
ISACA Privacy Open Forum: status update on the ePrivacy Regulation

Status update taking into account the EP text (first reading).


  1. Privacy Open Forum, Tuesday 5 December 2017
  2. Brussels, 5 December 2017: Close
  3. THE PROPOSAL FOR EPRIVACY REGULATION: STATUS UPDATE. JOHAN VANDENDRIESSCHE
  4. Agenda
     1. 18:30 Introduction
     2. 18:45 Proposal ePrivacy Regulation
     3. 19:30 Break
     4. 19:50 Proposal ePrivacy Regulation
     5. 20:45 Close
  5. Agenda
     • Overview
     • Short timeline
     • Review of EP text
       • Changes proposed by the EP text compared to the EC text are underlined
     • See also ISACA Privacy Forum on ePrivacy Regulation of 22 February 2017
  6. Short timeline
     • July 2002: Directive 2002/58
     • Jan 2017: EC Proposal ePrivacy COM(2017)10 final
     • Sept 2017: EU Council text (first reading)
     • Oct 2017: EP text (first reading)
     • Trilogue meetings
     • 25 May 2018?
  7. GENERAL OVERVIEW
  8. Legal Status Update
     • Full review of the data protection legal package
       • Directive 1995/46
       • Directive 2002/58
     • Regulation: uniform legislation within the EU
     • GDPR will replace Directive 1995/46 as of 25 May 2018
     • Proposal for ePrivacy Regulation (set to replace Directive 2002/58)
  9. General principles
     • ePrivacy Regulation is broader than only processing of personal data
     • ePrivacy Regulation is lex specialis with regard to GDPR
       • Covers specific processing of personal data (field of electronic communications)
       • Prevails over GDPR in case of conflict (as lex specialis)
       • GDPR supplements the regulation in relation to all elements not covered (as lex generalis)
  10. Definitions
     • Main definitions
       • Electronic communications network
       • Electronic communications service
         • Traditional scope
         • Internet access service
         • (Number-based / independent) interpersonal communications service
       • End-user
         • Physical person
         • Legal person
       • User
         • Physical person
  11. Definitions
     • Terminal equipment
       • Equipment connected to the interface of a public communications network to send/process/receive information
     • Electronic communications data
       • Electronic communications content
       • Electronic communications metadata
         • Data processed for the purpose of electronic communications
         • Location data processed in the context of providing services
         • Location data generated in another context is not communications metadata
  12. SCOPE
  13. Scope
     • Reference to future legal framework dramatically expands scope of regulation
       • OTT services (e.g. VoIP, IM, web-based e-mail)
       • IoT
       • M2M
     • Future-proofing by using a more technology-neutral approach
  14. Material scope
     • Processing of electronic communications data
     • Connection with
       • the provision and the use of electronic communications services
       • information related to or processed by the terminal equipment of end-users
  15. Material scope
     • Placing on the market of software permitting electronic communications, including the retrieval and presentation of information on the Internet
     • Provision of publicly available directories of users of electronic communications
     • Sending of direct marketing electronic communications to end-users
  16. Material scope
     • Covers both natural and legal persons
     • Exceptions apply
       • E.g. closed communication networks
  17. Territorial scope
     • No distinction is made between EU-based and non-EU-based service providers
       • Offering of electronic communications services, software, publicly available directories, or direct marketing electronic communications to end-users in the EU (no requirement of payment)
       • Activities that are provided from the territory of the EU
  18. Territorial scope
     • No distinction is made between EU-based and non-EU-based service providers
       • The processing of information related to or processed by terminal equipment of end-users that is in the EU
     • Location of processing is irrelevant
     • Obligation of non-EU-based provider to designate a representative in the EU
       • Larger role than in GDPR?
  19. PROTECTION OF ELECTRONIC COMMUNICATIONS
  20. Protection of electronic communication
     • Confidentiality
       • Electronic communications shall be confidential
       • Prohibition of interference by persons other than end-users
         • Interception, surveillance or processing
         • End-users or users?
