The General Data Protection Regulation (GDPR) represents one of the EU’s greatest achievements in recent years, but without a complementary and effective legal tool to protect the fundamental right to private life, of which the confidentiality of our communications is a vital component, the EU privacy and data protection framework remains incomplete, the European Data Protection Supervisor (EDPS) said today, as he published his Opinion on the ePrivacy Regulation.
Giovanni Buttarelli, EDPS, said: “I welcome and support the Commission’s ambitious attempt to provide for the comprehensive protection of electronic communications. The extension of confidentiality obligations to a broader range of providers and services is a particularly important step forward, which reflects recent technological developments and our changing relationship with technology. However, certain improvements are necessary if the Regulation is to deliver on the promise of a high level of protection for electronic communications.”
In his July 2016 preliminary Opinion on the review of the ePrivacy Directive, the EDPS called for smarter, clearer and stronger rules for ePrivacy. The Commission’s proposal represents an ambitious attempt to provide this. However, its complexity is daunting. By splitting communications data into a range of different types, each entitled to a different level of confidentiality and subject to different exceptions, there is a risk that gaps in protection might emerge.
The EDPS also raises concerns over the Commission’s intention to base the definitions on which the proposal relies on the European Electronic Communications Code, which is yet to be finalised. The EDPS notes that no legal justification exists for linking the new ePrivacy Regulation to the Code and holds that the market-focused definitions provided by the Code are simply not appropriate for dealing with fundamental rights. He therefore suggests that a set of definitions, which take into account the specific scope and objectives of the new rules, are included in the ePrivacy Regulation itself.
The new rules must also take into account the processing of electronic communications data by individuals or organisations other than the eCommunications providers covered in the proposal. The additional protection the proposal offers to communications data is of little use if the rules can be circumvented by transferring communications data to a third party, for example. In line with his recent Opinion on the Commission’s proposal for a Directive on digital content, the EDPS also stresses the need for the Regulation to ensure that no communications are subject to unlawful tracking and monitoring without freely-given and genuine user consent.
The GDPR represents a significant step forward for data protection and privacy law, but without a smart, clear and strong ePrivacy Regulation, which reflects technological change, the EU privacy and data protection framework remains incomplete. New rules on ePrivacy are essential if we are to protect the confidentiality of our communications and reinforce the right to privacy.
The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EC) No 45/2001. The EDPS is a relatively new but increasingly influential independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection.
Giovanni Buttarelli (EDPS) and Wojciech Wiewiórowski (Assistant EDPS) are the members of the institution, appointed by a joint decision of the European Parliament and the Council. Assigned for a five year term, they took office on 4 December 2014.
Personal information or data: Any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other details such as IP addresses and communications content - related to or provided by end-users of communications services - are also considered as personal data.
Privacy: the right of an individual to be left alone and in control of information about his or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8)
Processing of personal data: According to Article 2(b) of Regulation (EC) No 45/2001, processing of personal data refers to "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction." See the glossary on the EDPS website.