an easy way to exercise it at the time of collection and each time a message is sent.
Amendment 476 #
Proposal for a regulation
Article 16 – paragraph 3 – point a
Article 16 – paragraph 3 – point a
(a) present the identity of a line on which they can be contacted; orand
Amendment 480 #
Proposal for a regulation
Article 16 – paragraph 3 a (new)
Article 16 – paragraph 3 a (new)
3 a. Unsolicited marketing communications shall be clearly recognisable as such and shall indicate the identity of the legal or natural person transmitting the communication or on behalf of whom the communication is transmitted. Such communications shall provide the necessary information for recipients to exercise their right to refuse further written or oral marketing messages.
Amendment 482 #
Proposal for a regulation
Article 16 – paragraph 4
Article 16 – paragraph 4
Amendment 483 #
Proposal for a regulation
Article 6 – paragraph 3 – introductory part
Article 6 – paragraph 3 – introductory part
3. Providers of the electronic communications services may process electronic communications content only if:
Amendment 484 #
Proposal for a regulation
Article 16 – paragraph 5
Article 16 – paragraph 5
5. Member States shall ensure , in the framework of Union law and applicable national law, that the legitimate interest of end-users that are legal persons with regard to unsolicited communications sent to them by means set forth under paragraph 1 are sufficiently protected. Member States shall specifically provide that the placing of direct marketing voice-to-voice calls to end-users who are legal persons shall only be allowed in respect of end-users who have not expressed their objection or have consented to receiving those communications. Member States shall provide that end-users can object to receiving the unsolicited communications via a national Do Not Call Register, thereby also ensuring that the user is only required to opt out once.
Amendment 485 #
Proposal for a regulation
Article 16 – paragraph 6
Article 16 – paragraph 6
6. Any natural or legal person using electronic communications services to transmit direct marketing communications shall inform end-users of the marketing nature of the communication and the identity of the legal or natural person on behalf of whom the communication is transmitted and shall provide the necessary information for recipients to exercise their right to withdraw their consent, in an easy manner or to object, in a manner that is as easy as giving the consent and free of charge, to receiving further marketing communications.
Amendment 486 #
Proposal for a regulation
Article 6 – paragraph 3 – point a
Article 6 – paragraph 3 – point a
(a) for the sole purpose of the provision of a specific service to an end- user, if the end-user or end-users concerned have given their consent to the processing of his or her electronic communications content andthe user concerned has given his or her consent to the processing of his or her electronic communications content for the sole purpose of the provision of a specific service explicitly requested by the user, for the duration necessary for that purpose, , provided that the provision of that specific service cannot be fulfilled without the processing of such content by the provider, and the consent has not been a condition to access or use a service; or
Amendment 489 #
Proposal for a regulation
Article 17 – title
Article 17 – title
Integrity of the communications and information about detected security risks
Amendment 490 #
Proposal for a regulation
Article 17 – paragraph 1
Article 17 – paragraph 1
Amendment 492 #
Proposal for a regulation
Article 17 – paragraph 1 a (new)
Article 17 – paragraph 1 a (new)
Providers of electronic communications services and manufacturers of terminal equipment shall not use any means, no matter if technical, operational, or by terms of use or by contracts, that could prevent users and end-users from applying the best available techniques against intrusions and interceptions and to secure their networks, terminal equipment and electronic communications. Breaking, decrypting, restricting or circumventing such measure taken by users or end-users shall be prohibited.
Amendment 492 #
Proposal for a regulation
Article 6 – paragraph 3 – point b
Article 6 – paragraph 3 – point b
(b) if all end-users concerned have given their consent to the processing of their electronic communications content for one or more specified purposes that cannot be fulfilled by processing information that is made anonymous, and the provider has consulted the supervisory authority. Points (2) and (3) of Article 36 of Regulation (EU) 2016/679 shall apply to the consultation of the supervisory authority.
Amendment 493 #
Proposal for a regulation
Article 17 – paragraph 1 b (new)
Article 17 – paragraph 1 b (new)
In the case of a particular risk that may compromise the security of networks, electronic communications services, or terminal equipment, the relevant provider or manufacturer shall inform end-users of such a risk and, where the risk lies outside the scope of the measures to be taken by the service provider, inform end- users of any possible remedies. It shall also inform the relevant manufacturer and service provider.
Amendment 494 #
Proposal for a regulation
Article 17 – paragraph 1 c (new)
Article 17 – paragraph 1 c (new)
As regards the security of networks and services and related security obligations, the obligations of Article 40 of the [European Electronic Communications Code] shall apply mutatis mutandis to all services in the scope of this Regulation.
