Telecoms Package ePrivacy IMCO Report

Telecoms Package: Directive concerning the processing of personal data and the protection of privacy in the electronic communications sector (ePrivacy 2002/58/EC) − Committee on the Internal Market and Consumer Protection Report − 2008-07-07

Article 1
(26a) Directive 2002/58/EC provides for the harmonisation of the provisions of the Member States required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy and the right to confidentiality and security of information technology systems, with respect to the processing of personal data in the electronic communications sector, and to ensure the free movement of such data and of electronic communications equipment and services in the Community.

Article 2
Article 2 − Definitions

Save as otherwise provided, the definitions in Directive 95/46/EC and in Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive)(8) shall apply.

The following definitions shall also apply:

(a) “user” means any natural person using a publicly available electronic communications service, for private or business purposes, without necessarily having subscribed to this service;

(b) “traffic data” means any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof;

(c) “location data” means any data processed in an electronic communications network, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service;

(d) “communication” means any information exchanged or conveyed between a finite number of parties by means of a publicly available electronic communications service. This does not include any information conveyed as part of a broadcasting service to the public over an electronic communications network except to the extent that the information can be related to the identifiable subscriber or user receiving the information;

(e) “call” means a connection established by means of a publicly available telephone service allowing two-way communication;

(f) “consent” by a user or subscriber corresponds to the data subject's consent in Directive 95/46/EC;

(g) “value added service” means any service which requires the processing of traffic data or location data other than traffic data beyond what is necessary for the transmission of a communication or the billing thereof;

(h) “electronic mail” means any text, voice, sound or image message sent over a public communications network which can be stored in the network or in the recipient's terminal equipment until it is collected by the recipient.

Article 3
(28) Technological progress allows the development of new applications based on devices for data collection and identification, which may be contactless devices using radio frequencies. For example, Radio Frequency Identification Devices (RFID) use radio frequencies to capture data from uniquely identified tags, which can then be transferred over existing communications networks. The wide use of such technologies can bring considerable economic and social benefits and thus make a powerful contribution to the internal market if their use is acceptable to citizens. To achieve that, it is necessary to ensure that the fundamental rights of individuals, in particular the right to privacy and data protection, are safeguarded. When such devices are connected to publicly available electronic communications networks or make use of electronic communications services as a basic infrastructure, the relevant provisions of Directive 2002/58/EC, including those on security, traffic and location data and on confidentiality, should apply.

(28a) For the purpose of Directive 2002/58/EC, Internet Protocol addresses should be considered as personal data only if they can be directly linked to an individual alone or in conjunction with other data. By ... (Two years from the date of entry into force of this Directive.), the Commission should propose specific legislation on the legal handling of Internet Protocol addresses as personal data within the framework of data protection following consultation of the Article 29 Working Party and the European Data Protection Supervisor.

Article 4
Article 4 − Security of processing

1. The provider of a publicly available electronic communications service must take appropriate technical and organisational measures to safeguard security of its services, if necessary in conjunction with the provider of the public communications network with respect to network security. Having regard to the state of the art and the cost of their implementation, these measures shall ensure a level of security appropriate to the risk presented.

1a. Without prejudice to the provisions of Directive 95/46/EC and Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks (OJ L 105, 13.4.2006, p. 54.), these measures shall include:

- appropriate technical and organisational measures to ensure that personal data can be accessed only by authorised personnel for legally authorised purposes and to protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration and unauthorised or unlawful storage, processing, access or disclosure;

- appropriate technical and organisational measures to protect the network and services against accidental, unlawful or unauthorised usage or interference with or hindering of their functioning or availability;

- a security policy with respect to the processing of personal data;

- a process for identifying and assessing reasonably foreseeable vulnerabilities in the systems maintained by the provider of electronic communications services, which shall include regular monitoring for security breaches; and

- a process for taking preventive, corrective and mitigating action against any vulnerabilities discovered in the process described under the fourth indent and a process for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach.

1b. National regulatory authorities shall be able to audit the measures taken by providers of publicly available electronic communication services and information society services and to issue recommendations about best practices and performance indicators concerning the level of security which these measures should achieve.

2. In case of a particular risk of a breach of the security of the network, the provider of a publicly available electronic communications service must inform the subscribers concerning such risk and, where the risk lies outside the scope of the measures to be taken by the service provider, of any possible remedies, including an indication of the likely costs involved.

