POSITION STATEMENT

Regulation on the Respect for Private Life and the Protection of Personal
Data in Electronic Communications (EPrivacy)

In summary

FSB welcomes the intention to harmonise the data protection and privacy
rules across Europe, but questions the need for a Regulation at this time
given the provisions of the General Data Protection Regulation (GDPR).
FSB calls for a thorough impact assessment on how the proposed rules will
affect the online visibility of SMEs and on those business models that use
third-party cookies, including the actual costs for implementing those rules.
FSB calls for greater recognition of the cumulative legislative burden faced
by small businesses and for a 2-year transitional compliance period to
enable the smallest businesses to adapt to the proposed rules.
To avoid duplications and creating additional burdens for SMEs, the
proposed regulation and all its provisions, from consent to legal bases,
should be in full alignment with the GDPR.
A privacy-by-default approach to third party communications will
disproportionately impact SMEs and endanger those free service business
models.
Direct marketing is a cost-effective tool for SMEs to promote their products
and establish relationships with potential clients in a targeted and less
intrusive way. Article 16 clearly deviates from the legal bases in the GDPR
for that activity, in particular the legitimate interest. Thus, Article 16 if
adopted in its current form will disproportionately affect SMEs.

Background

The proposal for a Regulation on the respect for private life and the protection of
personal data in electronic communications (ePrivacy regulation) aims to ensure
consistency with the General Data Protection Regulation (GDPR), which will come into
force in May 2018.

The proposal also aims to update the 2002 e-privacy directive to address
technological developments that are currently not covered by legislation and provide
more clarity on original provisions in the 2002 e-privacy directive.

The proposed regulation covers all matters concerning the processing of personal
data not specifically addressed by the GDPR and will broadly apply to businesses that

1
provide any type of online communication service, use online tracking technologies
or electronic direct marketing.

This means over the top communications services such as voice over internet,
instant messaging and web-based e-email services - will be brought into scope of
this legislation and so subject to the same rules as traditional electronic
communications services.

General Considerations

The Federation of Small Business (FSB) strongly supports efforts to make the digital
single market a reality. Whilst FSB welcomes the general aim and background of the
ePrivacy proposal, FSB questions the need for the regulation given the provisions of
the General Data Protection Regulation (GDPR).

The proposal in its current form will only lead to increased uncertainty for small
businesses due to the lack of clarity in elements of the text and creates legal
uncertainty regarding its interplay and compatibility with existing EU instruments and
the General Data Protection Regulation (GDPR), which must be implemented in May
2018.

Moreover, the obligations set out in the proposal do not take into consideration that
SMEs have limited human, financial, and technical resources at their disposal. FSB
believes the provisions of the (GDPR) should be given time to be fully implemented
and assessed rather than rushing to implement this regulation at the same time as
the GDPR in May 2018.

Comments

Timeline

FSB remains concerned with the proposed date of application set by the European
Commission of the 25 May 2018, and calls for the European Institutions to carefully
review the current timeline and not rush to meet the desired date at any cost.
Council delegates have also recognised that as the choice of legal instrument is a
regulation, which requires a higher level of precision and clarity than a Directive, the
proposed date of application is considered unrealistic1. Small businesses are already
concerned with the implementation of the GDPR, especially as the guidance on how
to comply with the Regulation has yet to be completed by the Article 29 Working
Party. Thus, implementing an additional set of rules, without guidance and clarity on
the interplay between the proposed draft e-privacy regulation and the GDPR, will
create significant uncertainty for small businesses. FSB therefore calls for a 2-year
transitional compliance period to give the smallest businesses the time to adapt to

1
http://www.euractiv.com/wp-content/uploads/sites/2/2017/05/0108_001.pdf

2
the proposed rules. This will not only assist the smallest businesses transition to the
new rules, but it will also enable policy-makers to assess the impact and
consequences of the GDPR.

