2023 0879 004 Redacted.pdf

The  European  Data  Protection  Supervisor  (EDPS)  is  an  independent  institution  of  the  EU,
responsible under Article  52(2) of  Regulation  2018/1725  ‘With  respect to  the processing  of
personal data… for ensuring that the fundamental rights and freedoms of natural persons, and
in particular their right to  data protection, are respected by Union institutions and bodies’,
and under Article 52(3)‘…for advising Union institutions and bodies and data subjects on all
matters  concerning  the  processing  of  personal  data’.  Under  Article  58(3)(c)  of  Regulation
2018/1725, the EDPS shall have the power ‘to issue on his or her own initiative or on request,
opinions  to  Union  institutions  and  bodies  and  to  the  public  on  any  issue  related  to  the
protection of personal data’. Under Article 58(3)(c) of Regulation 2018/1725, the EDPS shall
have  the  power  ‘to  issue  on  his  or  her  own  initiative  or  on  request,  opinions  to  Union
institutions  and  bodies  and  to  the  public  on  any  issue  related  to  the  protection  of  personal
data’.
He was appointed in December 2014 together with the Assistant Supervisor with the specific
remit  of  being  constructive  and  proactive.  The  EDPS  published  in  March  2015  a  five-year
strategy setting out how he intends to implement this remit, and to be accountable for doing
so.
This Opinion relates to the EDPS' mission to advise the EU institutions on the data protection
implications of their policies and foster accountable policymaking - in line with Action 9 of the
EDPS  Strategy:  'Facilitating  responsible  and  informed  policymaking'.  While  the  EDPS
supports  the  objective  of  combatting  the  dissemination  of  terrorist  content  online,  thus
contributing  to  a  more  secure  Union  overall,  he  considers  that  the  Proposal  shcould  be
improved in certain key aspects to ensure compliance with data protection principles.

2 | P a g e

TABLE OF CONTENTS

1.
INTRODUCTION AND BACKGROUND ................................................................................................ 6
1 1  CONTEXT OF THE PROPOSAL
6
1 2  CONTENT OF THE PROPOSAL
7
2.
COMMENTS AND RECOMMENDATIONS .......................................................................................... 8
2 1  PRELIMINARY REMARKS
8
2 2  OBLIGATIONS FOR HSPS
10
2 2 1 On the use of automated tools in the context of proactive measures
10
2 2 2 Article 15(1) of Directive 2000/31/EC
11
2 2 3 Preservation of content and related data
11
3.
CONCLUSIONS .................................................................................................................................... 1312
Notes
14

5 | P a g e

Notes


1 OJ L 119, 4 5 2016, p  1
2 OJ L 295, 21 11 2018, p  39
3 OJ L 119, 4 5 2016, p  89
4 COM (2018) 640 final, Proposal for a Regulation of the European Parliament and of the Council on preventing
the dissemination of terrorist content online.
5 Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects
of information society services, in particular electronic commerce, in the Internal Market ('Directive on
electronic commerce'), OJ L 178, 17.7.2000, p. 1–16.
6 These initiatives include inter alia Directive 2011/92/EU of the European Parliament and of the Council of 13
December 2011 on combating the sexual abuse and sexual exploitation of children and child pornography, and
replacing Council Framework Decision 2004/68/JHA, OJ L 335, 17.12.2011, p. 1–14; Directive (EU) 2017/541 of
the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council
Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA, OJ L 88, 31.3.2017, p. 6–21;
COM (2016) 593 final, Proposal for Directive of the European Parliament and of the Council on copyright in the
Digital Single Market and most recent COM (2018) 1177 final, Commission Recommendation of 1.3 2018 on
measures to effectively tackle illegal content online .
7 Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating
terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision
2005/671/JHA, OJ L 88, 31.3.2017, p. 6–21.
8 COM(2016) 287 final Proposal for a Directive of the European Parliament and of the Council amending
Directive 2010/13/EU on the coordination of certain provisions laid down by law, regulation or administrative
action in Member States concerning the provision of audiovisual media services in view of changing market
realities.
9 COM(2018) 225 final, Proposal for a Regulation of the European Parliament and of the Council on European
Production and Preservation Orders for electronic evidence in criminal matters.
10 The EDPS observes in particular that Recital 32 of the Proposal already refers to the e-evidence Proposal.
11 In the Impact Assessment it is stated that the terrorist group Daesh produced in the years 2015-2017 an
average of 1200 new propaganda items every month (cf. Impact Assessment, p. 7).
12 Explanatory Memorandum, p. 1.
13 For instance Recital 7 and 17 or Article 3 and 6 of the Proposal.
14 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection
of natural persons with regard to the processing of personal data and on the free movement of such data, and
repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5 2016, p. 1–88.
15 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of
natural persons with regard to the processing of personal data by competent authorities for the purposes of
the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal
penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA,
OJ L 119, 4.5.2016, p. 89–131.
16 Cf. Article 7, 10 and 11 of the Proposal.
17 See Joined Cases C‑203/15 and C‑698/15, Tele2 Sverige AB v Post- och telestyrelsen and Secretary of State
for the Home Department v Tom Watson and Others, para. 104-107.
On general monitoring in the context of IPR infringements (general monitoring mandates for platforms
conflicting not only with Article 15 of the eCommerce Directive, but also with fundamental rights of internet
users, including the right to the protection of personal data), see Case C-70/10, Scarlet Extended SA v Société
belge des auteurs, compositeurs et éditeurs (SABAM), para. 53.
18 See Recital 21 of the Proposal.
19 As long as HSPs obligations are unclear, there is a risk that HSPs would be ‘incentivized’ by the threat of
penalties laid down in the Regulation (cf. Article 18(1)(e) referring to Article 7) to collect an excessive amount
of data, which will be obviously detrimental to the protection of personal data (as well as to other
fundamental rights such as freedom of expression).
14 | P a g e

20 Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of
data generated or processed in connection with the provision of publicly available electronic communications
services or of public communications networks and amending Directive 2002/58/EC, OJ L 105, 13.4.2006, p.
54-63, repealed by Judgment of the Court (Grand Chamber), 8 April 2014, Joined Cases C‑293/12 and
C‑594/12, Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others
and Kärntner Landesregierung and Others.
21 Joined Cases C-293/12 and C-594/12, Digital Rights Ireland Ltd, para. 54-55 and 65-67.
15 | P a g e