ECPS calls for higher privacy safeguards in its second Opinion on ePrivacy Directive

The European Data Protection Supervisor (EDPS) adopted on January, 9th 2009, an Opinion on the review of the Directive on Privacy and electronic communications, usually referred to as the ePrivacy Directive. The recommendations presented in this Opinion aim at streamlining some of the provisions of the Directive, while at the same time ensuring an adequate level of data protection and privacy.

This Second Opinion comes as a response to the Council's Common Position which, on a number of critical points, fails to endorse some of the data protection safeguards proposed by the European Parliament and the European Commission or previously recommended by the European Data Protection Supervisor (EDPS). This Opinion follows upon a first EDPS Opinion, as well as Comments, in which recommendations were made to help ensure that the proposed changes effectively provide for the best possible protection of personal data.

The Opinion particularly focuses on the provisions relating to the setting up of a mandatory security breach notification system for which the Supervisor believes there is still some room for improvement.

EDPS, Peter Hustinx, particularly highlighted in this respect that “the full benefits of security breach notification will be best realized if the legal framework is set right from the outset”. He added that in order to reach this objective, “the Parliament and the Council will need to meet the challenge of determining the proper standard setting forth the conditions for notification and ensuring that the appropriate processes are put into effect. Citizens will expect such a system to apply not only to their Internet access providers, but also to their on-line banks and on-line pharmacies."

Main EDPS recommendations on ePrivacy Directive

  • Scope of application: the EDPS supports the Parliament's approach to broaden the scope of application of the Directive to include publicly accessible private networks in the Community. He recommends to further clarify the types of services that would be covered by the broadened scope.
  • Processing of traffic data for security purposes: the EDPS considers the new article introduced by the Parliament - and maintained by the Council's Common Position and the Commission's Amended Proposal - legitimising the collection of traffic data for security purpose as being unnecessary. In the EDPS view, such a provision may be subject to risk of abuse, especially if adopted in a form that does not include the necessary data protection safeguards.
  • Right of action against infringements to the Directive: the EDPS calls upon the Commission and the Council to endorse the provision introduced by the Parliament that gives the possibility to legal entities, such as consumer associations, to bring legal action against infringements of any provisions of the Directive.

The EDPS is hopeful that, as the review of the Directive continues to make its way through the legislative process, new amendments will be adopted in accordance with the above recommendations with a view to restoring the necessary data protection safeguards.