Poszanowanie życia prywatnego oraz ochrony danych osobowych w łączności elektronicznej - opinia

W związku z prowadzonymi przez Ministerstwo Cyfryzacji konsultacjami najnowszej wersji projektu rozporządzenia Parlamentu Europejskiego i Rady w sprawie poszanowania życia prywatnego oraz ochrony danych osobowych w łączności elektronicznej i uchylające dyrektywę 2002/58/WE, zaproponowanej przez  Prezydencję estońską (dokument 153333/17 z 5 grudnia 2017 r.) (dalej: projekt rozporządzenia), wraz z dokumentem towarzyszącym (dalej: "discussion paper"), Konfederacja Lewiatan, w załączeniu, przekazała stanowisko do projektu.

Stanowisko Konfederacji Lewiatan odnoszące się do projektu rozporządzenia Parlamentu Europejskiego i Rady w sprawie poszanowania życia prywatnego oraz ochrony danych osobowych w łączności elektronicznej i uchylające dyrektywę 2002/58/WE, zaproponowanej przez Prezydencję estońską (dokument 153333/17 z 5 grudnia 2017 r.)

Poniżej Konfederacja Lewiatan przedstawia uwagi do projektu rozporządzenia odnosząc się bezpośrednio do poszczególnych opcji regulacyjnych (oraz do ich numeracji), przedstawionych w dokumencie "discussion paper" :

1. the relationship between the ePR and GDPR


Option 1

The proposed changes in Article 1(3) and recital (2a) of doc. 15333/17 on the relationship between the ePR and GDPR are partly sufficient for the purposes of clarifying the relation between the GDPR and the ePR. PCL appreciates the fact that the reference to the Regulation (EU) 2016/679 applies solely and exclusively to personal data. Nevertheless, further clarification is needed in the text of the proposal (either in the articles or recitals) as regards metadata processing (e.g. Art. 6(2)c requires consent for metadata processing - under what conditions should such consent be obtained?, - will it be left for the Member States to decide on that issue?).

2.1. Issues related to scope of the ePrivacy Regulation and the alignment with the proposal for a Directive establishing a European Electronic Communications Code (EECC)

Option 1

Due to differences between our member companies no changes have been proposed as regards Art. 4 par. 2 of the proposal.

Alternatively , Art 6 (3) should be revised as follows:

it is necessary for performance of the contract to which the end-user is party, including billing, calculating interconnection payments, detecting or stopping fraudulent, or abusive use of, or subscription to, electronic communications services as well as for the purpose of ADR mechanisms or...

2.2. Machine-to-machine communications (Articles 2, 3 and 5)

Option 2

We express a positive view on "Option 2" (exclusion of the scope of ePR) when it comes to M2M communication (p. 11)

· Enterprise data is protected by Art. 7 of the Charter of Fundamental Rights and business secrecy / unfair competition legislation. When it comes to critical infrastructure, the NIS directive offers additional protection measures.

· Technical means as encryption are industry standard providing for additional layers of confidentiality.

·  Limiting the ePR scope to M2M data "in transit" (e.g. on transmission from sender to receiver) is in theory a good idea, but there a a lot of details unclear (e.g. when does the transmission start/end; what about services as e.g. in terms of cyber security, which might need to have access to data in transmission).

3. Article 6: Permitted processing of electronic communications data

Option 5

The GDPR provides already a balanced set of legal permissions, whereas special (sensitive) data underly a stronger protection than regular (personal) data, and data subjects have the right to object to processing based on legitimate interest. etc. This nuanced approach of the GDPR was meant to cover all aspects of data processing in the EU. We still back the view of some Member States, that an alignment with GDPR rules strike the balance of protecting individuals rights of freedom of information and potential for innovation. This view would be reflected by "Option 5" (p. 16) in the Presidency document attached.