Article 8 (Processing of Terminal Equipment Data)

Article 8 prohibits the use of processing and storage capabilities of terminal

equipment and the collection of information from end-users terminal equipment,
unless specific conditions are fulfilled, such as by obtaining consent from the end-
user (or in the rapporteurs case specific consent). Thus, the draft proposal is far
more restrictive than the GDPR, which has additional legal grounds for processing
data, such as through a contractual relationship between both parties. FSB calls on
the European Parliament to align this Article with the legal grounds for processing
contained in the GDPR. Moreover, inserting processing on the basis of a legitimate
interest, as defined in Article 6 of the GDPR, as well as an article limiting processing
to pseudonymised data will balance both the interests of companies and data
subjects.

Article 10 (Software Placed on the Market)

Article 10 prescribes that software placed on the market permitting electronic

communications, including the retrieval and presentation of information on the
internet, shall offer the option to prevent third parties from storing information on
terminal equipment of an end-user or processing information already stored on that
equipment. If adopted, this article will require all software on an end-user device,
from mobile applications to browsers, to provide options that may block all third-
party communications. The rapporteur has gone even further by amending the article
to include a privacy-by-default approach. Third party communications and the traffic
generated by these operators is vital for small businesses, which rely on these
operators to increase their online visibility and drive consumers to their website. If a
blanket approach which restricts third party communications is applied, either by
default or manually via browser settings, this will disproportionately impact SMEs and
those businesses that have developed privacy settings tailored to their users, as well
as jeopardise those business models that are able to offer free services in exchange
for advertisements. The GDPR already contains provisions designed to tackle the
collection and use of data, as a result of using software, on lawful processing etc.

Article 16 (Unsolicited Communications)

Article 16 of the draft regulation provides that a natural or legal person may use
electronic communication services for the purposes of sending direct marketing
communications to end-users who are natural persons that have given their consent.
This regulation appears to contradict the provisions contained in the GDPR. For
example, the GDPR has several legal bases for the same activity, including legitimate

3
interests. The GDPR also provides that direct marketing can be an example of a
practice which could be regarded as a legitimate interest, thereby not requiring
consent, or prior consent as the rapporteur advocates. For those companies that have
limited financial, technical and human resources at their disposal, direct marketing
offers a viable tool for SMEs to promote their products and establish relationships
with potential clients in a cost-efficient way and in targeted and less intrusive manner.
Moreover, it is important to recognise that SMEs do not have the marketing budget
available to compete with larger companies that use more traditional channels,
therefore restrictions on direct marketing will disproportionately impact SMEs.

Impact Assessment

FSB calls upon the European Parliament to conduct a thorough impact assessment of
the e-privacy proposal, including the stricter provisions made by the rapporteur in
her draft report. This impact assessment should assess how the above will affect
small enterprises and the self-employed in terms of online visibility, how the proposed
rules will affect those business models using third-party cookies, on business-to-
business data, the actual costs of implementing these rules, and provide a detailed
analysis regarding the possible overlaps, duplications or contradictions with other
legislation (GDPR & ECC), as advocated in the Council progress report of the 15 May
20172. Conducting such an assessment would be in line with the principles of better
regulation, which calls for policy measures to be evidence-based, well-designed and
deliver tangible and sustainable benefits for citizens, business and society as a
whole3.

2
http://www.euractiv.com/wp-content/uploads/sites/2/2017/05/0108_001.pdf
3
http://ec.europa.eu/smart-regulation/better_regulation/documents/com_2015_215_en.pdf

