Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications)

This document was prepared by Access Now and noyb. The following organisations also provided inputs to the proposed amendments and expressed support: EDRi, IT-Pol, and Privacy International.

This is a first working document to inform legislators as the trilogue negotiations starts. This document will evolve as talks progress and as issues get clarified.

European Commission1 European Parliament2 Council of the European Union3 Proposal from Access Now, EDRi, IT-Pol, noyb and Privacy International Recitals (1) Article 7 of the Charter of (1) Article 7 of the Charter of (1) Article 7 of the Charter of (1) Article 7 of the Charter of Fundamental Rights of the European Fundamental Rights of the European Fundamental Rights of the European Fundamental Rights of the European Union ("the Charter") protects the Union (“the Charter”) protects the Union ("the Charter") protects the Union ("the Charter") protects the fundamental right of everyone to the fundamental right of everyone to the fundamental right of everyone to the fundamental right of everyone to the respect for his or her private and respect for his or her private and respect for private and family life, respect for private and family life, 1 https://www.europarl.europa.eu/RegData/docs_autres_institutions/commission_europeenne/com/2017/0010/COM_COM(2017)0010_EN.pdf 2 https://www.europarl.europa.eu/doceo/document/A-8-2017-0324_EN.html 3 https://data.consilium.europa.eu/doc/document/ST-6087-2021-INIT/en/pdf family life, home and family life, home and home and communications. Respect home and communications. Respect communications. Respect for the communications. Respect for the for the confidentiality of one’s for the privacy and confidentiality of privacy of one’s communications is privacy of one’s communications is communications is an essential one’s communications is an essential an essential dimension of this right. an essential dimension of this right. dimension of this right, applying both dimension of this right, applying both Confidentiality of electronic Confidentiality of electronic to natural and legal persons. to natural and legal persons. communications ensures that communications ensures that Confidentiality of electronic Confidentiality of electronic information exchanged between information exchanged between communications ensures that communications ensures that parties and the external elements of parties and the external elements of information exchanged between information exchanged between such communication, including when such communication, including when parties and the external elements of parties and the external elements of the information has been sent, from the information has been sent, from such communication, including when such communication, including when where, to whom, is not to be revealed where, to whom, is not to be revealed the information has been sent, from the information has been sent, from to anyone other than to the parties to anyone other than to the where, to whom, is not to be revealed where, to whom, is not to be revealed involved in a communication. The communicating parties involved in to anyone other than to the parties to anyone other than to the principle of confidentiality should a communication. The principle of involved in a communication. The communicating parties involved in a apply to current and future means of confidentiality should apply to current principle of confidentiality should communication. The principle of communication, including calls, and future means of communication, apply to current and future means of confidentiality should apply to current internet access, instant messaging including calls, internet access, communication, including calls, and future means of communication, applications, e-mail, internet phone instant messaging applications, e- internet access, instant messaging including calls, internet access, instant calls and personal messaging mail, internet phone calls and inter- applications, e-mail, internet phone messaging applications, e-mail, provided through social media. personal messaging provided through calls and personal messaging internet phone calls and personal social media. It should also apply provided through social media. messaging provided through social when the confidentiality of media. It should also apply when electronic communications and the confidentiality of electronic the privacy of the physical communications and the privacy of environment converge, i.e. where the physical environment terminal devices for electronic converge, i.e. where terminal communications can also listen devices for electronic into their physical environment or communications can also listen use other input channels such as into their physical environment or Bluetooth signalling or movement use other input channels such as sensors. Bluetooth signalling or movement sensors. (2) The content of electronic (2) The content of electronic (2) The content of electronic (2) The content of electronic communications may reveal highly communications may reveal highly communications may reveal highly communications may reveal highly sensitive information about the sensitive information about the sensitive information about the sensitive information about the natural natural persons involved in the natural persons involved in the natural persons involved in the persons involved in the communication, from personal communication, from personal communication, from personal communication, from personal experiences and emotions to medical experiences and emotions to medical experiences and emotions to medical experiences and emotions to medical conditions, sexual preferences and conditions, sexual preferences and conditions, sexual preferences and conditions, sexual preferences and political views, the disclosure of which political views, the disclosure of which political views, the disclosure of which political views, the disclosure of which could result in personal and social could result in personal and social could result in personal and social could result in personal and social harm, economic loss or harm, economic loss or harm, economic loss or harm, economic loss or embarrassment. Similarly, metadata embarrassment. Similarly, metadata embarrassment. Similarly, metadata embarrassment. Similarly, metadata derived from electronic derived from electronic derived from electronic derived from electronic communications may also reveal very communications may also reveal very communications may also reveal very communications may also reveal very sensitive and personal information. sensitive and personal information. sensitive and personal information. sensitive and personal information. These metadata includes the These metadata includes the These metadata includes the These metadata includes the numbers numbers called, the websites visited, numbers called, the websites visited, numbers called, the websites visited, called, the websites visited, geographical location, the time, date geographical location, the time, date geographical location, the time, date geographical location, the time, date and duration when an individual and duration when an individual and duration when an individual made and duration when an individual made made a call etc., allowing precise made a call etc., allowing precise a call etc., allowing precise a call etc., allowing precise conclusions to be drawn regarding conclusions to be drawn regarding conclusions to be drawn regarding conclusions to be drawn regarding the the private lives of the persons the private lives of the persons the private lives of the persons private lives of the persons involved in involved in the electronic involved in the electronic involved in the electronic the electronic communication, such as communication, such as their social communication, such as their social communication, such as their social their social relationships, their habits relationships, their habits and relationships, their habits and relationships, their habits and and activities of everyday life, their activities of everyday life, their activities of everyday life, their activities of everyday life, their interests, tastes etc. interests, tastes etc. interests, tastes etc. interests, tastes etc. Metadata can also be processed Metadata can also be processed and analysed much easier than and analysed much easier than content, as it is already brought content, as it is already brought into a structured and standardised into a structured and standardised format. Metadata provides the format. The protection of means of establishing a profile of confidentiality of communications the individuals concerned, is an essential condition for the information that is no less respect of other connected sensitive, having regard to the right fundamental rights and freedoms, to privacy, than the actual content such as the protection of freedom of communications. The protection of thought, conscience and of confidentiality of religion, freedom of assembly, communications is an essential freedom of expression and condition for the respect of other information. connected fundamental rights and freedoms, such as the protection of freedom of thought, conscience and religion, freedom of assembly, freedom of expression and information. Explanation: Based on EP recital 2, using language from para. 99 of the CJEU judgment in Tele2 about sensitivity of metadata. (2a) Regulation (EU) 2016/679 (2a) Regulation (EU) 2016/679 regulates the protection of regulates the protection of personal data. This Regulation personal data. This Regulation protects in addition the respect for protects in addition the respect for private life and communications. private life and communications. The provisions of this Regulation The provisions of this Regulation particularise and complement the particularise and complement the general rules on the protection of general rules on the protection of personal data laid down in personal data laid down in Regulation (EU) 2016/679. This Regulation (EU) 2016/679. This Regulation therefore does not Regulation therefore does not lower the level of protection lower the level of protection enjoyed by natural persons under enjoyed by natural persons under Regulation (EU) 2016/679. The Regulation (EU) 2016/679. On the provisions particularise Regulation contrary, it aims to provide (EU) 2016/679 as regards personal additional and complementary data by translating its principles safeguards taking into account the into specific rules. If no specific need for additional protection as rules are established in this regards the confidentiality of Regulation, Regulation (EU) communications. 2016/679 should apply to any The provisions particularise processing of data that qualify as Regulation (EU) 2016/679 as personal data. The provisions regards personal data by complement Regulation (EU) translating its principles into 2016/679 by setting forth rules specific rules. If no specific rules regarding subject matters that are are established in this Regulation, not within the scope of Regulation Regulation (EU) 2016/679 should (EU) 2016/679, such as the apply to any processing of data protection of the rights of end- that qualify as personal data. The users who are legal persons. provisions complement Regulation Processing of electronic (EU) 2016/679 by setting forth rules communications data by providers regarding subject matters that are of electronic communications not within the scope of Regulation services and networks should only (EU) 2016/679, such as the be permitted in accordance with protection of the rights of end- this Regulation. This Regulation users who are legal persons. does not impose any obligations Processing of electronic on the end-user End-users who are communications data by providers legal persons may have rights of electronic communications conferred by Regulation (EU) services and networks should only 2016/679 to the extent specifically be permitted in accordance with required by this Regulation this Regulation. This Regulation does not impose any obligations on the end-user. End-users who are legal persons may have rights conferred by Regulation (EU) 2016/679 to the extent specifically required by this Regulation.