Amendment 495 #
Proposal for a regulation
Article 17 – paragraph 1 d (new)
Article 17 – paragraph 1 d (new)
This Article shall be without prejudice to the security obligations provided for in Articles 32 to 34 of Regulation (EU) 2016/679.
Amendment 498 #
Proposal for a regulation
Article 18 – paragraph 1
Article 18 – paragraph 1
1. The independent supervisory authority or authorities responsible for monitoring the application of Regulation (EU) 2016/679 shall also be responsible for monitoring the application of this Regulation. Chapter VI and VII of Regulation (EU) 2016/679 shall apply mutatis mutandis. The tasks and powers of the supervisory authorities shall be exercised with regard to users and end- users.
Amendment 499 #
Proposal for a regulation
Article 7 – paragraph 1
Article 7 – paragraph 1
1. Without prejudice to point (b) of Article 6(1) and points (a) and (b) of Article 6(3), the provider of the electronic communications service shall erase electronic communications content or make that data anonymous after receipt of electronic communication contenafter receipt by the intended recipient or recipients. Such data may be recorded or stored by the end-users or by a third partparty, which could be the provider of the electronic communication service, specifically entrusted by them subscriber to record, store or otherwise process such data,. The subscriber may further process the data in accordance with Regulation (EU) 2016/679, if applicable.
Amendment 500 #
Proposal for a regulation
Article 18 – paragraph 2
Article 18 – paragraph 2
2. The supervisory authority or authorities referred to in paragraph 1 shall cooperate whenever appropriate with national regulatory authorities established pursuant to the [Directive Establishing the European Electronic Communications Code], and vice versa.
Amendment 501 #
Proposal for a regulation
Article 19 – paragraph 1 – point b a (new)
Article 19 – paragraph 1 – point b a (new)
(b a) draw up guidelines for supervisory authorities concerning the application of Article 9(1) and the particularities of expression of consent by legal entities;
Amendment 502 #
Proposal for a regulation
Article 19 – paragraph 1 – point b b (new)
Article 19 – paragraph 1 – point b b (new)
(b b) issue guidelines, recommendations and best practices in accordance with point (b) of this paragraph for the purpose of further specifying the criteria and requirements for types of services that may be requested for purely individual or work-related usage as referred to in Article 6(3a);
Amendment 503 #
Proposal for a regulation
Article 19 – paragraph 1 – point b c (new)
Article 19 – paragraph 1 – point b c (new)
(b c) issue guidelines, recommendations and best practices in accordance with point (b) of this paragraph for the purpose of further specifying the criteria and requirements for: (i) security updates referred to in Article 8(1)(e); (ii) the interference in the context of employment relationships referred to in Article 8(1)(f); (iv) the collection processing of information emitted by the terminal equipment referred to in Article 8(2)(c); (v) technical specifications and signalling methods that fulfil the conditions for consent and objection pursuant to Article 8(2a). (vi) software settings referred to in Article 10(1) and (2); and (vii) technical measures according to ensure confidentiality and integrity of the communication pursuant to Article 17(1).
Amendment 505 #
Proposal for a regulation
Article 21 – paragraph 1
Article 21 – paragraph 1
1. Without prejudice to any other administrative or judicial remedy, every user and end-user of electronic communications services and, where applicable, every body, organisation or association, shall have the same remedies provided for in Articles 77, 78, 79, and 7980 of Regulation (EU) 2016/679.
Amendment 506 #
Proposal for a regulation
Article 7 – paragraph 2
Article 7 – paragraph 2
2. Without prejudice to point (b) and (c) of Article 6(1) and points (a) and (c) of Article 6(2), the provider of the electronic communications service shall erase electronic communications metadata or make that data anonymous when it is no longer needed for the purpose of the transmission of a communication.
Amendment 508 #
Proposal for a regulation
Article 7 – paragraph 3
Article 7 – paragraph 3
3. Where the processing of electronic communications metadata takes place for the purpose of billing in accordance with point (b) of Article 6(2), the relevant metadata may be keptonly the metadata that is strictly necessary for this purpose may be kept at the request of the subscriber until the end of the period during which a bill may lawfully be challenged or a payment may be pursued in accordance with national law.
Amendment 512 #
Proposal for a regulation
Article 23 – paragraph 2 – point a
Article 23 – paragraph 2 – point a
(a) the obligations of any legal or natural person who process electronic communications datathe providers of publicly available directories pursuant to Article 815;
Amendment 513 #
Proposal for a regulation
Article 23 – paragraph 2 – point b
Article 23 – paragraph 2 – point b
(b) the obligations of the provider of software enablingany legal or natural person who uses electronic communications, services pursuant to Article 106;
Amendment 513 #
Proposal for a regulation
Article 8 – title
Article 8 – title
Protection of information stored in and, related to eand- processed by users’' terminal equipment
Amendment 514 #
Proposal for a regulation
Article 23 – paragraph 2 – point c
Article 23 – paragraph 2 – point c
(c) the obligations of the providers of publicly available directorinumber-based interpersonal communication services pursuant to Articles 152, 13 and 14;
Amendment 515 #
Proposal for a regulation
Article 23 – paragraph 2 – point d
Article 23 – paragraph 2 – point d
(d) the obligations of any legal or natural person who usesthe provider of an electronic communications services pursuant to Article 167.
