Privacy Open Forum, Tuesday 5th of December 2017
Brussels, 5 December 2017
THE PROPOSAL FOR EPRIVACY REGULATION: STATUS UPDATE
Johan Vandendriessche
Agenda
1. 18:30 Introduction
2. 18:45 Proposal ePrivacy Regulation
3. 19:30 Break
4. 19:50 Proposal ePrivacy Regulation
5. 20:45 Close
Agenda
• Overview
• Short timeline
• Review of EP text
  • Changes proposed by the EP text compared to the EC text are underlined
• See also ISACA Privacy Forum on ePrivacy Regulation of 22 February 2017
Short timeline
• July 2002: Directive 2002/58
• Jan 2017: EC Proposal ePrivacy, COM(2017)10 final
• Sept 2017: EU Council text (first reading)
• Oct 2017: EP text (first reading)
• Trilogue meetings
• 25 May 2018?
Legal Status Update
• Full review of the data protection legal package
  • Directive 1995/46
  • Directive 2002/58
• Regulation: uniform legislation within the EU
  • GDPR will replace Directive 1995/46 as of 25 May 2018
  • Proposal for ePrivacy Regulation (set to replace Directive 2002/58)
General principles
• ePrivacy Regulation is broader than only the processing of personal data
• ePrivacy Regulation is lex specialis with regard to the GDPR
  • Covers specific processing of personal data (field of electronic communications)
  • Prevails over the GDPR in case of conflict (as lex specialis)
  • GDPR supplements the regulation in relation to all elements not covered (as lex generalis)
Definitions
• Main definitions
  • Electronic communications network
  • Electronic communications service
    • Traditional scope
    • Internet access service
    • (Number-based / number-independent) interpersonal communications service
  • End-user
    • Natural person
    • Legal person
  • User
    • Natural person
Definitions
• Terminal equipment
  • Equipment connected to the interface of a public communications network to send/process/receive information
• Electronic communications data
  • Electronic communications content
  • Electronic communications metadata
    • Data processed for the purpose of electronic communications
    • Location data processed in the context of providing services
    • Location data generated in another context is not communications metadata
Scope
• Reference to the future legal framework dramatically expands the scope of the regulation
  • OTT services (e.g. VoIP, IM, web-based e-mail)
  • IoT
  • M2M
• Future-proofing by using a more technology-neutral approach
Material scope
• Processing of electronic communications data
  • In connection with
    • the provision and the use of electronic communications services
    • information related to or processed by the terminal equipment of end-users
Material scope
• Placing on the market of software permitting electronic communications, including the retrieval and presentation of information on the Internet
• Provision of publicly available directories of users of electronic communications
• Sending of direct marketing electronic communications to end-users
Material scope
• Covers both natural and legal persons
• Exceptions apply
  • E.g. closed communication networks
Territorial scope
• No distinction is made between EU-based and non-EU-based service providers
  • Offering of electronic communications services, software, publicly available directories, or direct marketing electronic communications to end-users in the EU (no requirement of payment)
  • Activities that are provided from the territory of the EU
Territorial scope
• No distinction is made between EU-based and non-EU-based service providers
  • The processing of information related to or processed by terminal equipment of end-users that is in the EU
  • Location of processing is irrelevant
• Obligation of non-EU-based provider to designate a representative in the EU
  • Larger role than in the GDPR?
Protection of electronic communication
• Confidentiality
  • Electronic communications shall be confidential
  • Prohibition of interference by persons other than end-users
    • Interception, surveillance or processing
    • End-users or users?
  • Confidentiality also applies to data related to or processed by terminal equipment
    • Examples: IMSI catchers or intercepting communication over open Wi-Fi networks
Protection of electronic communication
• Exceptions (for providers of electronic communications networks and services)
  • Electronic communications data only if technically necessary for transmission, for the duration necessary
Protection of electronic communication
• Exceptions (for providers of electronic communications networks and services, or other parties acting on behalf of the provider or the end-user)
  • Electronic communications data only if technically necessary for availability, integrity, confidentiality and security, or to detect technical faults/errors in transmission, for the duration necessary
Protection of electronic communication
• Exceptions (for providers of electronic communications services and networks)
  • Electronic communications metadata
    • Strictly necessary for mandatory quality of service requirements, for the duration technically necessary for that purpose
    • Strictly necessary for billing-related purposes (including fraud detection and prevention)
    • User consent for specified purposes, provided it is not possible to fulfill the purpose without processing the metadata
      • Likelihood of high risk: DPIA
Protection of electronic communication
• Exceptions (for providers of electronic communications services)
  • Electronic communications content
    • Service provision to the user, requested by the user, with end-user consent and provided the service cannot be provided without the processing of such content
    • User consent for specified purposes that cannot be fulfilled by processing anonymous information
      • Consultation of the supervisory authority
      • Link with the GDPR prior consultation procedure
      • DPIA required?
Protection of electronic communication
• Processing of electronic communications data by the provider of the electronic communications service:
  • solely for the provision of an explicitly requested service, for purely individual usage
  • only for the duration necessary for that purpose
  • without the consent of all users
    • If: no adverse effect on the fundamental rights and interests of another user or users
Protection of electronic communication
• Storage and erasure of electronic communications data by the service provider
  • Obligation to erase electronic communications content when no longer necessary for the provision of the service as requested by the user
    • Anonymization no longer included
  • Recording and storage by users and third parties on their behalf
    • User may process in accordance with the GDPR
Protection of electronic communication
• Obligation to erase or anonymize electronic communications metadata when no longer necessary for the provision of the service, as requested by the user
Protection of electronic communication
• Storage and erasure of electronic communications data
  • Strictly necessary metadata used for billing purposes may be kept until the end of the period during which a bill may be lawfully challenged or payment pursued
    • Impact on contractual conditions?