Explanation: This proposal gathers language from COU’s recital 2a and EP recital 5. (3) Electronic communications data (3) Electronic communications data (3) Electronic communications data (3) Electronic communications data may also reveal information may also reveal information may also reveal information may also reveal information concerning legal entities, such as concerning legal entities, such as concerning legal entities, such as concerning legal entities, such as business secrets or other sensitive business secrets or other sensitive business secrets or other sensitive business secrets or other sensitive information that has economic value. information that has economic value. information that has economic value information that has economic value Therefore, the provisions of this Therefore, the provisions of this and the protection of which allows and the protection of which allows Regulation should apply to both Regulation should apply to both legal persons to conduct their legal persons to conduct their natural and legal persons. natural and legal persons. business, supporting among other business, supporting among other Furthermore, this Regulation should Furthermore, this Regulation should innovation. Therefore, the provisions innovation. Therefore, the provisions ensure that provisions of the ensure that provisions of the of this Regulation should in principle of this Regulation should in principle Regulation (EU) 2016/679 of the Regulation (EU) 2016/679 of the apply to both natural and legal apply to both natural and legal European Parliament and of the European Parliament and of the persons. Furthermore, this Regulation persons. Furthermore, this Regulation Council , also apply to end-users who Council, also apply to end-users who should ensure that, where should ensure that provisions of the are legal persons. This includes the are legal persons. This includes the necessary, provisions of the Regulation (EU) 2016/679 of the definition of consent under Regulation definition of consent under Regulation Regulation (EU) 2016/679 of the European Parliament and of the (EU) 2016/679. When reference is (EU) 2016/679. When reference is European Parliament and of the Council, also apply mutatis mutandis made to consent by an end-user, made to consent by an end-user, Council, also apply mutatis to end-users who are legal persons. including legal persons, this definition including legal persons, this definition mutandis to end-users who are legal This includes the definition of should apply. In addition, legal should apply. In addition, legal persons. This includes the definition provisions on consent under persons should have the same rights persons should have the same rights of provisions on consent under Regulation (EU) 2016/679. When as end-users that are natural persons as end-users that are natural persons Regulation (EU) 2016/679. When reference is made to consent by an regarding the supervisory authorities; regarding the supervisory authorities; reference is made to consent by an end-user, including legal persons, furthermore, supervisory authorities furthermore, supervisory authorities end-user, including legal persons, this definition should apply. In under this Regulation should also be under this Regulation should also be this definition should apply. In addition, legal persons should have responsible for monitoring the responsible for monitoring the addition, legal persons should the same rights as end-users that application of this Regulation application of this Regulation have the same rights as end-users are natural persons regarding the regarding legal persons. regarding legal persons. that are natural persons regarding supervisory authorities; the supervisory authorities; furthermore, supervisory furthermore, supervisory authorities under this Regulation authorities under this Regulation should also be responsible for should also be responsible for monitoring the application of this monitoring the application of this Regulation regarding legal Regulation regarding legal persons. persons. (3a)This Regulation should not No comment affect national law regulating for instance the conclusion or the validity of a contract. Similarly, this Regulation should not affect national law in relation to determining who has the legal power to represent legal persons in any dealings with third parties or in legal proceedings. (4) Pursuant to Article 8(1) of the (4) Pursuant to Article 8(1) of the (4) Pursuant to Article 8(1) of the (4) Pursuant to Article 8(1) of the Charter and Article 16(1) of the Charter and Article 16(1) of the Charter and Article 16(1) of the Treaty Charter and Article 16(1) of the Treaty Treaty on the Functioning of the Treaty on the Functioning of the on the Functioning of the European on the Functioning of the European European Union, everyone has the European Union, everyone has the Union, everyone has the right to the Union, everyone has the right to the right to the protection of personal right to the protection of personal protection of personal data protection of personal data concerning data concerning him or her. data concerning him or her. concerning him or her. Regulation him or her. Regulation (EU) 2016/679 Regulation (EU) 2016/679 lays down Regulation (EU) 2016/679 lays down (EU) 2016/679 lays down rules lays down rules relating to the rules relating to the protection of rules relating to the protection of relating to the protection of natural protection of natural persons with natural persons with regard to the natural persons with regard to the persons with regard to the processing regard to the processing of personal processing of personal data and rules processing of personal data and rules of personal data and rules relating to data and rules relating to the free relating to the free movement of relating to the free movement of the free movement of personal data movement of personal data personal data personal data Electronic communications data may Electronic communications data may Electronic communications data may Electronic communications data may include personal data as defined in often include personal data as defined include personal data as defined in include are generally personal data Regulation (EU) 2016/679. in Regulation (EU) 2016/679. Regulation (EU) 2016/679. as defined in Regulation (EU) 2016/679. (5) The provisions of this Regulation (5) The provisions of this Regulation Deleted. Delete. particularise and complement the particularise and complement the Part of the language should be general rules on the protection of general rules on the protection of incorporated in recital 2a (see above). personal data laid down in Regulation personal data laid down in Regulation (EU) 2016/679 as regards electronic (EU) 2016/679 as regards electronic communications data that qualify as communications data that qualify as personal data. This Regulation personal data. This Regulation therefore does not lower the level of therefore does not lower the level of protection enjoyed by natural persons protection enjoyed by natural persons under Regulation (EU) 2016/679. under Regulation (EU) 2016/679. Processing of electronic On the contrary, it aims to provide communications data by providers of additional and complementary electronic communications services safeguards take into account the should only be permitted in need for additional protection as accordance with this Regulation. regards the confidentiality of communications. Processing of electronic communications data by providers of electronic communications services should only be permitted in accordance with this Regulation. (6) While the principles and main (6) While the principles and main (6) While the principles and main (6) While the principles and main provisions of Directive 2002/58/EC of provisions of Directive 2002/58/EC of provisions of Directive 2002/58/EC of provisions of Directive 2002/58/EC of the European Parliament and of the the European Parliament and of the the European Parliament and of the the European Parliament and of the Council remain generally sound, that Council remain generally sound, that Council remain generally sound, that Council remain generally sound, that Directive has not fully kept pace with Directive has not fully kept pace with Directive has not fully kept pace with Directive has not fully kept pace with the evolution of technological and the evolution of technological and the evolution of technological and the evolution of technological and market reality, resulting in an market reality, resulting in an market reality, resulting in an market reality, resulting in an inconsistent or insufficient effective inconsistent or insufficient effective inconsistent or insufficient effective inconsistent or insufficient effective protection of privacy and protection of privacy and protection of privacy and protection of privacy and confidentiality in relation to electronic confidentiality in relation to electronic confidentiality in relation to electronic confidentiality in relation to electronic communications. Those communications. Those communications. Those communications. Those developments developments include the entrance developments include the entrance developments include the entrance include the entrance on the market of on the market of electronic on the market of electronic on the market of electronic electronic communications services communications services that from a communications services that from a communications services that from a that from a consumer perspective are consumer perspective are consumer perspective are consumer perspective are substitutable to traditional services, substitutable to traditional services, substitutable to traditional services, substitutable to traditional services, but do not have to comply with the but do not have to comply with the but do not have to comply with the but do not have to comply with the same set of rules. same set of rules. same set of rules. same set of rules. Another development concerns new Another development concerns new Another development concerns new Another development concerns new techniques that allow for tracking of techniques that allow for tracking of techniques that allow for tracking of techniques that allow for tracking of online behaviour of end-users, online behaviour of end-users, which users online behaviour of end- online behaviour of end-users, which which are not covered by Directive are not covered by Directive 2002/58/ users, which are not covered by are not covered by Directive 2002/58/ 2002/58/EC. Directive 2002/58/EC EC. Directive 2002/58/EC should Directive 2002/58/EC. Directive EC. Directive 2002/58/EC should should therefore be repealed and therefore be repealed and replaced 2002/58/EC should therefore be therefore be repealed and replaced replaced by this Regulation. by this Regulation. repealed and replaced by this by this Regulation. Regulation. (7) The Member States should be (7) The Member States European (7) The Member States should be (7) The Member States European allowed, within the limits of this Data Protection Board should be allowed, within the limits of this Data Protection Board should be Regulation, to maintain or introduce allowed, where necessary, issue Regulation, to maintain or introduce allowed, where necessary, issue national provisions to further specify guidance and opinions, within the national provisions to further specify guidance and opinions, within the and clarify the application of the rules limits of this Regulation, to maintain and clarify the application of the rules limits of this Regulation, to maintain or of this Regulation in order to ensure or introduce national provisions to of this Regulation in order to ensure introduce national provisions to further an effective application and further specify and clarify the an effective application and specify and clarify the application of interpretation of those rules. application of the rules of this interpretation of those rules. the rules of this Regulation in order to Therefore, the margin of discretion, Regulation in order to ensure an Therefore, the margin of discretion, ensure an effective application and which Member States have in this effective application and which Member States have in this interpretation of those rules. regard, should maintain a balance interpretation of those rules. regard, should maintain a balance Therefore, the margin of discretion, between the protection of private life Therefore, the margin of between the protection of private life which Cooperation and and personal data and the free discretion, which Cooperation and and personal data and the free consistency between Member States movement of electronic consistency between Member movement of electronic have in this regard, should, in communications data. States have in this regard, should, communications data. particular between national Data in particular between national Data Protection Authorities, is essential Protection Authorities, is essential to maintain a balance between the to maintain a balance between the protection of private life and personal protection of private life and personal data and the free movement of data and the free movement of electronic communications data. electronic communications data. (7a) This Regulation does not Delete. apply to the protection of This recital aims at circumventing fundamental rights and freedoms case law of the CJEU on data related to activities which fall retention. This Regulation aims at outside the scope of Union law, protecting the fundamental right to and in any event measures, privacy, not to weaken it. processing activities and operations concerning national security and defence, regardless of who is carrying out those operations, whether it is a public authority or a private operator acting at the request of a public authority. (8) This Regulation should apply to (8) This Regulation should apply to (8) This Regulation should apply to (8) This Regulation should apply to providers of electronic providers of electronic providers of electronic providers of electronic communications services, to communications services, to communications services, and to communications services, to providers providers of publicly available providers of publicly available providers of publicly available of publicly available directories, and to directories, and to software providers directories, and to software providers directories, and to software software providers permitting permitting electronic communications, permitting electronic communications, providers permitting electronic electronic communications, including including the retrieval and including the retrieval and communications, including the the retrieval and presentation of presentation of information on the presentation of information on the retrieval and presentation of information on the internet. internet. internet. information on the internet. This Regulation should also apply to This Regulation should also apply to This Regulation should also apply to This Regulation should also apply to natural and legal persons who use natural and legal persons who use natural and legal persons who use natural and legal persons who use electronic communications services to electronic communications services electronic communications services electronic communications services to send direct marketing commercial to send direct marketing commercial to send direct marketing commercial send direct marketing commercial communications or make use of communications or collect information communications or collect information communications or make use of processing and storage capabilities related to or stored in end-users’ transmitted to, stored in, related to processing and storage of terminal equipment or collect terminal equipment. or stored in end-users’ processed capabilities of terminal equipment information processed by or emitted by users’ terminal equipment. or collect information processed by by or stored in end-users’ terminal or emitted by or stored in end-users’ equipment. terminal equipment. (8aaa) Furthermore, this Delete. Regulation should apply The language provided in recital 9 regardless of whether the which covers the same issue is processing of electronic clearer (see below). communications data or personal data of end-users who are in the Union takes place in the Union or not, or of whether the service provider or person processing such data is established or located in the Union or not. (8aa) Some end-users, for example Delete for consistency with proposed providers of payment services or Recital 2a and Recital 9. payment systems, process as recipients their electronic communications data for different purposes or request a third party to process their electronic communications data on their behalf. It is also important that end-users, including legal entities, have the possibility to take the necessary measures to secure their services, networks, employees and customers from security threats or incidents. Information security services may play an important role in ensuring the security of end-users' digital sphere. For example, an end-user as an information society service provider may process its electronic communications data, or may request a third party, such as a provider of security technologies and services, to process that end-user's electronic communications data on its behalf, for purposes such as ensuring network and information security, including the prevention, monitoring and termination of fraud, unauthorised access and Distributed Denial of Service attacks, or facilitating efficient delivery of website content. Processing of their electronic communications data by the end- users concerned, or by a third party entrusted by the end-users concerned to process their electronic communications data after receipt on their behalf, is should not be covered by this Regulation. For the purpose of protecting the end-user’s terminal equipment processing upon receipt, including also just before receipt, by a third party entrusted should not be covered by this Regulation. (8a) This Regulation does not No comment. apply to the electronic communications data of deceased persons. Member States may provide for rules regarding the processing of electronic communications data of deceased persons. (9) This Regulation should apply to (9) This Regulation should apply to Deleted. (9) This Regulation should apply to electronic communications data electronic communications data electronic communications data processed in connection with the processed in connection with the processed in connection with the provision and use of electronic provision offering and use of provision and use of electronic communications services in the electronic communications services in communications services in the Union, Union, regardless of whether or not the Union, regardless of whether or regardless of whether or not the the processing takes place in the not the processing takes place in the processing takes place in the Union. Union. Moreover, in order not to Union. Moreover, in order not to Moreover, in order not to deprive end- deprive end-users in the Union of deprive end-users in the Union of users in the Union of effective effective protection, this Regulation effective protection, this Regulation protection, this Regulation should also should also apply to electronic should also apply to electronic apply to electronic communications communications data processed in communications data processed in data processed in connection with the connection with the provision of connection with the provision of provision of electronic electronic communications services electronic communications services communications services from outside from outside the Union to end-users from outside the Union to end-users the Union to end-users in the Union. in the Union. in the Union. This should be the This should be the case case irrespective of whether the irrespective of whether the electronic communications are electronic communications are connected to a payment or not. connected to a payment or not. For For the purpose of this Regulation, the purpose of this Regulation, where the provider of an electronic where the provider of an electronic communications service is not communications service is not established in the Union, it should established in the Union, it should designate, in writing, a designate, in writing, a representative in the Union. representative in the Union. (10) Radio equipment and its (10) Radio equipment and its (10) Radio equipment and its (10) Radio equipment and its software software which is placed on the software which is placed on the software which is placed on the which is placed on the internal market internal market in the Union, must internal market in the Union, must internal market in the Union, must in the Union, must comply with comply with Directive 2014/53/EU of comply with Directive 2014/53/EU of comply with Directive 2014/53/EU of Directive 2014/53/EU of the European the European Parliament and of the the European Parliament and of the the European Parliament and of the Parliament and of the Council. This Council. This Regulation should not Council. This Regulation should not Council 23 . This Regulation should Regulation should not affect the affect the applicability of any of the affect the applicability of any of the not affect the applicability of any of applicability of any of the requirements requirements of Directive 2014/53/EU requirements of Directive 2014/53/EU the requirements of Directive of Directive 2014/53/EU nor the power nor the power of the Commission to nor the power of the Commission to 2014/53/EU nor the power of the of the Commission to adopt delegated adopt delegated acts pursuant to adopt delegated acts pursuant to Commission to adopt delegated acts acts pursuant to Directive 2014/53/EU Directive 2014/53/EU requiring that Directive 2014/53/EU requiring that pursuant to Directive 2014/53/EU requiring that specific categories or specific categories or classes of radio specific categories or classes of radio requiring that specific categories or classes of radio equipment equipment incorporate safeguards to equipment incorporate safeguards to classes of radio equipment incorporate safeguards to ensure that ensure that personal data and privacy ensure that personal data and privacy incorporate safeguards to ensure that personal data and privacy of end- of end-users are protected of end-users are protected personal data and privacy of end- users are protected users are protected (11) The services used for (11) The services used for (11) The services used for (11) The services used for communications purposes, and the communications purposes, and the communications purposes, and the communications purposes, and the technical means of their delivery, technical means of their delivery, technical means of their delivery, technical means of their delivery, have have evolved considerably. have evolved considerably. have evolved considerably. evolved considerably. End-users increasingly replace End-users increasingly replace End-users increasingly replace End-users increasingly replace traditional voice telephony, text traditional voice telephony, text traditional voice telephony, text traditional voice telephony, text messages (SMS) and electronic mail messages (SMS) and electronic mail messages (SMS) and electronic mail messages (SMS) and electronic mail conveyance services in favour of conveyance services in favour of conveyance services in favour of conveyance services in favour of functionally equivalent online services functionally equivalent online services functionally equivalent online services functionally equivalent online services such as Voice over IP, messaging such as Voice over IP, messaging such as Voice over IP, messaging such as Voice over IP, messaging services and web-based e-mail services and web-based e-mail services and web-based e-mail services and web-based e-mail services. In order to ensure an services, also known as “over-the- services. In order to ensure an services. In order to ensure an effective and equal protection of end- top-services” (OTTs). In order to effective and equal protection of end- effective and equal protection of end- users when using functionally ensure This Regulation aims at users when using functionally users when using functionally equivalent services, this Regulation ensuring an effective and equal equivalent services, this Regulation equivalent services, this Regulation uses the definition of electronic protection of end-users when using uses the definition of electronic uses the definition of electronic communications services set forth in functionally equivalent services, this communications services set forth in communications services set forth in the [Directive of the European Regulation uses the definition of the Directive (EU) 2018/1972. That the Directive (EU) 2018/1972. That Parliament and of the Council electronic communications definition encompasses not only definition encompasses not only establishing the European Electronic services set forth in the [Directive internet access services and services internet access services and services Communications Code]. That so as to ensure the confidentiality consisting wholly or partly in the consisting wholly or partly in the definition encompasses not only of their communications, conveyance of signals but also conveyance of signals but also internet access services and services irrespective of the European interpersonal communications interpersonal communications consisting wholly or partly in the Parliament and of the Council services, which may or may not be services, which may or may not be conveyance of signals but also establishing the European number-based, such as for example, number-based, such as for example, interpersonal communications Electronic Communications Code]. Voice over IP, messaging services Voice over IP, messaging services services, which may or may not be That definition encompasses and web-based e-mail services. and web-based e-mail services. The number-based, such as for example, technological medium chosen. It protection of confidentiality of Voice over IP, messaging services does not only cover internet access (11a) The protection of confidentiality communications is crucial also as and web-based e-mail services. The services and services consisting of communications is crucial also as regards interpersonal communications protection of confidentiality of wholly or partly in the conveyance of regards interpersonal services that are ancillary to another communications is crucial also as signals but also interpersonal communications services that are service; therefore, the processing of regards interpersonal communications services, which may ancillary to another service; therefore, electronic communications data in communications services that are or may not be number-based, such the processing of electronic the context of the provision of such ancillary to another service; therefore, as for example, Voice over IP, communications data in the type of services also having a such type of services also having a messaging services and web-based context of the provision of such communication functionality should be communication functionality should e-mail services. The protection of type of minor ancillary services also covered by this Regulation. be covered by this Regulation. confidentiality of communications having a communication is crucial also as regards functionality should be covered by interpersonal communications this Regulation. services that are ancillary to another service; therefore, such type of services also having a communication functionality should be covered by this Regulation. (11aa) In all the circumstances Delete. The definition of electronic where electronic communication is communication is defined under taking place between a finite, that Directive (EU) 2018/1972 and should is to say not potentially unlimited, be limited under this Regulation as it number of end-users which is would reduce the scope of protection determined by the sender of the for the confidentiality of communications, e.g. any communications. messaging application allowing two or more people to connect and communicate, such services constitute interpersonal communications services. Conversely, a communications channel does not constitute an interpersonal communications service when it does not enable direct interpersonal and interactive exchange of information via electronic communications networks between a finite number of persons, whereby the persons initiating or participating in the communication determine its recipient(s). This is for example the case when the entity providing the communications channel is at the same time a communicating party, such as a company that operates a communications channel for customer care that allows customers solely to communicate with the company in question. Also, where access to an electronic communications is available for anyone, e.g. communications in an electronic communications channel in online games which is open to all persons playing the game, such channel does not constitute an interpersonal communications feature. This reflects the end- users' expectations regarding the confidentiality of a service. (12) Connected devices and Deleted. (12) Connected devices and (12) Connected devices and machines increasingly communicate machines increasingly machines increasingly with each other by using electronic communicate with each other by communicate with each other by communications networks (Internet of using electronic communications using electronic communications Things). The transmission of networks (Internet of Things). The networks (Internet of Things). The machine-to-machine communications use of machine-to-machine and use of machine-to-machine and involves the conveyance of signals Internet of Things services, that is Internet of Things services, that is over a network and, hence, usually to say services involving an to say services involving a transfer constitutes an electronic automated transfer of data and of data and information between communications service. In order to information between devices or devices or software-based ensure full protection of the rights to software-based applications with applications with limited or no privacy and confidentiality of limited or no human interaction, is human interaction, is emerging. In communications, and to promote a emerging. In order to ensure full order to ensure full protection of the trusted and secure Internet of Things protection of the rights to privacy and rights to privacy and confidentiality of in the digital single market, it is confidentiality of communications, communications, and to promote a necessary to clarify that this and to promote a trusted and secure trusted and secure Internet of Things Regulation should apply to the Internet of Things in the digital single in the digital single market, it is transmission of machine-to-machine market, it is necessary to clarify necessary to clarify that this communications. Therefore, the that this Regulation, in particular Regulation, in particular the principle of confidentiality enshrined the requirements relating to the requirements relating to the in this Regulation should also apply to confidentiality of communications, confidentiality of communications, the transmission of machine-to- should apply to the transmission of should apply to the transmission of machine communications. Specific machine-to-machine machine-to-machine safeguards could also be adopted communications such services. communications via such services. under sectorial legislation, as for Therefore, the principle of Therefore, the principle of instance Directive 2014/53/EU. confidentiality enshrined in this confidentiality enshrined in this Regulation should also apply to Regulation should also apply to the the transmission of machine-to- transmission of machine-to- machine communications. The machine communications. The transmission of machine-to- transmission use of machine-to- machine or Internet of Things machine or Internet of Things services regularly involves the services regularly involves the conveyance of signals via an conveyance of signals via an electronic communications electronic communications network and, hence, constitutes an network and, hence, constitutes an electronic communications electronic communications service. service. This Regulation should This Regulation should apply to the apply to the provider of the provider of the transmission transmission service if that service if that transmission is transmission is carried out via a carried out via a publicly available publicly available electronic electronic communications service communications service or or network or home network. network. Conversely, where the Conversely, where the transmission of machine-to- transmission of machine-to- machine or Internet of Things machine or Internet of Things services is carried out via a private services is carried out via a private or closed network such as a or closed network such as a closed closed factory network, this factory network, this Regulation Regulation should not apply. should not apply. Typically, Typically, providers of machine-to- providers of machine-to-machine machine or Internet of Things or Internet of Things services services operate at the application operate at the application layer (on layer (on top of electronic top of electronic communications communications services). These services). These service providers service providers and their and their customers who use IoT customers who use IoT services services are in this respect end- are in this respect end-users, and users, and not providers of the not providers of the electronic electronic communication service communication service and and therefore benefit from the therefore benefit from the protection of confidentiality of their protection of confidentiality of electronic communications data. their electronic communications Specific safeguards could also be data. Specific safeguards could also adopted under sectorial legislation, as be adopted under sectorial legislation, for instance Directive 2014/53/EU. as for instance Directive 2014/53/EU. (13) The development of fast and (13) The development of fast and (13) The development of fast and (13) The development of fast and efficient wireless technologies has efficient wireless technologies has efficient wireless technologies has efficient wireless technologies has fostered the increasing availability for fostered the increasing availability for fostered the increasing availability for fostered the increasing availability for the public of internet access via the public of internet access via the public of internet access via the public of internet access via wireless networks accessible by wireless networks accessible by wireless networks accessible by wireless networks accessible by anyone in public and semi-private anyone in public and semi-private anyone in public and semi-private anyone in public and semi-private spaces such as 'hotspots' situated at spaces such as ‘hotspots' wireless spaces such as 'hotspots' situated at spaces such as ‘hotspots' wireless different places within a city, internet access points situated at different places within a city, internet access points situated at department stores, shopping malls different places within a city, for department stores, shopping malls different places within a city, for and hospitals. To the extent that example department stores, and hospitals. To the extent that example department stores, shopping those communications networks are shopping malls, and hospitals, those communications networks are malls, and hospitals, airports, hotels provided to an undefined group of airports, hotels and restaurants. provided to an undefined group of and restaurants. Those access end-users, the confidentiality of the Those access points might require end-users, regardless if these points might require a log in or communications transmitted through a log in or provide a password and networks are secured with provide a password and might be such networks should be protected. might be provided also by public passwords or not, the confidentiality provided also by public The fact that wireless electronic administrations, including Union of the communications transmitted administrations, including Union communications services may be bodies and agencies. To the extent through such networks should be bodies and agencies. To the extent ancillary to other services should not that those communications networks protected. The fact that wireless that those communications networks stand in the way of ensuring the are provided to an undefined group electronic communications services are provided to an undefined group protection of confidentiality of of end- users, the confidentiality of may be ancillary to other services of end- users, the confidentiality of communications data and application the communications transmitted should not stand in the way of the communications transmitted of this Regulation. Therefore, this through such networks should be ensuring the protection of through such networks should be Regulation should apply to electronic protected. The fact that wireless confidentiality of communications protected. The fact that wireless communications data using electronic electronic communications data and application of this electronic communications services communications services and public services may be ancillary to other Regulation. Therefore, this Regulation may be ancillary to other services communications networks. In services should not stand in the should apply to electronic should not stand in the way of contrast, this Regulation should not way of ensuring the protection of communications data using publicly ensuring the protection of apply to closed groups of end-users confidentiality of communications available electronic communications confidentiality of communications data such as corporate networks, access data and application of this services and public electronic and application of this Regulation. to which is limited to members of the Regulation. Therefore, this communications networks. In Therefore, this Regulation should corporation. Regulation should apply to electronic contrast, this Regulation should not apply to electronic communications communications data using electronic apply to closed groups of end-users data using electronic communications communications services and public such as home (fixed or wireless) services and public communications communications networks. This networks or corporate networks or networks. This Regulation should Regulation should also apply to networks to which the, access is also apply to closed social media closed social media profiles and limited to a pre-defined group of profiles and groups that the users groups that the users have end-users, e.g. to family members have restricted or defined as restricted or defined as private. In or, members of a corporation. private. In contrast, this Regulation contrast, this Regulation should not Similarly, this Regulation does not should not apply to closed groups of apply to closed groups of end-users apply to data processed by end-users such as corporate intranet such as corporate intranet networks, services or networks used for networks, access to which is limited to access to which is limited to members purely internal communications members of the corporation an of the corporation an organisation. purposes between public organisation. The mere The mere requirement of a institutions, courts, court requirement of a password should password should not be administrations, financial, social not be considered as providing considered as providing access to and employment administrations. access to a closed group of end- a closed group of end-users if the As soon as electronic users if the access to the service access to the service as a whole is communications data is as a whole is provided to an provided to an undefined group of transferred from such a closed undefined group of end-users.The end-users. group network to a public provisions of this Regulation electronic communications regarding the protection of end- network, this Regulation applies to users' terminal equipment such data, including when it is information also apply in the case M2M/IoT and personal/home of terminal equipment connected to assistant data. The provisions of a closed group network such as this Regulation regarding the intranet networks a home (fixed or protection of end-users' terminal wireless) network which in turn is equipment information also apply connected to an electronic in the case of terminal equipment communications network. connected to a closed group network such as a home (fixed or wireless) network which in turn is connected to a public electronic communications network. (14) Electronic communications data (14) Electronic communications data (14) Electronic communications data (14) Electronic communications data should be defined in a sufficiently should be defined in a sufficiently should be defined in a sufficiently should be defined in a sufficiently broad and technology neutral way so broad and technology neutral way so broad and technology neutral way so broad and technology neutral way so as to encompass any information as to encompass any information as to encompass any information as to encompass any information concerning the content transmitted or concerning the content transmitted or concerning the content transmitted or concerning the content transmitted or exchanged (electronic exchanged (electronic exchanged (electronic exchanged (electronic communications content) and the communications content) and the communications content) and the communications content) and the information concerning an end-user information concerning an end- user information concerning an end-user of information concerning an end-user of of electronic communications of electronic communications electronic communications services electronic communications services services processed for the purposes services processed for the purposes processed for the purposes of processed for the purposes of of transmitting, distributing or of transmitting, distributing or transmitting, distributing or enabling transmitting, distributing or enabling enabling the exchange of electronic enabling the exchange of electronic the exchange of electronic the exchange of electronic communications content; including communications content; including communications content; including communications content; including data to trace and identify the source data to trace and identify the source data to trace and identify the source data to trace and identify the source and destination of a communication, and destination of a communication, and destination of a communication, and destination of a communication, geographical location and the date, geographical location and the date, geographical location and the date, geographical location and the date, time, duration and the type of time, duration and the type of time, duration and the type of time, duration and the type of communication. communication. It should also communication. communication. It should also Whether such signals and the related include data necessary to identify Whether such signals and the related include data necessary to identify data are conveyed by wire, radio, users’ terminal equipment and data are conveyed by wire, radio, users’ terminal equipment and data optical or electromagnetic means, data emitted by terminal optical or electromagnetic means, emitted by terminal equipment including satellite networks, cable equipment when searching for including satellite networks, cable when searching for access points networks, fixed (circuit- and packet- access points or other equipment. networks, fixed (circuit- and packet- or other equipment. Whether such switched, including internet) and Whether such signals and the related switched, including internet) and signals and the related data are mobile terrestrial networks, electricity data are conveyed by wire, radio, mobile terrestrial networks, electricity conveyed by wire, radio, optical or cable systems, the data related to optical or electromagnetic means, cable systems, the data related to electromagnetic means, including such signals should be considered as including satellite networks, cable such signals should be considered as satellite networks, cable networks, electronic communications metadata networks, fixed (circuit- and packet- electronic communications metadata fixed (circuit- and packet-switched, and therefore be subject to the switched, including internet) and and therefore be subject to the including internet) and mobile provisions of this Regulation. mobile terrestrial networks, electricity provisions of this Regulation. terrestrial networks, electricity cable Electronic communications metadata cable systems, the data related to Electronic communications metadata systems, the data related to such may include information that is part of such signals should be considered as may include information that is part of signals should be considered as the subscription to the service when electronic communications metadata the subscription to the service when electronic communications metadata such information is processed for the and therefore be subject to the such information is processed for the and therefore be subject to the purposes of transmitting, distributing provisions of this Regulation. purposes of transmitting, distributing provisions of this Regulation. or exchanging electronic Electronic communications metadata or exchanging electronic Electronic communications metadata communications content. may include information that is part of communications content. may include information that is part of the subscription to the service when the subscription to the service when such information is processed for the such information is processed for the purposes of transmitting, distributing purposes of transmitting, distributing or exchanging electronic or exchanging electronic communications content. The communications content. Electronic exclusion of services providing communications metadata also “content transmitted using includes information related to the electronic communications use of machine-to-machine or networks” from the definition of Internet of Things services. “electronic communications service” in Article 4 of this Regulation does not mean that service providers who offer both electronic communications services and content services are outside the scope of the provisions of the Regulation which applies to the providers of electronic communications services (14 a) Modern electronic (14 a) Modern electronic communications services, communications services, including the Internet and the OTT including the Internet and the OTT services that run on top of it, services that run on top of it, function on the basis of a protocol function on the basis of a protocol stack. Each protocol defines stack. Each protocol defines content (also called payload), a content (also called payload), a header and sometimes a trailer. header and sometimes a trailer. Any higher protocol in the stack Any higher protocol in the stack would be encapsulated in the would be encapsulated in the content part of a lower level content part of a lower level protocol. For example, A TCP protocol. For example, A TCP segment would be in the content segment would be in the content part of an IP packet, whose header part of an IP packet, whose header would include the source and would include the source and destination IP addresses between destination IP addresses between which the IP packet should be which the IP packet should be routed. TCP segments could routed. TCP segments could contain an SMTP message in their contain an SMTP message in their content part, i.e. an e-mail. At the content part, i.e. an e-mail. At the SMTP protocol level, the header SMTP protocol level, the header would notably contain the sender would notably contain the sender and receiver email addresses and and receiver email addresses and the content part would contain the the content part would contain the message itself. In practice, the message itself. In practice, the header and the trailer of a protocol header and the trailer of a protocol message correspond to metadata message correspond to metadata for the given protocol. This means for the given protocol. This means that the metadata on one protocol that the metadata on one protocol layer will be content for the lower layer will be content for the lower layers encapsulating the layers encapsulating the information. Where this Regulation information. Where this Regulation lays down different rules for the lays down different rules for the processing of content and processing of content and metadata, this should be metadata, this should be understood specifically for the understood specifically for the considered electronic considered electronic communications service and the communications service and the protocol layer it is operating on. protocol layer it is operating on. For an Internet service provider, For an Internet service provider, for for example, the subject, the example, the subject, the sender, sender, the recipient and the body the recipient and the body of an of an email will be altogether email will be altogether considered considered as content of the IP as content of the IP packets routed packets routed by it. However by it. However, regarding an e-mail regarding an e-mail provider, only provider, only the subject and the the subject and the body of the body of the email will be email will considered as content, considered as content, whereas the whereas the recipient and the recipient and the sender will be sender will be considered as considered as metadata. This metadata. This separation of separation of protocol layers is protocol layers is crucial for crucial for maintaining the maintaining the neutrality of the neutrality of the electronic electronic communications communications services (net services (net neutrality), which is neutrality), which is protected protected under Regulation (EU) under Regulation (EU) 2015/2120. 2015/2120. (15) Electronic communications data (15) Electronic communications data (15) Electronic communications data (15) Electronic communications and should be treated as confidential. should be treated as confidential. should be treated as confidential. This data should be treated as confidential. This means that any interference with This means that any interference with means that any interference with the This means that any interference with the transmission of electronic the transmission of electronic transmission of electronic the transmission of electronic communications data, whether communications data,, whether communications data, whether communications and data, whether directly by human intervention or directly by human intervention or directly by human intervention or directly by human intervention or through the intermediation of through the intermediation of through the intermediation of through the intermediation of automated processing by machines, automated processing by machines, automated processing by machines, automated processing by machines, without the consent of all the without the consent of all the without the consent of all the without the consent of all the communicating parties should be communicating parties should be communicating parties should be communicating parties should be prohibited. The prohibition of prohibited. When the processing is prohibited. The prohibition of prohibited. When the processing is interception of communications data allowed under any exception to the interception of communications data allowed under any exception to the should apply during their conveyance, prohibitions under this Regulation, should apply during their conveyance, prohibitions under this Regulation, i.e. until receipt of the content of the any other processing on the basis i.e. until receipt of the content of the any other processing on the basis electronic communication by the of Article 6 of Regulation (EU) electronic communication by the of Article 6 of Regulation (EU) intended addressee. Interception of 2016/679 should be considered as intended addressee. Interception of 2016/679 should be considered as electronic communications data may prohibited, including processing electronic communications data may prohibited, including processing occur, for example, when someone for another purpose on the basis occur, for example, when someone for another purpose on the basis of other than the communicating parties, of Article 6 paragraph 4 of that other than the communicating parties, Article 6 paragraph 4 of that listens to calls, reads, scans or stores Regulation. This should not listens to calls, reads, scans or stores Regulation. This should not the content of electronic prevent requesting additional the content of electronic prevent requesting additional communications, or the associated consent for new processing communications, or the associated consent for new processing metadata for purposes other than the operations. The prohibition of metadata for purposes other than the operations. The prohibition of exchange of communications. interception of communications data exchange of communications. interception of communications and Interception also occurs when third should apply also during their Interception also occurs when third data should apply during their parties monitor websites visited, conveyance. For non-real-time parties monitor websites visited, conveyance, i.e. until receipt of the timing of the visits, interaction with electronic communications such timing of the visits, interaction with content of the electronic others, etc., without the consent of as email or messaging, the others, etc., without the consent of communication by the intended the end-user concerned. As transmission starts with the the end-user concerned. As addressee and continue to apply technology evolves, the technical submission of the content for technology evolves, the technical until the addressee delete such ways to engage in interception have delivery and finishes with the , i.e. ways to engage in interception have communications from terminal also increased. Such ways may until receipt of the content of the also increased. Such ways may range equipment and other storage, range from the installation of electronic communication by the from the installation of equipment that including cloud providers. equipment that gathers data from service provider of the intended gathers data from terminal equipment Interception of electronic terminal equipment over targeted addressee. recipient. Interception of over targeted areas, such as the so- communications and data may occur, areas, such as the so-called IMSI electronic communications data may called IMSI (International Mobile for example, when someone other (International Mobile Subscriber occur, for example, when someone Subscriber Identity) catchers, to than the communicating parties, Identity) catchers, to programs and other than the communicating parties, programs and techniques that, for listens to calls, reads, scans or stores techniques that, for example, listens to calls, reads, scans or stores example, surreptitiously monitor the content of electronic surreptitiously monitor browsing the content of electronic browsing habits for the purpose of communications, or the associated habits for the purpose of creating communications, or the associated creating end-user profiles. Other metadata for purposes other than the end-user profiles. Other examples of metadata for purposes other than the examples of interception include exchange of communications. interception include capturing payload exchange of communications. capturing payload data or content Interception also occurs when third data or content data from Interception also occurs when third data from unencrypted wireless parties monitor websites visited, timing unencrypted wireless networks and parties monitor websites visited, networks and routers, including of the visits, interaction with others, routers, including browsing habits timing of the visits, interaction with browsing habits without the end- etc., without the consent of the end- without the end-users' consent. others, etc., without the consent of users' consent. user concerned. As technology the end- user concerned. As evolves, the technical ways to engage technology evolves, the technical in interception have also increased. ways to engage in interception have Such ways may range from the also increased. Such ways may installation of equipment that gathers range from the installation of data from terminal equipment over equipment that gathers data from targeted areas, such as the so-called terminal equipment over targeted IMSI (International Mobile Subscriber areas, such as the so-called IMSI Identity) catchers, to programs and (International Mobile Subscriber techniques that, for example, Identity) catchers, to programs and surreptitiously monitor browsing habits techniques that, for example, for the purpose of creating end-user surreptitiously monitor browsing profiles. Other examples of habits for the purpose of creating interception include capturing payload end- user profiles. Other examples data or content data from unencrypted of interception include capturing wireless networks and routers, payload data or content data from including browsing habits without the unencrypted wireless networks and end-users' consent. routers, and analysis of users' traffic data, including browsing habits without the end- users’ consent. (15aa) In order to ensure the (15aa) In order to ensure the confidentiality of electronic confidentiality of electronic communications data, providers of communications data, providers of electronic communications electronic communications services should apply security services should apply security measures in accordance with measures in accordance with Article 40 of Directive (EU) Article 40 of Directive (EU) 2018/1972 and Article 32 of 2018/1972 and Article 32 of Regulation (EU) 2016/679. Regulation (EU) 2016/679. (15aaa) Moreover, trade secrets Delete. are protected in accordance with Directive (EU) 2016/943. (15a) The prohibition of (15a) Upon receipt, electronic interception of electronic communications content and communications content under related metadata should be erased this Regulation should apply until or made anonymous in such a receipt of the content of the manner that no natural or legal electronic communication by the person is identifiable, by the intended addressee, i.e. during the provider of the electronic end-to-end exchange of electronic communications service except communications content between when processing is permitted end-users. Receipt implies that the under this Regulation. After end-user gains control over, and electronic communications content has the possiblity to interact with, has been received by the intended the individual electronic end-user or end-users, it may be communications content, for recorded or stored by those end- example by recording, storing, users. End-users are free to printing or otherwise processing mandate a third party to record or such data, including for security store such data on their behalf. purposes. The exact moment of the receipt of electronic or communications content may depend on the type of electronic (15a) The technological design of communications service that is electronic communications provided. For instance, depending services has evolved considerably. on the technology used, a voice Traditional telecommunications call may be completed as soon as services (voice telephony and SMS) either of the end-users ends the focus on providing transmission of call. For electronic mail or instant electronic communications data, messaging, depending on the and centralised storage of content technology used, the moment of is not part of the technological receipt may be as soon as the design, except for temporary addressee has collected the storage of text messages if the message, typically from the server recipient is offline. After of the electronic communications transmission, end-users gain service provider. Upon receipt, complete control over their electronic communications messages since they are only content and related metadata stored on the end-users' devices. should be erased or made For «over the top» electronic anonymous in such a manner that communications services, such as no natural or legal person is electronic mail and instant identifiable, by the provider of the messaging services, permanent electronic communications service storage by the service provider of except when processing is electronic communications data permitted under this Regulation. after transmission is often an After electronic communications integral part of the technological content has been received by the design. This offers convenience for intended end-user or end-users, it end-users who can access their may be recorded or stored by messages from multiple devices those end-users. End-users are and provides useful backup free to mandate a third party to facilities that protect messages record or store such data on their from being lost in case of hardware behalf. failure. However, it also increases the risk that electronic communications data will be processed for other purposes after transmission. Due to the technological design, end-users do not gain full control over the stored electronic communications data, unless they decide to delete their messages after reception, which is generally undesirable. In accordance with the principle of technological neutrality, the prohibition of interception of interference with electronic communications data data content under this Regulation should apply to the provider of the electronic communications service during transmission and storage for as long as the electronic communications data is accessible by the service provider. (16) The prohibition of storage of (16) The prohibition of storage of (16) The prohibition of processing, (16) The prohibition of processing, communications is not intended to communications is not intended to including storage of communications including storage of communications prohibit any automatic, intermediate prohibit any automatic, intermediate is not intended to prohibit any is not intended to prohibit any and transient storage of this and transient storage of this automatic, intermediate and transient automatic, intermediate and transient information insofar as this takes place information insofar as this takes place processing, including storage of processing, including storage of this for the sole purpose of carrying out for the sole purpose of carrying out this information insofar as this takes information insofar as this takes the transmission in the electronic the transmission in the electronic place for the sole purpose of carrying place for the sole purpose of communications network. It should communications network. It should out the transmission in the electronic carrying out the transmission in the not prohibit either the processing of not prohibit either the processing of communications network. electronic communications electronic communications data to electronic communications data by Processing of electronic network. In case of storage or other ensure the security and continuity of public authorities, computer communications data by providers processing after transmission of the electronic communications emergency response teams of electronic communications communications, the principles of services, including checking security (CERTs), computer security services and networks should only confidentiality shall continue to threats such as the presence of incident response teams (CSIRTs), be permitted in accordance with apply to communications data. malware or the processing of providers of electronic this Regulation. It should not prohibit Processing of electronic metadata to ensure the necessary communications networks and the processing of electronic communications data by providers quality of service requirements, such services and by providers of communications data without of electronic communications as latency, jitter etc. security technologies and consent of the end-user to ensure services and networks should only services, in compliance with the security, including the be permitted in accordance with Regulation 2016/679 and to the availability, authenticity, integrity this Regulation. It should not prohibit extent strictly necessary and or confidentiality, of the electronic the processing of electronic proportionate for the sole communications services, including communications data to ensure the purposes of ensuring network and for example checking security security, including the authenticity, information security, [i.e. threats such as the presence of integrity or confidentiality, of the preservation of availability, malware or viruses, or the electronic communications services, integrity], and confidentiality of identification of phishing. Security including for example checking information, and ensuring the measures are essential to prevent security threats such as the presence security of the related services personal data breaches in of malware or viruses, or the offered by, or accessible via, those electronic communications. Spam identification of phishing. Security networks and systems. This could, electronic messages may also measures are essential to prevent for example, include preventing affect the availability of the personal data breaches in unauthorised access to electronic respective services and could electronic communications. Such communications networks and potentially impact the performance security measures, including anti- malicious code distribution and of networks and services, which spam measures, should be stopping ‘denial of service’ attacks justifies the processing of proportionate and should be and damage to computer and electronic communications data to performed in the least intrusive electronic communications mitigate this risk. Such security manner. Providers of electronic systems, security services, measures, including anti-spam communications services are checking security threats such as the measures, should be proportionate encouraged to offer end-users the presence of malware, spam or to and should be performed in the possibility to check electronic check against DDoS attacks, or the least intrusive manner. Providers messages deemed as spam in processing of metadata to ensure the of electronic communications order to ascertain whether they necessary quality of service services are encouraged to offer were indeed spam. requirements, such as latency, jitter end-users the possibility to check etc. Such processing could be electronic messages deemed as carried out by another party which spam in order to ascertain whether acts as a data processor in the they were indeed spam. meaning of Regulation (EU) 2016/679 for the provider of the service. (16a) The protection of the content (16a) The content of electronic of electronic communications pertains communications pertains to the to the essence of the fundamental essence of the fundamental right to right to respect for private and family respect for private and family life, life, home and communications home and communications protected protected under Article 7 of the under Article 7 of the Charter. Any Charter. Any interference with the interference with the processing of content of electronic communications content data of electronic should be allowed only under very communications should be allowed clear defined conditions, for specific only under very clearly defined purposes and be subject to adequate conditions, for specific purposes and safeguards against abuse. This be subject to adequate safeguards Regulation provides for the possibility against abuse. This Regulation of providers of electronic provides for the possibility of providers communications services to process of electronic communications services electronic communications content in to process electronic communications transit, with the informed consent of content data in transit, with the all the end-users concerned. For informed consent of all the end-users example, providers may offer services concerned. For example, providers that entail the scanning of emails to may offer services that entail the remove certain pre-defined material. scanning of emails to remove certain Given the sensitivity of the content of pre-defined material. Given the communications, this Regulation sets sensitivity of the content of forth a presumption that the communications, this Regulation sets processing of such content data will forth a presumption that the result in high risks to the rights and processing of such content data will freedoms of natural persons. When result in high risks to the rights and processing such type of content, the freedoms of natural persons. When provider of the electronic processing such type of data, the communications service should provider of the electronic consult the supervisory authority if communications service should necessary pursuant to Article 36 always carry out an impact (1) of Regulation (EU) 2016/679. assessment as provided for in Such consultation should be in Regulation (EU) 2016/679 and accordance with Article 36 (2) and (3) consult the supervisory authority prior of Regulation (EU) 2016/679. The to the processing. Such consultation presumption does not encompass the should be in accordance with processing of content to provide a Article 36 (2) and (3) of Regulation service requested by the end-user (EU) 2016/679. The presumption does where the end-user has consented to not encompass the processing of such processing and it is carried out content data to provide a service for the purposes and duration strictly requested by the end-user where the necessary and proportionate for such end-user has consented to such service. After electronic processing and it is carried out for the communications content has been purposes and duration strictly sent by the end-user and received by necessary and proportionate for such the intended end-user or end-users, it service. After electronic may be recorded or stored by the communications content has been end-user, end-users or by a third sent by the end-user and received by party entrusted by them to record or the intended end-user or end-users, it store such data. Any processing of may be recorded or stored by the end- such data must comply with user, end-users or by a third party Regulation (EU) 2016/679. entrusted by them to record or store such data, which could be an electronic communications service provider. Any processing of such stored communications data where the data is stored on behalf of the user must comply with this Regulation. Any other processing of such data must comply with Regulation (EU) 2016/679.