Amendment 515 #
Proposal for a regulation
Article 8 – paragraph 1 – introductory part
Article 8 – paragraph 1 – introductory part
1. The use of input, output, processing and storage capabilities of terminal equipment and the collectionprocessing of information from end-users’ terminal equipment, including about' terminal equipment, or making information available through the terminal equipment, including information about and processed by its software and hardware, other than by the end-user concerned shall be prohibited, except on the following grounds:
Amendment 516 #
Proposal for a regulation
Article 23 – paragraph 3
Article 23 – paragraph 3
3. Infringements of the principle of confidentiality of communications, permitted processing of electronic communications data, time limits for erasure pursuant to Articles 5, 6, and 7following provisions of this Regulation shall, in accordance with paragraph 1 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.higher: - the principle of confidentiality of communications pursuant to Article 5; - the permitted processing of electronic communications data, pursuant to Article 6, - the time limits for erasure and the confidentiality obligations pursuant to Article 7; - the obligations of any legal or natural person who process electronic communications data pursuant to Article 8; - the requirements for consent pursuant to Article 9; - the obligations of the provider of software enabling electronic communications, pursuant to Article 10;
Amendment 518 #
Proposal for a regulation
Article 23 – paragraph 4
Article 23 – paragraph 4
Amendment 521 #
Proposal for a regulation
Article 8 – paragraph 1 – point a
Article 8 – paragraph 1 – point a
(a) it is strictly technically necessary for the sole purpose of carrying out the transmission of an electronic communication over an electronic communications networkservice; or
Amendment 523 #
Proposal for a regulation
Article 8 – paragraph 1 – point b
Article 8 – paragraph 1 – point b
(b) the end-user has given his or her consent for a specific purpose, and the consent has not been a condition to access or use a service or use a terminal equipment, for the duration strictly technically necessary for that purpose; or
Amendment 524 #
Proposal for a regulation
Article 25 – paragraph 6
Article 25 – paragraph 6
6. A delegated act adopted pursuant to Article 8(4) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of twohree months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by twohree months at the initiative of the European Parliament or of the Council.
Amendment 525 #
1. The Commission shall be assisted by the Communications Committee established under Article 11093 of the [Directive establishing the European Electronic Communications Code]Regulation (EU) 2016/679. That committee shall be a committee within the meaning of Regulation (EU) No 182/201129 . _________________ 29 Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13–18).
Amendment 526 #
Proposal for a regulation
Article 27 – paragraph 1
Article 27 – paragraph 1
1. Directive 2002/58/EC isand Commission Regulation 611/2013 are repealed with effect from 25 May 2018.
Amendment 535 #
Proposal for a regulation
Article 8 – paragraph 1 – point c
Article 8 – paragraph 1 – point c
(c) it is strictly technically necessary for providing an information society service specifically requested by the end-ususer, for the duration necessary for that provision of the service, provided that the provision of that specific service cannot be fulfilled without the processing of such information by the provider; or
Amendment 539 #
Proposal for a regulation
Article 8 – paragraph 1 – point d
Article 8 – paragraph 1 – point d
Amendment 553 #
Proposal for a regulation
Article 8 – paragraph 1 – point d a (new)
Article 8 – paragraph 1 – point d a (new)
(d a) it is strictly technically necessary for a security update, provided that: (i) such updates are discreetly packaged and do not in any way change the functionality of the hardware or software or the privacy settings chosen by the user; (ii) the user is informed in advance each time such an update is being installed;and (iii) the user has the possibility to postpone or turn off the automatic installation of such updates;
Amendment 562 #
Proposal for a regulation
Article 8 – paragraph 1 – point d b (new)
Article 8 – paragraph 1 – point d b (new)
(d b) in the context of employment relationships, it is strictly technically necessary for the execution of an employee's task, where: (i) the employer provides and/or is the subscriber of the terminal equipment; (ii) the employee is the user of the terminal equipment;and (iii) it is not further used for monitoring the employee.
