
ISACA Privacy Open Forum - Proposal for ePrivacy Regulation

A presentation on the recent European Commission proposal for an ePrivacy Regulation. The proposal is intended to replace Directive 2002/58/EC and to align the ePrivacy rules with the GDPR.

Published in: Law


  1. Privacy Open Forum, Wednesday, 22 February 2017
  2. Brussels, 22 February 2017
  3. THE PROPOSAL FOR EPRIVACY REGULATION, Johan Vandendriessche
  4. Agenda
     • 18:30 Introduction
     • 18:45 Proposal ePrivacy Regulation
     • 19:30 Break
     • 19:50 Proposal ePrivacy Regulation
     • 20:45 Close
  5. GENERAL OVERVIEW
  6. Legal Status Update
     • Full review of the data protection legal package
       • Directive 95/46/EC
       • Directive 2002/58/EC
     • Regulation: uniform legislation within the EU
     • GDPR will replace Directive 95/46/EC as of 25 May 2018
     • Proposal for ePrivacy Regulation (set to replace Directive 2002/58/EC)
  7. Legal Status Update
     • Timeline
       • GDPR: application date = 25 May 2018
       • ePrivacy Regulation: intended application date = 25 May 2018
       • NIS Directive: implementation deadline = 9 May 2018
       • Proposed Directive establishing the European Electronic Communications Code: implementation deadline?
     • Ambitious planning
     • Feasible?
  8. General principles
     • The ePrivacy Regulation is broader than only the processing of personal data
     • The ePrivacy Regulation is lex specialis with regard to the GDPR
       • Covers specific processing of personal data (field of electronic communications)
       • Prevails over the GDPR in case of conflict (lex specialis)
       • The GDPR supplements the regulation in relation to all elements not covered (lex generalis)
  9. Definitions
     • Major alignment of definitions with the GDPR and the (draft) Directive establishing the European Electronic Communications Code
     • Main definitions
       • Electronic communications network
       • Electronic communications service
         • Traditional scope
         • Internet access service
         • Interpersonal communications service
       • End-user
         • Natural person
         • Legal person
  10. Definitions
     • Terminal equipment
       • Equipment connected to the interface of a public communications network to send, process or receive information
     • Electronic communications data
       • Electronic communications content
       • Electronic communications metadata
         • Data generated for the purpose of electronic communications
         • Location data generated in another context is not communications metadata
  11. SCOPE
  12. Scope
     • Reference to the future legal framework dramatically expands the scope of the regulation
       • OTT services (e.g. VoIP, IM, web-based e-mail)
       • IoT
       • M2M
     • Future-proofing by using a more technology-neutral approach
  13. Material scope
     • Processing of electronic communications data
     • Connection with
       • the provision and the use of electronic communications services
       • information related to the terminal equipment of end-users
     • Covers both natural and legal persons
     • Exceptions apply
       • E.g. closed communication networks
  14. Territorial scope
     • No distinction is made between EU-based and non-EU-based service providers
       • Provision of electronic communications services to end-users in the EU (no requirement of payment)
       • Use of such services
       • The protection of information related to terminal equipment of end-users located in the EU
     • Location of processing is irrelevant
  15. PROTECTION OF ELECTRONIC COMMUNICATIONS
  16. Protection of electronic communications
     • Confidentiality
       • Electronic communications data shall be confidential (during their conveyance?)
       • Prohibition of interference by persons other than the end-users (during their conveyance?)
         • Interception, surveillance or processing
         • Exceptions provided in the regulation
       • Examples
         • IMSI catchers
         • Intercepting communication over open Wi-Fi networks
  17. Protection of electronic communications
     • Exceptions (for providers of electronic communications networks and services)
       • Electronic communications data
         • Necessary for transmission, for the duration necessary
         • Necessary for security or to detect faults/errors in transmission, for the duration necessary
  18. Protection of electronic communications
     • Exceptions (for providers of electronic communications services)
       • Electronic communications metadata
         • Necessary for mandatory quality of service requirements, for the duration of that purpose
         • Necessary for billing-related purposes (including fraud detection)
         • End-user consent for specified purposes, provided it is not possible to fulfil the purpose with anonymous data
  19. Protection of electronic communications
     • Exceptions (for providers of electronic communications services)
       • Electronic communications content
         • Service provision to the end-user, with end-user consent and provided the service cannot be provided without the processing of such content
         • End-user consent for specified purposes that cannot be fulfilled by processing anonymous information
           • Consultation of the supervisory authority
           • Link with the GDPR prior consultation procedure
           • DPIA required?
  20. Protection of electronic communications
     • Storage and erasure of electronic communications data
       • Obligation to erase or anonymise electronic communications content after receipt of the electronic communication
         • Storage by end-users and third parties in accordance with the GDPR
       • Obligation to erase or anonymise electronic communications metadata when no longer needed for the purpose of transmission
  21. Protection of electronic communications
     • Storage and erasure of electronic communications data
       • Metadata used for billing purposes may be kept until the end of the period during which a bill may lawfully be challenged or payment pursued
       • Impact on contractual conditions?
  22. End-user terminal equipment
     • Prohibition
       • Use of processing and storage capabilities