3. In case of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed in connection with the provision of publicly available communications services in the Community which is likely to cause harm to users, the provider of publicly available electronic communications services, as well as any undertaking operating on the Internet and providing services to consumers, which is the data controller and the provider of information society services shall, without undue delay, notify the national regulatory authority or the competent authority according to the individual law of the Member State of such a breach. The notification to the competent authority shall at least describe the nature of the breach and recommend measures to mitigate its possible negative effects. The notification to the competent authority shall, in addition, describe the consequences of and the measures taken by the provider to address the breach.

The provider of publicly available electronic communications services, as well as any undertaking operating on the Internet and providing services to consumers, which is the data controller and the provider of information society services, shall notify their users beforehand if they deem it necessary to avoid imminent and direct danger to the rights and interests of consumers.

(29) A breach of security resulting in the loss or compromising personal data of an individual subscriber may, if not addressed in an adequate and timely manner, result in substantial economic loss and social harm, including identity fraud. Therefore, the national regulatory authority or other competent national authority should be notified without delay. The notification should include information about measures taken by the provider to address the breach, as well as recommendations for the users affected. The competent authority should consider and determine the seriousness of the breach. If the breach is deemed to be serious the competent authority should require the provider of publicly available electronic communications service and the provider of information society services to give an appropriate notification without undue delay to the persons affected by the breach.

3a. The competent authority shall consider and determine the seriousness of the breach. If the breach is deemed to be serious, the competent authority shall require the provider of publicly available electronic communications services and the provider of information society services to give an appropriate notification without undue delay to the persons affected by the breach. The notification shall contain the elements described in paragraph 3.

The notification of a serious breach may be postponed in cases where the notification may hinder the progress of a criminal investigation related to the serious breach.

Providers shall annually notify affected users of all breaches of security that have led to the accidental or unlawful destruction, loss or alteration or the unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed in connection with the provision of publicly available communications services in the Community.

National regulatory authorities shall also monitor whether companies have complied with their notification obligations under this Article and impose appropriate sanctions, including publication, as appropriate, in the event of a failure to do so.

3b. The seriousness of a breach requiring notification to subscribers shall be determined according to the circumstances of the breach, such as the risk to the personal data affected by the breach, the type of data affected by the breach, the number of subscribers involved, and the immediate or potential impact of the breach on the provision of services.

3c. The breach shall not be determined to be serious and the provider of publicly available electronic communications services and the provider of information society services shall be exempt from the requirement to provide notification to the persons affected, if they can demonstrate that there is no reasonable risk to the personal data affected by the breach due to the use of appropriate technological protection measures.

Technological protection measures in the event of accidental or unlawful destruction, loss or alteration or unauthorized disclosure of or access to personal data which are transmitted or stored shall either render the data unintelligible to any third party, or in the event of accidental or unlawful loss shall make the personal data available to the provider of publicly available electronic communication services and the provider of information society services.

4. In order to ensure consistency in implementation of the measures referred to in paragraphs 1, 2, 3, 3a, 3b and 3c, the Commission shall, following consultation with the European Data Protection Supervisor, relevant stakeholders and ENISA, recommend technical implementing measures concerning inter alia the measures described in paragraph 1a and the circumstances, format and procedures applicable to information and notification requirements referred to in paragraphs 3a and 3b.

The Commission shall involve all relevant stakeholders, particularly in order to be informed of the best available technical and economic methods for improving the implementation of this Directive.

Those measures designed to amend non-essential elements of this Directive by supplementing it shall be adopted in accordance with the regulatory procedure with scrutiny referred to in Article 14a (2). On imperative grounds of urgency, the Commission may use the urgency procedure referred to in Article 14a (3).

Article 5
Article 5 − Confidentiality of the communications

1. Member States shall ensure the confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications services, through national legislation. In particular, they shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, except when legally authorised to do so in accordance with Article 15(1). This paragraph shall not prevent technical storage which is necessary for the conveyance of a communication without prejudice to the principle of confidentiality.

2. Paragraph 1 shall not affect any legally authorised recording of communications and the related traffic data when carried out in the course of lawful business practice for the purpose of providing evidence of a commercial transaction or of any other business communication.