Amendment 583 #
Proposal for a regulation
Article 8 – paragraph 2
Article 8 – paragraph 2
Amendment 597 #
Proposal for a regulation
Article 8 – paragraph 3
Article 8 – paragraph 3
Amendment 605 #
Proposal for a regulation
Article 8 – paragraph 4
Article 8 – paragraph 4
Amendment 610 #
Proposal for a regulation
Article 9 – paragraph 1
Article 9 – paragraph 1
1. The definition of and conditions for consent provided for under Articles 4(11) and 7 of Regulation (EU) 2016/679/EUin Regulation (EU) 2016/679/EU, including, inter alia, in its Articles 4(11), 7 and 8, shall apply.
Amendment 620 #
Proposal for a regulation
Article 9 – paragraph 2
Article 9 – paragraph 2
2. Without prejudice to paragraph 1, where technically possible and feasible, for the purposes of point (b) of Article 8(1), consent may be expressed and withdrawn by using the appropriate technical settings of a software application enabling access to thpecifications for electronic communications services or information society services which allow for specific consent for specific purposes and with regard to specific service providers actively selected by the user in each case, pursuant to paragraph 1. When such technical specifications are used by the user's terminal equipment or the software running on it, they may signal the user's preferences based on previous active selections by him or her. These signals shall be binternetding on, and enforceable against, any other party.
Amendment 632 #
Proposal for a regulation
Article 9 – paragraph 3
Article 9 – paragraph 3
3. End-users who have consented to the processing of electronic communications data as set out in point (c) of Article 6(2) and points (a) and (b) ofWithout prejudice to paragraph 2, users who have given their consent pursuant to Article 6 or Article 6(3)8 shall be gihaven the possibilityright to withdraw their consent at any time as set forth under Article 7(3) of Regulation (EU) 2016/679 and shall be reminded of this possibility by the providers at periodic intervals of 6 months, as long as the processing continues.
Amendment 633 #
Proposal for a regulation
Article 9 – paragraph 3 a (new)
Article 9 – paragraph 3 a (new)
3 a. Without prejudice to Article 7(4) of Regulation (EU) 2016/679, a user shall not be denied access to any electronic communications service, information society service or functionality of a terminal equipment, regardless of whether this is remunerated or not, on the mere grounds that he or she has not given his or her consent to (a) the processing of electronic communications data, metadata or content pursuant to Article 6;or (b) the use of input, output, processing and storage capabilities of terminal equipment and the processing of information related to or processed by the users' terminal equipment, or making information available through the terminal equipment, including information about and processed by its software and hardware, pursuant to Article 8(1) that is technically not strictly necessary for the provision of that service or functionality.
Amendment 634 #
Proposal for a regulation
Article 9 – paragraph 3 b (new)
Article 9 – paragraph 3 b (new)
3 b. Any processing based on consent must not adversely affect the rights and freedoms of individuals whose personal data are related to or transmitted by the communication, in particular their rights to privacy and the protection of personal data.
Amendment 638 #
Proposal for a regulation
Article 10 – title
Article 10 – title
Amendment 639 #
Proposal for a regulation
Article 10 – paragraph 1
Article 10 – paragraph 1
1. SHardware and software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall offer the optionthat enable the access to and use of electronic communications services or the access to and use of information society services shall be able to prevent othirder parties from ustoring information on the terminal equipment of an end-user or processing information already stored on that equipmentput, output, processing and storage capabilities of terminal equipment and the processing of information related to or processed by a users' terminal equipment, or making information available through the terminal equipment, including information about and processed by its software and hardware.
Amendment 655 #
Proposal for a regulation
Article 10 – paragraph 2
Article 10 – paragraph 2
2. Upon installation, the software shall inform the end-user about the privacy settings options and, to continue with the installation, requiBy default, such hardware or software shall have activated privacy settings that prevent other parties from exercising the activities referred to in paragraph 1. If the hardware or software allows for deviating settings, the user shall be informed about the privacy settings options during first use or installation and shall be offered the end-user to consent to a settingpossibility to change or confirm them.
Amendment 659 #
Proposal for a regulation
Article 10 – paragraph 2 a (new)
Article 10 – paragraph 2 a (new)
2 a. For the purposes of (a) giving or withdrawing consent pursuant to Article 9(2) of this Regulation, and (b) objecting to the processing of personal data pursuant to Article 21(5) of Regulation (EU) 2017/679, the settings shall lead to a signal based on technical specifications which is sent to the other parties to inform them about the user's intentions with regard to consent or objection.This signal shall be legally valid and be binding on, and enforceable against, any other party. The European Data Protection Board shall issue guidelines to determine which technical specifications and signalling methods fulfil the conditions for consent and objection pursuant to points (a) and (b).
Amendment 665 #
Proposal for a regulation
Article 10 – paragraph 3
Article 10 – paragraph 3
3. In the case of software which has already been installed on 25 May 2018, the requirements under paragraphs 1, 2 and 2a shall be complied with at the time of the first update of the software, but no later than 25 August 2018.