4
 Amendments
European Commission European Parliament (LIBE)
Draft Report
Recital 17a
This Regulation broadens the
possibilities for providers of
electronic communications
services to process electronic
communications metadata
based on users' informed
consent. However, users attach
great importance to the
confidentiality of their
communications, including their
online activities, and they want
to control the use of their
electronic communications data
for purposes other than
conveying the communication.
Therefore, this Regulation
should require providers of
electronic communications
services to obtain users'
consent to process electronic
communications metadata,
which should include data on
the location of the device
generated for the purposes of
granting and maintaining
access and connection to the
service. For the purposes of
this Regulation, the consent of
an end-user, regardless of
whether the latter is a natural
or legal person, should have
the same meaning and be
subject to the same conditions
as the consent of the data
subject under Regulation (EU)
2016/679. The end-users
should have the right to
withdraw their consent from an
additional service without
breaching the contract for the
basic service. Consent for
FSB Proposed
Amendments
Recital 17a
This Regulation broadens the
possibilities for providers of
electronic communications
services to process electronic
communications metadata
based on a legitimate
legal ground. Therefore,
this Regulation should
require providers of
electronic communications
services to obtain users'
consent or to ensure that in
order to process electronic
communications metadata,
which should include data on
the location of the device
generated for the purposes
of granting and maintaining
access and connection to the
service, users have been
duly informed of the legal
ground on which the
processing is based. For
the purposes of this
Regulation, the consent of an
end-user, regardless of
whether the latter is a
natural or legal person,
should have the same
meaning and be subject to
the same conditions as the
consent of the data subject
under Regulation (EU)
2016/679.
5

Recital 20
Terminal equipment of end-
users of electronic
communications networks and
any information relating to
the usage of such terminal
equipment, whether in
particular is stored in or
emitted by such equipment,
requested from or processed
in order to enable it to
connect to another device and
or network equipment, are
part of the private sphere of
the end-users requiring
protection under the Charter
of Fundamental Rights of the
European Union and the
European Convention for the
Protection of Human Rights
and Fundamental Freedoms.
Given that such equipment
contains or processes
information that may reveal
details of an individual's
emotional, political, social
complexities, including the
content of communications,
pictures, the location of
individuals by accessing the
devices GPS capabilities,
contact lists, and other
information already stored in
the device, the information
related to such equipment
requires enhanced privacy
protection. Furthermore, the
so-called spyware, web bugs,
processing data from internet
or voice communications usage
should not be valid if the user
has no genuine and free choice,
or is unable to refuse or
withdraw consent without
detriment.
Recital 20
Terminal equipment of users of
electronic communications
networks and any information
relating to the usage of such
terminal equipment, whether in
particular is stored in or
emitted by such equipment,
requested from or processed in
order to enable it to connect to
another device and or network
equipment, are part of the
private sphere of the users
requiring protection under the
Charter of Fundamental Rights
of the European Union and the
European Convention for the
Protection of Human Rights and
Fundamental Freedoms. Given
that such equipment contains
or processes very sensitive data
that may reveal details of the
behaviour, psychological
features, emotional condition
and political and social
preferences of an individual,
including the content of
communications, pictures, the
location of individuals by
accessing the GPS capabilities
of their device, contact lists,
and other information already
stored in the device, the
information related to such
equipment requires enhanced
privacy protection. Information
related to the users device
may also be collected remotely
Recital 20
Terminal equipment of end-
users of electronic
communications networks
and any personally
attributable information
relating to the usage of such
terminal equipment, whether
in particular is stored in or
emitted by such equipment,
requested from or processed
in order to enable it to
connect to another device
and or network equipment,
are part of the private sphere
of the end-users requiring
protection under the Charter
of Fundamental Rights of the
European Union and the
European Convention for the
Protection of Human Rights
and Fundamental Freedoms.
Given that such equipment
contains or processes
information that, unless
pseudonymized or
anonymized, may reveal
details of an individual's
emotional, political, social
complexities, including the
content of communications,
pictures, the precise location
of individuals by accessing
the devices GPS capabilities,
contact lists, and other
information already stored in
the device, the information
related to such equipment
6
hidden identifiers, tracking
cookies and other similar
unwanted tracking tools can
enter end-user's terminal
equipment without their
knowledge in order to gain
access to information, to store
hidden information and to
trace the activities.
Information related to the
end-users device may also be
collected remotely for the
purpose of identification and
tracking, using techniques
such as the so-called device
fingerprinting, often without
the knowledge of the end-
user, and may seriously
intrude upon the privacy of
these end-users. Techniques
that surreptitiously monitor
the actions of end-users, for
example by tracking their
activities online or the
location of their terminal
equipment, or subvert the
operation of the end-users
terminal equipment pose a
serious threat to the privacy
of end-users. Therefore, any
such interference with the
end-user's terminal
equipment should be allowed
only with the end-user's
consent and for specific and
transparent purposes.
for the purpose of identification
and tracking, using techniques
such as the so-called device
fingerprinting, often without
the knowledge of the user, and
may seriously intrude upon the
privacy of these users.
Furthermore, so-called
spyware, web bugs, hidden
identifiers and unwanted
tracking tools can enter users'
terminal equipment without
their knowledge in order to gain
access to information or to
store hidden information.
Techniques that surreptitiously
monitor the actions of users,
for example by tracking their
activities online or the location
of their terminal equipment, or
subvert the operation of the
users terminal equipment pose
a serious threat to the privacy
of users. Therefore, any such
interference with the user's
terminal equipment should be
allowed only with the user's
consent and for specific and
transparent purposes. Users
should receive all relevant
information about the intended
processing in clear and easily
understandable language. Such
information should be provided
separately from the terms and
conditions of the service.
requires enhanced privacy
protection. Furthermore, the
so-called spyware, web bugs,
hidden personal identifiers,
tracking cookies and other
similar personal tracking
tools can enter end-user's
terminal equipment without
their knowledge in order to
gain access to personal
information, to store hidden
personal information and to
trace the personal activities.
Personal Information related
to the end-users device may
also be collected remotely for
the purpose of identification
and tracking, using
techniques such as the so-
called device fingerprinting,
often without the knowledge
of the end-user, and may
seriously intrude upon the
privacy of these end-users.
Techniques that
surreptitiously monitor the
actions of end-users, for
example by tracking their
activities online or the
location of their terminal
equipment, or subvert the
operation of the end-users
terminal equipment pose a
serious threat to the privacy
of end-users. Therefore, any
such interference with the
end-user's terminal
equipment should be allowed
only with the end-user's
consent and for specific and
transparent purposes.
Where pseudonymous or
anonymous data is used
in accordance with
Regulation (EU)
2016/679 and its privacy-
7

