Data protection authorities support civil society on the Telecom Package

This article is also available in:
Deutsch: [Datenschutzbehörden unterstützen die Zivilgesellschaft beim Thema Telekompaket | http://www.unwatched.org/node/1302]

Macedonian: [Органите за заштита на лични податоци го поддржуваат граѓанското општество | http://www.metamorphosis.org.mk/content/view/1382/4/lang,mk/]

The Article 29 Working Group and the European Data Protection Supervisor
have issued public statement supporting some of the arguments of the civil
society, including EDRi, made in the recent open letter sent to the European
Parliament on 17 February 2009 and in the campaign against “voluntary data
retention”.

The open letter underlines the signatories’ concerns related to those
amendments of the Telecoms Package which might affect the Internet and
Internet users, by targeting the open and non-discriminatory access
features. Thus the fundamental users’ rights such as privacy and freedom of
speech are put in jeopardy.

The Article 29 adopted on 10 February Opinion 1/2009 on the
proposals amending the e-Privacy Directive, acknowledging its concerns
regarding the present article 6 a) that “might lend legitimacy to large
scale deployment of deep packet inspection both in the network and in user
equipment such as ADSL boxes, while the current legal framework already
details the cases in which traffic data may be processed for security
purposes.”

Considering that “the wording proposed by the Commission establishes beyond
all doubt that the processing of traffic data falls within the scope of the
Data Protection Directive”, the working group decided that the Article 6(6a)
is unnecessary.

A similar opinion is supported by the European Data Protection Supervisor’s
comments on some issues in the review of the Universal Service
Directive. According to the text “he is concerned about the implementation
of traffic management policies that require the monitoring of Internet usage
and interception without appropriate data protection safeguards,” and
concludes that “Article 5 of the ePrivacy Directive applies whenever traffic
management policies entail interception or surveillance of Internet usage.
Therefore, to avoid confusion, it seems only just and reasonable to
recognise that pursuant to this article informed consent from users is
necessary.”

In the same document, EDPS tackles the 3 strikes procedure and considers as
unfortunate its possible introduction in the Telecom package and notes that
“it would have been preferable if the European Parliament had not given up
to pressure by laying down the foundation for a three strikes approach and
if all these issues had been addressed separately in different legal
instruments, after careful analysis and debate.”

The EDPS supports the civil society in calling upon decision makers to
re-introduce Amendment 138 and Article 32a of the Universal Service
Directive that would strengthen the safeguards towards ensuring the
protection of individuals’ rights, including the right to data protection
and privacy and due process.

The Article 29’s Opinion also tackles other aspects regarding the
e-Privacy directive. Thus the document strongly supports “an extension of
personal data breach notifications to Information Society Services (…)
given the ever increasing role these services play in the daily lives of
European citizens.” This resonates with the initial Amendments of the
European Parliament or with Peter Hustinx’s public comments, who explains
why the position of the Commission and the Council is not enough to protect
the citizens in the online world:
“That restriction means European citizens would only be alerted if their
internet access or telephone company suffers security breaches. If their
online bank is hacked or its security systems are cracked, enabling the
unauthorised access to bank account information, citizens might not be
notified.
So, unless the amendments proposed by the European Parliament are adopted by
the Council, online banks and other e-businesses would be off the hook.”

The Article 29 Working Group has also re-emphasised its earlier opinion
“that unless the service provider is in a position to distinguish with
absolute certainty that the data correspond to users that cannot be
identified, it will have to treat all IP information as personal data, to be
on the safe side”. Thus the WG agrees with the Commission that a substantive
provision of a directive is not the most suitable way of addressing this
issue, and that a reporting obligation referring to “purposes not covered by
this Directive” is not appropriate.

Open letter to the European Parliament – Telecom Package (17.02.2009)
http://www.edri.org/edrigram/campaigns/open-letter-telecom-package

EU proposal puts confidential communications data at risk (28.02.2009)
http://www.edri.org/campaigns/no-voluntary-data-retention

All data breaches must be made public (29.01.2009)
http://resources.zdnet.co.uk/articles/comment/0,1000002985,39603777,00.htm

Opinion 1/2009 on the proposals amending Directive 2002/58/EC on privacy and
electronic communications (e-Privacy Directive) (10.02.2009)
http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2009/wp159_en.pdf

EDPS comments on some issues in the review of the Directive 2002/22/EC
(Universal Service) (16.02.2009)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Comments/2009/09-02-16_Comments_ePrivacy_EN.pdf

EDRi-gram: Data breach notification – different opinions in EU bodies ?
(19.11.2008)
http://www.edri.org/edri-gram/number6.22/data-breach-ec