Explanation: Recital 16a of COU comes from Recital 19 of the COM proposal. We support the re- organisation of the text to move the provision here and proposed modifications merging proposals from the EP and the COU. (16b) Services that facilitate end- (16b) Processing of electronic users everyday life such as index communication data might be functionality, personal assistant, necessary for some functionalities translation services and services in services for individual use, such that enable more inclusion for as searching and organising persons with disabilities such as messages in email inbox or text-to-speech services are messaging applications, translation emerging. Processing of electronic services, and services that enable communication content might be more inclusion for persons with necessary also for some disabilities such as text-to-speech functionalities used normally in services. Therefore, as regards the services for individual use, such processing of electronic as searching and organising the communications data for the messages in email or messaging specific delivery of services applications. Therefore, as regards expressly requested by the user for the processing of electronic their own individual use, consent communications content for should not be required. Processing services requested by the end- of electronic communications data user for their own individual use, should be allowed to the extent consent should only be requested necessary for the provision of the required from the end-user requested functionalities. It also requesting the service taking into precludes the provider from account that the processing processing this data for other should not adversely affect purposes. Users shall have the fundamental rights and interest of right to stop and object to the another end-user concerned. processing at any given time via Processing of electronic easily accessible settings. Once an communications data should be end-user has objected to the allowed with the prior consent of processing of electronic the end-user concerned and to the communications data for these extent necessary for the provision services and functionality, the of the requested functionalities. processing cannot take place unless the users consent to renew the use.

Explanation: It is important to ensure that such processing shall be limited to specific purposes requested by the user. (16c) Providers of electronic (16c) Providers of electronic communications services may, for communications services may, for example, obtain the consent of the example, obtain the consent of the end-user for the processing of end-user for the processing of electronic communications data, at electronic communications data, at the time of the conclusion of the the time of the conclusion of the contract, and any moment in time contract, and any moment in time thereafter. In some cases, the legal thereafter as long as the conditions person having subscribed to the for consent set forth under electronic communications service Regulation (EU) 2016/679 are may allow a natural person, such respected. as an employee, to make use of the service in accordance with Regulation 2016/679. (17) The processing of electronic (17) The processing of electronic (17) The processing of electronic (17) The processing of electronic communications data can be useful communications data can be useful communications data can be useful communications data can be useful for for businesses, consumers and for businesses, consumers and for businesses, consumers and businesses, consumers and society as society as a whole. Vis-à-vis Directive society as a whole. Vis-à-vis society as a whole. Vis-à-vis Directive a whole. Vis-à-vis Directive 2002/58/EC, this Regulation Directive 2002/58/EC, this 2002/58/EC, this Regulation 2002/58/EC, this Regulation broadens broadens the possibilities for Regulation broadens the broadens the possibilities for the possibilities for providers of providers of electronic possibilities for providers of providers of electronic electronic communications services to communications services to process electronic communications communications services to process process electronic communications electronic communications metadata, services to process electronic electronic communications metadata. metadata, based on end-users based on end-users consent. communications metadata, based However, end-users attach great consent. However, end-users attach However, end-users attach great on end-users consent. importance to the confidentiality of great importance to the confidentiality importance to the confidentiality of However, end-users attach great their communications, including their of their communications, including their communications, including their importance to the confidentiality of online activities, and they also want their online activities, and that they online activities, and that they want to their communications, including their to control the use of electronic want to control the use of electronic control the use of electronic online activities, and that they want to communications metadata for communications data for purposes communications data for purposes control the use of electronic purposes other than conveying the other than conveying the other than conveying the communications data for purposes communication. Therefore, this communication. Therefore, this communication. Therefore, this other than conveying the Regulation should require providers Regulation should require providers of Regulation should require providers communication. Therefore, this of electronic communications electronic communications networks of electronic communications Regulation should require providers networks and services to obtain and services to obtain end-users' services to obtain end-users' consent of electronic communications should be permitted to process consent to process electronic to process electronic communications services to obtain end-users' electronic communications communications metadata, which metadata, which should include data consent to process electronic metadata after having obtained the should include data on the location of on the location of the device communications metadata, which end-users' consent to process the device generated for the purposes generated for the purposes of should include data on the location of electronic communications of granting and maintaining access granting and maintaining access and the device generated for the metadata, which should include and connection to the service. connection to the service. Location purposes of granting and maintaining data on the location of the device Location data that is generated other data that is generated other than in access and connection to the service. generated for the purposes of than in the context of providing the context of providing electronic Location data that is generated other granting and maintaining access electronic communications services communications services should not than in the context of providing and connection to the service. should not be considered as be considered as metadata. electronic communications services Location data that is generated metadata. Examples of commercial Examples of commercial usages of should not be considered as other than in the context of usages of electronic communications electronic communications metadata metadata. Examples of commercial providing electronic metadata by providers of electronic by providers of electronic usages of electronic communications services should communications services may include communications services may include communications metadata by not be considered as metadata. In the provision of heatmaps; a graphical the provision of heatmaps; a providers of electronic addition, those providers should representation of data using colors to graphical representation of data using communications services may be permitted to process an end- indicate the presence of individuals. colors to indicate the presence of include the provision of heatmaps; user’s electronic communications To display the traffic movements in individuals. To display the traffic a graphical representation of data metadata where it is necessary for certain directions during a certain movements in certain directions using colors to indicate the the provision of an electronic period of time, an identifier is during a certain period of time, an presence of individuals. To display communications service based on necessary to link the positions of identifier is necessary to link the the traffic movements in certain a contract with that end-user and individuals at certain time intervals. positions of individuals at certain time directions during a certain period for billing related to that contract. a non-persistent identifier linking intervals. This identifier would be of time, an identifier is necessary Examples of commercial usages of the positions of individuals may missing if anonymous data were to be to link the positions of individuals electronic communications metadata only be used for the purpose of used and such movement could not at certain time intervals. This by providers of electronic statistical counting which must be be displayed. Such usage of identifier would be missing if communications services may include limited in time and space. would electronic communications metadata anonymous data were to be used the provision of heat maps; a be missing if anonymous data were could, for example, benefit public and such movement could not be graphical representation of data using to be used and such movement authorities and public transport displayed. Such usage of colours to indicate the presence of could not be displayed. Such operators to define where to develop electronic communications individuals. To display the traffic uUsage of electronic communications new infrastructure, based on the metadata could, for example, movements in certain directions metadata could, for example, benefit usage of and pressure on the existing benefit public authorities and during a certain period of time, an public authorities and public transport structure. Where a type of processing public transport operators to identifier is necessary to link the operators to define where to develop of electronic communications define where to develop new positions of individuals at certain time new infrastructure, based on the metadata, in particular using new infrastructure, based on the usage intervals. This identifier would be usage of and pressure on the existing technologies, and taking into account of and pressure on the existing missing if anonymous data were to be structure. Where a type and scale of the nature, scope, context and structure. Where a type of used and such movement could not processing of electronic purposes of the processing, is likely processing of electronic be displayed. Such usage of communications metadata, in to result in a high risk to the rights communications metadata, in electronic communications metadata particular using new technologies, and and freedoms of natural persons, a particular using new technologies, could, for example, benefit public taking into account the nature, scope, data protection impact assessment and taking into account the nature, authorities and public transport context and purposes of the and, as the case may be, a scope, context and purposes of the operators to define where to develop processing, is likely to result in a high consultation of the supervisory processing, is likely to result in a high new infrastructure, based on the risk to the rights and freedoms of authority should take place prior to risk to the rights and freedoms of usage of and pressure on the existing natural persons, a data protection the processing, in accordance with natural persons, a data protection structure. Where a type of processing impact assessment and, as the case Articles 35 and 36 of Regulation (EU) impact assessment and, as the case of electronic communications may be, a consultation of the 2016/679. may be, a consultation of the metadata, in particular using new supervisory authority should take supervisory authority should take technologies, and taking into account place prior to the processing, in place prior to the processing, in the nature, scope, context and accordance with Articles 35 and 36 of accordance with Articles 35 and 36 of purposes of the processing, is likely Regulation (EU) 2016/679. Regulation (EU) 2016/679. to result in a high risk to the rights and freedoms of natural persons, a data protection impact assessment and, as the case may be, a consultation of the supervisory authority should take place prior to the processing, in accordance with Articles 35 and 36 of Regulation (EU) 2016/679. (17 a) Examples of commercial Deleted, included in recital 17. usages of electronic communications metadata by providers of electronic communications services may include the provision of heatmaps; a graphical representation of data using colors to indicate the presence of individuals. To display the traffic movements in certain directions during a certain period of time, an identifier is necessary to link the positions of individuals at certain time intervals. This identifier would be missing if anonymous data were to be used and such movement could not be displayed. Such usage of electronic communications metadata could, for example, benefit public authorities and public transport operators to define where to develop new infrastructure, based on the usage of and pressure on the existing structure. (17aa) Further processing for Delete. We reject the addition of a purposes other than for which the possibility to further process metadata metadata where initially collected under this Regulation. may take place without the As noted, this Regulation already consent of the end-users clarifies and provides more concerned, provided that such opportunity for the processing of processing is compatible with the communications content and purpose for which the metadata metadata for providers. Further are initially collected, certain opportunities for processing, in additional conditions and particular ones where the end-users safeguards set out by this would not be able to consent to such Regulation are complied with, processing would erode the objective including the requirement to of this Regulation and the right it genuinely anonymise the result seeks to protect. before sharing the analysis with third parties. As end-users attach great value to the confidentiality of their communications, including their physical movements, such data cannot be used to determine the nature or characteristics on an end-user or to build a profile of an end-user, in order to, for example, avoid that the data is used for segmentation purposes, to monitor the behaviour of a specific end-user or to draw conclusions concerning the private life of an end-user. For the same reason, the end-user must be provided with information about these processing activities taking place and given the right to object to such processing. (17a) The processing of electronic (17a) The processing of electronic communications metadata should communications metadata should also be regarded to be permitted also be regarded to be permitted where it is necessary in order to where it is necessary to protect an protect an interest which is interest which is essential for the essential for the life of the end- life of the end-user who is a natural users who are natural persons or person or that of another natural that of another natural person. person. Processing of electronic Processing of electronic communications metadata of end- communications metadata for the users for the protection of the vital protection of vital interests of the interest of another natural person end-user may include for instance should in principle take place only processing necessary for where the processing cannot be humanitarian purposes, including manifestly based on another legal for monitoring epidemics and their basis and where the protection of spread or in humanitarian such interests cannot be ensured emergencies, in particular natural without that processing. Some and man-made disasters. types of processing may serve Processing of electronic both important grounds of public communications metadata of an interest and the vital interests of end-user for the protection of the the end user as for instance when vital interest of an end-user who is processing is necessary for a natural person should in humanitarian purposes, including principle take place only where the for monitoring epidemics and their processing cannot be manifestly spread or in situations of based on another legal basis and humanitarian emergencies, in where the protection of such particular in situations of natural interests cannot be ensured and man-made disasters. without that processing. Explanation: Alignment with recital 46 of the GDPR for legal certainty, using electronic communications metadata in lieu of personal data, and end-user who is a natural person in lieu of data subject.

