Am 24. April 2017 veröffentlichte der Europäische Datenschutzbeauftragte (EDSB/EDPS) seine Stellungnahme ("Opinion 6/2017 - EDPS Opinion on the Proposal for a Regulation on Privacy and Electronic Communications (ePrivacy Regulation)") zum Entwurf der ePrivacy-Verordnung der EU-Kommission; die neue Verordnung soll die bisher geltende „Cookie-Richtlinie“ (Richtlinie 2009/136/EG) ersetzen.
In seiner Stellungnahme begrüsst der EDPS grundsätzlich den Entwurf der EU-Kommission zur ePrivacy-Verordnung. Er teilt die Auffassung, wonach spezifische, technologieneutrale Regeln zum Schutz der Vertraulichkeit sowie Sicherheit bei elektronischer Kommunikation notwendig seien; die EU-DSGVO sei in dieser Hinsicht zu ergänzen bzw. zu konkretisieren.
Der EDPS erachtet insbesondere die folgenden Aspekte der ePrivacy-Verordnung als positiv:
(i) the choice of a regulation over a directive as the form of legal instrument, which may ensure a more consistent level of protection across the European Union;
(ii) the extension of the scope to cover OTT (‘over-the-top’) providers;
(iii) the approach of allowing processing only under clearly defined conditions;
(iv) the modernisation of the current consent requirements (...);
(v) focusing security provisions on issues specific to communications services and ensuring full alignment with the GDPR on data breaches;
(vi) the choice of making the same authorities responsible for supervision of the rules under the GDPR and the ePrivacy Regulation;
(vii) and the opt-in rule for all unsolicited commercial communications.
Die nachfolgenden Aspekte werden vom EDPS hingegen als verbesserungsbedürftig angesehen:
(i) the definitions under the Proposal must not depend on the separate legislative procedure concerning the Directive establishing the European Electronic Communications Code53 (the EECC Proposal);
(ii) the provisions on end-user consent need to be strengthened. Consent must be requested from the individuals who are using the services, whether or not they have subscribed for them and from all parties to a communication. In addition, data subjects who are not parties to the communications must also be protected;
(iii) it must be ensured that the relationship between the GDPR and the ePrivacy Regulation does not leave loopholes for the protection of personal data (...);
(iv) (...) Access to websites must not be made conditional upon the individual being forced to ‘consent’ to being tracked across websites. In other words, the EDPS calls on the legislators to ensure that consent will be genuinely freely given;
(v) the Proposal fails to ensure that browsers (and other software placed on the market permitting electronic communications) will by default be set to prevent tracking individuals’ digital footsteps;
(vi) the exceptions regarding tracking of location of terminal equipment are too broad and lack adequate safeguards;
(vii) the Proposal includes the possibility for Member States to introduce restrictions; these call for specific safeguards.
Schliesslich formuliert der EDPS in seiner Stellungnahme Lösungsvorschläge und hält weitere Kommentare sowie Empfehlungen im Anhang fest.
NB am 4. April 2017 veröffentlichte bereits die Art. 29 Datenschutzgruppe ihre Stellungnahme ("Opinion 01/2017 on the Proposed Regulation for the ePrivacy Regulation (2002/58/EC)") zum Entwurf zur ePrivacy-Verordnung.
Michal Cichocki
In seiner Stellungnahme begrüsst der EDPS grundsätzlich den Entwurf der EU-Kommission zur ePrivacy-Verordnung. Er teilt die Auffassung, wonach spezifische, technologieneutrale Regeln zum Schutz der Vertraulichkeit sowie Sicherheit bei elektronischer Kommunikation notwendig seien; die EU-DSGVO sei in dieser Hinsicht zu ergänzen bzw. zu konkretisieren.
Der EDPS erachtet insbesondere die folgenden Aspekte der ePrivacy-Verordnung als positiv:
(i) the choice of a regulation over a directive as the form of legal instrument, which may ensure a more consistent level of protection across the European Union;
(ii) the extension of the scope to cover OTT (‘over-the-top’) providers;
(iii) the approach of allowing processing only under clearly defined conditions;
(iv) the modernisation of the current consent requirements (...);
(v) focusing security provisions on issues specific to communications services and ensuring full alignment with the GDPR on data breaches;
(vi) the choice of making the same authorities responsible for supervision of the rules under the GDPR and the ePrivacy Regulation;
(vii) and the opt-in rule for all unsolicited commercial communications.
Die nachfolgenden Aspekte werden vom EDPS hingegen als verbesserungsbedürftig angesehen:
(i) the definitions under the Proposal must not depend on the separate legislative procedure concerning the Directive establishing the European Electronic Communications Code53 (the EECC Proposal);
(ii) the provisions on end-user consent need to be strengthened. Consent must be requested from the individuals who are using the services, whether or not they have subscribed for them and from all parties to a communication. In addition, data subjects who are not parties to the communications must also be protected;
(iii) it must be ensured that the relationship between the GDPR and the ePrivacy Regulation does not leave loopholes for the protection of personal data (...);
(iv) (...) Access to websites must not be made conditional upon the individual being forced to ‘consent’ to being tracked across websites. In other words, the EDPS calls on the legislators to ensure that consent will be genuinely freely given;
(v) the Proposal fails to ensure that browsers (and other software placed on the market permitting electronic communications) will by default be set to prevent tracking individuals’ digital footsteps;
(vi) the exceptions regarding tracking of location of terminal equipment are too broad and lack adequate safeguards;
(vii) the Proposal includes the possibility for Member States to introduce restrictions; these call for specific safeguards.
Schliesslich formuliert der EDPS in seiner Stellungnahme Lösungsvorschläge und hält weitere Kommentare sowie Empfehlungen im Anhang fest.
NB am 4. April 2017 veröffentlichte bereits die Art. 29 Datenschutzgruppe ihre Stellungnahme ("Opinion 01/2017 on the Proposed Regulation for the ePrivacy Regulation (2002/58/EC)") zum Entwurf zur ePrivacy-Verordnung.
Michal Cichocki