3. For the purpose of marketing electronic communications services or for the provision of value added services, the provider of a publicly available electronic communications service may process the data referred to in paragraph 1 to the extent and for the duration necessary for such services or marketing, if the subscriber or user to whom the data relate has given his/her prior consent. Users or subscribers shall be given the possibility to withdraw their consent for the processing of traffic data at any time.

Article 6
Article 6 − Traffic data

1. Traffic data relating to subscribers and users processed and stored by the provider of a public communications network or publicly available electronic communications service must be erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication without prejudice to paragraphs 2, 3 and 5 of this Article and Article 15(1).

2. Traffic data necessary for the purposes of subscriber billing and interconnection payments may be processed. Such processing is permissible only up to the end of the period during which the bill may lawfully be challenged or payment pursued.

3. For the purpose of marketing electronic communications services or for the provision of value added services, the provider of a publicly available electronic communications service may process the data referred to in paragraph 1 to the extent and for the duration necessary for such services or marketing, if the subscriber or user to whom the data relate has given his/her prior consent. Users or subscribers shall be given the possibility to withdraw their consent for the processing of traffic data at any time.

4. The service provider must inform the subscriber or user of the types of traffic data which are processed and of the duration of such processing for the purposes mentioned in paragraph 2 and, prior to obtaining consent, for the purposes mentioned in paragraph 3.

5. Processing of traffic data, in accordance with paragraphs 1, 2, 3 and 4, must be restricted to persons acting under the authority of providers of the public communications networks and publicly available electronic communications services handling billing or traffic management, customer enquiries, fraud detection, marketing electronic communications services or providing a value added service, and must be restricted to what is necessary for the purposes of such activities.

6. Paragraphs 1, 2, 3 and 5 shall apply without prejudice to the possibility for competent bodies to be informed of traffic data in conformity with applicable legislation with a view to settling disputes, in particular interconnection or billing disputes.

6a. Traffic data may be processed by any natural or legal person for the purpose of implementing technical measures to ensure the security of a public electronic communication service, a public or private electronic communications network, an information society service or related terminal and electronic communication equipment. Such processing must be restricted to that which is strictly necessary for the purposes of such security activity.

Article 14
Article 14 − Technical features and standardisation

1. In implementing the provisions of this Directive, Member States shall ensure, subject to paragraphs 2 and 3, that no mandatory requirements for specific technical features, including, without limitation, for the purpose of detecting, intercepting or preventing infringements of intellectual property rights by users, are imposed on terminal or other electronic communication equipment which could impede the placing of equipment on the market and the free circulation of such equipment in and between Member States.

2. Where provisions of this Directive can be implemented only by requiring specific technical features in electronic communications networks, Member States shall inform the Commission in accordance with the procedure provided for by Directive 98/34/EC of the European Parliament and of the Council of 22 June 1998 laying down a procedure for the provision of information in the field of technical standards and regulations and of rules on information society services(9).

3. Where required, measures may be adopted to ensure that terminal equipment is constructed in a way that is compatible with the right of users to protect and control the use of their personal data, in accordance with Directive 1999/5/EC and Council Decision 87/95/EEC of 22 December 1986 on standardisation in the field of information technology and communications. Such measures shall respect the principle of technology neutrality.

Article 15
Article 15 − Application of certain provisions of Directive 95/46/EC

1. Member States may adopt legislative measures to restrict the scope of the rights and obligations provided for in Article 5, Article 6, Article 8(1), (2), (3) and (4), and Article 9 of this Directive when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system, as referred to in Article 13(1) of Directive 95/46/EC. To this end, Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period justified on the grounds laid down in this paragraph. All the measures referred to in this paragraph shall be in accordance with the general principles of Community law, including those referred to in Article 6(1) and (2) of the Treaty on European Union.

(30a) Article 15(1) of Directive 2002/58/EC should be construed as meaning that disclosure of personal data in the context of Article 8 of Directive 2004/48/EC of the European Parliament and of the Council of 29 April 2004 on the enforcement of intellectual property rights (OJ L 157, 30.4.2004, p. 45.) is without prejudice to Directive 2002/58/EC or Directive 95/46/EC where it takes place following a justified, i.e. sufficiently well-founded, and proportionate request in accordance with procedures laid down by the Member States to guarantee that these safeguards are respected.

