Privacy Open Forum, Tuesday, 5th of December 2017

ISACA Privacy Open Forum: status update on the ePrivacy Regulation

Jan 21, 2018

Transcript
Page 1: ISACA Privacy Open Forum: status update on the ePrivacy Regulation

Privacy Open Forum

Tuesday, 5th of December 2017

Page 2

Brussels, 5 December 2017

Page 3

THE PROPOSAL FOR EPRIVACY REGULATION: STATUS UPDATE

JOHAN VANDENDRIESSCHE

Page 4

Agenda

1. 18:30 Introduction
2. 18:45 Proposal ePrivacy Regulation
3. 19:30 Break
4. 19:50 Proposal ePrivacy Regulation
5. 20:45 Close

Page 5

Agenda

• Overview
• Short timeline
• Review of EP text
• Changes proposed by EP text compared to EC text are underlined
• See also ISACA Privacy Forum on ePrivacy Regulation of 22 February 2017

Page 6

Short timeline

• July 2002: Directive 2002/58
• Jan 2017: EC Proposal ePrivacy COM(2017)10 final
• Sept 2017: EU Council text (first reading)
• Oct 2017: EP text (first reading)
• Trilogue meetings
• 25 May 2018?

Page 7

GENERAL OVERVIEW

Page 8

Legal Status Update

• Full review of the data protection legal package
  • Directive 1995/46
  • Directive 2002/58
• Regulation: uniform legislation within the EU
  • GDPR will replace Directive 1995/46 as of 25 May 2018
  • Proposal for ePrivacy Regulation (set to replace Directive 2002/58)

Page 9

General principles

• ePrivacy Regulation is broader than only processing of personal data
• ePrivacy Regulation is lex specialis with regard to GDPR
  • Covers specific processing of personal data (field of electronic communications)
  • Prevails over GDPR in case of conflict (as lex specialis)
  • GDPR supplements the regulation in relation to all elements not covered (as lex generalis)

Page 10

Definitions

• Main definitions
  • Electronic communications network
  • Electronic communications service
    • Traditional scope
    • Internet access service
    • (Number-based / independent) interpersonal communications service
  • End-user
    • Physical person
    • Legal person
  • User
    • Physical person

Page 11

Definitions

• Terminal equipment
  • Equipment connected to the interface of a public communications network to send/process/receive information
• Electronic communications data
  • Electronic communications content
  • Electronic communications metadata
    • Data processed for the purpose of electronic communications
    • Location data processed in the context of providing services
    • Location data generated in another context is not communications metadata

Page 12

SCOPE

Page 13

Scope

• Reference to future legal framework dramatically expands scope of regulation
  • OTT services (e.g. VoIP, IM, web-based e-mail)
  • IoT
  • M2M
• Future-proofing by using a more technology-neutral approach

Page 14

Material scope

• Processing of electronic communications data
• Connection with
  • the provision and the use of electronic communications services
  • information related to or processed by the terminal equipment of end-users

Page 15

Material scope

• Placing on the market of software permitting electronic communications, including the retrieval and presentation of information on the Internet
• Provision of publicly available directories of users of electronic communications
• Sending of direct marketing electronic communications to end-users

Page 16

Material scope

• Covers both natural and legal persons
• Exceptions apply
  • E.g. closed communication networks

Page 17

Territorial scope

• No distinction is made between EU-based and non-EU-based service providers
  • Offering of electronic communications services, software, publicly available directories, or direct marketing electronic communications to end-users in the EU (no requirement of payment)
  • Activities that are provided from the territory of the EU

Page 18

Territorial scope

• No distinction is made between EU-based and non-EU-based service providers
  • The processing of information related to or processed by terminal equipment of end-users that is in the EU
  • Location of processing is irrelevant
• Obligation of non-EU-based provider to designate a representative in the EU
  • Larger role than in GDPR?

