FSB Position Paper On E-Privacy (01092017)
Regulation on the Respect for Private Life and the Protection of Personal
Data in Electronic Communications (EPrivacy)
In summary
FSB welcomes the intention to harmonise the data protection and privacy
rules across Europe, but questions the need for a Regulation at this time
given the provisions of the General Data Protection Regulation (GDPR).
FSB calls for a thorough impact assessment on how the proposed rules will
affect the online visibility of SMEs and on those business models that use
third-party cookies, including the actual costs for implementing those rules.
FSB calls for greater recognition of the cumulative legislative burden faced
by small businesses and for a 2-year transitional compliance period to
enable the smallest businesses to adapt to the proposed rules.
To avoid duplications and creating additional burdens for SMEs, the
proposed regulation and all its provisions, from consent to legal bases,
should be in full alignment with the GDPR.
A privacy-by-default approach to third party communications will
disproportionately impact SMEs and endanger those free service business
models.
Direct marketing is a cost-effective tool for SMEs to promote their products
and establish relationships with potential clients in a targeted and less
intrusive way. Article 16 clearly deviates from the legal bases in the GDPR
for that activity, in particular the legitimate interest. Thus, Article 16 if
adopted in its current form will disproportionately affect SMEs.
Background
The proposal for a Regulation on the respect for private life and the protection of
personal data in electronic communications (ePrivacy regulation) aims to ensure
consistency with the General Data Protection Regulation (GDPR), which will come into
force in May 2018.
The proposal also aims to update the 2002 e-privacy directive to address
technological developments that are currently not covered by legislation and provide
more clarity on original provisions in the 2002 e-privacy directive.
The proposed regulation covers all matters concerning the processing of personal
data not specifically addressed by the GDPR and will broadly apply to businesses that
provide any type of online communication service, use online tracking technologies
or electronic direct marketing.
This means over-the-top communications services, such as voice over internet,
instant messaging and web-based e-mail services, will be brought into the scope of
this legislation and so subject to the same rules as traditional electronic
communications services.
General Considerations
The Federation of Small Business (FSB) strongly supports efforts to make the digital
single market a reality. Whilst FSB welcomes the general aim and background of the
ePrivacy proposal, FSB questions the need for the regulation given the provisions of
the General Data Protection Regulation (GDPR).
The proposal in its current form will only lead to increased uncertainty for small
businesses due to the lack of clarity in elements of the text and creates legal
uncertainty regarding its interplay and compatibility with existing EU instruments and
the General Data Protection Regulation (GDPR), which must be implemented in May
2018.
Moreover, the obligations set out in the proposal do not take into consideration that
SMEs have limited human, financial, and technical resources at their disposal. FSB
believes the provisions of the GDPR should be given time to be fully implemented
and assessed rather than rushing to implement this regulation at the same time as
the GDPR in May 2018.
Comments
Timeline
FSB remains concerned with the proposed date of application set by the European
Commission of the 25 May 2018, and calls for the European Institutions to carefully
review the current timeline and not rush to meet the desired date at any cost.
Council delegates have also recognised that as the choice of legal instrument is a
regulation, which requires a higher level of precision and clarity than a Directive, the
proposed date of application is considered unrealistic [1]. Small businesses are already
concerned with the implementation of the GDPR, especially as the guidance on how
to comply with the Regulation has yet to be completed by the Article 29 Working
Party. Thus, implementing an additional set of rules, without guidance and clarity on
the interplay between the proposed draft e-privacy regulation and the GDPR, will
create significant uncertainty for small businesses. FSB therefore calls for a 2-year
transitional compliance period to give the smallest businesses the time to adapt to
the proposed rules. This will not only assist the smallest businesses transition to the
new rules, but it will also enable policy-makers to assess the impact and
consequences of the GDPR.
[1] http://www.euractiv.com/wp-content/uploads/sites/2/2017/05/0108_001.pdf
Article 16 of the draft regulation provides that a natural or legal person may use
electronic communication services for the purposes of sending direct marketing
communications to end-users who are natural persons that have given their consent.