       • Confidentiality also applies to data related to or processed by terminal equipment
       • Examples: IMSI catchers or intercepting communication over open wifi networks
  21. Protection of electronic communication
     • Exceptions (for providers of electronic communications networks and services)
       • Electronic communications data only if technically necessary for transmission, for the duration necessary
  22. Protection of electronic communication
     • Exceptions (for providers of electronic communications networks and services, or other parties acting on behalf of the provider or the end-user)
       • Electronic communications data only if technically necessary for availability, integrity, confidentiality and security, or to detect technical faults/errors in transmission, for the duration necessary
  23. Protection of electronic communication
     • Exceptions (for providers of electronic communications services and networks)
       • Electronic communications metadata
         • Strictly necessary for mandatory quality of service requirements, for the duration technically necessary for that purpose
         • Strictly necessary for billing-related purposes (including fraud detection and prevention)
         • User consent for specified purposes, provided it is not possible to fulfil the purpose without processing the metadata
           • Likelihood of high risk: DPIA
  24. Protection of electronic communication
     • Exceptions (for providers of electronic communications services)
       • Electronic communications content
         • Service provision to the user, requested by the user, with end-user consent and provided the service cannot be provided without the processing of such content
         • User consent for specified purposes that cannot be fulfilled by processing anonymous information
           • Consultation of supervisory authority
           • Link with GDPR prior consultation procedure
           • DPIA required?
  25. Protection of electronic communication
     • Processing of electronic communications data by the provider of the electronic communications service:
       • solely for the provision of an explicitly requested service, for purely individual usage
       • only for the duration necessary for that purpose
       • without the consent of all users
     • If: no adverse effect on the fundamental rights and interests of another user or users
  26. Protection of electronic communication
     • Storage and erasure of electronic communications data by service provider
       • Obligation to erase electronic communications content when no longer necessary for provision of the service as requested by the user
       • Anonymization no longer included
       • Recording and storage by users and third parties on their behalf
         • User may process in accordance with GDPR
  27. Protection of electronic communication
     • Obligation to erase or anonymize electronic communications metadata when no longer necessary for the provision of the service, as requested by the user
  28. Protection of electronic communication
     • Storage and erasure of electronic communications data
       • Strictly necessary metadata used for billing purposes may be kept until the end of the period during which a bill may be lawfully challenged or payment pursued
       • Impact on contractual conditions?
  29. User terminal equipment
     • Prohibition
       • Use of processing and storage capabilities
       • The collection of information from users’ terminal equipment (including about its hardware and software)
       • Other than by the user
     • Broader wording than Directive 2002/58
     • Exceptions apply
     • Typically (but not solely) targets cookies, hidden identifiers, …
  30. User terminal equipment
     • Exceptions
       • Strictly necessary for the sole purpose of carrying out transmission over an electronic communications network
       • User consent
       • Strictly technically necessary for providing an information society service specifically requested by the user
  31. User terminal equipment
     • Exceptions
       • Technically necessary for measuring the reach of an information society service requested by the user
         • By or on behalf of the provider, or a web analytics agency for a scientific purpose
         • Aggregated data
         • Possibility to object for the user
         • No personal data is made available to any third party
         • No adverse effect on the fundamental rights of the user
         • If collected on behalf of the provider, separation of data
  32. User terminal equipment
     • Exceptions
       • Necessary to ensure security, confidentiality, integrity, availability and authenticity of the end-user’s equipment, by means of updates, for the duration necessary
         • No change in functionality of hardware or software
         • No change in privacy settings
         • User is informed in advance each time
         • User may postpone or turn off automatic installation of updates
  33. User terminal equipment
     • Exceptions
       • Employment relationship where strictly technically necessary for the execution of the employee’s tasks
         • Employer provides and/or is the user
         • Employee is the user
         • No further use for monitoring the employee
  34. User terminal equipment
     • No denial of access to any information society service on the grounds that the user has not given his or her consent to the processing of personal information and/or the use of processing or storage capabilities of user terminal equipment that is not necessary for the provision of that service or functionality