(17b) Processing of electronic Deleted. communication metadata for scientific research or statistical purposes could also be considered to be permitted processing. This type of processing should be subject to safeguards to ensure privacy of the end-users by employing appropriate security measures such as encryption and pseudonymisation. In addition, end-users who are natural persons should be given the right to object. Processing for statistical counting and scientific purposes should only result in aggregated data, and not be used in support of measures or decisions regarding any particular natural person. In particular, such data should not be used to determine the nature or characteristics of an end-user, to build an individual profile or to draw conclusions concerning an end-user private life. Such usage of electronic communications metadata could, for example, benefit public authorities and public transport operators to define where to develop new infrastructure, based on the usage of and pressure on the existing structure. Such usage should also include processing that is necessary for the development, production and dissemination of official national or European statistics in accordance with national or Union law, to the extent necessary for this purpose. (18) End-users may consent to the (18) The user or end-users may (18) End-users may consent to the (18) End-users may consent to the processing of their metadata to consent to the processing of their processing of their metadata to processing of their metadata to receive specific services such as metadata to receive specific services receive specific services such as receive specific services such as protection services against fraudulent such as protection services against protection services against fraudulent protection services against fraudulent activities (by analysing usage data, fraudulent activities (by analysing activities (by analysing usage data, activities (by analysing usage data, location and customer account in real usage data, location and customer location and customer account in real location and customer account in real time). In the digital economy, services account in real time). In the digital time). In the digital economy, services time). In the digital economy, services are often supplied against counter- economy, services are often supplied are often supplied against counter- are often supplied against counter- performance other than money, for against counter-performance other performance other than money, for performance other than money, for instance by end-users being exposed than money, for instance by end- instance by end-users being exposed instance by end-users being exposed to advertisements. For the purposes users being exposed to to advertisements. For the purposes to advertisements. For the purposes of of this Regulation, consent of an end- advertisements. For the purposes of of this Regulation, consent of an end- this Regulation, consent of an end- user, regardless of whether the latter this Regulation, consent of a an user, regardless of whether the latter user, regardless of whether the latter is a natural or a legal person, should end-user, regardless of whether is a natural or a legal person, should is a natural or a legal person, should have the same meaning and be the latter is a natural or a legal have the same meaning and be have the same meaning and be subject to the same conditions as the person, should have the same subject to the same conditions as the subject to the same conditions as the data subject's consent under meaning and be subject to the same data subject's consent under data subject's consent under Regulation (EU) 2016/679. Basic conditions as the data subject's Regulation (EU) 2016/679. Basic Regulation (EU) 2016/679. Basic broadband internet access and voice consent under Regulation (EU) broadband internet access and voice broadband internet access and voice communications services are to be 2016/679. Basic broadband internet communications services are to be communications services are to be considered as essential services for access and voice communications considered as essential services for considered as essential services for individuals to be able to communicate services are to be considered as individuals to be able to communicate individuals to be able to communicate and participate to the benefits of the essential services for individuals to be and participate to the benefits of the and participate to the benefits of the digital economy. Consent for able to communicate and participate digital economy. Consent for digital economy. Consent for processing data from internet or voice to the benefits of the digital economy. processing electronic processing electronic communication usage will not be valid Consent for processing data from communications data from internet communications data from internet if the data subject has no genuine internet or voice communication or voice communication usage will not or voice communication usage will not and free choice, or is unable to refuse usage will not be valid if the data be valid if the data subject end-user be valid if the data subject or end- or withdraw consent without subject has no genuine and free has no genuine and free choice or is user has no genuine and free choice detriment. choice, or is unable to refuse or unable to refuse or withdraw consent or is unable to refuse or withdraw withdraw consent without detriment. without detriment. consent without detriment. Consent Consent should not be considered should not be considered as freely as freely given if it is required to given if it is required to access a access any service or obtained service, including when the through repetitive requests. In alternative is to pay for an order to prevent such abusive otherwise free service, or if it is requests, users should be able to obtained through repetitive order service providers to requests. In order to prevent such remember their choice not to abusive requests, users should be consent and to adhere to technical able to order service providers to specifications signalling not to remember their choice not to consent, withdrawal of consent, or consent and to adhere to technical an objection. specifications signalling not to consent, withdrawal of consent, or an objection. (19) The content of electronic (19) The content of electronic (19) Third parties are legal or (19) The content of electronic communications pertains to the communications pertains to the natural person that do not provide communications pertains to the essence of the fundamental right to essence of the fundamental right to an electronic communications essence of the fundamental right to respect for private and family life, respect for private and family life, service to the end-user concerned. respect for private and family life, home and communications protected home and communications protected However, sometimes the same home and communications protected under Article 7 of the Charter. Any under Article 7 of the Charter. Any legal or natural person can also under Article 7 of the Charter. Any interference with the content of interference with the processing of provide different kind of services interference with processing of the electronic communications should be content data of electronic to the same end-user, for example content of electronic communications allowed only under very clear defined communications should be allowed information society service such should be allowed only under very conditions, for specific purposes and only under very clear defined as cloud storage. With respect to clear defined conditions, for specific be subject to adequate safeguards conditions, for specific purposes and the provision of this other service, purposes and be subject to adequate against abuse. This Regulation be subject to adequate safeguards the same legal person is normally safeguards against abuse. This provides for the possibility of against abuse. This Regulation deemed to be a third party. If the Regulation provides for the possibility providers of electronic provides for the possibility of other service is necessary for the of providers of electronic communications services to process providers of electronic provision of the electronic communications services to process electronic communications data in communications services to process communication service, such as electronic communications data in transit, with the informed consent of electronic communications data in automatic storage of the messages transit, with the informed consent of all all the end-users concerned. For transit, with the informed consent of in the cloud by web-based email, the end-users concerned. For example, providers may offer all the end-users concerned. For the provider of such a service example, providers may offer services services that entail the scanning of example, providers may offer normally is not deemed to be a that entail the scanning of emails to emails to remove certain pre-defined services that entail the scanning of third party. The content of electronic remove certain pre-defined material. material. Given the sensitivity of the emails to remove certain pre-defined communications pertains to the Given the sensitivity of the content of content of communications, this material. Given the sensitivity of the essence of the fundamental right to communications, this Regulation sets Regulation sets forth a presumption content of communications, this respect for private and family life, forth a presumption that the that the processing of such content Regulation sets forth a presumption home and communications protected processing of such content data will data will result in high risks to the that the processing of such content under Article 7 of the Charter. Any result in high risks to the rights and rights and freedoms of natural data will result in high risks to the interference with the content of freedoms of natural persons. When persons. When processing such type rights and freedoms of natural electronic communications should be processing such type of data, the of data, the provider of the electronic persons. When processing such type allowed only under very clear defined provider of the electronic communications service should of data, the provider of the electronic conditions, for specific purposes and communications service should always consult the supervisory communications service should be subject to adequate safeguards always consult the supervisory authority prior to the processing. always carry out an impact against abuse. This Regulation authority prior to the processing. Such Such consultation should be in assessment as provided for in provides for the possibility of consultation should be in accordance accordance with Article 36 (2) and (3) Regulation (EU) 2016/679 and if providers of electronic with Article 36 (2) and (3) of of Regulation (EU) 2016/679. The necessary under that Regulation, communications services to process Regulation (EU) 2016/679. The presumption does not encompass the consult the supervisory authority prior electronic communications data in presumption does not encompass the processing of content data to provide to the processing. Such transit, with the informed consent of processing of content data to provide a service requested by the end-user consultation should be in all the end-users concerned. For a service explicitly requested by the where the end-user has consented to accordance with Article 36 (2) and example, providers may offer services end-user, where the end-user has such processing and it is carried out (3) of Regulation (EU) 2016/679. that entail the scanning of emails to consented to such processing and it is for the purposes and duration strictly The presumption does not remove certain pre-defined material. carried out for the purposes and necessary and proportionate for such encompass the processing of Given the sensitivity of the content of duration strictly necessary and service. After electronic content data to provide a service communications, this Regulation sets proportionate for such service. After communications content has been requested by the end-user where forth a presumption that the electronic communications content sent by the end-user and received by the end-user has consented to processing of such content data will has been sent by the end-user and the intended end-user or end-users, it such processing and it is carried result in high risks to the rights and received by the intended end-user or may be recorded or stored by the out for the purposes and duration freedoms of natural persons. When end-users, it may be recorded or end-user, end-users or by a third strictly necessary and processing such type of data, the stored by the end-user, end-users or party entrusted by them to record or proportionate for such service. provider of the electronic by a third party entrusted by them to store such data. Any processing of After electronic communications communications service should record or store such data, which such data must comply with content has been sent by the end- always consult the supervisory could be the electronic Regulation (EU) 2016/679. user and received by the intended authority prior to the processing. Such communications service provider. end-user or end-users, it may be consultation should be in accordance Any processing of such stored recorded or stored by the end-user, with Article 36 (2) and (3) of communications data where the end-users or by a third party Regulation (EU) 2016/679. The data is stored on behalf of the user entrusted by them to record or store presumption does not encompass the must comply with this Regulation. such data, which could be the processing of content data to provide The end-user may further process electronic communications service a service requested by the end-user the data and if it contains personal provider. Any processing of such where the end-user has consented to data, must comply with Regulation stored communications data such processing and it is carried out (EU) 2016/679. where the data is stored on behalf for the purposes and duration strictly of the user must comply with this necessary and proportionate for such Regulation. The user may further service. After electronic process the data and if it contains communications content has been personal data, must comply with sent by the end-user and received by Regulation (EU) 2016/679. the intended end-user or end-users, it may be recorded or stored by the end-user, end-users or by a third party entrusted by them to record or store such data. Any processing of such data must comply with Regulation (EU) 2016/679. (19 a) It should be possible to Deleted. See recital 16b which covers process electronic the same issue. communications data for the purposes of providing services explicitly requested by a user for personal or personal work-related purposes such as search or keyword indexing functionality, virtual assistants, text-to-speech engines and translation services, including picture-to-voice or other automated content processing used as accessibility tools by persons with disabilities. This should be possible without the consent of all users but may take place with the consent of the user requesting the service. Such consent also precludes the provider from processing those data for other purposes. (19 b) Interference with the Deleted. See recital 17b which covers confidentiality of metadata or the same issue. interference with the protection of information stored in and related to end-users’ terminal equipment can only be regarded to be lawful where it is strictly necessary and proportionate to protect an interest which is essential for the life of the data subject or that of another natural person. Such interference based on the vital interest of another natural person should take place only in a specific case and where the processing cannot be manifestly based on another legal basis. (20) Terminal equipment of end- (20) Terminal equipment of end- (20) Terminal equipment of end-users (20) Terminal equipment of end-users users of electronic communications users of electronic communications of electronic communications of electronic communications networks and any information relating networks and any information relating networks and any information relating networks and any information relating to the usage of such terminal to the usage of such terminal to the usage of such terminal to the usage of such terminal equipment, whether in particular is equipment, whether in particular is equipment, in particular where such equipment, in particular where such stored in or emitted by such stored in or emitted by such information is processed by, stored information is processed by, stored equipment, requested from or equipment, requested from or in, emitted collected from such in, emitted, collected from such processed in order to enable it to processed in order to enable it to equipment, or where information is equipment, or where information is connect to another device and or connect to another device and or collected requested from it or collected requested from it or network equipment, are part of the network equipment, are part of the processed in order to enable it to processed in order to enable it to private sphere of the end-users private sphere of the end-users connect to another device and or connect to another device and or requiring protection under the Charter requiring protection under the Charter network equipment, are part of the network equipment, are part of the of Fundamental Rights of the of Fundamental Rights of the end-user's private sphere of the end-user's private sphere of the end- European Union and the European European Union and the European end-users requiring, including the users requiring, including the Convention for the Protection of Convention for the Protection of privacy of one’s communications, privacy of one’s communications, Human Rights and Fundamental Human Rights and Fundamental and require protection in and require protection in accordance Freedoms. Given that such Freedoms. Given that such accordance with the Charter of with the Charter of Fundamental equipment contains or processes equipment contains or processes Fundamental Rights of the European Rights of the European Union and the information that may reveal details of information very sensitive data that Union and the European European Convention for the an individual's emotional, political, may reveal details of an individual's Convention for the Protection of Protection of Human Rights and social complexities, including the the behaviour, psychological Human Rights and Fundamental Fundamental Freedoms. Given that content of communications, pictures, features, emotional condition and Freedoms. Given that such such equipment contains or processes the location of individuals by political and social complexities equipment contains or processes information very sensitive data that accessing the device’s GPS preferences of an individual, information that may reveal details of may reveal details of an individual's capabilities, contact lists, and other including the content of an individual's emotional, political, the behaviour, psychological information already stored in the communications, pictures, the social complexities, including the features, emotional condition and device, the information related to location of individuals by accessing content of communications, pictures, political and social complexities such equipment requires enhanced the device’s GPS capabilities of the the location of individuals by preferences of an individual, privacy protection. Furthermore, the device, contact lists, and other accessing the device’s GPS including the content of so-called spyware, web bugs, hidden information already stored in the capabilities, contact lists, and other communications, pictures, the location identifiers, tracking cookies and other device, the information related to information already stored in the of individuals by accessing the similar unwanted tracking tools can such equipment requires enhanced device, the information related to device’s GPS capabilities of the enter end-user's terminal equipment privacy protection. Furthermore, the such equipment requires enhanced device, contact lists, and other without their knowledge in order to so-called spyware, web bugs, privacy protection. Furthermore, the information already stored in the gain access to information, to store hidden identifiers, tracking so-called spyware, web bugs, hidden device, the information related to such hidden information and to trace the cookies and other similar identifiers, tracking cookies and other equipment requires enhanced privacy activities. Information related to the unwanted tracking tools can enter similar unwanted tracking tools can protection. Furthermore, the so-called end-user’s device may also be end-user's terminal equipment enter end-user's terminal equipment spyware, web bugs, hidden identifiers, collected remotely for the purpose of without their knowledge in order to without their knowledge in order to tracking cookies and other similar identification and tracking, using gain access to information, to gain access to information, to store unwanted tracking tools can often techniques such as the so-called store hidden information and to hidden information and to trace the currently enter end-user's terminal ‘device fingerprinting’, often without trace the activities. Information activities. Information related to the equipment without their knowledge in the knowledge of the end-user, and related to the end-user’s device may end-user’s device may also be order to gain access to information, to may seriously intrude upon the also be collected remotely for the collected remotely for the purpose of store hidden information and to trace privacy of these end-users. purpose of identification and tracking, identification and tracking, using the activities. Information related to Techniques that surreptitiously using techniques such as the so- techniques such as the so-called the end-user’s device may also be monitor the actions of end-users, for called ‘device fingerprinting’, often ‘device fingerprinting’, often without collected remotely for the purpose of example by tracking their activities without the knowledge of the end- the knowledge of the end-user, and identification and tracking, using online or the location of their terminal user, and may seriously intrude upon may seriously intrude upon the techniques such as the so-called equipment, or subvert the operation the privacy of these end-users. privacy of these end-users. ‘device fingerprinting’, often without of the end-users’ terminal equipment Furthermore, so-called spyware, Techniques that surreptitiously the knowledge of the end-user, and pose a serious threat to the privacy of web bugs, hidden identifiers and monitor the actions of end-users, for may seriously intrude upon the privacy end-users. Therefore, any such unwanted tracking tools can enter example by tracking their activities of these end-users.Techniques that interference with the end-user's users' terminal equipment without online or the location of their terminal surreptitiously monitor the actions of terminal equipment should be allowed their knowledge in order to gain equipment, or subvert the operation end-users, for example by tracking only with the end-user's consent and access to information or to store of the end-users’ terminal equipment their activities online or the location of for specific and transparent purposes. hidden information, to process pose a serious threat to the privacy of their terminal equipment, or subvert data and use input and output end-users. Therefore, any such the operation of the end-users’ functionalities such as sensors, interference with the use of terminal equipment pose a serious and to trace the activities. processing and storage threat to the privacy of end-users. Techniques that surreptitiously capabilities and the collection of This Regulation seeks to address monitor the actions of end-users, for information from end-user's terminal these unlawful practices. Therefore, example by tracking their activities equipment should be allowed only any such interference with the end- online or the location of their terminal with the end-user's consent and or for user's terminal equipment should be equipment, or subvert the operation other specific and transparent allowed only with the end-user's of the end-users’ terminal equipment purposes as laid down in this consent and for specific and pose a serious threat to the privacy of Regulation. The information transparent purposes laid down in end-users. Therefore, any such collected from end-user’s terminal this Regulation. Users should interference with the end-user's equipment can often contain receive all relevant information terminal equipment should be allowed personal data. about the intended processing in only with the end- user's consent clear and easily understandable and for specific and transparent language. Such information should purposes. Users should receive all be provided separately from the relevant information about the terms and conditions of the intended processing in clear and service. easily understandable language. Such information should be provided separately from the terms and conditions of the service. (20aa) In light of the principle of Delete. We reject the addition of a purpose limitation laid down in possibility to further process metadata Article 5 (1) (b) of Regulation (EU) under this Regulation in light of the 2016/679, it should be possible to limitation in Article 8(2) of the EU process in accordance with this Charter of Fundamental Rights. Regulation data collected from the As noted, this Regulation already end-user's terminal equipment for clarifies and provides more purposes compatible with the opportunity for the processing of purpose for which it was collected communications content and from the end-user’s terminal metadata for providers. Further equipment. opportunities for processing, in particular ones where the end-users would not be able to consent to such processing would erode the objective of this Regulation and the right it seeks to protect. (20aaa) The responsibility for (20aaa) The responsibility for obtaining consent for the storage obtaining consent lies on the entity of a cookie or similar identifier lies that makes use of processing and on the entity that makes use of storage capabilities of terminal processing and storage equipment or collects information capabilities of terminal equipment from end-users’ terminal or collects information from end- equipment, such as an information users’ terminal equipment, such as society service provider or ad an information society service network provider. Such entities provider or ad network provider. may request another party to Such entities may request another obtain consent on their behalf. party to obtain consent on their behalf. The end-user's consent to storage of a cookie or similar identifier may also entail consent for the subsequent readings of the cookie in the context of a revisit to the same website domain initially visited by the end-user. (20aaaa) In contrast to access to (20aaaa) To the extent that use is website content provided against made of processing and storage monetary payment, where access capabilities of terminal equipment is provided without direct and information from end-users’ monetary payment and is made terminal equipment is collected for dependent on the consent of the other purposes than for what is end-user to the storage and necessary for the purpose of reading of cookies for additional providing an electronic purposes, requiring such consent communication service or for the would normally not be considered provision of the service requested, as depriving the end-user of a consent should be required. In genuine choice if the end-user is such a scenario, consent should be able to choose between services, given by the end-user who on the basis of clear, precise and requests the service from the user-friendly information about the provider of the service. However, purposes of cookies and similar making access to website content techniques, between an offer that dependent on consent is includes consenting to the use of considered to deprive the end-user cookies for additional purposes on of a genuine choice and does not the one hand, and an equivalent therefore constitute a valid offer by the same provider that consent. does not involve consenting to data use for additional purposes, on the other hand. Conversely, in some cases, making access to website content dependent on consent to the use of such cookies may be considered, in the presence of a clear imbalance between the end-user and the service provider as depriving the end-user of a genuine choice. This would normally be the case for websites providing certain services, such as those provided by public authorities. Similarly, such imbalance could exist where the end-user has only few or no alternatives to the service, and thus has no real choice as to the usage of cookies for instance in case of service providers in a dominant position. To the extent that use is made of processing and storage capabilities of terminal equipment and information from end-users’ terminal equipment is collected for other purposes than for what is necessary for the purpose of providing an electronic communication service or for the provision of the service requested, consent should be required. In such a scenario, consent should normally be given by the end-user who requests the service from the provider of the service. (20a) End-users are often (20a) End-users are often requested to provide consent to requested to provide consent to the the storage and access to stored storage and access to stored data data in their terminal equipment, in their terminal equipment, due to due to the ubiquitous use of the ubiquitous use of tracking tracking cookies and similar cookies and similar tracking tracking technologies. As a result, technologies. As a result, end- end-users may be overloaded with users may be overloaded with requests to provide consent. This requests to provide consent. This can lead to a situation where can lead to a situation where consent request information is no consent request information is no longer read and the protection longer read and the protection offered by consent is undermined. offered by consent is undermined. Implementation of technical means Implementation of technical means in electronic communications in electronic communications software to provide specific and software to provide specific and informed consent through informed consent, withdraw transparent and user-friendly consent and object to processing settings, can be useful to address of data through transparent and this issue. Where available and user-friendly settings, can be technically feasible, an end user useful to address this issue. An may therefore grant, through end user may therefore grant or software settings, consent to a withdraw consent or object specific provider for the use of processing through software processing and storage settings, to a specific provider or a capabilities of terminal equipment group of providers for the use of for one or multiple specific processing and storage capabilities purposes across one or more of terminal equipment for one or specific services of that provider. multiple specific purposes across For example, an end-user can give one or more specific services of consent to the use of certain types that provider. Providers of software of cookies by whitelisting one or are required to include settings in several providers for their their software which allows end- specified purposes. Providers of users, in a user friendly and software are encouraged to transparent manner, to manage include settings in their software specific consent, including to the which allows end-users, in a user storage and access to stored data friendly and transparent manner, in their terminal equipment. to manage consent to the storage and access to stored data in their terminal equipment by easily setting up and amending whitelists and withdrawing consent at any moment. In light of end-user’s self- determination, consent directly expressed by an end-user should always prevail over software settings. Any consent requested and given by an end-user to a service should be directly implemented, without any further delay, by the applications of the end user’s terminal. If the storage of information or the access of information already stored in the end-user’s terminal equipment is permitted, the same should apply. (21) Exceptions to the obligation to (21) Exceptions to the obligation to (21)Exceptions to the obligation to (21) Exceptions to the obligation to obtain consent to make use of the obtain consent to make use of the obtain consent to make Use of the obtain consent to make use of the processing and storage capabilities of processing and storage capabilities of processing and storage capabilities of processing and storage capabilities of terminal equipment or to access terminal equipment or to access terminal equipment or access to terminal equipment or to access information stored in terminal information stored in terminal information stored in terminal information stored in terminal equipment should be limited to equipment should be limited to equipment without the consent of equipment should be limited to situations that involve no, or only very situations that involve no, or only very the end-user should be limited to situations that involve no, or only very limited, intrusion of privacy. For limited, intrusion of privacy. For situations that involve no, or only very limited, intrusion of privacy. For instance, consent should not be instance, consent should not be limited, intrusion of privacy. For instance, consent should not be requested for authorizing the requested for authorizsing the instance, consent should not be requested for authorizsing the technical storage or access which is technical storage or access which is requested for authorizing the technical storage or access which is strictly necessary and proportionate strictly necessary and proportionate technical storage or access which is strictly necessary and proportionate for the legitimate purpose of enabling for the legitimate purpose of enabling necessary and proportionate for the for the legitimate purpose of the use of a specific service explicitly the use of a specific service explicitly legitimate purpose of enabling the enabling the use of providing a requested by the end-user. This may requested by the end-user. This may use of providing a specific service specific service explicitly requested by include the storing of cookies for the include the storing of information requested by the end-user. This may the end-user. This may include the duration of a single established (such as cookies and other include the storing of cookies for the storing of information (such as session on a website to keep track of identifiers) for the duration of a duration of a single established cookies and other identifiers) for the the end-user’s input when filling in single established session on a session on a website to keep track of duration of a single established online forms over several pages. website to keep track of the end- the end-user’s input when filling in session on a website to keep track of Cookies can also be a legitimate and user’s input when filling in online online forms over several pages, the end-user’s input when filling in useful tool, for example, in measuring forms over several pages. Cookies authentication session cookies online forms over several pages, web traffic to a website. Information Such techniques, if implemented used to verify the identity of end- authentication session cookies society providers that engage in with appropriate privacy users engaged in online used to verify the identity of end- configuration checking to provide the safeguards, can also be a legitimate transactions or cookies used to users engaged in online service in compliance with the end- and useful tool, for example, in remember items selected by the transactions or cookies used to user's settings and the mere logging measuring web traffic to a website. end-user and placed in shopping remember items selected by the of the fact that the end-user’s device Such measuring implies that the basket. In the area of IoT services end-user and placed in shopping is unable to receive content result of processing is not which rely on connected devices basket. In the area of IoT services requested by the end-user should not personal data, but aggregate data, (such as connected thermostats, which rely on connected devices constitute access to such a device or and that this result or the personal connected medical devices, smart (such as connected thermostats, use of the device processing data are not used in support of meters or automated and connected medical devices, smart capabilities. measures or decisions regarding connected vehicles), the use of the meters or automated and any particular natural person. processing and storage capacities connected vehicles), the use of the Information society providers that of those devices and access to processing and storage capacities could engage in configuration information stored therein should of those devices and access to checking in order to provide the not require consent to the extent information stored therein should service in compliance with the end- that such use or access is not require consent to the extent user's settings and the mere logging necessary for the provision of the that such use or access is of revealing the fact that the user’s service requested by the end-user. necessary for the provision of the device is unable to receive content For example, storing of information service requested by the end-user. requested by the end-user, should in or accessing information from a For example, storing of information not constitute illegitimate access to smart meter might be considered in or accessing information from a such a device, or use of the device as necessary for the provision of a smart meter might be considered processing capabilities for which requested energy supply service to as necessary for the provision of a consent is required. the extent the information stored requested energy supply service to and accessed is necessary for the the extent the information stored stability and security of the energy and accessed is necessary for the network or for the billing of the stability and security of the energy end-users' energy consumption. network or for the billing of the The same applies for instance to end-users' energy consumption. storing, processing or accessing The same applies for instance to of information from automated and storing, processing or accessing of connected vehicles for security information from automated and related software updates. connected vehicles for security Cookies can also be a legitimate related software updates. and useful tool, for example, in Cookies can also be a legitimate measuring web traffic to a website. and useful tool, for example, in Information society providers that measuring web traffic to a website. engage in configuration checking Information society providers that to provide the service in engage in configuration checking compliance with the end-user's to provide the service in settings and the mere logging of compliance with the end-user's the fact that the end-user’s device settings and the mere logging of is unable to receive content the fact that the end-user’s device requested by the end-user should is unable to receive content not constitute access to such a requested by the end-user should device or use of the device not constitute access to such a processing capabilities. device or use of the device processing capabilities. (21aa) In some cases the use of Deleted. processing and storage capabilities of terminal equipment and the collection of information from end-users' terminal equipment may also be necessary for providing a service, requested by the end-user, such as services provided in accordance with the freedom of expression and information including for journalistic purposes, e.g. online newspaper or other press publications as defined in Article 2 (4) of Directive (EU) 2019/790, that is wholly or mainly financed by advertising provided that, in addition, the end-user has been provided with clear, precise and user-friendly information about the purposes of cookies or similar techniques and has accepted such use. (21a) Cookies can also be a (21a) Cookies can also be a legitimate and useful tool, for legitimate and Tracking techniques example, in assessing the using the processing and storage effectiveness of a delivered capabilities of terminal equipment information society service, for and of information from end-users’ example of website design and terminal equipment, can also be a advertising or by helping to useful tool for example, in measure the numbers of end-users measuring web traffic to a website. visiting a website, certain pages of statistical counting of the number a website or the number of end- of users of an information society users of an application. This is not services if implemented with the case, however, regarding appropriate privacy safeguards and cookies and similar identifiers in line with the principles of used to determine the nature of Regulation (EU) 2016/679. That who is using the site, which always means for example that the result require the consent of the end- of such measuring is in aggregated user. Information society providers anonymised data, and that this that engage in configuration checking result or the underlying personal to provide the service in compliance data cannot be used in support of with the end-user's settings and the measures or decisions regarding mere logging of the fact that the end- any particular natural person. user’s device is unable to receive Information society providers that content requested by the end-user could engage in configuration should not constitute access to such checking in order to provide the a device or use of the device service in compliance with the end- processing capabilities. user's settings and the mere logging of the fact that the user’s device is unable to receive content requested by the end-user’s device should not constitute illegitimate access to such a device, or use of the device processing capabilities for which consent is required. (21b) Consent should not be (21b) Consent should not be necessary either when the purpose necessary either when the purpose of using the processing storage of using the processing storage capabilities of terminal equipment capabilities of terminal equipment is to fix security vulnerabilities and is to fix security vulnerabilities and other security bugs or for other security bugs or for software- software-updates for security updates for security reasons, reasons, provided that the end- provided that the end-user user concerned has been informed concerned has been informed prior prior to such updates, and to such updates, and provided that provided that such updates do not such updates do not in any way in any way change the change the functionality of the functionality of the hardware or hardware or software or the privacy software or the privacy settings settings chosen by the end-user chosen by the end-user and the and the end-user has the end-user has the possibility to possibility to postpone or turn off postpone or turn off the automatic the automatic installation of such installation of such updates. updates. Software updates that do Software updates that do not not exclusively have a security exclusively have a security purpose, for example those purpose, for example those intended to add new features to an intended to add new features to an application or improve its application or improve its performance, should not fall under performance, should not fall under this exception. this exception. (22) The methods used for providing (22) The methods used for providing Deleted. Deleted. See recital 20a which covers information and obtaining end-user's information and obtaining end-user's the same issue. consent should be as user-friendly as consent should be as user-friendly as possible. Given the ubiquitous use of possible. Given the ubiquitous use of tracking cookies and other tracking tracking cookies and other tracking techniques, end-users are techniques, end-users are increasingly requested to provide increasingly requested to provide consent to store such tracking consent to store such tracking cookies in their terminal equipment. cookies in their terminal equipment. As a result, end-users are overloaded As a result, end-users are with requests to provide consent. The overloaded with requests to provide use of technical means to provide consent. This Regulation should consent, for example, through prevent the use of so- called transparent and user-friendly settings, “cookie walls” and “cookie may address this problem. Therefore, banners” that do not help users to this Regulation should provide for the maintain control over their possibility to express consent by personal information and privacy using the appropriate settings of a or become informed about their browser or other application. The rights. The use of technical means to choices made by end-users when provide consent, for example, through establishing its general privacy transparent and user-friendly settings, settings of a browser or other may address this problem. Therefore, application should be binding on, and this Regulation should provide for the enforceable against, any third parties. possibility to express consent by Web browsers are a type of software technical specifications, for application that permits the retrieval instance by using the appropriate and presentation of information on settings of a browser or other the internet. Other types of application. Those settings should applications, such as the ones that include choices concerning the permit calling and messaging or storage of information on the provide route guidance, have also the user's terminal equipment as well same capabilities. Web browsers as a signal sent by the browser or mediate much of what occurs other application indicating the between the end-user and the user's preferences to other parties. website. From this perspective, they The choices made by end-users are in a privileged position to play an when establishing its the general active role to help the end-user to privacy settings of a browser or other control the flow of information to and application should be binding on, and from the terminal equipment. More enforceable against, any third parties. particularly web browsers may be Web browsers are a type of software used as gatekeepers, thus helping application that permits the retrieval end-users to prevent information from and presentation of information on their terminal equipment (for example the internet. Other types of smart phone, tablet or computer) from applications, such as the ones that being accessed or stored. permit calling and messaging or provide route guidance, have also the same capabilities. Web browsers mediate much of what occurs between the end-user and the website. From this perspective, they are in a privileged position to play an active role to help the end-user to control the flow of information to and from the terminal equipment. More particularly web browsers, or applications or operating systems may be used as gatekeepers the executor of a user's choices, thus helping end-users to prevent information from their terminal equipment (for example smart phone, tablet or computer) from being accessed or stored. (23) The principles of data protection (23) The principles of data protection Deleted. (23) The principles of data protection by design and by default were by design and by default were are by design and by default were are codified under Article 25 of codified under Article 25 of codified under Article 25 of Regulation Regulation (EU) 2016/679. Currently, Regulation (EU) 2016/679. Currently, (EU) 2016/679. However, currently, the default settings for cookies are the default settings for cookies are the default settings for cookies and set in most current browsers to set in most current browsers to other trackers are set in most current ‘accept all cookies’. Therefore ‘accept all cookies’. Therefore browsers to ‘accept all cookies’. providers of software enabling the providers of software enabling the Therefore providers of software retrieval and presentation of retrieval and presentation of enabling the retrieval and information on the internet should information on the internet should presentation of information on the have an obligation to configure the have an obligation to permitting internet should have an obligation software so that it offers the option to electronic communications (such to permitting electronic prevent third parties from storing as browsers, operating systems communications (such as information on the terminal and communication apps), browsers, operating systems and equipment; this is often presented as irrespective of whether the communication apps), irrespective ‘reject third party cookies’. End-users software is obtained separately or of whether the software is obtained should be offered a set of privacy bundled with hardware, shall separately or bundled with setting options, ranging from higher configure the software so that it hardware, shall configure the (for example, ‘never accept cookies’) offers the option to prevent third software so that it offers the option to lower (for example, ‘always accept parties from privacy is protected, to prevent third parties from cookies’) and intermediate (for the cross- domain