This regulation appears to contradict the provisions contained in the GDPR. For
example, the GDPR has several legal bases for the same activity, including legitimate
interests. The GDPR also provides that direct marketing can be an example of a
practice which could be regarded as a legitimate interest, thereby not requiring
consent, or prior consent as the rapporteur advocates. For those companies that have
limited financial, technical and human resources at their disposal, direct marketing
offers a viable tool for SMEs to promote their products and establish relationships
with potential clients in a cost-efficient way and in a targeted and less intrusive manner.
Moreover, it is important to recognise that SMEs do not have the marketing budget
available to compete with larger companies that use more traditional channels,
therefore restrictions on direct marketing will disproportionately impact SMEs.
Impact Assessment
FSB calls upon the European Parliament to conduct a thorough impact assessment of
the e-privacy proposal, including the stricter provisions made by the rapporteur in
her draft report. This impact assessment should assess how the above will affect
small enterprises and the self-employed in terms of online visibility, how the proposed
rules will affect those business models using third-party cookies, on business-to-
business data, the actual costs of implementing these rules, and provide a detailed
analysis regarding the possible overlaps, duplications or contradictions with other
legislation (GDPR & ECC), as advocated in the Council progress report of the 15 May
2017 [2]. Conducting such an assessment would be in line with the principles of better
regulation, which calls for policy measures to be evidence-based, well-designed and
deliver tangible and sustainable benefits for citizens, business and society as a
whole [3].
[2] http://www.euractiv.com/wp-content/uploads/sites/2/2017/05/0108_001.pdf
[3] http://ec.europa.eu/smart-regulation/better_regulation/documents/com_2015_215_en.pdf
Amendments
processing data from internet
or voice communications usage
should not be valid if the user
has no genuine and free choice,
or is unable to refuse or
withdraw consent without
detriment.
| Recital 20 | Recital 20 | Recital 20 |
| hidden identifiers, tracking cookies and other similar unwanted tracking tools can enter end-user's terminal equipment without their knowledge in order to gain access to information, to store hidden information and to trace the activities. Information related to the end-users device may also be collected remotely for the purpose of identification and tracking, using techniques such as the so-called device fingerprinting, often without the knowledge of the end-user, and may seriously intrude upon the privacy of these end-users. Techniques that surreptitiously monitor the actions of end-users, for example by tracking their activities online or the location of their terminal equipment, or subvert the operation of the end-users terminal equipment pose a serious threat to the privacy of end-users. Therefore, any such interference with the end-user's terminal equipment should be allowed only with the end-user's consent and for specific and transparent purposes. | for the purpose of identification and tracking, using techniques such as the so-called device fingerprinting, often without the knowledge of the user, and may seriously intrude upon the privacy of these users. Furthermore, so-called spyware, web bugs, hidden identifiers and unwanted tracking tools can enter users' terminal equipment without their knowledge in order to gain access to information or to store hidden information. Techniques that surreptitiously monitor the actions of users, for example by tracking their activities online or the location of their terminal equipment, or subvert the operation of the users terminal equipment pose a serious threat to the privacy of users. Therefore, any such interference with the user's terminal equipment should be allowed only with the user's consent and for specific and transparent purposes. Users should receive all relevant information about the intended processing in clear and easily understandable language. Such information should be provided separately from the terms and conditions of the service. | requires enhanced privacy protection. Furthermore, the so-called spyware, web bugs, hidden personal identifiers, tracking cookies and other similar personal tracking tools can enter end-user's terminal equipment without their knowledge in order to gain access to personal information, to store hidden personal information and to trace the personal activities. Personal Information related to the end-users device may also be collected remotely for the purpose of identification and tracking, using techniques such as the so-called device fingerprinting, often without the knowledge of the end-user, and may seriously intrude upon the privacy of these end-users. Techniques that surreptitiously monitor the actions of end-users, for example by tracking their activities online or the location of their terminal equipment, or subvert the operation of the end-users terminal equipment pose a serious threat to the privacy of end-users. Therefore, any such interference with the end-user's terminal equipment should be allowed only with the end-user's consent and for specific and transparent purposes. Where pseudonymous or anonymous data is used in accordance with Regulation (EU) 2016/679 and its privacy-by-design principles, such use shall not qualify as such interference with the end-user's terminal equipment. |