Recital 21
Exceptions to the obligation to
obtain consent to make use of
the processing and storage
capabilities of terminal
equipment or to access
information stored in terminal
equipment should be limited
to situations that involve no,
or only very limited, intrusion
of privacy. For instance,
consent should not be
requested for authorizing the
technical storage or access
which is strictly necessary and
proportionate for the
legitimate purpose of enabling
the use of a specific service
explicitly requested by the
end-user. This may include
the storing of cookies for the
duration of a single
established session on a
website to keep track of the
end-users input when filling
in online forms over several
pages. Cookies can also be a
legitimate and useful tool, for
example, in measuring web
traffic to a website.
Information society providers
that engage in configuration
checking to provide the
service in compliance with the
end-user's settings and the
mere logging of the fact that
the end-users device is
unable to receive content
requested by the end-user
Recital 21
Exceptions to the obligation to
obtain consent to make use of
the processing and storage
capabilities of terminal
equipment or to access
information stored in terminal
equipment should be limited to
situations that involve no, or
only very limited, intrusion of
privacy. For instance, consent
should not be requested for
authorizing the technical
storage or access which is
strictly necessary and
proportionate for the legitimate
purpose of enabling the use of
a specific service explicitly
requested by the user. This
may include the storing of
information (such as cookies
and identifiers) for the duration
of a single established session
on a website to keep track of
the users input when filling in
online forms over several
pages. Tracking techniques, if
implemented with appropriate
privacy safeguards, can also be
a legitimate and useful tool, for
example, in measuring web
traffic to a website. Information
society providers could engage
in configuration checking in
order to provide the service in
compliance with the user's
settings and the mere logging
revealing the fact that the
users device is unable to
by-design principles, such
use shall not qualify as
such interference with the
end-user's terminal
equipment.
Recital 21
Exceptions to the obligation
to obtain consent to store
information in terminal
equipment or to access
information stored in
terminal equipment should
be limited to situations that
comply with all obligations
pursuant to Regulation (EU)
2016/679. For instance,
the technical storage or
access which is
proportionate; essential
and necessary for the
function and performance
of the website with the
legitimate purpose of
enabling the use of a
service that is beneficial
to the end-user; or that
provides increased user-
friendliness for the end-
user. Such information
could e.g. be necessary to
make the website function
properly; enable website
improvement based on
end-user interaction; or
enable adaptation of
website according to an
end-users individual
preferences. This may
include the storing of cookies
on a website to keep track of
the end-users input when
filling in online forms over
several pages or enabling
other adaptation to individual
8
should not constitute access
to such a device or use of the
device processing capabilities.
Recital 29
Technology exists that
enables providers of
electronic communications
receive content requested by
the user, should not constitute
illegitimate access.
Recital 29
Technology exists that enables
providers of electronic
communications services to
preferences. Cookies can also
be a legitimate and useful
tool to improve the
performance of a website, for
example, in measuring web
traffic to a website or identify
if end-users get error
messages from certain pages
on a website. Similarly,
providers of terminal
equipment and the
software needed to
operate such equipment
regularly need access to
configuration and other
device information and
the processing and
storage capabilities to
maintain the equipment,
prevent security
vulnerabilities and correct
problems related to the
equipments operation.
Information society
providers and electronic
communications service
providers that engage in
configuration checking to
provide the service in
compliance with the end-
users settings and the
mere logging of the fact
that the end-users device
is unable to receive
content requested by the