  35. User terminal equipment
     • Prohibition to process information emitted by terminal equipment to enable it to connect to another device or to network equipment
     • Exceptions
       • Exclusively for the sole purpose and time necessary to establish a connection requested by the user
       • User information and consent
       • Risk mitigation
  36. User terminal equipment
     • For the purpose of measuring and risk mitigation:
       • Purpose of data collection restricted to mere statistical counting
       • Limited in time and space to the extent strictly necessary for this purpose
       • Delete or anonymize data immediately after the purpose has been fulfilled
       • User shall be given an effective possibility to object without effect on terminal equipment
  37. Consent
     • General rule: definitions of GDPR apply
     • Stricter approach to consent
       • Consent may not be based on mere silence
       • Clear affirmative act
         • Yes: written or oral statement, ticking a box, choosing technical settings
         • No: pre-ticked boxes, inactivity
       • Result of a compromise
       • Separate consent for each purpose
       • Consent separate from consent to a contract
     • Burden of proof
     • Reminder of right to withdraw consent is removed
  38. Consent
     • Consent regarding use of terminal equipment
       • may be expressed or withdrawn by using technical specifications for electronic communications services or information society services
       • Specific consent for specific purposes
         • Related to a specific service actively selected by the user in each case
       • Signals on user choice are binding on any other party
  39. Software privacy settings
     • Software
       • Placed on the market
       • Permitting electronic communications
     • Obligations
       • By default, privacy-protective settings activated to prevent transmitting and storing or processing information
       • Upon installation, inform the user and offer the possibility to change privacy setting options, and require consent to a setting prior to continuing with the installation
       • Offer the possibility to express specific consent through settings after installation
  40. Software privacy settings
     • Settings shall lead to a signal based on technical specifications
       • sent to the other parties to inform them about the user's intentions with regard to consent or objection
       • legally valid and binding on, and enforceable against, any other party
     • Information society service may allow specific consent, which prevails over privacy settings
  41. Software privacy settings
     • Limited transition measure for software already installed on [date to be completed]
       • first update, but no later than six months after [date of entry into force]
  42. RIGHT TO CONTROL ELECTRONIC COMMUNICATIONS
  43. Right to control electronic communications
     • Right to control electronic communications
       • Calling and connected line identification
       • Incoming call blocking
       • Publicly available directories
       • Unsolicited communications
  44. Current Belgian direct marketing rules
     • Twofold legislation
       • Data protection law
         • ‘Direct marketing’ – right to object
         • Processing of personal data for direct marketing purposes
       • Code of Economic Law
         • Advertising regulated per channel
         • Book VI
         • Book XII
  45. Current Belgian direct marketing rules
  46. Unsolicited communications
     • Direct marketing communications
       • Any form of advertising (written, oral or video)
       • Sent, served or presented to identified or identifiable end-users
     • Electronic mail
       • Any electronic message sent over an electronic communications network
       • Capable of being stored in network or terminal equipment
     • Broad definitions
  47. Unsolicited communications
     • Use of electronic communications services for presenting or sending direct marketing communications
       • Prior consent
       • Exception for existing clients (electronic mail)
         • Contact details obtained in the context of the sale of a product or service
         • Data protection compliance
         • Own products or services
           • Similarity no longer required
         • Clear and distinct right to object at collection and each time a message is sent
         • Provide information and allow exercise of the right
  48. Unsolicited communications
     • Direct marketing by calls
       • Identification and contact data (no masking)
       • Specific code/prefix identifying a marketing call
       • Opt-out provisions are possible under national legislation (e.g. articles VI.110-115 CEL) for users that are natural persons
         • Voice-to-voice calls
  49. Unsolicited communications
     • National legislation must ensure the legitimate interests of end-users that are legal persons (e.g. articles VI.110-115 CEL)
       • Broader than merely voice-to-voice calls
     • Additional transparency obligations
       • Inform the end-user of the marketing nature of the communication
       • Identify the advertiser
       • Provide information on the right to oppose further marketing communication
  50. Contact details
     Johan Vandendriessche
     Partner – Erkelens Law
     Visiting Professor ICT Law – UGent
     Visiting Professor ICT & Data Protection Law – HoWest
     Mobile phone: +32 486 36 62 34
     E-mail: johan.Vandendriessche@erkelenslaw.com
     Website: www.erkelenslaw.com
  51. ISACA BELGIUM