Amendment 670 #
Proposal for a regulation
Article 11
Article 11
Amendment 678 #
Proposal for a regulation
Article 11 a (new)
Article 11 a (new)
Article 11 a Restrictions on the rights of the user or subscriber 1.Union or Member State law to which the provider is subject may temporarily restrict by way of a legislative measure the scope of the obligations and principles relating to processing of electronic communications data provided for in Articles 6, 7 and 8 of this Regulation in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22 of Regulation (EU) 2016/679, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the following general public interests: (a) national security; (c) defence; (d) the prevention, investigation, detection or prosecution of serious criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. 2.In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, pursuant to Article 23(2) of Regulation (EU) 2016/679.
Amendment 681 #
Proposal for a regulation
Article 11 b (new)
Article 11 b (new)
Article 11 b Restrictions of the confidentiality of communications 1.Union or Member State law to which the provider is subject may temporarily restrict by way of a legislative measure the scope of the rights provided for in Article 5 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the following general public interests: (a) national security; (b) defence; (c) the prevention, investigation, detection or prosecution of serious criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. 2.In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, pursuant to Article 23(2) of Regulation (EU) 2016/679.It shall also require prior judicial authorisation for any access to content or metadata. 3.No legislative measure referred to in paragraph 1 may allow for the weakening of the integrity and confidentiality of electronic communications by mandating a manufacturer of hardware or software, including terminal equipment or software providing for the use of electronic communications, or a provider of electronic communications services, to create and build in backdoors that weaken the cryptographic methods used or the security and integrity of the terminal equipment.
Amendment 683 #
Proposal for a regulation
Article 11 c (new)
Article 11 c (new)
Article 11 c Documentation and reporting of restrictions 1.Providers of electronic communications services shall keep documentation about requests made by competent authorities to access communications content or metadata pursuant to Article 11b(2).This documentation shall include for each request: (a) the in-house staff member who handled the request; (b) the identity of the body making the request; (c) the purpose for which the information was sought; (d) the date and time of the request; (e) the legal basis and authority for the request, including the identity and status or function of the official submitting the request; (f) the judicial authorisation of the request; (g) the number of subscribers to whose data the request related; (h) the data provided to the requesting authority;and (i) the period covered by the data. The documentation shall be made available to the competent supervisory authority upon request. 2.Member States' competent authorities shall publish once per year a report with statistical information per month about data access requests pursuant to Article 11b(2), including requests that were not authorised by a judge, including, but not limited to, the following points: (a) the number of requests; (b) the categories of purposes for the request; (b) the categories of data requested; (c) the legal basis and authority for the request; (d) the number of subscribers to whose data the request related; (e) the period covered by the data; The reports shall also contain statistical information per month about any other restrictions pursuant to Articles 11a and 11b.
Amendment 686 #
Proposal for a regulation
Article 12 – paragraph 1 – point a
Article 12 – paragraph 1 – point a
(a) the calling end-ususer or subscriber with the possibility of preventing the presentation of the calling line identification on a per call, per connection or permanent basis;
Amendment 687 #
Proposal for a regulation
Article 12 – paragraph 1 – point b
Article 12 – paragraph 1 – point b
(b) the called end-ususer or subscriber with the possibility of preventing the presentation of the calling line identification of incoming calls;
Amendment 688 #
Proposal for a regulation
Article 12 – paragraph 1 – point c
Article 12 – paragraph 1 – point c
(c) the called end-ususer or subscriber with the possibility of rejecting incoming calls where the presentation of the calling line identification has been prevented by the calling end-ususer or subscriber;
Amendment 689 #
Proposal for a regulation
Article 12 – paragraph 1 – point d
Article 12 – paragraph 1 – point d
(d) the called end-ususer or subscriber with the possibility of preventing the presentation of the connected line identification to the calling end-ususer or subscriber.
Amendment 690 #
Proposal for a regulation
Article 12 – paragraph 2
Article 12 – paragraph 2
Amendment 692 #
Proposal for a regulation
Article 13 – paragraph 1
Article 13 – paragraph 1
1. Regardless of whether the calling end-ususer or subscriber has prevented the presentation of the calling line identification, where a call is made to emergency services, providers of publicly available number-based interpersonal communications services shall override the elimination of the presentation of the calling line identification and the denial or absence of consent of an end- user for the processing of metadata, on a per-line basis for organisations dealing with emergency communications, including public safety answering points, for the purpose of responding to such communications.
Amendment 693 #
Proposal for a regulation
Article 13 – paragraph 2
Article 13 – paragraph 2
2. Member States shall establish more specific provisionsThe Commission shall be empowered to adopt implementing measures in accordance with Article 26(1) with regard to the establishment of procedures and the circumstances where providers of publicly available number- based interpersonal communication services shall override the elimination of the presentation of the calling line identification on a temporary basis, where end-ususers or subscribers request the tracing of malicious or nuisance calls.
