On January 10, 2017, the EU Commission adopted a proposal for a Regulation on Privacy and Electronic Communications (“ePR”). On June 8, 2018, the Council of the European Union’s Bulgarian Presidency presented a progress report (the “Report”) on the draft ePR to the Transport, Telecommunications and Energy Council. The Report reflects on the amendments presented in the May 2018 Examination of the Presidency text. The Report is split into two sections: Annex I, a progress report, and Annex II, questions for the policy debate.
Annex I reports on the following features, among other things:
- State of play in the council: The Presidency discusses the scope of the ePR and its link with the EU General Data Protection Regulation (“GDPR”), particularly where the protection provided by the ePR ends and protection provided by the GDPR becomes relevant.
- Processing of electronic communications data (content and metadata) (Article 6(1)): The permitted processing of electronic communications data to maintain and restore the security of electronic communication networks and services now includes processing in relation to security risks.
- Processing of electronic communications metadata (Article 6(2), (3a)): The Presidency has introduced new permissions for processing electronic communications metadata, including processing for the purposes of network management and optimization, as well as for statistical counting. These new grounds for processing are accompanied by appropriate safeguards.
- Protection of terminal equipment information (Article 8): The prohibition on the processing of information from end-users’ terminal equipment remains, but the exceptions now include processing for the purposes of preventing fraud or detecting technical faults.
- Privacy settings (Article 10): The Presidency introduces significant changes; software providers are only obliged to offer privacy settings at the time of installation or first usage, and inform users when updates change the privacy settings and how they may use them.
- Data retention related elements (Articles 2 and 11): The Report touches on the issue of data retention and highlights that discussions have taken place in two joint meetings of the Working Party Telecommunications and Information Society and the Friends of Presidency, Working Party on Information Exchange and Data Protection. Exclusions have been included in the text relating to national security and defense.
- Exceptions to presentation and restriction of calling, connected line identification, access to emergency services (Article 13): There is discussion over the power of emergency services to override an end-user’s choice to reject incoming calls without the calling line identification, in the case of an emergency. Emergency services may also use the end-user’s terminal equipment when called in order to identify that end-users location.
- Unsolicited and direct marketing communications (Article 16): The Report highlights that, following extensive discussions, the new text allows for EU Member States to have the ability to establish laws with a maximum period of time that an organization can use its own customers’ contact details for direct marketing purposes.
- Supervisory authorities (Article 18): The Report highlights that, similar to the GDPR, supervisory authorities shall have the responsibility for monitoring the application of the ePR, and should have the power to provide remedies and impose administrative fines. The Report states that most delegations seek further flexibility with regards to supervisory authorities and that requirements stemming from Article 8(3) of the Charter and Article 16(2) of the TFEU should be considered.
Annex II lists three questions for which the Presidency would like to seek guidance from the Ministers. These questions relate to permitted processing of metadata, protection of terminal equipment, privacy settings and the balance between innovation and the safeguarding of confidentiality.