Council of the
European Union
Brussels, 17 November 2017
(OR. en)
PUBLIC
14374/17
Interinstitutional File:
2017/0003 (COD)
LIMITE
TELECOM 294
COMPET 766
MI 833
DATAPROTECT 184
CONSOM 353
JAI 1048
DIGIT 245
FREMP 132
CYBER 181
CODEC 1817
NOTE
From:
Presidency
To:
Permanent Representatives Committee/Council
No. prev. doc.:
14062/17 TELECOM 269 COMPET 734 MI 789 DATAPROTECT 175
CONSOM 340 JAI 1010 DIGIT 232 FREMP 122 CYBER 171 CODEC
1752
No. Cion doc.:
5358/17 TELECOM 12 COMPET 32 MI 45 DATAPROTECT 4 CONSOM
19 JAI 40 DIGIT 10 FREMP 3 CYBER 10 IA 12 CODEC 52
Subject:
Proposal for a Regulation of the European Parliament and of the Council
concerning the respect for private life and the protection of personal data in
electronic communications and repealing Directive 2002/58/EC (Regulation
on Privacy and Electronic Communications)
- Progress report
The present report has been drawn up under the responsibility of the Estonian Presidency and is
without prejudice to particular points of interest or further contributions of individual delegations.
It sets out the work done so far in the Council's preparatory bodies and gives an account on the
state of play in the examination of the above mentioned proposal.
14374/17
KM/ek
1
DG E2B
LIMITE
EN
Conseil UE
link to page 2 link to page 2 link to page 2 link to page 2
I.
INTRODUCTION
1.
The Commission adopted its proposal for a Regulation on Privacy and Electronic
Communications (hereinafter: ePR) on 10 January 2017 with the aim to replace the current
ePrivacy Directive
1. The proposal is one of the actions foreseen by the Digital Single Market
Strategy
2 to reinforce trust and security in the Digital Single Market and, among others, seeks
to align the rules for electronic communications with the new standards of the General Data
Protection Regulation
3 (hereinafter: GDPR) adopted in 2016.
2.
In the Council, the proposal and the impact assessment were presented to the Working Party
on Telecommunications and Information Society (hereinafter: WP TELE) in February 2017,
which was followed by the article-by-article examination of the whole proposal. The Maltese
Presidency presented a progress report
4 to the June 2017 TTE Council.
3.
In the European Parliament, the lead LIBE committee adopted its report, together with the
mandate to start interinstitutional negotiations on 19 October 2017, which was confirmed by a
plenary vote on 26 October 2017. The rapporteur for the file, Marju Lauristin (S&D, Estonia),
who has left the European Parliament, has been replaced by Birgit Sippel (S&D, Germany).
1
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002
concerning the processing of personal data and the protection of privacy in the electronic
communications sector (Directive on privacy and electronic communications)
2
Doc. 8672/15
3
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of personal data and on the
free movement of such data, and repealing Directive 95/46/EC (General Data Protection
Regulation)
4
Doc. 9324/17
14374/17
KM/ek
2
DG E2B
LIMITE
EN
link to page 3
II. STATE OF PLAY IN THE COUNCIL
4.
Under the Estonian Presidency, considerable efforts have been put into advancing
negotiations on the proposal. The WP TELE has discussed the proposal in six full-day
meetings and the Presidency has issued several compromise text
s5. In this context, the
Presidency is grateful for the delegations' constructive approach, bearing in mind that, in
many cases, the analysis of the proposal at the national level is still ongoing.
5.
On the basis of the discussions in the WP TELE and of the written comments submitted by
delegations so far, the Presidency put together the present progress report. The objective is to
inform Ministers about the state of play of the proposal and to draw attention to the issues that
will necessitate further discussions.
i.
Link to the General Data Protection Regulation (GDPR) and consent
6.