Amendment 694 #
Proposal for a regulation
Article 14 – paragraph 1 – introductory part
Article 14 – paragraph 1 – introductory part
Providers of publicly available number- based interpersonal communications services shall deploy state of the art measures to limit the reception of unwanted calls by end-users and shall also provide the called end-user with the following possibilities, free of charge:
Amendment 695 #
Proposal for a regulation
Article 14 – paragraph 1 – point a
Article 14 – paragraph 1 – point a
(a) to block incoming calls from specific numbers, or numbers having a specific code or prefix identifying the fact that the call is a marketing call referred to in Article 16(3)(b), or from anonymous sources;
Amendment 696 #
Proposal for a regulation
Article 14 – paragraph 1 – point b
Article 14 – paragraph 1 – point b
(b) to stop automatic call forwarding by a third party to the end-ussubscriber's terminal equipment.
Amendment 699 #
Proposal for a regulation
Article 15 – paragraph 1
Article 15 – paragraph 1
1. The providers of publicly available directories or the electronic communication service providers shall obtain the consent of end- ussubscribers who are natural persons to include their personal data in the directory and, consequently, shall obtain consent from these end-ussubscribers for inclusion of data per category of personal data, to the extent that such data are relevantnecessary for the purpose of the directory as determined by the provider of the directory. P. Without prejudice to Articles 12 to 22 of Regulation (EU) 2016/679, providers shall give end-ussubscribers who are natural persons the means to verify, correct and delete such data.
Amendment 712 #
Proposal for a regulation
Article 15 – paragraph 2
Article 15 – paragraph 2
2. The providers of a publicly available directory shall inform end-ussubscribers who are natural persons whose personal data are in the directory of the available search functions of the directory and obtain end-ussubscribers’' consent before enabling such search functions related to their own data.
Amendment 721 #
Proposal for a regulation
Article 15 – paragraph 3
Article 15 – paragraph 3
3. The providers of publicly available directories shall provide end-ussubscribers that are legal persons with the possibility to object to data related to them being included in the directory. Providers shall give such end-ussubscribers that are legal persons the means to verify, correct and delete such data.
Amendment 723 #
Proposal for a regulation
Article 15 – paragraph 4
Article 15 – paragraph 4
4. TWithout prejudice to Article 12(5) of Regulation (EU) 2016/679, the information to the subscribers and the possibility for end-ussubscribers not to be included in a publicly available directory, or to verify, correct and delete any data related to them shall be provided free of charge.
Amendment 736 #
Proposal for a regulation
Article 16 – paragraph 1
Article 16 – paragraph 1
1. Natural or legal persons may use electronic communications services for the purposes of sendingpresenting or sending unsolicited or direct marketing communications to end-ussubscribers who are natural persons thatonly if these have given their explicit consent.
Amendment 738 #
Proposal for a regulation
Article 16 – paragraph 2
Article 16 – paragraph 2
2. Where a natural or legal person obtains electronic contact details for electronic mail from its customer, in the context of the sale of a product or a service, in accordance with Regulation (EU) 2016/679, that natural or legal person may use these electronic contact details for direct marketing of its own similar products or services only if customers are clearly and distinctly given the opportunity to object, free of charge and in an easy manner, to such use. The customer shall be informed about the right to object and shall be given an easy way to exercise it at the time of collection and each time a message is sent.
Amendment 747 #
Proposal for a regulation
Article 16 – paragraph 3 – point a
Article 16 – paragraph 3 – point a
(a) present the identity of a line on which they can be contacted; orand
Amendment 753 #
Proposal for a regulation
Article 16 – paragraph 4
Article 16 – paragraph 4
Amendment 758 #
Proposal for a regulation
Article 16 – paragraph 5
Article 16 – paragraph 5
5. Member States shall ensure, in the framework of Union law and applicable national law, that the legitimate interest of end-ussubscribers that are legal persons with regard to unsolicited communications sent to them by means set forth under paragraph 1 are sufficiently protected. Member States shall specifically provide that the placing of direct marketing voice-to-voice calls to subscribers who are legal persons shall only be allowed in respect of subscribers who have not expressed their objection or have consented to receiving those communications. Member States shall provide that subscribers can object to receiving the unsolicited communications via a national Do Not Call Register, thereby also ensuring that the user is only required to opt out once.
Amendment 760 #
Proposal for a regulation
Article 16 – paragraph 6
Article 16 – paragraph 6
6. Any natural or legal person using electronic communications services to transmit direct marketing communications shall inform end-usclearly and visibly inform subscribers of the marketing nature of the communication and the identity of the legal or natural person transmitting the communication and on behalf of whom the communication is transmitted and shall provide the necessary information and means for recipients to exercise their right to withdraw their consent or to object, in an easy manner, to receiving further marketing communications.
