May 8, 2017

The EDPS says that the General Data Protection Regulation (GDPR) represents “one of the EU’s greatest achievements in recent years”, but without a complementary and effective legal tool to protect the fundamental right to private life, of which the confidentiality of our communications is a vital component, the EU privacy and data protection framework remains incomplete.

Publishing his Opinion on the Draft Regulation on Privacy and Electronic Communications, proposed by the European Commission in January 2017, Giovanni Buttarelli, the current EDPS, said: “I welcome and support the Commission’s ambitious attempt to provide for the comprehensive protection of electronic communications. The extension of confidentiality obligations to a broader range of providers and services is a particularly important step forward, which reflects recent technological developments and our changing relationship with technology. However, certain improvements are necessary if the Regulation is to deliver on the promise of a high level of protection for electronic communications.”

In his preliminary July 2016 Opinion on the review of the E-privacy Directive, the EDPS called for “smarter, clearer and stronger” rules for E-privacy. The EDPS says that the Commission’s proposal represents an “ambitious attempt” to provide this, but its complexity is “daunting”. By splitting communications data into a range of different types, each entitled to a different level of confidentiality and subject to different exceptions, there is a risk that gaps in protection might emerge, he says.

The EDPS also raises concerns over the Commission’s intention to base the definitions in the draft Regulation on the European Electronic Communications Code, which is yet to be finalised. There is no legal justification for linking the new E-privacy Regulation to the Code and the market-focused definitions provided by the Code are simply “not appropriate for dealing with fundamental rights”, according to the EDPS. He therefore suggests that a set of definitions, which take into account the specific scope and objectives of the new rules, should be included in the E-privacy Regulation itself.

The new rules should also take into account the processing of electronic communications data by individuals or organisations other than e-communications providers. In the view of the EDPS, the additional protection the draft Regulation offers to communications data is of little use if the rules can be circumvented by transferring communications data to a third party, for example. In The EDPS also stresses the need for the Regulation to ensure that no communications are subject to unlawful tracking and monitoring without freely given and genuine user consent. To read the EDPS press release in full and for a link to the Opinion, click here.