4. Article 7: Storage and erasure of electronic communications data

Option 2

The scope of the ePR should be limited to data "in transmission", i.e. when transported from sender to receiver on a electronic communication network. Therefore, Art. 7 (1) ePR should be deleted, as proposed by the Estonian presidency: "[There is] no need for this provision, considering the corresponding obligations under the GDPR and also in relation to the limitation of scope in art. 2 to 'content in transmission'."

5. Article 8: Protection of information stored in terminal equipment of end-users and related to or processed or emitted by such equipment

Option 3

Cookie banners have proven to be annoying for consumers, causing network traffic and related costs form companies. Replacing cookie banners with a new method of providing consent, namely through browser settings, may turn out to be equally if not more burdensome for the business. Stipulating consent as the predominant method of lawful processing will not achieve the Commission's objective to further protect these devices. Moreover it is much more difficult to obtain permission to use cookies on user's equipment which, in turn, could have an impact on ad-funded services. Therefore PCL believes, that recognising the legitimate interest for cookies coupled with the right to object (the opt-out option) would be the best solution.

We propose the following amendment of Art. 8 (1):

(aa) processing is necessary for the performance of a contract to which the end user is party or in order to take steps at the request of the end user prior to entering into a contract"

(f) it is necessary for compliance with a legal obligation.

NEW (g) it is necessary for billing, calculating payments, detecting or stopping fraudulent, abusive, or otherwise unauthorised use of information society services; or

NEW (f) it is necessary to maintain or restore the security of information society services and services, or detect technical faults and/or errors and/or attacks against information society services, for the duration necessary for that purpose.

NEW (h) a clear and prominent notice is displayed informing of, at least, the modalities of the collection, its purpose, the person responsible for it and the other information required under Article 13 of Regulation (EU) 2016/679 where personal data are collected, as well as any measure the user of the terminal equipment can take to stop or minimise the collection. The collection of such information shall be conditional on the application of appropriate technical measures and the application of organizational measures, which shall include inter alia pseudonymisation, to ensure a level of security appropriate to the risks, as set out in Article 32 of Regulation (EU) 2016/679.

6. Article 10: software privacy settings

Option 3

Article 10 should be deleted.

Alternatively, In line with what has been said in point 5, PCL proposes the following amendment (Art. 10):

1. Software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall offer the option to prevent third any other partiesthan the end-user from storing information on the terminal equipment of an end-user or processing information already stored on that equipment.

2. Upon installation or first usage, the software referred to in paragraph 1 shall inform the end-user about the privacy settings options. and, to continue with the installation or usage, require the end-user to consent to a setting.

2a. The software referred to in paragraph 1 shall provide in a clear manner easy ways for end-users to change the privacy setting consented to under paragraph 2 at any time during the use.

2aa. Privacy settings referred to in par. 1 shall not preclude service providers form storing information on the terminal equipment of an end-user or processing information already stored on that equipment if the service provider has a valid legal ground, including end user content, for such processing.

Consequently, recital 22 should be revised as follows:

(22) (...) Web browsers mediate much of what occurs between the end-user and the website. From this perspective, they are in a privileged position to play an active role to help the end-user to control the flow of information to and from the terminal equipment. More particularly web browsers may be used as gatekeepers, thus helping end-users to prevent information from their terminal equipment (for example smart phone, tablet or computer) from being accessed or stored. This should not however exclude storing information on the terminal equipment of an end-user or processing information already stored on that equipment by service providers that have legal ground for processing data under article 8, including consent.

Article 10 and in particular the related recitals are extremely prescriptive and will not enable businesses to continue offering the best privacy solutions for their users in a competitive environment. Instead, only one method of protection is offered that stipulates how privacy settings are presented to users. This would add burdens to businesses without creating better privacy results. More broadly, Article 10 would result in a sharp increase in third-party cookie-blocking. Additionally Art. 10 is too focussed on existing technology. It is not technology neutral and will not remain robust enough to encompass future developments.

Proposed changes aims to ensure that search engine setting should not create a barrier for service providers.