During the discussions and in their written comments, many delegations inquired about the
interplay between the ePR and the GDPR. Delegations sought clarifications with regard to the
application of the 'lex specialis' principle to the ePR vis-à-vis the GDPR, in particular bearing
in mind that not all electronic communications data qualifies as personal data and that while
the ePR covers electronic communications data of both natural and legal persons, the GDPR
only protects natural persons’ related data.
7.
The Presidency has introduced changes in the text with the aim to make clear that the ePR is a
lex specialis vis-à-vis the GDPR as far as personal data (i.e. of natural persons) is concerned.
If no specific rules are established in the ePR, the provisions of the GDPR apply to any
processing of data that qualify as personal data. Moreover, the GDPR as such does not apply
to data related to legal persons which does not constitute personal data. Therefore it should be
clear that in this respect the GDPR shall apply, for the purposes of the ePR, only where the
ePR explicitly provides for it.
5
Doc. 11995/17, 12955/17, 13217/17+COR1
14374/17
KM/ek
3
DG E2B
LIMITE
EN
link to page 4
8.
In this connection, a lot of work has been done also on the concept of consent that comes from
the GDPR. Firstly, the provision on consent has been moved to the general provisions to
ensure that the same concept is applied throughout the proposal. Secondly, a number of
delegations raised concerns with regard to who can give the GDPR-compliant consent on
behalf of legal persons. In this regard, the Commission has provided explanation based on the
distinction whether a natural person is using the service concerned (then this natural person
has to give the consent) or not (in such a case national law provides who can act on behalf of
a legal person).
9.
While delegations mostly welcome the clarifications mentioned in points 7 and 8, it is clear
that further work is needed with regard to specific wording of the relevant provisions.
ii.
Machine-to-machine communications
10. Delegations raised concerns with regard to the application of the ePR to machine-to-machine
communications, in particular those that only involve business-to-business communications or
communications without human interaction (e.g. technical feasibility of giving GDPR
compliant consent in such situations). The first Presidency compromise proposal included a
provision specifying that machine-to-machine communications were only covered as long as
they were related to end-users. However, following further analysis of the issue, the
Presidency has proposed to clarify that the ePR follows the same approach as in the
compromise proposal of the European Electronic Communications Code (EECC)
6. Under the
EECC compromise proposal the transmission services used for the provision of machine-to-
machine services constitute an electronic communications service and as such should be
covered by the ePR. However, the application layer of such machine-to-machine services,
which does not normally constitute an electronic communications service, is not covered by
the ePR.
11. Further reflection is necessary on this approach, including on the appropriate way to translate
it in concrete drafting. Furthermore, the aim of future discussions should also be to dispel
certain misunderstandings surrounding this rather complicated topic.
6
Latest version: doc. 12797/1/17 REV 1
14374/17
KM/ek
4
DG E2B
LIMITE
EN
iii.
Publicly available directories
12. Discussions on publicly available directories (article 15) focused mainly on the question of
who the relevant obligations should be addressed to. In line with the approach taken in the
EECC, the Presidency has proposed to address them to providers of number-based
interpersonal communications services instead of providers of directories as they should have
easier access to the end-user. The latter approach seemed to be supported by many
delegations but its consequences still need to be carefully considered. Delegations also sought
clarity on what is actually considered to be a publicly available directory under the ePR
proposal.
13. Moreover, some delegations raised a question of the added value of the provision vis-à-vis the
protection already offered (for natural persons) by the GDPR.
iv.
Direct marketing communications
14. The original Commission proposal provided that persons making direct marketing calls
should either present their calling line identification or use a specific prefix (specified by the
Commission's implementing act) indicating that their call is a marketing call. Delegations
raised concerns regarding the difficulties to enforce such an obligation and regarding the
related implementing act from the numbering management point of view. The Presidency has
therefore proposed that presentation of the calling line identification by persons making
direct marketing calls shall be mandatory. In addition, if Member States so wish, they can
require by national law that persons making direct marketing calls use specific codes or
prefixes. In such a case the code or prefix should be made available at national level, which
removes the need for the implementing act. While a number of delegations indicated that the
Presidency proposal is moving in the right direction, concerns remain as to the technical
feasibility as well as compatibility with national and international rules on numbering that
need further examining.