| should not constitute access to such a device or use of the device processing capabilities. | receive content requested by the user, should not constitute illegitimate access. | preferences. Cookies can also be a legitimate and useful tool to improve the performance of a website, for example, in measuring web traffic to a website or identify if end-users get error messages from certain pages on a website. Similarly, providers of terminal equipment and the software needed to operate such equipment regularly need access to configuration and other device information and the processing and storage capabilities to maintain the equipment, prevent security vulnerabilities and correct problems related to the equipments operation. Information society providers and electronic communications service providers that engage in configuration checking to provide the service in compliance with the end-users settings and the mere logging of the fact that the end-users device is unable to receive content requested by the end-user should not constitute access to such a device or use of the device processing capabilities. |
| Technology exists that enables providers of electronic communications services to limit the reception of unwanted calls by end-users in different ways, including blocking silent calls and other fraudulent and nuisance calls. Providers of publicly available number-based interpersonal communications services should deploy this technology and protect end-users against nuisance calls and free of charge. Providers should ensure that end-users are aware of the existence of such functionalities, for instance, by publicising the fact on their webpage. | Technology exists that enables providers of electronic communications services to limit the reception of unwanted calls by end-users in different ways, including blocking silent calls, other fraudulent and nuisance calls or marketing calls with a specific code or prefix. Providers of publicly available number-based interpersonal communications services should deploy this technology and protect end-users against nuisance calls and should do so free of charge. Providers should ensure that end-users are aware of the existence of such functionalities, for instance, by publicising the fact on their webpage. | Technology exists that enables providers of electronic communications services to limit the reception of unwanted calls by end-users in different ways, including blocking silent calls, other fraudulent and nuisance calls. Providers of publicly available number-based interpersonal communications services should deploy this technology and protect end-users against nuisance calls. Providers should ensure that end-users are aware of the existence of such functionalities, for instance, by publicising the fact on their webpage. |
| The use of processing and storage capabilities of terminal equipment and the collection of information from end-users terminal equipment, including about its software and hardware, other than by the end-user concerned shall be prohibited, except on the following grounds: (a) it is necessary for the sole purpose of carrying out the transmission of an electronic communication over an electronic communications network; or (b) the end-user has given his or her consent; or (c) it is necessary for providing an information society service requested by the end-user; or (d) if it is necessary for web audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user. | The use of processing and storage capabilities of terminal equipment and the collection of information from users terminal equipment, or making information available through the terminal equipment, including information about or generated by its software and hardware, other than by the user concerned shall be prohibited, except on the following grounds: (a) it is strictly technically necessary for the sole purpose of carrying out the transmission of an electronic communication over an electronic communications network; or (b) the user has given his or her specific consent, which shall not be mandatory to access the service; or (c) it is strictly technically necessary for providing an information society service requested by the user; or (d) if it is technically necessary for web audience measuring of the information society service requested by the user, provided that such measurement is carried out by the provider, or on behalf of the provider, or by an independent web analytics agency acting in the public interest or for scientific purpose; and further provided that no personal data is made accessible to any other party and that such web audience measurement does not adversely affect the fundamental rights of the user; | The use of processing and storage capabilities of terminal equipment and the collection of personal data from end-users terminal equipment, other than by the end-user concerned shall be prohibited, except on the following grounds: (a) it is necessary for the sole purpose of carrying out the transmission of an electronic communication over an electronic communications network; or (b) the end-user has given his or her consent; or (c) pseudonymous data that is used for purposes justified pursuant to Regulation (EU) 2016/679; or (d) if it is necessary for web audience measuring, provided that such measurement is carried out either by the provider of the information society service requested by the end-user or using anonymous or pseudonymous data. |
(b) upon installation, inform and
offer the user the possibility to
change or confirm the privacy
settings options defined in point
(a) by requiring the user's
consent to a setting;
| Article 29 (Paragraph 2) | Article 29 (Paragraph 2) | Article 29 (Paragraph 2) |
| It shall apply from 25 May 2018 | No changes from Commission text. | It shall apply from 25 May 2020 |