tracking and the privacy is protected by default with example, ‘reject third party cookies’ or storing of information on the terminal all non-necessary cookies and ‘only accept first party cookies’). Such equipment this is is often trackers off and that the cross- privacy settings should be presented presented as ‘reject by third party domain and cross-devices tracking in an easily visible and intelligible cookies’ parties is prohibited by and the storing of information on the manner. default. In addition, providers of terminal equipment are prohibited such software are required to offer this is is often presented as ‘reject sufficiently granular options to by third party cookies’ parties. No consent to each distinct category consent is required for information of purposes. These distinct that is collected from end-users’ categories include, at least, the terminal equipment when it is following categories: (i) tracking strictly necessary for providing an for commercial purposes or for information society service direct marketing for non- requested by the end-user, for commercial purposes (behavioural example in order to adapt the advertising); (ii) tracking for screen size to the device, or to personalised content; (iii) tracking remember items in a shopping for analytical purposes; (iv) basket. Privacy settings should tracking of location data; (v) also include options to allow the providing personal data to third user to decide for example, whether parties (including providing multimedia players, interactive unique identifiers to match with programming language viewers, or personal data held by third parties) similar software can be executed, if No consent is required for a website can collect geo-location information that is collected from data from the user, or if it can end-users’ terminal equipment access specific hardware such as a when it is strictly necessary for webcam or microphone. End-users providing an information society should be offered a set of privacy service requested by the end-user, setting options, ranging from for example in order to adapt the higher (for example, ‘never accept screen size to the device, or to cookies’) to lower (for example, remember items in a shopping ‘always accept cookies’) and basket. Web browsers, operating intermediate (for example, ‘reject systems and communication apps third party cookies’ or ‘only accept should allow the end-user to first party cookies’). Such privacy consent to cookies or other settings should be presented in an information that is stored on, or easily visible and intelligible manner, read from terminal equipment and at the moment of installation or (including the browser on that first use, users should be informed equipment) by a specific website about the possibility to change the or originator even when the default privacy settings among the general settings prevent the various options. Information interference and vice versa. With provided should not dissuade regard to a specific party, web users from selecting higher privacy browsers and communication settings or dissuade users from apps should also allow users to modifying high privacy settings separately consent to internet- that would have been set by wide tracking. Privacy settings default. It should include relevant should also include options to information about the risks allow the user to decide for associated with allowing cross- example, whether multimedia domain trackers, including the players, interactive programming compilation of long-term records of language viewers, or similar individuals’ browsing histories and software can be executed, if a the use of such records to send website can collect geo-location targeted advertising or sharing with data from the user, or if it can more third parties. Software access specific hardware such as manufacturers should be required a webcam or microphone. End- to provide easy ways for users to users should be offered a set of change the privacy settings at any privacy setting options, ranging time during use and to allow the from higher (for example, ‘never user to make exceptions for or to accept cookies’) to lower (for specify for such services websites example, ‘always accept cookies’) trackers and cookies are always or and intermediate (for example, never allowed. ‘reject third party cookies’ or ‘only accept first party cookies’). Such privacy settings should be presented Explanation: We note that since the in an easily visible and intelligible proposal of the Regulation, the manner, and at the moment of situation around the use of cookies installation or first use, users and trackers have evolved and that should be informed about the companies, in particular browsers, are possibility to change the default rolling out changes that increasingly privacy settings among the limit the use of third-party cookies. various options. Information This recital and related language in provided should not dissuade Article 8 should therefore be re- users from selecting higher discussed by the negotiators to remain privacy settings and should technology neutral and reflect on include relevant information about these evolutions and provide for clear the risks associated to allowing rules on privacy by design and by cross-domain trackers, including default to guide these developments the compilation of long-term and ensure fairness in the EU single records of individuals’ browsing market. histories and the use of such records to send targeted advertising or sharing with more third parties. Software manufacturers should be required to provide easy ways for users to change the privacy settings at any time during use and to allow the user to make exceptions for or to specify for such services websites trackers and cookies are always or never allowed. (24) For web browsers to be able to Deleted. Deleted. Deleted, most issues are covered in obtain end-users’ consent as defined recital 23. under Regulation (EU) 2016/679, for example, to the storage of third party tracking cookies, they should, among others, require a clear affirmative action from the end-user of terminal equipment to signify his or her freely given, specific informed, and unambiguous agreement to the storage and access of such cookies in and from the terminal equipment. Such action may be considered to be affirmative, for example, if end-users are required to actively select ‘accept third party cookies’ to confirm their agreement and are given the necessary information to make the choice. To this end, it is necessary to require providers of software enabling access to internet that, at the moment of installation, end-users are informed about the possibility to choose the privacy settings among the various options and ask them to make a choice. Information provided should not dissuade end-users from selecting higher privacy settings and should include relevant information about the risks associated to allowing third party cookies to be stored in the computer, including the compilation of long-term records of individuals' browsing histories and the use of such records to send targeted advertising. Web browsers are encouraged to provide easy ways for end-users to change the privacy settings at any time during use and to allow the user to make exceptions for or to whitelist certain websites or to specify for which websites (third) party cookies are always or never allowed. (25) Accessing electronic (25) Accessing electronic (25) Accessing electronic (25) Accessing electronic communications networks requires communications networks requires communications networks requires communications networks requires the the regular emission of certain data the regular emission of certain data the regular emission of certain data regular emission of certain data packets in order to discover or packets in order to discover or packets in order to discover or packets in order to discover or maintain a connection with the maintain a connection with the maintain a connection with the maintain a connection with the network or other devices on the network or other devices on the network or other devices on the network or other devices on the network. Furthermore, devices must network. Furthermore, devices must network. Furthermore, devices must network. Furthermore, devices must have a unique address assigned in have a unique address assigned in have a unique address assigned in have a unique address assigned in order to be identifiable on that order to be identifiable on that order to be identifiable on that order to be identifiable on that network. network. network. network. Wireless and cellular telephone Wireless and cellular telephone Wireless and cellular telephone Wireless and cellular telephone standards similarly involve the standards similarly involve the standards similarly involve the standards similarly involve the emission of active signals containing emission of active signals containing emission of active signals containing emission of active signals containing unique identifiers such as a MAC unique identifiers such as a MAC unique identifiers such as a MAC unique identifiers such as a MAC address, the IMEI (International address, the IMEI (International address, the IMEI (International address, the IMEI (International Mobile Station Equipment Identity), Mobile Station Equipment Identity), Mobile Station Equipment Identity), Mobile Station Equipment Identity), the IMSI etc. A single wireless base the IMSI etc. A single wireless base the IMSI, the WiFi signal etc. A the IMSI, the WiFi signal etc. A single station (i.e. a transmitter and station (i.e. a transmitter and single wireless base station (i.e. a wireless base station (i.e. a transmitter receiver), such as a wireless access receiver), such as a wireless access transmitter and receiver), such as a and receiver), such as a wireless point, has a specific range within point, has a specific range within wireless access point, has a specific access point, has a specific range which such information may be which such information may be range within which such information within which such information may be captured. Service providers have captured. Service providers have may be captured. Service providers captured. Service providers have emerged who offer tracking services emerged who offer tracking services have emerged who offer physical emerged who offer tracking services based on the scanning of equipment based on the scanning of equipment movements' tracking services based based on the scanning of equipment related information with diverse related information with diverse on the scanning of equipment related related information with diverse functionalities, including people functionalities, including people information with diverse functionalities, including people counting, providing data on the counting, providing data on the functionalities, including people counting, providing data on the number of people waiting in line, number of people waiting in line, counting, including such as number of people waiting in line, ascertaining the number of people in ascertaining the number of people in providing data on the number of ascertaining the number of people in a a specific area, etc. This information a specific area, etc. This information people waiting in line, ascertaining specific area, etc. This information may be used for more intrusive may be used for more intrusive the number of people in a specific may be used for more intrusive purposes, such as to send purposes, such as to send area, etc referred to as statistical purposes, such as to send commercial commercial messages to end-users, commercial messages to end-users, counting for which the consent of messages to end-users, for example for example when they enter stores, for example when they enter stores, end-users is not needed, provided when they enter stores, with with personalized offers. While some with personalizsed offers. While that such counting is limited in personalizsed offers. While some of of these functionalities do not entail some of these functionalities do not time and space to the extent these functionalities do not entail high high privacy risks, others do, for entail high privacy risks, others do, for necessary for this purpose. privacy risks, others do, for example, example, those involving the tracking example, those involving the tracking Providers should also apply those involving the tracking of of individuals over time, including of individuals over time, including appropriate technical and individuals over time, including repeated visits to specified locations. repeated visits to specified locations. organisations measures to ensure repeated visits to specified locations. Providers engaged in such practices Providers engaged in such practices the level if security appropriate to Providers engaged in such practices should display prominent notices should display prominent notices the risks, including should display prominent notices located on the edge of the area of located on the edge of the area of pseudonymisation of the data and located on the edge of the area of coverage informing end-users prior to coverage informing end-users making it anonymous or erase it as coverage informing end-users prior to entering the defined area that the prior to entering the defined area soon it is not longer needed for entering the defined area that the technology is in operation within a that the technology is in operation this purpose. Providers engaged in technology is in operation within a given perimeter, the purpose of the within a given perimeter either such practices should display given perimeter to limit the tracking, the person responsible for it obtain the user's consent or prominent notices located on the processing to mere statistical and the existence of any measure the anonymise the data immediately edge of the area of coverage counting within a limited time and end-user of the terminal equipment while limiting the purpose of the informing end-users prior to entering space and offering effective opt-out can take to minimize or stop the tracking, the person responsible the defined area that the technology possibilities. the purpose of the collection. Additional information for it and the existence of any is in operation within a given tracking, the person responsible should be provided where personal measure the end-user of the perimeter, the purpose of the for it and the existence of any data are collected pursuant to Article terminal equipment can take to tracking, the person responsible for it measure the end-user of the 13 of Regulation (EU) 2016/679. minimize or stop the collection. and the existence of any measure the terminal equipment can take to Additional information should be end-user of the terminal equipment minimize or stop the collection. provided where personal data are can take to minimize or stop the Additional information should be collected pursuant to Article 13 of collection. Additional information provided where personal data are Regulation (EU) 2016/679. should be provided where personal collected pursuant to Article 13 of to mere statistical counting within data are collected pursuant to Article Regulation (EU) 2016/679. a limited time and space and 13 of Regulation (EU) 2016/679. This offering effective opt-out information may be used for more possibilities. intrusive purposes, which should not be considered statistical counting, such as to send commercial messages to end-users, for example when they enter stores, with personalized offers locations, subject to the conditions laid down in this Regulation, as well as the tracking of individuals over time, including repeated visits to specified locations. (25a) Processing the information (25a) Processing the information emitted by the terminal equipment emitted by the terminal equipment to enable it to connect to another to enable it to connect to another device would be permitted if the device would be permitted if the end-user has given consent or if it end-user has given consent or if it is necessary for the provision of a is necessary for the provision of a service requested by the end-user. service specifically requested by This kind of processing might be the end-user. This kind of necessary for example for the processing might be necessary for provision of some IoT related example for the provision of some services. IoT related services. (26) When the processing of (26) When the processing of (26) When the processing of (26) When the processing of electronic communications data by electronic communications data by electronic communications data by electronic communications data by providers of electronic providers of electronic providers of electronic providers of electronic communications services falls within communications services falls within communications services falls within communications services falls within its scope, this Regulation should its scope, this Regulation should its scope, this Regulation should its scope, this Regulation should provide for the possibility for the provide for the possibility for the provide for the possibility for the provide for the possibility for the Union Union or Member States under Union or Member States under Union or Member States under or Member States under specific specific conditions to restrict by law specific conditions to restrict by law specific conditions to restrict by law conditions to restrict by law certain certain obligations and rights when certain obligations and rights when certain obligations and rights, obligations and rights when such a such a restriction constitutes a such a restriction constitutes a including by way of derogations, restriction constitutes a necessary and necessary and proportionate necessary and proportionate when such a restriction constitutes a proportionate measure in a democratic measure in a democratic society to measure in a democratic society to necessary and proportionate measure society to safeguard specific public safeguard specific public interests, safeguard specific public interests, in a democratic society to safeguard interests, including national security, including national security, defence, including national security, defence, specific public interests, including defence, public security and the public security and the prevention, public security and the prevention, public security and the prevention, prevention, investigation, detection or investigation, detection or prosecution investigation, detection or prosecution investigation, detection or prosecution prosecution of criminal offences or the of criminal offences or the execution of criminal offences or the execution of criminal offences, or the execution execution of criminal penalties, of criminal penalties, including the of criminal penalties, including the of criminal penalties, including the including the safeguarding against and safeguarding against and the safeguarding against and the safeguarding against and the the prevention of threats to public prevention of threats to public prevention of threats to public prevention of threats to public security security and other important security and other important security and other important and other important objectives of objectives of general public objectives of general public interest of objectives of general public general public interest of the Union or interest of the Union or of a the Union or of a Member State, in interest of the Union or of a of a Member State, in particular an Member State, in particular an particular an important economic or Member State, in particular an important economic or financial important economic or financial financial interest of the Union or of a important economic or financial interest of the Union or of a Member interest of the Union or of a Member State, or a monitoring, interest of the Union or of a State, or a monitoring, inspection or Member State, or a monitoring, inspection or regulatory function Member State, or a monitoring, regulatory function connected to the inspection or regulatory function connected to the exercise of official inspection or regulatory function exercise of official authority for such connected to the exercise of official authority for such interests. connected to the exercise of interests. Therefore, this Regulation authority for such interests. Therefore, this Regulation should not official authority for such should not affect the ability of Therefore, this Regulation should not affect the ability of Member States to interests. Therefore, this Regulation Member States to carry out lawful affect the ability of Member States to carry out lawful interception of should not affect the ability of interception of electronic carry out lawful interception of electronic communications or take Member States to carry out lawful communications, including by electronic communications or take other measures, if necessary and interception of electronic requiring providers to enable and other measures, if necessary and proportionate to safeguard the public communications or take other assist competent authorities in proportionate to safeguard the public interests mentioned above, in measures, if necessary and carrying out lawful interceptions, interests mentioned above, in accordance with the Charter of proportionate to safeguard the public or take other measures, such as accordance with the Charter of Fundamental Rights of the European interests mentioned above, in legislative measures providing for Fundamental Rights of the European Union and the European Convention accordance with the Charter of the retention of data for a limited Union and the European Convention for the Protection of Human Rights Fundamental Rights of the European period of time, if necessary and for the Protection of Human Rights and Fundamental Freedoms, as Union and the European Convention proportionate to safeguard the public and Fundamental Freedoms, as interpreted by the Court of Justice of for the Protection of Human Rights interests mentioned above, in interpreted by the Court of Justice of the European Union and of the and Fundamental Freedoms, as accordance with the Charter of the European Union and of the European Court of Human Rights. interpreted by the Court of Justice of Fundamental Rights of the European European Court of Human Rights. Providers of electronic the European Union and of the Union and the European Convention Providers of electronic communications services should European Court of Human Rights. for the Protection of Human Rights communications services should provide for appropriate procedures to Providers of electronic and Fundamental Freedoms, as provide for appropriate procedures facilitate legitimate requests of communications services should interpreted by the Court of Justice of to facilitate legitimate requests of competent authorities, where relevant provide for appropriate the European Union and of the competent authorities, where also taking into account the role of procedures to facilitate legitimate European Court of Human Rights. relevant also taking into account the representative designated requests of competent authorities, Providers of electronic the role of the representative pursuant to Article 3(3). where relevant also taking into communications services should designated pursuant to Article 3(3). account the role of the provide for appropriate procedures to representative designated facilitate legitimate requests of pursuant to Article 3(3). competent authorities, where relevant also taking into account the role of the representative designated pursuant to Article 3(3). (26 a) In order to safeguard the (26 a) In order to safeguard the security and integrity of networks security and integrity of networks and services, the use of end-to- and services, the use of end-to-end end encryption should be encryption should be promoted promoted and, where necessary, and, where necessary, be be mandatory in accordance with mandatory in accordance with the the principles of security and principles of security and privacy privacy by design. Member States by design. Member States should should not impose any obligation not impose any obligation on on encryption providers, on encryption providers, on providers providers of electronic of electronic communications communications services or on services or on any other any other organisations (at any organisations (at any level of the level of the supply chain) that supply chain) that would result in would result in the weakening of the weakening of the security of the security of their networks and their networks and services, such services, such as the creation or as the creation or facilitation of facilitation of “backdoors”. “backdoors”. (27) As regards calling line (27) As regards calling line (27) As regards calling line No comment identification, it is necessary to identification, it is necessary to identification, it is necessary to protect the right of the calling party to protect the right of the calling party to protect the right of the calling party to withhold the presentation of the withhold the presentation of the withhold the presentation of the identification of the line from which identification of the line from which identification of the line from which the call is being made and the right of the call is being made and the right of the call is being made and the right of the called party to reject calls from the called party to reject calls from the called party to reject calls from unidentified lines. Certain end-users, unidentified lines. Certain end-users, unidentified lines. Certain end-users, in particular help lines, and similar in particular help lines, and similar in particular help lines, and similar organisations, have an interest in organisations, have an interest in organisations, have an interest in guaranteeing the anonymity of their guaranteeing the anonymity of their guaranteeing the anonymity of their callers. As regards connected line callers. As regards connected line callers. As regards connected line identification, it is necessary to identification, it is necessary to identification, it is necessary to protect the right and the legitimate protect the right and the legitimate protect the right and the legitimate interest of the called party to withhold interest of the called party to withhold interest of the called party to withhold the presentation of the identification the presentation of the identification the presentation of the identification of the line to which the calling party is of the line to which the calling party is of the line to which the calling party is actually connected. actually connected. actually connected. (28)There is justification for overriding (28)There is justification for overriding (28)There is justification for overriding No comment the elimination of calling line the elimination of calling line the elimination of calling line identification presentation in specific identification presentation in specific identification presentation in specific cases. cases. cases. End-users' rights to privacy with End-users' rights to privacy with End-users' rights to privacy with regard to calling line identification regard to calling line identification regard to calling line identification should be restricted where this is should be restricted where this is should be restricted where this is necessary to trace nuisance calls and necessary to trace nuisance calls and necessary to trace malicious or with regard to calling line with regard to calling line nuisance calls and with regard to identification and location data where identification and location data where calling line identification and location this is necessary to allow emergency this is necessary to allow emergency data where this is necessary to allow services, such as eCall, to carry out services, such as eCall, to carry out emergency services, such as eCall, to their tasks as effectively as possible. their tasks as effectively as possible. carry out their tasks as effectively as possible. Location information established by the terminal equipment, using its built-in Global Navigation Satellite Systems (GNSS) capabilities or other types of terminal equipment based location data, such as location data derived from the WiFi functionality, may supplement the location data supplied by providers of number-based interpersonal communications services when a call is made to emergency services. The temporary denial or absence of consent of an end-user to access location data provided by the terminal equipment GNSS, for example, because location settings are turned off, shall not prevent the transfer of such information to emergency services for the purposes of facilitating access to such services. Directive 2014/53/EU empowers the Commission to adopt delegated acts requiring that specific categories or classes of radio equipment support certain features ensuring access to emergency services. (29)Technology exists that enables (29)Technology exists that enables (29) Technology exists that enables No comment providers of electronic providers of electronic providers of electronic communications services to limit the communications services to limit the communications services to limit the reception of unwanted calls by end- reception of unwanted calls by end- reception of unwanted, malicious or users in different ways, including users in different ways, including nuisance calls by end-users in blocking silent calls and other blocking silent calls and other different ways, including blocking fraudulent and nuisance calls. fraudulent and nuisance calls. silent calls and other unwanted, Providers of publicly available Providers of publicly available malicious and nuisance calls, such number-based interpersonal number-based interpersonal as calls originating from invalid communications services should communications services should numbers, i.e. numbers that do not deploy this technology and protect deploy this technology and protect exist in the numbering plan, valid end-users against nuisance calls and end-users against nuisance calls and numbers that are not allocated to a free of charge. Providers should free of charge. Providers should provider of a number-based ensure that end-users are aware of ensure that end-users are aware of interpersonal communications the existence of such functionalities, the existence of such functionalities, service, and valid numbers that are for instance, by publicising the fact on for instance, by publicising the fact on allocated but not assigned to an their webpage. their webpage. end-user. Providers of number-based interpersonal communications services should deploy this technology and protect end-users against such calls free of charge. Providers should ensure that end- users are aware of the existence of such functionalities, for instance, by publicising the fact on their webpage. (30) Publicly available directories of (30) Publicly available directories of (30) Publicly available directories No comment end-users of electronic end-users of electronic means any directory or service communications services are widely communications services are widely containing information on end-users distributed. Publicly available distributed. Publicly available of number-based interpersonal directories means any directory or directories means any directory or communication services such as service containing end-users service containing end-users name, phone numbers (including information such as phone numbers information such as phone numbers mobile phone numbers), email (including mobile phone numbers), (including mobile phone numbers), address, home address and includes email address contact details and email address contact details and inquiry services, the main function includes inquiry services. The right to includes inquiry services. The right to of which is to enable to identify privacy and to protection of the privacy and to protection of the such end-users. End-users that are personal data of a natural person personal data of a natural person natural persons should be asked for requires that end-users that are requires that end-users that are consent before their personal data natural persons are asked for consent natural persons users are asked are included in a directory, unless before their personal data are for consent before their personal data Member States provide that such included in a directory. The legitimate are included in a directory. The end-users have the right to object interest of legal entities requires that legitimate interest of legal entities to inclusion of their personal data. end-users that are legal entities have requires that end-users that are legal The legitimate interest of legal the right to object to the data related entities have the right to object to the persons requires that end-users that to them being included in a directory. data related to them being included in are legal persons have the right to a directory. The consent should be object to the data related to them collected by the electronic being included in a directory. End- communications service provider users who are natural persons at the moment of signing the acting in a professional capacity contract for such service. Natural should be treated as legal persons persons acting in a professional for the purpose of the provisions capacity, such as independent on publicly available directories. professionals, operators of small businesses or freelancers, shall be equated with legal persons, as regards their data related to their professional capacity. (31) If end-users that are natural (31) If end-users that are natural (31) If end-users that are natural (31) If end-users that are natural persons give their consent to their persons users give their consent to persons give their consent to their persons give their consent to their data being included in such their data being included in such data being included in such data being included in such directories, they should be able to directories, they should be able to directories, they should be able to directories, they should be able to determine on a consent basis which determine on a consent basis which determine on a consent basis determine on a consent basis which categories of personal data are categories of personal data are which categories of personal data categories of personal data are included in the directory (for example included in the directory (for example are included in the directory (for included in the directory (for example name, email address, home address, name, email address, home address, example name, email address, name, email address, home address, user name, phone number). In user name, phone number). In home address, user name, phone user name, phone number). In addition, providers of publicly addition, electronic number). In addition, Providers of addition, providers of publicly available available directories should inform the communications service providers publicly available directories directories should inform the end- end-users of the purposes of the of publicly available directories number-based interpersonal users of the purposes of the directory directory and of the search functions should inform the end-users of the communications services should and of the search functions of the of the directory before including them purposes of the directory and of the inform the end-users who are natural directory before including them in that in that directory. End-users should be search functions of the directory persons of the purposes of the directory. End-users should be able to able to determine by consent on the before including them in that directory and of the search functions determine by consent on the basis of basis of which categories of personal directory. End-Users should be able of the directory and obtain their which categories of personal data their data their contact details can be to determine by consent on the basis consent before enabling such contact details can be searched. The searched. The categories of personal of which categories of personal data search functions related to their categories of personal data included in data included in the directory and the their contact details can be searched. personal data. including them in the directory and the categories of categories of personal data on the The categories of personal data that directory. End-users should personal data on the basis of which basis of which the end-user's contact included in the directory and the be able to determine by consent the end-user's contact details can be details can be searched should not categories of personal data on the on the basis of which categories of searched should not necessarily be necessarily be the same. basis of which the end-user's contact personal data their contact details the same. Since reverse searches of details can be searched should not can be searched. The categories of natural persons based on phone necessarily be the same. The personal data included in the numbers may be regarded as more providers or publicly available directory and the categories of intrusive than other searches, a directories shall provide personal data on the basis of which separate consent should always be information about the search the end-user's contact details can be required before enabling such functions, as well as if new searched should not necessarily be searches of the end-user. options and functions of the the same. directories are available in the Explanation: Provides clarity that publicly available directories and separate consent is required for provide the users the option to reverse searches which are more disable such functions. intrusive to privacy. (32) In this Regulation, direct (32) In this Regulation, direct (32) In this Regulation, direct (32) In this Regulation, direct marketing refers to any form of marketing refers to any form of marketing communications refers to marketing communications refers to advertising by which a natural or legal advertising by which a natural or legal any form of advertising by which a any form of advertising by which a person sends direct marketing person sends direct marketing natural or legal person sends natural or legal person sends direct communications directly to one or communications directly to one or direct marketing communications marketing communications sent, more identified or identifiable end- more identified or identifiable end- sent by a natural or legal person directed, or presented by a natural users using electronic users using electronic directly to one or more identified or or legal person directly to one or more communications services. In addition communications services, identifiable specific end-users using identified or identifiable end-users to the offering of products and regardless of the form it takes. In publicly available electronic using electronic communications services for commercial purposes, addition to the offering of products communications services. The services, regardless of the form it this should also include messages and services for commercial provisions on direct marketing takes. In addition to the offering of sent by political parties that contact purposes, this should also include communications do should not products and services for commercial natural persons via electronic messages sent by political parties apply to other form of marketing or purposes, this should also include communications services in order to that contact natural persons via advertising that is not sent directly messages sent by political parties that promote their parties. The same electronic communications services in to any specific end-user for contact natural persons via electronic should apply to messages sent by order to promote their parties. The reception by that end-user at communications services in order to other non-profit organisations to same should apply to messages sent addresses, number or other promote their parties. The same support the purposes of the by other non-profit organisations to contact details, e.g. the display of should apply to messages sent by organisation. support the purposes of the advertising on a visited website or other non-profit organisations to organisation. within an information society support the purposes of the service requested by that end-user. organisation. In addition to direct communications advertising for the offering of products and services for commercial purposes, this should also Member States may decide that direct marketing communications may include messages direct marketing communications sent by political parties that contact natural persons via publicly available electronic communications services in order to promote their parties. The same applies to messages sent by other non-profit organisations to support the purposes of the organisation. (33) Safeguards should be provided (33) Safeguards should be provided (33) Safeguards should be provided (33) Safeguards should be provided to protect end-users against to protect end-users against to protect end-users against direct to protect end-users against unsolicited communications for direct unsolicited communications for or marketing unsolicited unsolicited communications for or marketing purposes, which intrude direct marketing purposes, which communications, which intrude into direct marketing purposes, which into the private life of end-users. The intrude into the private life of end- the privacy private life of end-users. intrude into the private life of end- degree of privacy intrusion and users. The degree of privacy intrusion The degree of privacy intrusion and users. The degree of privacy intrusion nuisance is considered relatively and nuisance is considered relatively nuisance is considered relatively and nuisance is considered relatively similar independently of the wide similar independently of the wide similar independently of the wide similar independently of the wide range of technologies and channels range of technologies and channels range of technologies and channels range of technologies and channels used to conduct these electronic used to conduct these electronic used to conduct these electronic used to conduct these electronic communications, whether using communications, whether using communications, whether using communications, whether using automated calling and communication automated calling and automated calling and communication automated calling and systems, instant messaging communications systems, semi- systems, instant messaging communications systems, semi- applications, emails, SMS, MMS, automated systems, instant applications, emails, SMS, MMS, automated systems, instant Bluetooth, etc. It is therefore justified messaging applications, faxes, e- Bluetooth, etc. It is therefore justified messaging applications, faxes, e- to require that consent of the end- mails, SMS, MMS, Bluetooth, etc. It is to require that consent of the end- mails, SMS, MMS, Bluetooth, etc. It is user is obtained before commercial therefore justified to require that users who are natural persons is therefore justified to require that electronic communications for direct consent of the end-user is obtained obtained before direct marketing consent of the end-user is obtained marketing purposes are sent to end- before commercial electronic commercial electronic before commercial electronic users in order to effectively protect communications for direct marketing communications for direct communications for direct marketing individuals against the intrusion into purposes are sent to end-users in marketing are sent to end-users communications purposes are sent their private life as well as the order to effectively protect individuals them in order to effectively protect to end-users in order to effectively legitimate interest of legal persons. against the intrusion into their private individuals them against the protect individuals against the Legal certainty and the need to life as well as the legitimate interest intrusion into their private life as well intrusion into their private life as well ensure that the rules protecting of legal persons. Legal certainty and as the legitimate interest of legal as the legitimate interest of legal against unsolicited electronic the need to ensure that the rules persons. Legal certainty and the persons. Legal certainty, and the need communications remain future-proof protecting against unsolicited need to ensure that the rules to ensure that the rules protecting justify the need to define a single set electronic communications remain protecting against unsolicited against unsolicited electronic of rules that do not vary according to future-proof and justify the need to electronic direct marketing communications remain future-proof, the technology used to convey these define a single set of rules that do not communications remain future-proof justify the need to define a single set unsolicited communications, while at vary according to the technology justify the need to define in principle of rules that do not vary according to the same time guaranteeing an used to convey these unsolicited a single set of rules that do not vary the technology used to convey these equivalent level of protection for all communications, while at the same according to the technology used to unsolicited communications, while at citizens throughout the Union. time guaranteeing an equivalent high convey these unsolicited electronic the same time guaranteeing an However, it is reasonable to allow the level of protection for all citizens direct marketing communications, equivalent high level of protection for use of e-mail contact details within end-users throughout the Union. while at the same time guaranteeing all citizens end-users throughout the the context of an existing customer However, it is reasonable to allow the an equivalent level of protection for all Union. However, it is reasonable to relationship for the offering of similar use of e-mail contact details within citizens throughout the Union. allow the use of e-mail contact details products or services. Such possibility the context of an existing customer However, it is reasonable to allow the within the context of an existing should only apply to the same relationship for the offering of similar use of e-mail contact details for customer relationship for the offering company that has obtained the other products or services. Such electronic message within the of similar other products or services. electronic contact details in possibility should only apply to the context of an existing customer Such possibility should only apply to accordance with Regulation (EU) same company that has obtained the relationship for the offering of similar the same company that has obtained 2016/679. electronic contact details in products or services. Such possibility the electronic contact details in accordance with Regulation (EU) should only apply to the same accordance with Regulation (EU) 2016/679. company that has obtained the 2016/679 and that the end-user has electronic contact details for consented to the sending of electronic message in accordance commercial communications. with Regulation (EU) 2016/679. (33a) Voice-to-voice direct marketing No comment calls that do not involve the use of automated calling and communication systems are more costly for the sender and impose no financial costs on end-users. Member States should therefore be able to establish and or maintain national systems which allow all or certain types of voice- to-voice calls to end-users who are natural persons and who have not objected, including in the context of an existing customer relationship. (34) When end-users have provided (34) When end-users have provided (34) When end-users who are No comment their consent to receiving unsolicited their consent to receiving unsolicited natural persons have provided their communications for direct marketing communications for direct marketing consent to receiving direct purposes, they should still be able to purposes, they should still be able to marketing communications, they withdraw their consent at any time in withdraw their consent at any time in should still be able to withdraw their an easy manner. To facilitate an easy manner. To facilitate consent at any time in an easy effective enforcement of Union rules effective enforcement of Union rules manner and without any cost to on unsolicited messages for direct on unsolicited messages for direct them. To facilitate effective marketing, it is necessary to prohibit marketing, it is necessary to prohibit enforcement of Union rules on direct the masking of the identity and the the masking of the identity and the marketing communications, it is use of false identities, false return use of false identities, false return necessary to prohibit the masking of addresses or numbers while sending addresses or numbers while sending the identity and the use of false unsolicited commercial unsolicited commercial identities, false return addresses or communications for direct marketing communications for direct marketing numbers while sending direct purposes. Unsolicited marketing purposes. Unsolicited marketing marketing communications. Direct communications should therefore be communications should therefore be marketing communications should clearly recognizable as such and clearly recognizable as such and therefore be clearly recognizable as should indicate the identity of the should indicate the identity of the such and should indicate the identity legal or the natural person legal or the natural person of the legal or the natural person transmitting the communication or on transmitting the communication or on sending or the communication and, behalf of whom the communication is behalf of whom the communication is where applicable, on whose behalf transmitted and provide the transmitted and provide the the communication is sent and necessary information for recipients necessary information for recipients