14374/17
KM/ek
5
DG E2B
LIMITE
EN
v.
Supervisory authorities
15. Most delegations asked for more flexibility with regard to the supervisory authorities.
Keeping in mind that the Data Protection Authorities (DPAs) have the experience and
knowledge needed to monitor the application of Chapter II of ePR and, on the other hand,
some of the provisions might require expertise beyond DPAs competences, the Presidency has
proposed to keep the DPAs as authorities for monitoring the application of Chapter II while
providing flexibility to Member States to designate supervisory authorities responsible for
monitoring the application of Chapter III. While many delegations would still prefer to keep
flexibility with regard to supervision of the whole proposal, including Chapter II, the
Presidency proposal seems to be moving in the right direction.
16. Further work will be needed on the text of the relevant provisions, bearing in mind the
requirements stemming from Article 8(3) of the Charter and Article 16(2) of the TFEU,
including on the cooperation between the supervisory authorities and on the role of the
European Data Protection Board.
vi.
Grounds for processing electronic communications data, protection of terminal
equipment, browser privacy settings
17. From the initial discussions on the permitted processing of electronic communications data
(article 6), it is clear that further analysis is necessary as to whether, and to what extent, the
grounds for processing proposed by the Commission need to be complemented by additional
grounds. Further consideration might be needed of certain grounds permitted under the
GDPR, keeping in mind, on the other hand, the specific nature of the electronic
communications data.
18. Further discussions will be needed on the issue of the protection of the end-users’ terminal
equipment, including the use of cookies and other tracking techniques as well as on device
tracking (article 8). Delegations stressed the need to find a balance between ensuring proper
privacy protection without undermining legitimate business models. On cookies,
considerations should also be given to their purpose and their actual impact on privacy.
14374/17
KM/ek
6
DG E2B
LIMITE
EN
19. With regard to software privacy settings (article 10), delegations raised a number of relevant
questions that need to be addressed before any redrafting of the text can take place. Those
include the impact on the role of browsers in the internet ecosystem, the added value from the
user perspective or the question of whether, given the existing market solutions, regulation is
needed at all in this respect.
vii.
Data retention
20. The issue of data retention has primarily been under the remit of the Justice and Home Affairs
Council and has been, at the working level, analysed in the DAPIX - Friends of Presidency
setting. The Presidency has, however, organised a joint DAPIX - FoP/ WP TELE meeting
which focused on the issues relevant in the ePR context, in particular the availability of
electronic communications data. Following the joint meeting, the debate was opened also in
the WP TELE. Delegations tabled various suggestions how to approach this issue in the
context of articles 2 (scope), 6 (permitted processing), 7 (storage and erasure) and 11
(restrictions of rights and obligations under Chapter II), which will need to be analysed in
future discussions.
viii.
Other elements
21. The Presidency has put considerable efforts into addressing other elements of the proposal,
such as clarifying the material scope, the requirement of a representative or clarifying the
scope of ancillary services. Further analysis is needed on those elements.
14374/17
KM/ek
7
DG E2B
LIMITE
EN
III. CONCLUSION
22. As outlined under different sections of this report, important work still lies ahead of us on
majority of the topics. The above listed issues represent a selection of topics discussed in the
WP TELE so far and there is a number of other issues that will also need to be addressed,
such as the definitions or Chapters V, VI and VII.
23. The Presidency keeps a possibility for an additional WP TELE meeting in December, which
would, if confirmed, focus on articles 6 to 8 and 10 to facilitate future progress on this
proposal.
*
* *
Following Coreper's consideration of this progress report, the Presidency will present it to the
Council with the invitation to take note of it.
_________________________
14374/17
KM/ek
8
DG E2B
LIMITE
EN