       • Collection of information from end-users' terminal equipment (including about its hardware and software)
     • Broader wording than Directive 2002/58/EC
     • Exceptions apply
     • Typically (but not solely) targets cookies, hidden identifiers, …
  23. End-user terminal equipment
     • Exceptions
       • Necessary for the sole purpose of carrying out the transmission over an electronic communications network
       • End-user consent
       • Necessary for providing an information society service requested by the end-user
       • Necessary for web audience measuring carried out by the information society service provider providing the service requested by the end-user
  24. End-user terminal equipment
     • Prohibition to collect information emitted by terminal equipment to enable it to connect to another device or to network equipment
     • Exceptions
       • Exclusively for the purpose and time necessary to establish a connection
       • A clear and prominent notice is displayed
         • GDPR notice requirements + minimisation measures
         • Security measures as per the GDPR
  25. Consent
     • General rule: the definitions of the GDPR apply
     • Stricter approach to consent
       • Consent may not be based on mere silence
       • Clear affirmative act
         • Yes: written or oral statement, ticking a box, choosing technical settings
         • No: pre-ticked boxes, inactivity
       • Result of a compromise
     • Separate consent for each purpose
     • Consent separate from consent to a contract
     • Burden of proof
  26. Consent
     • The regulation explicitly mentions consent as per the GDPR
       • Necessary?
     • Consent regarding the use of terminal equipment may be provided by using the appropriate technical settings of a software application
       • Limitation compared with the GDPR?
     • Right to withdraw consent for specific consents
  27. Software privacy settings
     • Software
       • Placed on the market
       • Permitting electronic communications
     • Obligations
       • Include the option to prevent third parties from storing information on the terminal equipment or processing information already stored on that equipment
       • Upon installation, inform the end-user about the privacy setting options and require consent to a setting prior to continuing with the installation
     • Limited transition measure (at the first update, but no later than 25 August 2018)
  28. RIGHT TO CONTROL ELECTRONIC COMMUNICATIONS
  29. Right to control electronic communications
     • Calling and connected line identification
     • Incoming call blocking
     • Publicly available directories
     • Unsolicited communications
  30. Current Belgian direct marketing rules
     • Twofold legislation
       • Data protection law
         • 'Direct marketing': right to object
         • Processing of personal data for direct marketing purposes
       • Code of Economic Law
         • Advertising regulated by technology
         • Book 6
         • Book 12
  31. Current Belgian direct marketing rules (slide content not captured)
  32. Unsolicited communications
     • Direct marketing communications
       • Any form of advertising
       • Sent to identified or identifiable end-users
     • Electronic mail
       • Any electronic message
       • Sent over an electronic communications network
       • Capable of being stored in the network or in terminal equipment
     • Broad definitions
  33. Unsolicited communications
     • Use of electronic communications services for direct marketing communications
       • Consent
       • Exception for existing clients (electronic mail)
         • Contact details obtained in the context of the sale of a product or service
         • Data protection compliance
         • Own similar products or services
         • Clear and distinct right to object, at collection and each time a message is sent
  34. Unsolicited communications
     • Direct marketing by calls
       • Identification and contact data
       • Specific code/prefix identifying the marketing call
       • Opt-out provisions are possible under national legislation (e.g. articles VI.110-115 CEL) for natural persons
         • Voice-to-voice calls
  35. Unsolicited communications
     • National legislation must ensure the legitimate interests of end-users that are legal persons (e.g. articles VI.110-115 CEL)
       • Broader than merely voice-to-voice calls
     • Additional transparency obligations
       • Inform the end-user of the marketing nature of the communication
       • Identify the advertiser
       • Provide information on the right to withdraw consent
  36. Information about security risks
     • Particular risk
       • Risk = "may compromise"
       • Security of networks and electronic communications services
     • Obligation to inform end-users
       • If the remedy is outside the control of the service provider
         • Inform the end-user about possible remedies
         • Indicate the likely costs involved
  37. ENFORCEMENT
  38. Supervisory authorities
     • GDPR supervisory authorities
     • Cooperation duty with the supervisory authorities under the European Electronic Communications Code
  39. Remedies, liability and penalties
     • GDPR remedies apply in favour of end-users
       • Right to lodge a complaint with a supervisory authority
       • Right to a judicial remedy against
         • the supervisory authority
         • the data controller or data processor
     • Right to bring legal proceedings
       • Any other person
         • Adversely affected by infringements
         • Having a legitimate interest
  40. Remedies, liability and penalties
     • Administrative fines
       • 10 MEUR or 2% of global annual turnover, whichever is higher
       • 20 MEUR or 4% of global annual turnover, whichever is higher
         • Mainly related to the obligations in relation to electronic communications data
     • National legislation must impose specific penalties
  41. Contact details
     Johan Vandendriessche
     Partner - Crosslaw
     Visiting Professor ICT Law – UGent
     Visiting Professor ICT Law – HoWest
     Mobile Phone +32 486 36 62 34
     E-mail j.vandendriessche@crosslaw.be
     Website www.crosslaw.be
  42. ISACA BELGIUM