1b. Providers of publicly available communications services and providers of information society services shall notify the independent data protection authorities, without undue delay, of all requests for access to users' personal data received pursuant to paragraph 1, including the legal justification given and the legal procedure followed for each request; the independent data protection authority concerned shall notify the appropriate judicial authorities of those cases in which it deems that the relevant provisions of national law have not been complied with.

2. The provisions of Chapter III on judicial remedies, liability and sanctions of Directive 95/46/EC shall apply with regard to national provisions adopted pursuant to this Directive and with regard to the individual rights derived from this Directive.

3. The Working Party on the Protection of Individuals with regard to the Processing of Personal Data instituted by Article 29 of Directive 95/46/EC shall also carry out the tasks laid down in Article 30 of that Directive with regard to matters covered by this Directive, namely the protection of fundamental rights and freedoms and of legitimate interests in the electronic communications sector.

Article 15a
Article 15a − Implementation and enforcement

1. Member States shall lay down the rules on penalties, including penal sanctions where appropriate, applicable to infringements of the national provisions adopted pursuant to this Directive and shall take all measures necessary to ensure that they are implemented. The penalties provided for must be effective, proportionate and dissuasive. The Member States shall notify those provisions to the Commission by the [time limit for implementation of the amending act] at the latest and shall notify it without delay of any subsequent amendment affecting them.

2. Without prejudice to any judicial remedy which might be available, Member States shall ensure that the national regulatory authority has the power to order the cessation of the infringements referred to in paragraph 1.

3. Member States shall ensure that national regulatory authorities have all the investigative powers and resources necessary, including the possibility to obtain any relevant information they might need to monitor and enforce national provisions adopted pursuant to this Directive.

4. In order to ensure effective cross-border co-operation in the enforcement of the national laws adopted pursuant to this Directive and to create harmonised conditions for the provision of services involving cross-border data flows, the Commission may adopt technical implementing measures, following consultation with ENISA, the Article 29 Working Party and the relevant regulatory authorities.

The measures designed to amend non-essential elements of this Directive by supplementing it shall be adopted in accordance with the regulatory procedure with scrutiny referred to in Article 14a (2). On imperative grounds of urgency, the Commission may use the urgency procedure referred to in Article 14a (3).

(26b) When defining the implementing measures on the security of processing, in accordance with the regulatory procedure with scrutiny, the Commission should consult all relevant European authorities and organisations (ENISA, the European Data Protection Supervisor and the Article 29 Working Party) as well as all other relevant stakeholders, particularly in order to be informed of the best available technical and economic methods for improving the implementation of Directive 2002/58/EC.

(30b) When implementing measures transposing Directive 2002/58/EC, the authorities and courts of the Member States should not only interpret their national law in a manner consistent with that Directive, but should also ensure that they do not rely on an interpretation of that Directive which would be in conflict with other fundamental rights or general principles of Community law, such as the principle of proportionality.

(36) The need to ensure an adequate level of protection of privacy and personal data transmitted and processed in connection with the use of electronic communications networks in the Community calls for effective implementation and enforcement powers in order to provide adequate incentives for compliance. National regulatory authorities should have sufficient powers and resources to investigate cases of non-compliance effectively, including the possibility to obtain any relevant information they might need, to decide on complaints and to impose sanctions in cases of non-compliance.

Article 18
Article 18 − Review

By ... (Two years from the date of entry into force of this Directive.), the Commission shall submit to the European Parliament and the Council, having consulted the Article 29 Working Party and the European Data Protection Supervisor, a report on the application of this Directive and its impact on economic operators and consumers, in particular as regards the provisions on unsolicited communications, breach notifications and the use of personal data by public or private third parties for purposes not covered by this Directive, taking into account the international environment. For this purpose, the Commission may request information from the Member States, which shall be supplied without undue delay. Where appropriate, the Commission shall submit proposals to amend this Directive, taking account of the results of that report, any changes in the sector, the Treaty of Lisbon amending the Treaty on European Union and the Treaty establishing the European Community (OJ C 306, 17.12.2007, p. 1.), in particular the new competences in matters of data protection as laid down in Article 16, and any other proposal it may deem necessary in order to improve the effectiveness of this Directive.