provide the necessary information for to exercise their right to oppose to to exercise their right to oppose to end-users who are natural persons receiving further written and/or oral receiving further written and/or oral to exercise their right to withdraw marketing messages. marketing messages. their consent to receiving further direct marketing communications, such as valid contact details (e.g. link, e-mail address) which can be easily used by end-users who are natural persons to withdraw their consent free of charge. (35) In order to allow easy withdrawal (35) In order to allow easy withdrawal (35) Legal or natural persons No comment of consent, legal or natural persons of consent, legal or natural persons conducting direct marketing conducting direct marketing conducting direct marketing communications through voice-to- communications by email should communications by email should voice calls and through calls by present a link, or a valid electronic present a link, or a valid electronic automating calling and mail address, which can be easily mail address, which can be easily communication systems should used by end-users to withdraw their used by end-users to withdraw their present their identity line on which consent. Legal or natural persons consent. Legal or natural persons the company can be called. Member conducting direct marketing conducting direct marketing States are encouraged to introduce communications through voice-to- communications through voice-to- by means of national law a specific voice calls and through calls by voice calls and through calls by code or prefix identifying the fact that automating calling and automating calling and the call is a direct marketing call to communication systems should communication systems should improve the tools provided for the display their identity line on which the display their identity line on which the end-users in order to protect their company can be called or present a company can be called or present a privacy in more efficient manner. specific code identifying the fact that specific code identifying the fact that Using a specific code or prefix the call is a marketing call. the call is a marketing call. should not relieve the legal or natural persons sending direct marketing call from the obligation to present their calling line identification. (36) Voice-to-voice direct marketing (36) Voice-to-voice direct marketing Not found. No comment calls that do not involve the use of calls that do not involve the use of automated calling and communication automated calling and systems, given that they are more communications systems, given that costly for the sender and impose no they are more costly for the sender financial costs on end-users. Member and impose no financial costs on end- States should therefore be able to users, justify the obligation for establish and or maintain national Member States should therefore be systems only allowing such calls to able to establish and or maintain end-users who have not objected. national systems only allowing such calls to end-users who have not objected. (37) Service providers who offer (37) Service providers who offer Deleted (37) Service providers who offer electronic communications services electronic communications services electronic communications services should inform end-users of measures should process electronic should process electronic they can take to protect the security communications data in such a communications data in such a of their communications for instance way as to prevent unauthorised way as to prevent unauthorised by using specific types of software or processing, including access, or processing, including access, or encryption technologies. The alteration. They should ensure that alteration. They should ensure that requirement to inform end-users of such unauthorised access or such unauthorised access or particular security risks does not alteration can be detected, and alteration can be detected, and also discharge a service provider from the also ensure that electronic ensure that electronic obligation to take, at its own costs, communications data are communications data are protected appropriate and immediate measures protected by using state-of the art by using state-of the art software to remedy any new, unforeseen software and cryptographic and cryptographic methods security risks and restore the normal methods including encryption including encryption technologies. security level of the service. The technologies. Service providers Service providers should also provision of information about should also inform end-users of inform end-users of measures they security risks to the subscriber should measures they can take to protect the can take to protect the security of their be free of charge. Security is security of their communications for communications for instance by using appraised in the light of Article 32 of instance by using specific types of specific types of software or Regulation (EU) 2016/679. software or encryption technologies. encryption technologies. The The requirement to inform end-users requirement to inform end-users of of particular security risks does not particular security risks does not discharge a service provider from the discharge a service provider from the obligation to take, at its own costs, obligation to take, at its own costs, appropriate and immediate measures appropriate and immediate measures to remedy any new, unforeseen to remedy any new, unforeseen security risks and restore the normal security risks and restore the normal security level of the service. The security level of the service. The provision of information about provision of information about security security risks to the subscriber should risks to the subscriber should be free be free of charge. Security is of charge. Security is appraised in the appraised in the light of Article 32 of light of Article 32 of Regulation (EU) Regulation (EU) 2016/679. The 2016/679. obligations of Article 40 of the [European Electronic Communications Code] should apply to all services within the scope of this Regulation as regards the security of networks and services and related security obligations thereto. (38) To ensure full consistency with (38) To ensure full consistency with (38) To ensure full consistency with (38) To ensure full consistency with Regulation (EU) 2016/679, the Regulation (EU) 2016/679, The Regulation (EU) 2016/679, the Regulation (EU) 2016/679, the enforcement of the provisions of this enforcement of the provisions of this enforcement of the provisions of this enforcement of the provisions this Regulation should be entrusted to the Regulation should be entrusted to the Regulation should be entrusted to the Regulation should be entrusted to the same authorities responsible for the same authorities responsible for the same authorities responsible for the same authorities responsible for the enforcement of the provisions enforcement of the provisions enforcement of the provisions enforcement of the provisions of Regulation (EU) 2016/679 and this Regulation (EU) 2016/679 and this Regulation (EU) 2016/679 and this Regulation (EU) 2016/679 and this Regulation relies on the consistency Regulation relies on the consistency Regulation relies on the consistency Regulation relies on the mechanism of Regulation (EU) mechanism of Regulation (EU) mechanism of Regulation (EU) consistency mechanism of 2016/679. Member States should be 2016/679. Member States should be 2016/679. Member States should be Regulation (EU) 2016/679 and able to have more than one able to have more than one able to have more than one should be subject to the supervisory authority, to reflect their supervisory authority, to reflect their supervisory authority, to reflect their consistency mechanism of constitutional, organisational and constitutional, organisational and constitutional, organisational and Regulation (EU) 2016/679 when administrative structure. The administrative structure. The administrative structure. The personal data are processed in supervisory authorities should also be supervisory authorities should also be supervisory authorities should also be cross-border cases in line with responsible for monitoring the responsible for monitoring the responsible for monitoring the Article 56 of Regulation (EU) application of this Regulation application of this Regulation application of this Regulation 2016/679. When no cross-border regarding electronic communications regarding electronic communications regarding electronic communications processing of personal data by the data for legal entities. Such additional data for legal entities. Where more data for legal entities. Such additional main establishment of a controller tasks should not jeopardise the ability than one supervisory authority is tasks should not jeopardise the ability takes place, each supervisory of the supervisory authority to established in a Member State, of the supervisory authority to perform authority should remain competent. perform its tasks regarding the such authorities should cooperate its tasks regarding the protection of Member States should be able to protection of personal data under with each other. They should also personal data under Regulation (EU) have more than one supervisory Regulation (EU) 2016/679 and this cooperate with the authorities 2016/679 and this Regulation. Each authority, to reflect their Regulation. Each supervisory appointed to enforce the European supervisory authority should be constitutional, organisational and authority should be provided with the Electronic Communications Code provided with the additional financial administrative structure. The additional financial and human and other relevant enforcement and human resources, premises and supervisory authorities should also be resources, premises and authorities, such as the authorities infrastructure necessary for the responsible for monitoring the infrastructure necessary for the tasked with consumer protection. effective performance of the tasks application of this Regulation effective performance of the tasks Such additional tasks should not under this Regulation. Member regarding electronic communications under this Regulation. jeopardise the ability of the States should be able to have more data for legal entities. Such additional supervisory authority to perform its than one supervisory authority, to tasks should not jeopardise the ability tasks regarding the protection of reflect their constitutional, of the supervisory authority to perform personal data under Regulation (EU) organisational and administrative its tasks regarding the protection of 2016/679 and this Regulation. Each structure. The designation of personal data under Regulation (EU) supervisory authority should be supervisory authorities 2016/679 and this Regulation. Each provided with the additional financial responsible for the monitoring of supervisory authority should be and human resources, premises and the application of this Regulation provided with the additional financial infrastructure necessary for the cannot affect the right of natural and human resources, premises and effective performance of the tasks persons to have compliance with infrastructure necessary for the under this Regulation. rules regarding the protection of effective performance of the tasks personal data subject to control by under this Regulation. an independent authority in accordance with Article 8(3) of the Charter as interpreted by the Court. End-users who are legal persons should have the same rights as end-users who are natural persons regarding any supervisory authority entrusted to monitor any provisions of this Regulation. Each supervisory authority should be provided with the additional financial and human resources, premises and infrastructure necessary for the effective performance of the additional tasks designated under this Regulation. (38a) The enforcement of the (38a) Where a Member State provisions of this Regulation often establishes several supervisory requires cooperation between the authorities, it should establish by national supervisory authorities of law mechanisms for ensuring the two or more Member States, for effective cooperation of those example in combating supervisory authorities between interferences with the each other and within the confidentiality of the terminal consistency mechanism as laid equipment. In order to ensure a down by the GDPR. These Member smooth and rapid cooperation in States should in particular such cases, the procedures of the designate the supervisory authority cooperation and consistency which functions as a single contact mechanism established under point for the effective participation Regulation 2016/679/EU should of those authorities in the apply to Chapter II of this mechanism, to ensure swift and Regulation. Therefore, the smooth cooperation with other European Data Protection Board supervisory authorities, the Board should contribute to the and the Commission. consistent application of this Regulation throughout the Union, in particular by issuing opinions in the context of the consistency mechanisms or by adopting binding decisions in the context of dispute resolution as provided in Article 65 of Regulation 2016/679/EU, as regards Chapter II of this Regulation. (39) Each supervisory authority (39) Each supervisory authority (39) Each supervisory authority (39) Each supervisory authority should be competent on the territory should be competent on the territory should be competent on the territory should be competent on the territory of of its own Member State to exercise of its own Member State to exercise of its own Member State to exercise its own Member State to exercise the the powers and to perform the tasks the powers and to perform the tasks, the powers and to perform the tasks powers and to perform the tasks, set set forth in this Regulation. In order to including adopting binding set forth in this Regulation. In order forth in this Regulation. In order to ensure consistent monitoring and decisions, set forth in this to ensure consistent monitoring ensure consistent monitoring and enforcement of this Regulation Regulation. In order to ensure and enforcement of this enforcement of this Regulation throughout the Union, the supervisory consistent monitoring and Regulation throughout the Union, throughout the Union, the supervisory authorities should have the same enforcement of this Regulation the supervisory authorities should authorities should have the same tasks and effective powers in each throughout the Union, the supervisory have the same tasks and effective tasks and effective powers in each Member State, without prejudice to authorities should have the same powers in each Member State, Member State, including powers of the powers of prosecutorial tasks and effective powers in each without prejudice to the powers of investigation, corrective and authorities under Member State law, Member State, including powers of prosecutorial authorities under advisory powers and powers to to bring infringements of this investigation, corrective powers Member State law, to bring issue sanctions and authorisation, Regulation to the attention of the and sanctions, and authorisation infringements of this Regulation to without prejudice to the powers of judicial authorities and engage in and advisory powers, without the attention of the judicial prosecutorial authorities under legal proceedings. Member States prejudice to the powers of authorities and engage in legal Member State law, to bring and their supervisory authorities are prosecutorial authorities under proceedings. Member States and infringements of this Regulation to the encouraged to take account of the Member State law, to bring their supervisory authorities are attention of the judicial authorities and specific needs of micro, small and infringements of this Regulation to the encouraged to take account of the engage in legal proceedings.In order medium-sized enterprises in the attention of the judicial authorities and specific needs of micro, small and to achieve an effective enforcement application of this Regulation. engage in legal proceedings. Member medium-sized enterprises in the of this Regulation, but also of States and their supervisory application of this Regulation. Regulation (EU) 2016/679, the authorities are encouraged to take supervisory authorities should be account of the specific needs of subject to a strict timeline to deal micro, small and medium-sized with cases, including on how to enterprises in the application of this exercise a right to be heard for Regulation. both parties and an obligation to adopt decisions after a complaint has been filed. Member States and their supervisory authorities are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation. (40) In order to strengthen the (40) In order to strengthen the (40) In order to strengthen the (40) In order to strengthen the enforcement of the rules of this enforcement of the rules of this enforcement of the rules of this enforcement of the rules of this Regulation, each supervisory Regulation, each supervisory Regulation, each supervisory Regulation, each supervisory authority authority should have the power to authority should have the power to authority should have the power to should have the power to impose impose penalties including impose penalties including impose penalties including penalties including administrative fines administrative fines for any administrative fines for any administrative fines for any for any infringement of this Regulation, infringement of this Regulation, in infringement of this Regulation, in infringement of this Regulation, in in addition to, or instead of any other addition to, or instead of any other addition to, or instead of any other addition to, or instead of any other appropriate measures pursuant to this appropriate measures pursuant to appropriate measures pursuant to appropriate measures pursuant to this Regulation. This Regulation should this Regulation. This Regulation this Regulation. This Regulation Regulation. This Regulation should indicate infringements and the upper should indicate infringements and the should indicate infringements and the indicate infringements and the upper limit and criteria for setting the related upper limit and criteria for setting the upper limit and criteria for setting the limit and criteria for setting the related administrative fines, which should be related administrative fines, which related administrative fines, which administrative fines, which should be determined by the competent should be determined by the should be determined by the determined by the competent supervisory authority in each competent supervisory authority in competent supervisory authority in supervisory authority in each individual case, taking into account all each individual case, taking into each individual case, taking into individual case, taking into account all relevant circumstances of the specific account all relevant circumstances of account all relevant circumstances of relevant circumstances of the specific situation, with due regard in particular the specific situation, with due regard the specific situation, with due regard situation, with due regard in particular to the nature, gravity and duration of in particular to the nature, gravity and in particular to the nature, gravity and to the nature, gravity and duration of the infringement and of its duration of the infringement and of its duration of the infringement and of its the infringement and of its consequences and the measures consequences and the measures consequences and the measures consequences and the measures taken to ensure compliance with the taken to ensure compliance with the taken to ensure compliance with the taken to ensure compliance with the obligations under this Regulation and obligations under this Regulation and obligations under this Regulation and obligations under this Regulation and to prevent or mitigate the to prevent or mitigate the to prevent or mitigate the to prevent or mitigate the consequences of the infringement. For consequences of the infringement. consequences of the infringement. consequences of the infringement. the purpose of setting a fine under this For the purpose of setting a fine For the purpose of setting a fine For the purpose of setting a fine Regulation, an undertaking should be under this Regulation, an undertaking under this Regulation, an undertaking under this Regulation, an undertaking understood to be an undertaking in should be understood to be an should be understood to be an should be understood to be an accordance with Articles 101 and 102 undertaking in accordance with undertaking in accordance with undertaking in accordance with of the Treaty. Articles 101 and 102 of the Treaty. Articles 101 and 102 of the Treaty. Articles 101 and 102 of the Treaty. (40a) Without prejudice to the enforcement of this Regulation against the providers of services or software subject to this Regulation, the supervisory authorities should be able to enforce their decision against the representative of these providers that are not established in the European Union. When such representative is not located in the Member State of the competent supervisory authority, the authority will adopt a corrective measure, such a decision should be enforceable against the representative located in this other Member State by means of all relevant applicable legal instruments under European and international law. (41) In order to fulfil the objectives of (41) In order to fulfil the objectives of (41) In order to fulfil the objectives of (41) In order to fulfil the objectives of this Regulation, namely to protect the this Regulation, namely to protect the this Regulation, namely to protect the this Regulation, namely to protect the fundamental rights and freedoms of fundamental rights and freedoms of fundamental rights and freedoms of fundamental rights and freedoms of natural persons and in particular their natural persons in the provision and natural persons and in particular their natural persons in the provision and right to the protection of personal use of electronic communications right to the protection of personal data use of electronic communications data and to ensure the free services and in particular their right and to ensure the free movement of services and in particular their right to movement of personal data within the to the protection respect of their personal data within the Union, the the protection respect of their Union, the power to adopt acts in private life and communications power to adopt acts in accordance private life and communications accordance with Article 290 of the with regard to the processing of with Article 290 of the Treaty should with regard to the processing of Treaty should be delegated to the personal data and to ensure the free be delegated to the Commission to personal data and to ensure the free Commission to supplement this movement of personal data within the supplement this Regulation. In movement of personal data within the Regulation. In particular, delegated Union, the power to adopt acts in particular, delegated acts should be Union, the power to adopt acts in acts should be adopted in respect of accordance with Article 290 of the adopted in respect of the information accordance with Article 290 of the the information to be presented, Treaty should be delegated to the to be presented, including by means Treaty should be delegated to the including by means of standardised Commission to supplement this of standardised icons in order to give Commission to supplement this icons in order to give an easily visible Regulation. In particular, delegated an easily visible and intelligible Regulation. In particular, delegated and intelligible overview of the acts should be adopted in respect of overview of the collection of acts should be adopted in respect of collection of information emitted by the information to be presented, information emitted by terminal the information to be presented, terminal equipment, its purpose, the including by means of standardised equipment, its purpose, the person including by means of standardised person responsible for it and of any icons in order to give an easily visible responsible for it and of any measure icons in order to give an easily visible measure the end-user of the terminal and intelligible overview of the the end-user of the terminal and intelligible overview of the equipment can take to minimise the collection of information emitted by equipment can take to minimise the collection of information emitted by collection. Delegated acts are also terminal equipment, its purpose, the collection. Delegated acts are also terminal equipment, its purpose, the necessary to specify a code to person responsible for it and of any necessary to specify a code to person responsible for it and of any identify direct marketing calls measure the end-user of the terminal identify direct marketing calls measure the end-user of the terminal including those made through equipment can take to minimise the including those made through equipment can take to minimise the automated calling and communication collection. Delegated acts are also automated calling and communication collection. Delegated acts are also systems. necessary to specify a code to systems. necessary to specify a code to It is of particular importance that the identify direct marketing calls It is of particular importance that the identify direct marketing calls Commission carries out appropriate including those made through Commission carries out appropriate including those made through consultations and that those automated calling and consultations and that those automated calling and consultations be conducted in communication systems. consultations be conducted in communication systems. accordance with the principles laid It is of particular importance that the accordance with the principles laid It is of particular importance that the down in the Interinstitutional Commission carries out appropriate down in the Interinstitutional Commission carries out appropriate Agreement on Better Law-Making of consultations and that those Agreement on Better Law-Making of consultations and that those 13 April 2016. In particular, to ensure consultations be conducted in 13 April 2016. In particular, to ensure consultations be conducted in equal participation in the preparation accordance with the principles laid equal participation in the preparation accordance with the principles laid of delegated acts, the European down in the Interinstitutional of delegated acts, the European down in the Interinstitutional Parliament and the Council receive all Agreement on Better Law-Making of Parliament and the Council receive all Agreement on Better Law-Making of documents at the same time as 13 April 2016. In particular, to ensure documents at the same time as 13 April 2016. In particular, to ensure Member States' experts, and their equal participation in the preparation Member States' experts, and their equal participation in the preparation experts systematically have access to of delegated acts, the European experts systematically have access to of delegated acts, the European meetings of Commission expert Parliament and the Council receive all meetings of Commission expert Parliament and the Council receive all groups dealing with the preparation of documents at the same time as groups dealing with the preparation of documents at the same time as delegated acts. Member States' experts, and their delegated acts. Member States' experts, and their Furthermore, in order to ensure experts systematically have access to Furthermore, in order to ensure experts systematically have access to uniform conditions for the meetings of Commission expert uniform conditions for the meetings of Commission expert implementation of this Regulation, groups dealing with the preparation of implementation of this Regulation, groups dealing with the preparation of implementing powers should be delegated acts. implementing powers should be delegated acts. conferred on the Commission when Furthermore, in order to ensure conferred on the Commission when Furthermore, in order to ensure provided for by this Regulation. uniform conditions for the provided for by this Regulation. Those uniform conditions for the Those powers should be exercised in implementation of this Regulation, powers should be exercised in implementation of this Regulation, accordance with Regulation (EU) No implementing powers should be accordance with Regulation (EU) No implementing powers should be 182/2011. conferred on the Commission when 182/2011. conferred on the Commission when provided for by this Regulation. For provided for by this Regulation. For instance, implementing measures instance, implementing measures are necessary to specify a code to are necessary to specify a code to identify direct marketing calls identify direct marketing calls including including those made through those made through automated calling automated calling and and communications systems. They communications systems. They are are also necessary to establish the also necessary to establish the procedures and circumstances to procedures and circumstances to override the elimination of the override the elimination of the presentation of the calling line presentation of the calling line identification on a temporary basis identification on a temporary basis where users request the tracing of where users request the tracing of malicious or nuisance calls Those malicious or nuisance calls Those powers should be exercised in powers should be exercised in accordance with Regulation (EU) No accordance with Regulation (EU) No 182/2011. 182/2011. (42)Since the objective of this (42)Since the objective of this (42)Since the objective of this (42) Since the objective of this Regulation, namely to ensure an Regulation, namely to ensure an Regulation, namely to ensure an Regulation, namely to ensure an equivalent level of protection of equivalent level of protection of equivalent level of protection of equivalent level of protection of natural natural and legal persons and the natural and legal persons and the natural and legal persons and the free and legal persons and the free flow of free flow of electronic free flow of electronic flow of electronic communications electronic communications data communications data throughout the communications data throughout the data throughout the Union, cannot be throughout the Union, cannot be Union, cannot be sufficiently achieved Union, cannot be sufficiently achieved sufficiently achieved by the Member sufficiently achieved by the Member by the Member States and can rather, by the Member States and can rather, States and can rather, by reason of States and can rather, by reason of by reason of the scale or effects of by reason of the scale or effects of the scale or effects of the action, be the scale or effects of the action, be the action, be better achieved at the action, be better achieved at better achieved at Union level, the better achieved at Union level, the Union level, the Union may adopt Union level, the Union may adopt Union may adopt measures, in Union may adopt measures, in measures, in accordance with the measures, in accordance with the accordance with the principle of accordance with the principle of principle of subsidiarity as set out in principle of subsidiarity as set out in subsidiarity as set out in Article 5 of subsidiarity as set out in Article 5 of Article 5 of the Treaty on European Article 5 of the Treaty on European the Treaty on European Union. In the Treaty on European Union. In Union. In accordance with the Union. In accordance with the accordance with the principle of accordance with the principle of principle of proportionality as set out principle of proportionality as set out proportionality as set out in that proportionality as set out in that in that Article, this Regulation does in that Article, this Regulation does Article, this Regulation does not go Article, this Regulation does not go not go beyond what is necessary in not go beyond what is necessary in beyond what is necessary in order to beyond what is necessary in order to order to achieve that objective. order to achieve that objective. achieve that objective. achieve that objective. (43)Directive 2002/58/EC should be (43)Directive 2002/58/EC should be (43)Directive 2002/58/EC should be (43) Directive 2002/58/EC should be repealed. repealed. repealed. repealed. CHAPTER I GENERAL PROVISIONS Article 1 - Subject matter 1.This Regulation lays down rules 1.This Regulation lays down rules 1. This Regulation lays down rules 1.This Regulation lays down rules regarding the protection of regarding the protection of regarding the protection of regarding the protection of fundamental rights and freedoms of fundamental rights and freedoms of fundamental rights and freedoms of fundamental rights and freedoms of natural and legal persons in the natural and legal persons in the natural and legal persons in the natural and legal persons in the provision and use of electronic provision and use of electronic provision and use of electronic provision and use of electronic communications services, and in communications services, and in communications services, and in communications services, and in particular, the rights to respect for particular, the rights to respect for particular, the rights to respect for particular, the rights to respect for private life and communications and private life and communications and private life and communications and private life and communications and the protection of natural persons with the protection of natural persons with the protection of natural persons with the protection of natural persons with regard to the processing of personal regard to the processing of personal regard to the processing of personal regard to the processing of personal data. data. data. data. 1a. This Regulation lays down Delete. rules regarding the protection of the fundamental rights and freedoms of legal persons in the provision and use of the electronic communications services, and in particular their rights to respect of communications. 2.This Regulation ensures free 2.This Regulation ensures free 2.This Regulation The free 2.This Regulation The free movement of electronic movement of electronic movement of electronic movement of electronic communications data and electronic communications data and electronic communications data and electronic communications data and electronic communications services within the communications services within the communications services within the communications services within the Union, which shall be neither Union, which shall be neither Union, which shall be neither Union, which shall be neither restricted nor prohibited for reasons restricted nor prohibited for reasons restricted nor prohibited for reasons restricted nor prohibited for reasons related to the respect for the private related to the respect for the private related to the respect for the private related to the respect for the private life and communications of natural life and communications of natural life and communications of natural life and communications of natural and legal persons and the protection and legal persons and the protection persons and legal and the protection persons and legal and the protection of natural persons with regard to the of natural persons with regard to the of natural persons with regard to the of natural persons with regard to the processing of personal data. processing of personal data. processing of personal data, and for processing of personal data, and for protection of communications of protection of communications of legal persons. legal persons. 3.The provisions of this Regulation 3.The provisions of this Regulation 3. The provisions of this Regulation 3.The provisions of this Regulation particularise and complement particularise and complement particularise and complement particularise and complement Regulation (EU) 2016/679 by laying Regulation (EU) 2016/679 by laying Regulation (EU) 2016/679 by laying Regulation (EU) 2016/679 by laying down specific rules for the purposes down specific rules for the purposes down specific rules for the purposes down specific rules for the purposes mentioned in paragraphs 1 and 2. mentioned in paragraphs 1 and 2. mentioned in paragraphs 1 and to 2. mentioned in paragraphs 1 and 2. Article 2 - Material Scope 1. This Regulation applies to: 1. This Regulation applies to: 1. This Regulation applies to: 1. This Regulation applies to: the processing of electronic (a) the processing of electronic (a) the processing of electronic (a) the processing of electronic communications data carried out in communications data carried out in communications content and of communications data carried out in connection with the provision and the connection with the provision and the electronic communications connection with the provision and the use of electronic communications use of electronic communications metadata carried out in connection use of electronic communications services and to information related to services, irrespective of whether a with the provision and the use of services, irrespective of whether a the terminal equipment of end-users. payment is required; electronic communications services; payment is required; (b) the processing of information (b) end-users' terminal equipment (b) the processing of information related to or processed by the information. related to, or processed by, the terminal equipment of end-users; (c) the offering of a publicly terminal equipment of end-users; (c) the placing on the market of available directory of end-users of (c) the placing on the market of software permitting electronic electronic communications software and hardware permitting communications including the services; electronic communications, retrieval and presentation of (d) the sending of direct marketing including the retrieval and information on the Internet communications to end-users. presentation of information on the (d) the provision of publicly Internet; available directories of users of (d) the offering of publicly electronic communications; available directories of users of (e) the sending of direct marketing electronic communications; electronic communications to end- (e) the sending of direct marketing users. electronic communications to end- users. 2. This Regulation does not apply to: 2. This Regulation does not apply to: 2. This Regulation does not apply to: 2. This Regulation does not apply to: (a) activities which fall outside the (a)activities which fall outside the (a) activities, which fall outside the (a)activities which fall outside the scope of Union law; scope of Union law; scope of Union law, and in any scope of Union law; (b) activities of the Member (b)activities of the Member States event measures, processing (b)activities of the Member States States which fall within the which fall within the scope of Chapter activities and operations which fall within the scope of Chapter scope of Chapter 2 of Title V 2 of Title V of the Treaty on European concerning national security and 2 of Title V of the Treaty on European of the Treaty on European Union; defence, regardless of who is Union; Union; (c)electronic communications carrying out those activities (c)electronic communications services (c) electronic communications services which are not publicly whether it is a public authority or a which are not publicly available; services which are not publicly available; private operator acting at the (d)activities, including data available; (d)activities of competent authorities request of a public authority; processing activities, of competent (d) activities of competent for the purposes of the prevention, (b) activities of the Member States authorities conducted in line with authorities for the purposes of investigation, detection or prosecution which fall within the scope of Chapter Union law, for the purposes of the the prevention, investigation, of criminal offences or the execution 2 of Title V of the Treaty on European prevention, investigation, detection or detection or prosecution of of criminal penalties, including the Union; prosecution of criminal offences or the criminal offences or the safeguarding against and the (c) electronic communications execution of criminal penalties, execution of criminal prevention of threats to public services which are not publicly including the safeguarding against and penalties, including the security; available; the prevention of threats to public safeguarding against and the (d) activities, including data security; prevention of threats to public processing activities, of competent security; authorities for the purposes of the Explanation: CJEU case law and prevention, investigation, detection or obligations deriving from the EU prosecution of criminal offences or treaties cannot be circumvented the execution of criminal penalties, through new interpretation in including the safeguarding against secondary legislation. We strongly and the prevention of threats to public urge negotiators to keep the original security; text of the proposal and not create (e) electronic communications data legal uncertainties. processed after receipt by the end- We further reject the addition of point user concerned, (e) in the Council text. When data is kept after reception of a message, the right to privacy and confidentiality must continue to apply as the nature of the information has not changed. 3.The processing of electronic 3.The processing of electronic Not found 3.This Regulation complement communications data by the Union communications data by the Union Regulation (EU) 2018/1725 which institutions, bodies, offices and institutions, bodies, offices and governs the processing of electronic agencies is governed by Regulation agencies is governed by Regulation communications data by the Union (EU) 00/0000 [new Regulation (EU) 00/0000 [new Regulation institutions, bodies, offices and replacing Regulation 45/2001]. replacing Regulation 45/2001]. agencies .is governed by Regulation (EU) 00/0000 [new Regulation replacing Regulation 45/2001] . 4.This Regulation shall be without 4.This Regulation shall be without 4.This Regulation shall be without 4.This Regulation shall be without prejudice to the application of prejudice to the application of prejudice to the application of prejudice to the application of Directive 2000/31/EC, in particular of Directive 2000/31/EC, in particular of Directive 2000/31/EC, in particular of Directive 2000/31/EC, in particular of the liability rules of intermediary the liability rules of intermediary the liability rules of intermediary the liability rules of intermediary service providers in Articles 12 to 15 service providers in Articles 12 to 15 service providers in Articles 12 to 15 service providers in Articles 12 to 15 of that Directive. of that Directive. of that Directive. of that Directive. 5.This Regulation shall be without 5.This Regulation shall be without 5.This Regulation shall be without 5.This Regulation shall be without prejudice to the provisions of prejudice to the provisions of prejudice to the provisions of prejudice to the provisions of Directive Directive 2014/53/EU. Directive 2014/53/EU. Directive 2014/53/EU. 2014/53/EU. Article 3 - Territorial scope and representative 1.This Regulation applies to: 1.This Regulation applies to: 1.This Regulation applies to: 1.This Regulation applies to: (a) the provision of electronic (a) the provision offering of (a) the provision of electronic (a) the provision of electronic communications services to end- electronic communications services, communications services to end- communications services, software users in the Union, irrespective of software, publicly available users who are in the Union, and hardware permitting electronic whether a payment of the end-user is directories, or direct marketing irrespective of whether a payment communications, publicly available required; electronic communications to end- of the end-user is required; directories, and direct marketing users in the Union, irrespective of electronic communications to end- whether a payment of the end-user is users who are in the Union, required; irrespective of whether a payment of the end-user is required; (aa) the processing of electronic (aa) the processing of electronic communications content and of communications content and of electronic communications electronic communications metadata of end-users who are in metadata of end-users who are in the Union; the Union; (b) the use of such services; (b) the use of such services; Deleted. Deleted. activities referred to in Article 2 that are provided from the territory of the Union; (c) the protection of information (c) the protection processing of (c) the protection of terminal (c) the protection of terminal related to the terminal equipment of information related to or processed equipment information of end-users equipment information of end-users end-users located in the Union. by the terminal equipment of end- who are in the Union. who are in the Union, including the users located that is in the Union. processing of information related to, or processed by, the terminal equipment. (cb) the offering of publicly Deleted, now covered under (a). available directories of end-users of electronic communications services who are in the Union; (cc) the sending of direct marketing communications to end- users who are in the Union. 2. Where the provider of an 2. Where the provider of an 2. Where the provider of an electronic 2. Where the provider of an electronic electronic communications service is electronic communications service, communications service, the communications service, the provider not established in the Union it shall provider of software permitting provider of a publicly available of software and hardware designate in writing a representative electronic communications, a directory, or a person using permitting electronic in the Union. person processing information electronic communications communications, the provider of a related to or processed by the services to send direct marketing publicly available directory, a terminal equipment of users or communications, or a person person using electronic end-users, a provider of a publicly using processing and storage communications services to send available directory, or a person capabilities or collecting direct marketing communications, using electronic communications information processed by or or a person using processing and services to transmit direct emitted by or stored in the end- storage capabilities or collecting marketing communications is not users’ terminal equipment is not information processed by or established in the Union, it shall established in the Union it shall emitted by or stored in the end- designate in writing a representative designate in writing, within one users’ terminal equipment is not in the Union. month from the start of its established in the Union it shall activities, a representative in the designate in writing, within one Union and communicate it to the month from the start of its competent Supervisory Authority. activities, a representative in the Union and communicate it to the competent Supervisory Authority in each Member State where the electronic communications services, software and hardware listed above are provided. 2a. The requirements laid down in Delete. paragraph 2 shall not apply if activities listed in paragraph 1 are Explanation: We object to the occasional and are unlikely to introduction of a risk based approach result in a risk to the fundamental to the protection of a fundamental rights of end-users taking into right. account the nature, context, scope and purpose of those activities. 3. The representative shall be 3. The representative shall be 3. The representative shall be 3. The representative shall be established in one of the Member established in one of the Member established in one of the Member established in one of the Member States where the end-users of such States where the end-users of such States where the end-users of such States where the end-users of such electronic communications services electronic communications services electronic communications services electronic communications are located. are located. are located. services the activities listed in paragraph 1 are located. 4. The representative shall have the 4. The representative shall have the 4. The representative shall be 4. The representative shall be power to answer questions and power to answer questions and mandated by the provider or mandated by the provider or provide information in addition to or provide information in addition to or person it represents to be person it represents to be instead of the provider it represents, instead of the provider it represents, addressed in addition to or instead of addressed, answer questions and in particular, to supervisory in particular, to supervisory the provider it represents, in provide information, in addition to or authorities, and end-users, on all authorities, courts, and end-users, particular, to supervisory authorities, instead of the provider or person it issues related to processing on all issues related to processing and end-users, on all issues related represents, in particular, to electronic communications data for electronic communications data to processing electronic supervisory authorities, courts, and the purposes of ensuring compliance the activities referred to in Article communications data for the end-users, on all issues related to with this Regulation. 2 for the purposes of ensuring purposes of ensuring compliance with processing electronic communications compliance with this Regulation. this Regulation. data for the purposes of ensuring compliance with this Regulation.