User terminal equipment
• Prohibition
  • Use of processing and storage capabilities
  • The collection of information from users’ terminal equipment (including about its hardware and software)
  • Other than by the user
• Broader wording than Directive 2002/58
• Exceptions apply
• Typically (but not solely) targets cookies, hidden identifiers, …
User terminal equipment
• Exceptions
  • Strictly necessary for the sole purpose of carrying out transmission over an electronic communications network
  • User consent
  • Strictly technically necessary for providing an information society service specifically requested by the user
User terminal equipment
• Exceptions
  • Technically necessary for measuring the reach of an information society service requested by the user
    • By or on behalf of the provider, or by a web analytics agency for a scientific purpose
    • Aggregated data
    • Possibility for the user to object
    • No personal data is made available to any third party
    • No adverse effect on the fundamental rights of the user
    • If collected on behalf of the provider, separation of data
User terminal equipment
• Exceptions
  • Necessary to ensure security, confidentiality, integrity, availability and authenticity of the end-user’s equipment, by means of updates, for the duration necessary
    • No change in functionality of hardware or software
    • No change in privacy settings
    • User is informed in advance each time
    • User may postpone or turn off automatic installation of updates
User terminal equipment
• Exceptions
  • Employment relationship where strictly technically necessary for the execution of the employee’s tasks
    • Employer provides and/or is the user
    • Employee is the user
    • No further use for monitoring the employee
User terminal equipment
• No denial of access to any information society service on the grounds that the user has not given his or her consent to the processing of personal information and/or the use of processing or storage capabilities of user terminal equipment that is not necessary for the provision of that service or functionality
User terminal equipment
• Prohibition to process information emitted by terminal equipment to enable it to connect to another device or to network equipment
• Exceptions
  • Exclusively for the sole purpose and time necessary to establish a connection requested by the user
  • User information and consent
  • Risk mitigation
User terminal equipment
• For the purpose of measuring and risk mitigation:
  • Purpose of data collection restricted to mere statistical counting
  • Limited in time and space to the extent strictly necessary for this purpose
  • Delete or anonymize data immediately after the purpose has been fulfilled
  • User shall be given an effective possibility to object without effect on the terminal equipment
Consent
• General rule: definitions of the GDPR apply
• Stricter approach to consent
  • Consent may not be based on mere silence
  • Clear affirmative act
    • Yes: written or oral statement, ticking a box, choosing technical settings
    • No: pre-ticked boxes, inactivity
  • Result of a compromise
• Separate consent for each purpose
• Consent separate from consent to a contract
• Burden of proof
• Reminder of right to withdraw consent is removed
Consent
• Consent regarding use of terminal equipment
  • May be expressed or withdrawn by using technical specifications for electronic communications services or information society services
  • Specific consent for specific purposes
    • Related to a specific service actively selected by the user in each case
  • Signals on user choice are binding on any other party
Software privacy settings
• Software
  • Placed on the market
  • Permitting electronic communications
• Obligations
  • By default, privacy-protective settings activated to prevent transmitting and storing or processing information
  • Upon installation, inform the user and offer the possibility to change privacy setting options, and require consent to a setting prior to continuing with the installation
  • Offer the possibility to express specific consent through settings after installation
Software privacy settings
• Settings shall lead to a signal based on technical specifications
  • sent to the other parties to inform them about the user's intentions with regard to consent or objection
  • legally valid and binding on, and enforceable against, any other party
• Information society service may allow specific consent, which prevails over privacy settings
Software privacy settings
• Limited transition measure for software already installed on [date to be completed]
  • first update, but no later than six months after [date of entry into force]
Right to control electronic communications
• Right to control electronic communications
  • Calling and connected line identification
  • Incoming call blocking
  • Publicly available directories
  • Unsolicited communications
Current Belgian direct marketing rules
• Twofold legislation
  • Data protection law
    • ‘Direct marketing’ – right to object
    • Processing of personal data for direct marketing purposes
  • Code of Economic Law
    • Advertising regulated per channel
    • Book VI
    • Book XII
Unsolicited communications
• Direct marketing communications
  • Any form of advertising (written, oral or video)
  • Sent, served or presented to identified or identifiable end-users
• Electronic mail
  • Any electronic message sent over an electronic communications network
  • Capable of being stored in the network or in terminal equipment
• Broad definitions
Unsolicited communications
• Use of electronic communications services for presenting or sending direct marketing communications
  • Prior consent
  • Exception for existing clients (electronic mail)
    • Contact details obtained in the context of the sale of a product or service
    • Data protection compliance
    • Own products or services
      • Similarity no longer required
    • Clear and distinct right to object at collection and each time a message is sent
    • Provide information and allow exercise of the right
Unsolicited communications
• Direct marketing by calls
  • Identification and contact data (no masking)
  • Specific code/prefix identifying a marketing call
  • Opt-out provisions are possible under national legislation (e.g. articles VI.110-115 CEL) for users that are natural persons
    • Voice-to-voice calls
Unsolicited communications
• National legislation must ensure the legitimate interests of end-users that are legal persons (e.g. articles VI.110-115 CEL)
  • Broader than merely voice-to-voice calls
• Additional transparency obligations
  • Inform the end-user of the marketing nature of the communication
  • Identify the advertiser
  • Provide information on the right to oppose further marketing communication
Contact details
Johan Vandendriessche
Partner – Erkelens Law
Visiting Professor ICT Law – UGent
Visiting Professor ICT & Data Protection Law – HoWest
Mobile Phone +32 486 36 62 34
E-mail [email protected]
Website www.erkelenslaw.com