Amendment 764 #
Proposal for a regulation
Article 16 – paragraph 7
Article 16 – paragraph 7
7. The Commission shall be empowered to adopt implementing measures in accordance with Article 26(2) specifying the code/ or prefix to identify marketing calls, pursuant to point (b) of paragraph 3.
Amendment 767 #
Proposal for a regulation
Article 17 – title
Article 17 – title
Integrity of the communications and information about detected security risks
Amendment 770 #
Proposal for a regulation
Article 17 – paragraph 1
Article 17 – paragraph 1
Amendment 776 #
Proposal for a regulation
Article 17 – paragraph 1 a (new)
Article 17 – paragraph 1 a (new)
Providers of electronic communications services shall ensure that there is sufficient protection in place against unauthorised access or alterations to the electronic communications data, and that the confidentiality and integrity of the communication in transmission or stored are also guaranteed by technical measures according to the state of the art, including end-to-end encryption of the electronic communications data. When encryption of electronic communications data is used, decryption by anybody else than the user shall be prohibited. Member States shall not impose any obligations on electronic communications service providers or on hardware or software manufacturers that would result in the weakening of the confidentiality and integrity of their networks and services of the terminal equipment, including the encryption methods used.
Amendment 778 #
Proposal for a regulation
Article 17 – paragraph 1 b (new)
Article 17 – paragraph 1 b (new)
Providers of electronic communications services, providers of information society services, and manufacturers of hardware and software permitting the retrieval and presentation of information on the internet shall not use any means, no matter if technical, operational, or by terms of use or by contracts, that could prevent users and subscribers from applying the best available techniques against intrusions and interceptions and to secure their networks, terminal equipment and electronic communications. Breaking, decrypting, restricting or circumventing such measure taken by users or subscribers shall be prohibited.
Amendment 780 #
Proposal for a regulation
Article 17 – paragraph 1 c (new)
Article 17 – paragraph 1 c (new)
In the case of a particular risk that may compromise the security of networks, electronic communications services, information society services, hardware or software, the relevant provider or manufacturer shall inform all subscribers of such a risk and, where the risk lies outside the scope of the measures to be taken by the service provider, inform subscribers of any possible remedies. It shall also inform the relevant manufacturer and service provider.
Amendment 781 #
Proposal for a regulation
Article 17 – paragraph 1 d (new)
Article 17 – paragraph 1 d (new)
As regards the security of networks and services and related security obligations, the obligations of Article 40 of the [European Electronic Communications Code] shall apply mutatis mutandis to all services in the scope of this Regulation.
Amendment 782 #
Proposal for a regulation
Article 17 – paragraph 1 e (new)
Article 17 – paragraph 1 e (new)
This Article shall be without prejudice to the obligations provided for in Articles 32 to 34 of Regulation (EU) 2016/679 and the obligations provided for in Directive (EU) 2016/1148.
Amendment 783 #
Proposal for a regulation
Article 18 – paragraph 1
Article 18 – paragraph 1
1. The independent supervisory authority or authorities responsible for monitoring the application of Regulation (EU) 2016/679 shall also be responsible for monitoring the application of this Regulation. Chapter VI and VII of Regulation (EU) 2016/679 shall apply mutatis mutandis. The tasks and powers of the supervisory authorities shall be exercised with regard to end-usersWhere Regulation (EU) 2016/679 refers to data subjects, the tasks and powers of the supervisory authorities shall be exercised with regard to users and subscribers under this Regulation. Where Regulation (EU) 2016/679 refers to data controllers, the tasks and powers of the supervisory authorities shall be exercised with regard to providers of electronic communications services and information society services, and manufacturers of hardware and software under this Regulation.
Amendment 786 #
Proposal for a regulation
Article 18 – paragraph 2
Article 18 – paragraph 2
2. The supervisory authority or authorities referred to in paragraph 1 shall cooperate whenever appropriate with national regulatory authorities established pursuant to the [Directive Establishing the European Electronic Communications Code], and vice versa.