5. The designation of a 5. The designation of a 5. The designation of a representative 5. The designation of a representative representative pursuant to paragraph representative pursuant to paragraph pursuant to paragraph 2 shall be pursuant to paragraph 2 shall be 2 shall be without prejudice to legal 2 shall be without prejudice to legal without prejudice to legal actions, without prejudice to administrative or actions, which could be initiated actions, which could be initiated which could be initiated against the legal actions, which could be initiated against a natural or legal person who against a natural or legal person who provider or person it represents. a against the provider or person it processes electronic communications processes electronic natural or legal person who represents, in particular when it is data in connection with the provision communications data in processes electronic located a natural or legal person of electronic communications connection with the provision of communications data in who processes electronic services from outside the Union to electronic communications connection with the provision of communications data in end-users in the Union. services undertakes the activities electronic communications connection with the provision of referred to in Article 2 from outside services from outside the Union to electronic communications the Union to end-users in the end-users in the Union. services from outside the Union. to Union. end-users in the Union. 6. This Regulation applies to the 6. This Regulation applies to the processing of personal data by a processing of communication data provider not established in the by a provider not established in the Union, but in a place where Union, but in a place where Member State law applies by virtue Member State law applies by virtue of public international law. of public international law. Article 4 - Definitions 1. For the purposes of this 1. For the purposes of this 1. For the purposes of this 1. For the purposes of this Regulation, Regulation, following definitions shall Regulation, following definitions shall Regulation, following definitions shall following definitions shall apply: apply: apply: apply: (a) the definitions in Regulation (EU) (a) the definitions in Regulation (EU) (a) the definitions in Regulation (EU) (a) the definitions in Regulation (EU) 2016/679; 2016/679; 2016/679; 2016/679; (b) the definitions of ‘electronic (b) the definitions of ‘electronic (b) the definitions of ‘electronic (b) the definitions of ‘electronic communications network’, ‘electronic communications network’, communications network’, ‘electronic communications network’, ‘electronic communications service’, ‘electronic communications communications service’, communications service’, ‘interpersonal communications service’, ‘interpersonal ‘interpersonal communications ‘interpersonal communications service’, ‘number-based interpersonal communications service’, service’, ‘number-based interpersonal service’, ‘number-based interpersonal communications service’, ‘number- ‘number-based interpersonal communications service’, ‘number- communications service’, ‘number- independent interpersonal communications service’, independent interpersonal independent interpersonal communications service’, ‘end-user’ ‘number-independent communications service’, ‘end-user’ communications service’, ‘end-user’ and ‘call’ in points (1), (4), (5), (6), (7), interpersonal communications and ‘call’ in paragraphs (1), (4), (5), and ‘call’ in paragraphs (1), (4), (5), (14) and (21) respectively of Article 2 service’, ‘end-user’ and ‘call’ in (6), (7), (14) and (21) (31) (6), (7), (14) and (31) respectively of of [Directive establishing the points (1), (4), (5), (6), (7), (14) and respectively of Article 2 of Directive Article 2 of Directive (EU) 2018/1972; European Electronic Communications (21) respectively definition of ‘call’ (EU) 2018/1972; Code]; in point (21) of Article 2 of [Directive establishing the European Electronic Communications Code]; (c) the definition of 'terminal (c) the definition of 'terminal (c) the definition of 'terminal (c) the definition of 'terminal equipment' in point (1) of Article 1 of equipment' in point (1) of Article 1 of equipment' in Article 1 (1) of equipment' in Article 1 (1) of Commission Directive 2008/63/EC Commission Directive 2008/63/EC Commission Directive 2008/63/EC; Commission Directive 2008/63/EC; (d) the definition of ‘information Deleted. society service’ in point (b) of Article 1 (1) of Directive (EU) 2015/1535. 2. For the purposes of point (b) of Deleted 2. For the purposes of this 2. For the purposes of this paragraph 1, the definition of Regulation of point (b) of Regulation of point (b) of ‘interpersonal communications paragraph 1, the definition of paragraph 1, the definition of service’ shall include services which ‘interpersonal communications ‘interpersonal communications enable interpersonal and interactive service’ referred to in point (b) of service’ referred to in point (b) of communication merely as a minor paragraph 1 shall include services paragraph 1 shall include services ancillary feature that is intrinsically which enable interpersonal and which enable interpersonal and linked to another service. interactive communication merely as interactive communication merely as a a minor ancillary feature that is minor ancillary feature that is intrinsically linked to another service. intrinsically linked to another service. 2a. For the purposes of this 2a. For the purposes of this Regulation, the definition of Regulation, the definition of 'processing' referred to in Article 4 'processing' referred to in Article 4 (2) of Regulation 2016/679 shall not (2) of Regulation 2016/679 shall not be limited to processing of be limited to processing of personal data. personal data. 3. In addition, for the purposes of this 3. In addition, for the purposes of this 3. In addition, for the purposes of this 3. In addition, for the purposes of this Regulation the following definitions Regulation the following definitions Regulation the following definitions Regulation the following definitions shall apply: shall apply: shall apply: shall apply: (a) ‘electronic communications data’ (a) ‘electronic communications data’ (a) ‘electronic communications data’ (a) ‘electronic communications data’ means electronic communications means electronic communications means electronic communications means electronic communications content and electronic content and electronic content and electronic content and electronic communications metadata; communications metadata; communications metadata; communications metadata; (-a) 'electronic communications Deleted, now covered under point (b). network' means a transmission system, whether or not based on a permanent infrastructure or centralised administration capacity, and, where applicable, switching or routing equipment and other resources, including network elements which are not active, which permit the conveyance of signals by wire, radio, optical or other electromagnetic means, including satellite networks, fixed (circuit - and packet - switched including Internet) and mobile terrestrial networks, electricity cable systems, to the extent that they are used for the purpose of transmitting signals, networks used for radio and television broadcasting, and cable television networks, irrespective of the type of information conveyed; (-aa) 'electronic communications service' means a service provided via electronic communications networks, whether for remuneration or not, which encompasses one or more of the following: an 'internet access service' as defined in Article 2(2) or Regulation (EU) 2015/2120; an interpersonal communications service; a service consisting wholly or mainly in the conveyance of the signals, such as a transmission service used for the provision of a machine-to- machine service and for broadcasting, but excludes information conveyed as part of a broadcasting service to the public over an electronic communications network or service except to the extent that the information can be related to the identifiable end-user receiving the information; it also includes services which are not publicly available, but provide access to a publicly available electronic communications network; (-ab) 'interpersonal communications service' means a service, whether provided for remuneration or not, that enables direct interpersonal and interactive exchange of information between a finite number of persons whereby the persons initiating or participating in the communication determine the recipient(s); (-ac) 'number-based interpersonal communications service' means an interpersonal communications service which connects to the public switched telephone network, either by means of assigned numbering resources, i.e. number or numbers in national or international telephone numbering plans, or by enabling communication with a number or numbers in national or international telephone numbering plans; (-ad) 'number-independent interpersonal communications service' means an interpersonal communications service which does not connect with the public switched telephone network, either by means of assigned numbering resources, i.e. a number or numbers in national or international telephone numbering plans, or by enabling communication with a number or numbers in national or international telephone numbering plans; (-ae) 'end-user' means a legal entity or a natural person using or requesting a publicly available electronic communications service; (-af) 'user' means any natural person using a publicly available electronic communications service, for private or business purposes, without necessarily having subscribed to this service; (b) ‘electronic communications (b) 'electronic communications (b) ‘electronic communications (b) 'electronic communications content’ means the content content' means the content content’ means the content content' means the content exchanged by means of electronic transmitted, distributed or exchanged by means of electronic transmitted, distributed or communications services, such as exchanged by means of electronic communications services, such as exchanged by means of electronic text, voice, videos, images, and communications services, such as text, voice, videos, images, and communications services, such as sound; text, voice, videos, images, and sound; text, voice, videos, images, and sound. Where metadata of other sound. Where metadata of other electronic communications electronic communications services or protocols are services or protocols are transmitted, distributed or transmitted, distributed or exchanged by using the respective exchanged by using the respective service, they shall be considered service, they shall be considered electronic communications electronic communications content content for the respective service; for the respective service; (c) ‘electronic communications (c) ‘electronic communications (c) ‘electronic communications (c) ‘electronic communications metadata’ means data processed in metadata’ means data processed in metadata’ means data processed by metadata’ means data processed in an electronic communications an electronic communications means of in an electronic an electronic communications network network for the purposes of network for the purposes of communications network services or services for the purposes of transmitting, distributing or transmitting, distributing or for the purposes of transmitting, transmitting, distributing or exchanging exchanging electronic exchanging electronic distributing or exchanging electronic electronic communications content; communications content; including communications content ; including communications content; including including data used to trace and data used to trace and identify the data used to trace and identify the data used to trace and identify the identify the source and destination of a source and destination of a source and destination of a source and destination of a communication, data on the location of communication, data on the location communication, data on the location communication, data on the location the device generated terminal of the device generated in the context of the device generated terminal of the device generated in the context equipment processed in the context of providing electronic equipment processed in the context of providing electronic of providing electronic communications services, and the of providing electronic communications services, and the communications services, and the date, time, duration and the type of communications services, and the date, time, duration and the type of date, time, duration and the type of communication; date, time, duration and the type of communication; communication; communication; (d)‘publicly available directory’ means (d)‘publicly available directory’ means (d) ‘publicly available directory’ (d) ‘publicly available directory’ means a directory of end-users of electronic a directory of end-users of electronic means a directory of end-users of a directory of end-users of electronic communications services, whether in communications services, whether in electronic number-based number-based interpersonal printed or electronic form, which is printed or electronic form, which is interpersonal communications communications services, whether in published or made available to the published or made available to the services, whether in printed or printed or electronic form, which is public or to a section of the public, public or to a section of the public, electronic form, which is published or published or made available to the including by means of a directory including by means of a directory made available to the public or to a public or to a section of the public, enquiry service; enquiry service; section of the public, including by including by means of a directory means of a directory enquiry service enquiry service and the main and the main function of which is function of which is to enable to enable identification of such identification of such end-users; end-users; (e)‘electronic mail’ means any (e)‘electronic mail’ means any (e) ‘electronic mail’ message’ means (e) ‘electronic mail’ message’ means electronic message containing electronic message containing any message containing information any message containing information information such as text, voice, video, information such as text, voice, video, such as text, voice, video, sound or such as text, voice, video, sound or sound or image sent over an sound or image sent over an image sent over an electronic image sent over an electronic electronic communications network electronic communications network communications network which can communications network which can be which can be stored in the network or which can be stored in the network or be stored in the network or in related stored in the network or in related in related computing facilities, or in in related computing facilities, or in computing facilities, or in the terminal computing facilities, or in the terminal the terminal equipment of its the terminal equipment of its equipment of its recipient, including equipment of its recipient, including recipient; recipient; e-mail, SMS, MMS, instant and e-mail, SMS, MMS, instant and direct messages, and functionally direct messages, and functionally equivalent applications and equivalent applications and techniques; techniques; (f) ‘direct marketing communications’ (f) ‘direct marketing communications’ (f) ‘direct marketing communications’ (f) ‘direct marketing communications’ means any form of advertising, means any form of advertising, means any form of advertising, means any form of advertising, whether written or oral, sent to one or whether in written, oral or video whether written or oral, sent via a whether in written, oral or video more identified or identifiable end- format, sent, served or presented to publicly available electronic format, sent, served or presented to users of electronic communications one or more identified or identifiable communications service directly to one or more identified or identifiable services, including the use of end-users of electronic one or more identified or end-users of electronic automated calling and communication communications services, including identifiable specific end-users of communications services, including systems with or without human the use of automated calling and electronic communications the placing of voice-to-voice calls, interaction, electronic mail, SMS, etc.; communications systems with or services, including the placing of the use of automated calling and without human interaction, electronic voice-to-voice calls, the use of communication systems with or mail, SMS, fax machines etc.; automated calling and communication without human interaction, electronic systems with or without human message mail, SMS, fax machines interaction, electronic message mail, etc.; SMS, etc.; (g) ‘direct marketing voice-to-voice (g) 'direct marketing voice-to-voice (g) ‘direct marketing voice-to-voice (g) ‘direct marketing voice-to-voice calls’ means live calls, which do not calls' means live calls, which do not calls’ means live calls, which do not calls’ means live calls, which do not entail the use of automated calling entail the use of automated calling entail the use of automated calling entail the use of automated calling systems and communication systems and communications systems and communication systems; systems and communication systems; systems; systems, including calls made using automated calling and communications systems which connect the called person to an individual; (h) ‘automated calling and (h) ‘automated calling and (h) ‘automated calling and (h) ‘automated calling and communication systems’ means communications systems’ means communication systems’ means communication systems’ means systems capable of automatically systems capable of automatically systems capable of automatically systems capable of automatically initiating calls to one or more initiating calls to one or more initiating calls to one or more initiating calls to one or more recipients in accordance with recipients in accordance with recipients in accordance with recipients in accordance with instructions set for that system, and instructions set for that system, and instructions set for that system, and instructions set for that system, and transmitting sounds which are not live transmitting sounds which are not live transmitting sounds which are not live transmitting sounds which are not live speech, including calls made using speech, including calls made using speech, including calls made using speech, including calls made using automated calling and communication automated calling and automated calling and communication automated calling and communication systems which connect the called communication systems which systems which connect the called systems which connect the called person to an individual. connect the called person to an person to an individual. person to an individual. individual. (i) 'direct marketing calls' means (i) 'direct marketing calls' means direct marketing voice-to-voice direct marketing voice-to-voice calls and calls made via automated calls and calls made via automated calling and communication calling and communication systems for the purpose of direct systems for the purpose of direct marketing. marketing. (j) ‘location data’ means data (j) ‘location data’ means data processed by means of an processed by means of an electronic communications electronic communications network network or service, indicating the or service, indicating the geographic position of the terminal geographic position of the terminal equipment of a user of a publicly equipment of a user of a publicly available electronic available electronic communications service; communications service; Article 4a - Consent Article 4a - Consent

