After months of stagnant debate on the “privacy and electronic communications” regulation (ePrivacy Regulation), MEPs and EU diplomats have launched discussions on the sensitive issue of the processing of data, metadata and the contents of electronic communications.
Representatives of the European Parliament and of the Council of the EU met on 10 November for a technical discussion on the “privacy and electronic communications” regulation, a highly controversial legislative initiative that has been stalled for years.
EU member states only reached a common position in February 2021, four years after the proposal was presented. Since then, the negotiating teams of the two institutions have made little progress, with technical discussions focused on the less controversial parts of the proposals.
A non-paper by Parliament rapporteur Birgit Sippel and the Czech Presidency of the Council of the EU, discussed last week and seen by EURACTIV, marked a turning point in the discussions. Tackle the critical part of securing electronic communications.
The technical meeting was inconclusive, but the text sets the stage for future discussions. Parliament’s political groups have until Friday (18 November) to submit written observations to the rapporteur.
Data relating to electronic communications
At the center of the discussion is the article that defines the conditions under which electronic communications data can be processed, i.e. only to the extent strictly necessary to carry out the transmission of the communication and guarantee the security of the communication networks.
“The necessity of processing electronic communications data for the purposes set out in this Regulation should only be assessed on the basis of objective technical requirements and not be based on commercial considerations”reads a new paragraph proposed in the preamble of the text.
A further clarification has been introduced to cover the specific cases for which the conservation of the transmitted electronic communication is part of the users’ communication request. Therefore, for email services, emails are stored on a cloud server where the user can find them later.
On the security aspect, EU policy makers have proposed clarifying that service providers cannot process data stored on or emitted by users’ devices in order to detect technical faults and errors. This proposal constitutes an attempt to compromise with the MEPs who for their part have deleted this point.
The issue of data retention, another sensitive issue, has been temporarily suspended.
Electronic communications metadata
Another critical point of the “privacy and electronic communications” legislation concerns metadata, i.e. information relating to who communicates and how (time, place or even IP address). The processing of metadata can only be allowed in certain situations foreseen by the compromise text.
This is especially true when users give their explicit consent for one or more purposes that cannot be achieved without this metadata. However, in the event of a high risk to the rights and freedoms of users, a data protection impact analysis should be carried out beforehand.
The processing of metadata may also be authorized when such processing is strictly necessary to ensure billing, determine the interconnection rate and detect or stop the fraudulent or abusive use of electronic communications services.
A third possibility is that metadata analysis is essential for the telecommunications sector in order to comply with the European Electronic Communications Code, avoid network congestion under the Open Internet Regulation or optimize network performance.
“The processing of communications metadata for network optimization purposes should only be allowed if the necessary metadata is aggregated to a meaningful level and using state-of-the-art methods before any other processing is initiated”can be read in the explanatory paragraph.
For location data in particular, the idea is to allow processing to the extent strictly necessary to protect a person’s vital interests in an emergency and only if the data subject cannot give consent.
Furthermore, location data may be stored at the request of a public authority or on the basis of a specific contractual obligation for statistical analyses. In this case, the location data must be immediately pseudonymized, aggregated as soon as possible, encrypted during storage and deleted when it is no longer needed.
Content of Electronic Communications
The paperless document outlines the terms under which communication service providers may process content. One possibility is that all affected end users have given their consent to the processing of the communication content for one or more specific purposes.
A second possibility is that an individual user requests a communication service which cannot be provided without processing the communication content, “provided that such processing does not prejudice the fundamental rights and interests of another data subject”.
Again, the service provider will need to carry out a data protection impact analysis.
Compatible processing of electronic communications metadata
Before this non-paper became a joint effort with the Parliament rapporteur, the Czech Presidency had released a version which included the Council article on compatible management of electronic communications metadata.
According to information obtained by EURACTIV, this article was withdrawn due to opposition from rapporteur Birgit Sippel, who believed that it would open the door to further processing of metadata for purposes other than those set out in the regulation.
Ms. Sippel’s office declined our request for comment on the matter.
[Édité par Anne-Sophie Gayet]