end-user should not
constitute access to such
a device or use of the
device processing
capabilities.
Recital 29
Technology exists that
enables providers of
electronic
9
services to limit the reception
of unwanted calls by end-
users in different ways,
including blocking silent calls
and other fraudulent and
nuisance calls. Providers of
publicly available number-
based interpersonal
communications services
should deploy this technology
and protect end-users against
nuisance calls and free of
charge. Providers should
ensure that end-users are
aware of the existence of such
functionalities, for instance,
by publicising the fact on their
webpage.
Article 8 (Paragraph 1)
The use of processing and
storage capabilities of
terminal equipment and the
collection of information from
end-users terminal
equipment, including about its
software and hardware, other
than by the end-user
concerned shall be prohibited,
except on the following
grounds:
(a) it is necessary for the sole
purpose of carrying out the
transmission of an electronic
communication over an
electronic communications
network; or
(b) the end-user has given his
or her consent; or
limit the reception of unwanted
calls by end-users in different
ways, including blocking silent
calls, other fraudulent and
nuisance calls or marketing
calls with a specific code or
prefix. Providers of publicly
available number-based
interpersonal communications
services should deploy this
technology and protect end-
users against nuisance calls
and should do so free of
charge. Providers should ensure
that end-users are aware of the
existence of such
functionalities, for instance, by
publicising the fact on their
webpage.
Article 8 (Paragraph 1)
The use of processing and
storage capabilities of terminal
equipment and the collection of
information from users
terminal equipment, or making
information available through
the terminal equipment,
including information about or
generated by its software and
hardware, other than by the
user concerned shall be
prohibited, except on the
following grounds:
(a) it is strictly technically
necessary for the sole purpose
of carrying out the transmission
of an electronic communication
over an electronic
communications network; or
communications services
to limit the reception of
unwanted calls by end-
users in different ways,
including blocking silent
calls, other fraudulent and
nuisance calls. Providers of
publicly available number-
based interpersonal
communications services
should deploy this
technology and protect
end-users against
nuisance calls. Providers
should ensure that end-users
are aware of the existence of
such functionalities, for
instance, by publicising the
fact on their webpage.
Article 8 (Paragraph 1)
The use of processing and
storage capabilities of
terminal equipment and the
collection of personal data
from end-users terminal
equipment, other than by the
end-user concerned shall be
prohibited, except on the
following grounds:
(a) it is necessary for the
sole purpose of carrying out
the transmission of an
electronic communication
over an electronic
communications network; or
(b) the end-user has given his
or her consent; or
(c) pseudonymous data
that is used for purposes
10
(c) it is necessary for
providing an information
society service requested by
the end-user; or
(d) if it is necessary for web
audience measuring, provided
that such measurement is
carried out by the provider of
the information society
service requested by the end-
user.
(b) the user has given his or justified pursuant to
her specific consent, which shall Regulation (EU)
not be mandatory to access the 2016/679; or
service; or
(d) if it is necessary for web
(c) it is strictly technically audience measuring,
necessary for providing an provided that such
information society service measurement is carried out
requested by the user; or either by the provider of the
information society service
(d) if it is technically necessary requested by the end-user or
for web audience measuring of using anonymous or
the information society service pseudonymous data.
requested by the user, provided
that such measurement is
carried out by the provider, or
on behalf of the provider, or by
an independent web analytics
agency acting in the public
interest or for scientific
purpose; and further provided
that no personal data is made
accessible to any other party
and that such web audience
measurement does not
adversely affect the
fundamental rights of the user;