Page 19

PROTECTION OF ELECTRONIC COMMUNICATIONS

Page 20

Protection of electronic communication

• Confidentiality
  • Electronic communications shall be confidential
  • Prohibition of interference by persons other than end-users
    • Interception, surveillance or processing
    • End-users - users?
  • Confidentiality also applies to data related to or processed by terminal equipment
  • Examples: IMSI catchers or intercepting communication over open Wi-Fi networks

Page 21

Protection of electronic communication

• Exceptions (for providers of electronic communications networks and services)
  • Electronic communications data only if technically necessary for transmission, for the duration necessary

Page 22

Protection of electronic communication

• Exceptions (for providers of electronic communications networks and services, or other parties acting on behalf of the provider or the end-user)
  • Electronic communications data only if technically necessary for availability, integrity, confidentiality and security, or to detect technical faults/errors in transmission, for the duration necessary

Page 23

Protection of electronic communication

• Exceptions (for providers of electronic communications services and networks)
  • Electronic communications metadata
    • Strictly necessary for mandatory quality of service requirements, for the duration technically necessary for that purpose
    • Strictly necessary for billing-related purposes (including fraud detection and prevention)
    • User consent for specified purposes, provided it is not possible to fulfill the purpose without processing the metadata
      • Likelihood of high risk: DPIA

Page 24

Protection of electronic communication

• Exceptions (for providers of electronic communications services)
  • Electronic communications content
    • Service provision to the user, requested by the user, with end-user consent and provided the service cannot be provided without the processing of such content
    • User consent for specified purposes that cannot be fulfilled by processing anonymous information
      • Consultation of supervisory authority
      • Link with GDPR prior consultation procedure
      • DPIA required?

Page 25

Protection of electronic communication

• Processing of electronic communications data by the provider of the electronic communications service:
  • solely for the provision of an explicitly requested service, for purely individual usage
  • only for the duration necessary for that purpose
  • without the consent of all users
  • If: no adverse effect on the fundamental rights and interests of another user or users

Page 26

Protection of electronic communication

• Storage and erasure of electronic communications data by service provider
  • Obligation to erase electronic communications content when no longer necessary for provision of service as requested by the user
    • Anonymization no longer included
• Record and storage by users and third parties on their behalf
  • User may process in accordance with GDPR

Page 27

Protection of electronic communication

• Obligation to erase or anonymize electronic communications metadata when no longer necessary for the provision of the service, as requested by the user

Page 28

Protection of electronic communication

• Storage and erasure of electronic communications data
  • Strictly necessary metadata used for billing purposes may be kept until the end of the period during which a bill may be lawfully challenged or payment pursued
  • Impact on contractual conditions?

Page 29

User terminal equipment

• Prohibition
  • Use of processing and storage capabilities
  • The collection of information from users’ terminal equipment (including about its hardware and software)
  • Other than by the user
• Broader wording than Directive 2002/58
• Exceptions apply
• Typically (but not solely) targets cookies, hidden identifiers, …

Page 30

User terminal equipment

• Exceptions
  • Strictly necessary for the sole purpose of carrying out transmission over an electronic communications network
  • User consent
  • Strictly technically necessary for providing an information society service specifically requested by the user

Page 31

User terminal equipment

• Exceptions
  • Technically necessary for measuring the reach of an information society service requested by the user
    • By or on behalf of provider, or web analytics agency for scientific purpose
    • Aggregated data
    • Possibility to object for the user
    • No personal data is made available to any third party
    • No adverse effect on the fundamental rights of the user
    • If collected on behalf of provider, separation of data

Page 32

User terminal equipment

• Exceptions
  • Necessary to ensure security, confidentiality, integrity, availability and authenticity of equipment of end-user, by means of updates, for the duration necessary
    • No change in functionality of hardware or software
    • No change in privacy settings
    • User is informed in advance each time
    • User may postpone or turn off automatic installation of updates

Page 33

User terminal equipment

• Exceptions
  • Employment relationship where strictly technically necessary for the execution of the employee’s tasks
    • Employer provides and/or is the user
    • Employee is the user
    • No further use for monitoring the employee

Page 34

User terminal equipment

• No denial of access to any information society service on grounds that the user has not given his or her consent to the processing of personal information and/or the use of processing or storage capabilities of user terminal equipment that is not necessary for the provision of that service or functionality

Page 35

User terminal equipment

• Prohibition to process information emitted by terminal equipment to enable it to connect to another device or to network equipment
• Exceptions
  • Exclusively for the sole purpose and time necessary to establish a connection requested by the user
  • User information and consent
  • Risk mitigation

