ePrivacy Directive debated in the EP's Civil Liberties Committee

By EDRi · July 2, 2008

(This article is also available in German)

On 25 June 2008, the European Parliament’s Standing Committee on Civil
Liberties, Justice and Home Affairs asked for measures to correct the
European Commission’s proposal to amend the Directive on Privacy and
Electronic Communications (called ePrivacy Directive).

“We have introduced a few points directed towards better consumer protection
and manageability” in order to “improve data protection overall and bring it
in line with the changed situation,” stated the rapporteur for the project,
MEP Alexander Alvaro (FDP).

On 14 April, Peter Hustinx, the European Data Protection Supervisor (EDPS),
adopted an Opinion on the European Commission’s proposal amending, among
others, the ePrivacy Directive. The EDPS basically supported the EC proposal
while giving a few recommendations, such as applying the obligation to notify
any breach of security not only to providers of public electronic
communication services in public networks but also to providers of
information society services which process sensitive personal data.

What the MEPs are now asking for is a procedure to inform users in case of
security breaches at service providers, and better protection from
surveillance. For the measures requiring providers of electronic services to
inform users of breaches of data protection, the MEPs intend to involve an
intermediary body. The companies will inform national telecommunications
regulators or other “competent authorities” of “serious” security breaches
of personal data, and the regulatory bodies will decide if consumers need to
be rapidly informed. The companies might also be asked to report the
occurrence of security problems in their annual reports.

One of the aspects most debated within the Committee was the collection of
personal data such as IP addresses. A compromise was reached in the end: an
online identity should be specifically considered as an item of personal
information needing special protection when it is related to an individual in
combination with other information. The EP Committee asked the European
Commission to submit, in consultation with EU data protection officials and
within the next two years, specific draft legislation for treating IP
addresses as personal data.

Alvaro’s proposal concerned the provision allowing member states to enact
their own legislation to relax protection of connection and location data
for public security and the prevention, detection and prosecution of
criminal acts or illegal use of electronic communications systems. He
proposed applying this provision to cases where ownership rights are
infringed, but the proposal failed after data protection officials, such as
German data protection commissioner Peter Schaar, expressed concerns.

However, Alvaro succeeded in passing several other proposals, such as the
future application of the directive to publicly accessible private
telecommunications networks, including university networks or social networks
such as StudiVZ or Facebook. Companies offering applications attempting to
access personal data on hard drives or other IT systems, such as USB flash
drives, will have to get the user’s consent beforehand on the basis of the
opt-in principle. Alvaro pointed out that a user setting his browser
to accept cookies would be considered to give consent to data collection.
However, according to the directive, in the future, cookies for storing user
data using the Flash multimedia application will require separate consent.

According to Alvaro, the amendments proposed by the Standing Committee on
Civil Liberties, Justice and Home Affairs will be incorporated into the
report of the Internal Market and Consumer Protection committee, primarily
responsible for the telecommunications package. The entire package for
regulating telecommunications companies and ISPs will be voted on in
September after a first reading at a plenary session. The European Council
will then be required to submit comments.

During its 66th plenary session, which took place in Brussels on 24-25
June, the Article 29 Working Party expressed its opinion on the review of
the ePrivacy Directive, fully supporting “the proposed strengthening of
Article 4 ‘Security’ by requiring providers of publicly available
communication services to notify security breaches, and underlines the
importance of informing all persons concerned when their personal data have
been compromised or are at risk of being compromised.”

However, the Article 29 Working Party considers that there are issues that
still need to be covered, such as the need to extend the scope of the
obligation to notify security breaches to the providers of information
society services, as well as the scope of the recipients of the notification
to include all persons concerned rather than only the “subscribers”.

MEPs adopt draft “e-privacy directive” reforms (27.06.2008)
http://www.heise.de/english/newsticker/news/110110

Press Release – Article 29 Working Party (26.06.2008)
http://ec.europa.eu/justice_home/fsj/privacy/news/docs/pr_30_06_08_en.pdf

Working Party Article 29, Opinion on the review of the Directive 2002/58/EC
on privacy and electronic communications (ePrivacy Directive) (15.05.2008)
http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2008/wp150_en.pdf

EDRIgram – EDPS endorses data breach notification provision in ePrivacy
Directive (23.04.2008)
http://www.edri.org/edrigram/number6.8/edps-data-breach-notification