In its paper, DIGITALEUROPE noted that we regret that the European Commission has not followed the ‘Better Regulation principle’, has largely ignored the contributions from industry and has missed an opportunity to streamline data privacy rules in Europe. We expressed our view that the ePR takes a prohibitive and unworkable approach, which seriously undermines the development of Europe’s digital economy and will likely lead to yet greater confusion, legal fragmentation, and overly restrictive rules rather than creating a level playing field. We stressed the need to ensure coherence between the General Data Protection Regulation (“GDPR”) and ePR while calling for the ePR to not interpret provisions in the GDPR.
In the paper DIGITALEUROPE drew the attention of the co-legislators to the following issue-specific points:
- Scope - The ePR captures a disproportionately broad range of services. It should avoid becoming ‘catch-all’ legislation. We encourage exclusion from the scope of those services with only ancillary communications features and of M2M communications to bring the legislation in line with the Electronic Communications Code. We also welcome further clarification around the exclusion of closed user groups.
- Confidentiality - The introduction of extreme limitations on the processing of communications data goes beyond what is necessary to ensure the fundamental right to confidentiality and ignores the technological reality of how communications services work today. The ePR should protect the confidentiality of communication, not protect people against communication.
- Consent - The ePR must provide additional flexibility for the use of communications data through a greater reliance on legal bases for processing other than end-user consent, such as ‘legitimate interest’. It is unclear from whom consent needs to be obtained and who is responsible for obtaining it.
- Terminal Equipment - The ePR places special restrictions on the processing of terminal equipment data and ignores the central role that such data plays in ensuring pertinence, quality of service, and quality of experience for end-users. We encourage aligning the ePR as much as possible with the legal bases and provisions of the GDPR (e.g. legitimate interest).
- Connection Data - Data required to connect devices to a network should be a standalone category and should be subject to the same rules for lawfulness of processing as those outlined in the GDPR.
- Law Enforcement Access to Data - The ePR provides for significantly more opportunities for law enforcement authorities to request data as it expands on the type of data they can request, the range of providers that have to respond and the list of circumstances where law enforcement can disregard confidentiality requirements. More privacy safeguards must be introduced, based on the recent jurisprudence of the CJEU.
- Timeline - Co-legislators must take the time to properly consult and evaluate the impact of the ePR instead of rushing negotiations to meet an unrealistic timeline. Furthermore, and in line with the established jurisprudence of the CJEU and the principles of legal certainty, the ePR cannot apply the same day as it enters into force. It is impractical to expect that data controllers, who already devote significant time and effort to comply with the new requirements introduced by the GDPR, can somehow also devote resources to complying, within the same timeline, with requirements that are only in draft form, especially as this new proposal comes just 14 months before they are expected to comply. This timeline completely ignores the reality of software and hardware development, which takes place over a far longer schedule.