Amendment 788 #
Proposal for a regulation
Article 19 – paragraph 1 – point b a (new)
Article 19 – paragraph 1 – point b a (new)
(b a) draw up guidelines for supervisory authorities concerning the application of Article 9(1) and the particularities of expression of consent by legal entities;
Amendment 789 #
Proposal for a regulation
Article 19 – paragraph 1 – point b b (new)
Article 19 – paragraph 1 – point b b (new)
(b b) issue guidelines, recommendations and best practices in accordance with point (b) of this paragraph for the purpose of further specifying the criteria and requirements for types of services that may be requested for purely individual or work-related usage as referred to in Article 6(3a);
Amendment 790 #
Proposal for a regulation
Article 19 – paragraph 1 – point b c (new)
Article 19 – paragraph 1 – point b c (new)
(b c) issue guidelines, recommendations and best practices in accordance with point (b) of this paragraph for the purpose of further specifying the criteria and requirements for: (i) security updates referred to in Article 8(1)(e); (ii) the interference in the context of employment relationships referred to in Article 8(1)(f); (iv) the processing of information emitted by the terminal equipment referred to in Article 8(2)(c); (v) technical specifications and signalling methods that fulfil the conditions for consent and objection pursuant to Article 8(2a). (vi) software settings referred to in Article 10(1) and (2); and (vii) technical measures to ensure confidentiality and integrity of the communication pursuant to Article 17(1).
Amendment 791 #
Proposal for a regulation
Article 21 – paragraph 1
Article 21 – paragraph 1
1. Without prejudice to any other administrative or judicial remedy, every end-ususer and subscriber of electronic communications services and, where applicable, every body, organisation or association, shall have the same remedies provided for in Articles 77, 78, 79, and 7980 of Regulation (EU) 2016/679.
Amendment 794 #
Proposal for a regulation
Article 21 – paragraph 2
Article 21 – paragraph 2
2. Any natural or legal person other than end-ususers or subscribers adversely affected by infringements of this Regulation and having a legitimate interest in the cessation or prohibition of alleged infringements, including a provider of electronic communications services protecting its legitimate business interests, shall have a right to bring legal proceedings in respect of such infringements.
Amendment 798 #
Proposal for a regulation
Article 22 – paragraph 1
Article 22 – paragraph 1
Any end-ususer or subscriber of electronic communications services who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the infringer for the damage suffered, unless the infringer proves that it is not in any way responsible for the event giving rise to the damage in accordance with. Article 82 of Regulation (EU) 2016/679. shall apply mutatis mutandis also for subscribers which are legal persons.
Amendment 801 #
Proposal for a regulation
Article 23 – paragraph 2 – point a
Article 23 – paragraph 2 – point a
Amendment 802 #
Proposal for a regulation
Article 23 – paragraph 2 – point a a (new)
Article 23 – paragraph 2 – point a a (new)
(a a) the obligations of the providers of electronic communications services for documentation, pursuant to Article 11c(1);
Amendment 805 #
Proposal for a regulation
Article 23 – paragraph 2 – point b
Article 23 – paragraph 2 – point b
Amendment 806 #
Proposal for a regulation
Article 23 – paragraph 2 – point d a (new)
Article 23 – paragraph 2 – point d a (new)
(d a) the obligations of the providers of publicly available number-based interpersonal communication services pursuant to Article 12, 13 and 14.
Amendment 808 #
Proposal for a regulation
Article 23 – paragraph 3
Article 23 – paragraph 3
3. Infringements of the principle of confidentiality of communications, permitted processing of electronic communications data, time limits for erasure pursuant to Articles 5, 6, and 7following provisions of this Regulation shall, in accordance with paragraph 1 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.:
Amendment 810 #
Proposal for a regulation
Article 23 – paragraph 3 – subparagraph 1 (new)
Article 23 – paragraph 3 – subparagraph 1 (new)
(a) the principle of confidentiality of communications pursuant to Article 5; (b) the permitted processing of electronic communications data, pursuant to Article 6, (c) the time limits for erasure and the confidentiality obligations pursuant to Article 7; (d) the obligations of any legal or natural person who process electronic communications data pursuant to Article 8; (e) the requirements for consent pursuant to Article 9; (f) the obligations of the provider of software enabling electronic communications, pursuant to Article 10; (g) the obligations of the providers of electronic communications services, of the providers of information society services, or of the manufacturers of hardware and software permitting the retrieval and presentation of information on the internet pursuant to Article 17.
Amendment 811 #
Proposal for a regulation
Article 23 – paragraph 4
Article 23 – paragraph 4
Amendment 816 #
Proposal for a regulation
Article 25
Article 25
Amendment 817 #
Proposal for a regulation
Article 26 – paragraph 1
Article 26 – paragraph 1
1. The Commission shall be assisted by the Communications Committee established under Article 11093 of the [Directive establishing the European Electronic Communications Code]Regulation (EU) 2016/679. That committee shall be a committee within the meaning of Regulation (EU) No 182/201129 . _________________ 29 Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13–18).
Amendment 819 #
Proposal for a regulation
Article 27 – paragraph 1
Article 27 – paragraph 1
1. Directive 2002/58/EC isand Commission Regulation 611/2013 are repealed with effect from 25 May 2018.