Scope of the regulation
The regulation covers 1) electronic communications content transmitted using publicly available services and networks, 2) metadata (location, time and recipient of communication etc.) and 3) end-users’ terminal equipment information (incl. IMSI).
The regulation also covers machine-to-machine data transmitted via a public network, which means that IoT is in the scope of the legislation.
The rules apply when end-users are in the EU, even if the processing takes place outside the EU or if the service provider is established or located outside the EU.
The general rule: confidentiality of electronic communications
The general rule is that electronic communication data is confidential. The text states that “[a]ny interference with electronic communications data, including listening, tapping, storing, monitoring, scanning or other kind of interception, surveillance and processing of electronic communications data, by anyone other than the end-users concerned, shall be prohibited, except when permitted by this Regulation.”
Thus, it is only permitted to process communications data without the consent of the user in specific cases, e.g., ensuring the integrity of communication services, checking for the presence of malware or viruses, prosecution of criminal offences or prevention of threats to public security.
Public security exception
The regulation states that it “should not affect the ability of Member States to carry out lawful interception of electronic communications, including by requiring providers to enable and assist competent authorities in carrying out lawful interceptions, or take other measures, such as legislative measures providing for the retention of data for a limited period of time”.
Electronic communication services should provide for appropriate procedures to facilitate legitimate requests of competent authorities.
Processing of metadata
Metadata may be processed in specific cases too, for instance to protect users’ vital interests, including monitoring epidemics and their spread, or in humanitarian emergencies.
This final agreed position also allows processing of metadata, without consent, for a purpose other than that for which it was collected, if this other purpose is compatible with the initial purpose for processing. Therefore, the Council’s position is less protective than the initial proposal from the Commission, which did not allow further compatible processing without consent.
IT security exceptions
When it comes to terminal equipment, the use of processing and storage capabilities and the collection of information from the device will only be allowed with the user’s consent or for other specific purposes laid down in the regulation.
For instance, the regulation establishes that consent should not be necessary when the purpose of using the processing and storage capabilities of terminal equipment is to fix security vulnerabilities and other security bugs or for software updates for security reasons. The end-user must be informed prior to such updates and such updates must not in any way change the functionality of the hardware or software or the privacy settings chosen by the end-user. The end-user must be given the possibility to postpone or turn off the automatic installation of these updates.
Likewise, the regulation considers that an information society service provider or a provider of security technologies may process the electronic communication data for network and information security, including the prevention, monitoring and termination of unauthorised access and Distributed Denial of Service attacks.
Cases of emergency (eCall)
The location information established by the terminal equipment may supplement the location data supplied by providers of number-based interpersonal communication services when a call is made to emergency services. The temporary absence of consent of the end-user, for instance if the location settings are turned off, shall not prevent the transfer of such information to emergency services. The text mentions the need to allow the eCall function to carry out its tasks effectively.
France approves, Germany abstains
France approved the text at the last minute after the article on data retention was amended.
Austria and Germany, who are opposed to the proposal, abstained.
Germany’s federal data protection regulator called the proposal “a serious blow to data protection”. Ulrich Kelber, head of Germany’s regulator, criticised Member States’ decision to reintroduce clauses allowing data retention and further compatible processing of metadata. The data protection body called on the European Parliament to stand up to the Council in the upcoming negotiations.
Next steps:
The Council of the EU will start talks with the European Parliament.