The EDPS welcomes the Proposal for the Regulation. There is a need of “a specific legal tool to protect the right to private life guaranteed by Article 7 of the Charter of Fundamental Rights, of which confidentiality of communications is an essential component”; a tool that would complete the GDPR (Regulation (EU) 2016/679).
“Without a strong ePrivacy Regulation, which reflects technological change, the EU privacy and data protection framework remains incomplete”.
However, the EDPS fears the complexity of the rules outlined in the ePrivacy Regulation Proposal.
“Communications are sliced into metadata, content data, data emitted by terminal equipment. Each being entitled to a different level of confidentiality and subject to different exceptions.”
This complexity may bring a risk of gaps in protection.
The definitions under the Proposal must not depend on the separate legislative procedure concerning the Directive establishing the European Electronic Communications Code (the EECC Proposal).
The EDPS stresses that ePrivacy must not permit a lower standard of protection than that provided under the GDPR. The rules applying to the processing of electronic communications data by controllers other than providers of electronic communications services should not be easily circumvented by, for example, transferring data to third parties.
The EDPS also stresses the need for the Regulation to ensure that no communication be subject to unlawful tracking and monitoring without freely-given and genuine user consent, as required under the GDPR.
In addition, the new rules must also “set strong requirements for privacy by design and by default”.