Page 36

User terminal equipment

• For purpose of measuring and risk mitigation:
  • Purpose of data collection restricted to mere statistical counting
  • Limited in time and space to the extent strictly necessary for this purpose
  • Delete or anonymize data immediately after purpose has been fulfilled
  • User shall be given effective possibility to object without effect on terminal equipment

Page 37

Consent

• General rule: definitions of GDPR apply
• Stricter approach to consent
  • Consent may not be based on mere silence
  • Clear affirmative act
    • Yes: written or oral statement, ticking a box, choosing technical settings
    • No: pre-ticked boxes, inactivity
  • Result of a compromise
• Separate consent for each purpose
• Consent separate from consent to a contract
• Burden of proof
• Reminder of right to withdraw consent is removed

Page 38

Consent

• Consent regarding use of terminal equipment
  • may be expressed or withdrawn by using technical specifications for electronic communications services or information society services
• Specific consent for specific purposes
  • Related to specific service actively selected by the user in each case
• Signals on user choice are binding on any other party

Page 39

Software privacy settings

• Software
  • Placed on the market
  • Permitting electronic communications
• Obligations
  • By default, privacy-protective settings activated to prevent transmitting and storing or processing information
  • Upon installation, inform and offer user possibility to change privacy setting options and require consent to a setting prior to continuing with the installation
  • Offer possibility to express specific consent through settings after installation

Page 40

Software privacy settings

• Settings shall lead to a signal based on technical specifications
  • sent to the other parties to inform them about the user's intentions with regard to consent or objection
  • legally valid and binding on, and enforceable against, any other party
• Information society service may allow specific consent, which prevails over privacy settings

Page 41

Software privacy settings

• Limited transition measure for software already installed on [date to be completed]
  • first update but no later than six months after [date of entry into force]

Page 42

RIGHT TO CONTROL ELECTRONIC COMMUNICATIONS

Page 43

Right to control electronic communications

• Right to control electronic communications
  • Calling and connected line identification
  • Incoming call blocking
  • Publicly available directories
  • Unsolicited communications

Page 44

Current Belgian direct marketing rules

• Twofold legislation
  • Data protection law
    • ‘Direct marketing’ – right to object
    • Processing of personal data for direct marketing purposes
  • Code of Economic Law
    • Advertising regulated per channel
    • Book VI
    • Book XII

Page 45

Current Belgian direct marketing rules

Page 46

Unsolicited communications

• Direct marketing communications
  • Any form of advertising (written, oral or video)
  • Sent, served or presented to identified or identifiable end-users
• Electronic mail
  • Any electronic message sent over an electronic communications network
  • Capable of being stored in network or terminal equipment
• Broad definitions

Page 47

Unsolicited communications

• Use of electronic communications services for presenting or sending direct marketing communications
  • Prior consent
  • Exception for existing clients (electronic mail)
    • Contact details obtained in the context of sale of a product or service
    • Data protection compliance
    • Own products or services
      • Similarity no longer required
    • Clear and distinct right to object at collection and each time a message is sent
    • Provide information and allow exercise of right

Page 48

Unsolicited communications

• Direct marketing by calls
  • Identification and contact data (no masking)
  • Specific code/prefix identifying marketing call
  • Opt-out provisions are possible under national legislation (e.g. articles VI.110-115 CEL) for users that are natural persons
    • Voice-to-voice calls

Page 49

Unsolicited communications

• National legislation must ensure legitimate interests of end-users that are legal persons (e.g. articles VI.110-115 CEL)
  • Broader than merely voice-to-voice calls
• Additional transparency obligations
  • Inform end-user of marketing nature of the communication
  • Identify advertiser
  • Provide information on the right to oppose further marketing communication

Page 50

Contact details

Johan Vandendriessche
Partner – Erkelens Law
Visiting Professor ICT Law – UGent
Visiting Professor ICT & Data Protection Law – HoWest
Mobile Phone +32 486 36 62 34
E-mail [email protected]
Website www.erkelenslaw.com

Page 51

ISACA BELGIUM