De EDPB heeft in een verklaring met betrekking tot de toekomstige ePrivacyverordening zorgen geuit over het toezicht hierop.
Firstly, the EDPB wants to stress that this statement is without prejudice to its previous positions, including statement 3/2019(1) and its statement of 25 May 2018(2). The ePrivacy Regulation must under no circumstances lower the level of protection offered by the current ePrivacy Directive 2002/58/EC, but should complement the GDPR by providing additional strong guarantees for confidentiality and protection of all types of electronic communication.
Secondly, the EDPB welcomes the aim of the Council Presidency to reach a General Approach in order to begin the negotiations with the European Parliament and to adopt the ePrivacy Regulation as soon as possible. However, the EDPB is concerned about some new orientations of the discussions in the Council related to the enforcement of the future ePrivacy Regulation, which would create fragmentation of supervision, procedural complexity, as well as lack of consistency and legal certainty for individuals and companies.
The EDPB recalls that the scope of the proposed Regulation aims at ensuring its uniform application across every Member State and every type of data controller. Any proposed changes in the draft Regulation that may undermine this objective should be avoided to guarantee an equal level playing field for every provider and to ensure the confidentiality of electronic communications, as a fundamental right protected under the Charter, also taking into account the applicable CJEU case law.
In relation to ongoing discussions related to the further processing of electronic communications metadata, the EDPB reiterates its support to the approach of the proposed Regulation, based on broad prohibitions, narrow exceptions and the use of consent, while emphasising again that electronic communication metadata can still be processed without consent after it has been genuinely anonymised.
The EDPB also welcomes the inclusion of rules in Article 8 regarding the inclusion of reference to the information covered TV broadcasting services or the software updates, which should be designed in a privacy-friendly way. The EDPB also regrets the lost opportunity to give a clear guidance on the so- called “cookie walls”.
Thirdly, the EDPB would like to underline that many provisions of the future ePrivacy Regulation concern processing of personal data. For these processing activities, Article 8(3) of the Charter of Fundamental Rights of the European Union requires oversight by an independent authority. In order to ensure a high level of protection of personal data and to guarantee legal and procedural certainty, this oversight should be entrusted to the same national authorities, which are responsible for enforcement of the GDPR as initially proposed by the European Commission(3). In its proposal, the European Commission stressed that the cooperation and consistency mechanism foreseen under the GDPR would apply. Moreover, it laid down that all supervisory authorities monitoring the ePrivacy Regulation have to be independent.
Furthermore, in order to guarantee a level playing field on the digital single market, it is essential to ensure a harmonised interpretation and enforcement of the personal data processing elements of the ePrivacy Regulation across the EU. Chapter VII of the GDPR already provides for a well-functioning cooperation and consistency mechanism within the framework of the EDPB: this mechanism should also be used for the supervision of the ePrivacy Regulation in its’ personal data protection implications.
It would also benefit data controllers to have a single contact point for all personal data processing operations falling within the scope of ePrivacy Regulation: data controllers would not need to deal with multiple regulatory authorities, which otherwise could lead to diverging standards and interpretations. This does not preclude other authorities concerned from being responsible for parts, which are not related to processing of personal data, while also cooperating with data protection authorities where necessary. The EDPB would also like to recall that there is a clear interconnection of competencies between national authorities competent under the current ePrivacy Directive and data protection authorities(4). Provisions related to the processing of personal data of the current ePrivacy Directive and the future ePrivacy Regulation should not be applied in isolation, when they are intertwined with personal data processing and the provisions of the GDPR. Consistent interpretation and enforcement of both sets of rules, when covering personal data protection, would therefore be fulfilled in the most efficient way if the enforcement of those parts of the ePrivacy Regulation and the GDPR would be entrusted to the same authority. In summary, the future ePrivacy Regulation should be formulated to improve this procedural situation instead of adding complexity.
Moreover, the Council risks creating further procedural uncertainty in case national competent authorities who are not members of the EDPB would have to interact with the EDPB. The future ePrivacy Regulation should lay out a clear framework for the cooperation between data protection authorities as supervisory authorities competent under GDPR and authorities having the appropriate expertise, so their cooperation could function effectively.
Considering the above, the EDPB invitesthe Member States to support a more effective and consistent ePrivacy Regulation as initially proposed by the European Commission and as amended by the European Parliament.
For the European Data Protection Board
The Chair
(Andrea Jelinek)
1) European Data Protection Board, Statement 3/2019 on an ePrivacy Regulation, adopted on 13 March 2019
2) European Data Protection Board, Statement of the EDPB on the revision of the ePrivacy Regulation and its impact on the protection of individuals with regard to the privacy and confidentiality of their communications, adopted on 25 May 2018
3) European Commission, Proposal for a regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications)
4) European Data Protection Board, Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data protection authorities, adopted on 12 March 2019