Article 10 (Paragraph 1) Article 10 (Paragraph 1) Deleted

Software placed on the Software placed on the market Justification:

market permitting electronic
communications, including the
retrieval and presentation of
information on the internet,
shall offer the option to
prevent third parties from
storing information on the
terminal equipment of an
end-user or processing
information already stored on
that equipment.
permitting electronic
communications, including the
retrieval and presentation of
information on the internet,
shall:
(a) (new) by default, offer
privacy protective settings to
prevent other parties from
storing information on the
terminal equipment of a user
and from processing information
already stored on that
equipment;
Article 25 of Regulation (EU)
2016/679 governs data
protection by design and by
default. Article 10 of the
proposal for a regulation
only undermines Article
25 of Regulation (EU)
2016/679 and would
hamper most business
models.

11

Article 16 Para (i)
Natural or legal persons may
use electronic
communications services for
the purposes of sending direct
marketing communications to
end-users who are natural
persons that have given their
consent.
Article 27 (Paragraph 1)
Directive 2002/58/EC is
repealed with effect from 25
May 2018
(b) upon installation, inform and
offer the user the possibility to
change or confirm the privacy
settings options defined in point
(a) by requiring the user's
consent to a setting;
(c) make the setting defined in
points (a) and (b) easily
accessible during the use of the
software; and
(d) offer the user the possibility
to express specific consent
through the settings after the
installation of the software.
Article 16 Para (i)
The use by natural or legal
persons of electronic
communications services,
including voice-to-voice calls,
automated calling and
communications systems,
including semi-automated
systems that connect the call
person to an individual, faxes,
e-mail or other use of electronic
communications services for
the purposes of presenting
unsolicited or direct marketing
communications to end-users,
shall be allowed only in respect
of end-users who have given
their prior consent.
Article 27 (Paragraph 1)
No changes from Commission
text.
Deleted
Justification:
Article 16 of the proposal
for a regulation deals with
direct marketing aspects
without making
any direct link to
communications data or
end-user terminal
equipment. This provision
is concerned with the law
on advertising and
consumer protection,
matters which should be
governed by a
substantively appropriate
EU legal instrument.
Directive 2005/29/EC
(Directive on unfair business
practices) would be a more
appropriate legal instrument
here.
Article 27 (Paragraph 1)
Directive 2002/58/EC is
repealed with effect from 25
May 2020
12
Article 29 (Paragraph 2) Article 29 (Paragraph 2) Article 29 (Paragraph 2)

It shall apply from 25 May No changes from Commission It shall apply from 25 May
2018 text. 2020

13