1. The provisions for consent 1. The definition of and conditions provided for under Regulation (EU) provisions for consent provided for 2016/679/EU shall apply to natural under Articles 4(11) and 7 of persons and, mutatis mutandis, to Regulation (EU) 2016/679/EU shall legal persons. apply.

1a. Paragraph 1 is without 1a. Paragraph 1 is without prejudice prejudice to national legislation on to national legislation on determining the persons who are determining the persons who are authorised to represent a legal authorised to represent a legal person in any dealings with third person in any dealings with third parties or in legal proceedings. parties.

2. Without prejudice to paragraph 1, 2. Without prejudice to paragraph 1, where technically possible and where technically possible and feasible, for the purposes of point (b) feasible, for the purposes of point (b) of Article 8 (1), consent may be of Article 8 (1), consent may be expressed by using the appropriate expressed, refused or withdrawn by technical settings of a software using the appropriate technical application enabling access to the settings of a software application internet placed on the market placed on the market enabling permitting electronic access to the internet permitting communications, including the electronic communications, retrieval and presentation of including the retrieval and information on the internet. presentation of information on the internet or via specifications for 2aa. Consent directly expressed by electronic communications an end-user in accordance with services or information society Paragraph (2) shall prevail over services which allow for specific software settings. Any consent consent for specific purposes and requested and given by an end- with regard to specific service user to a service shall be directly providers, pursuant to paragraph 1. implemented, without any further When such specifications are used delay, by the applications of the by the user's terminal equipment or end user’s terminal, including the software application enabling where the storage of information or access to the internet running on it, the access of information already they may automatically signal the stored in the end-user’s terminal user's specific choice based on equipment is permitted. general settings, lists or rules the user has chosen. The European 2a. As far as the provider is not Commission shall, by way of able to identify a data subject, the delegated acts, develop and technical protocol showing that approve signals that shall be consent was given from the binding on, and enforceable terminal equipment shall be against, any party. The EDPB shall sufficient to demonstrate the provide a binding opinion on consent of the end-user according whether the draft signals, Article 8 (1) (b). amendment or extension complies with this Regulation and develop 3. End-users who have consented to relevant guidelines for their use the processing of electronic pursuant Article 19(2)(bb). communications data in accordance with this Regulation shall be 2a. Consent, refusal of consent and reminded of the possibility to consent withdrawal directly withdraw their consent at periodic expressed by an end-user in intervals of [no longer than 12 accordance with Paragraph (2) months], as long as the processing shall prevail over other settings. continues, unless the end-user Any decision requested and given requests not to receive such by an end-user to a service shall be reminders. directly implemented, without any further delay.

2aa. As far as the provider is not able to identify the end user, the technical protocol showing that consent was given from the terminal equipment shall be sufficient to demonstrate the consent of the end-user according Article 8 (1) (b).

3. End-users who have consented to the processing of electronic communications data in accordance with this Regulation shall be given the possibility to withdraw their consent at any time as set forth under Article 7(3) of Regulation (EU) 2016/679 and be reminded of this possibility at periodic intervals of 6 months, as long as the processing continues.

3 a. Any processing based on consent must not adversely affect the rights and freedoms of individuals whose personal data are related to or transmitted by the communication, in particular their rights to privacy and the protection of personal data.

Explanation: We support the Council proposal to move the content of Article 9 of the original Commission proposal here. Our proposal reflects a compromise between the original text and the Parliament amendments on Article 9 and the Council newly proposed Article 4a. It is based on a signal for specific consent, not a general setting. Chapter 2 PROTECTION OF PROTECTION OF PROTECTION OF ELECTRONIC PROTECTION OF ELECTRONIC ELECTRONIC COMMUNICATIONS OF ELECTRONIC COMMUNICATIONS OF COMMUNICATIONS OF NATURAL AND LEGAL COMMUNICATIONS OF NATURAL AND LEGAL NATURAL AND LEGAL PERSONS END-USERS AND OF NATURAL AND LEGAL PERSONS AND OF PERSONS AND OF INFORMATION STORED IN PERSONS AND OF INFORMATION STORED IN INFORMATION STORED IN THE INTEGRITY OF THEIR INFORMATION STORED IN THEIR TERMINAL EQUIPMENT PROCESSED BY AND TERMINAL EQUIPMENT PROCESSED BY AND RELATED RELATED TO THEIR TERMINAL TO THEIR TERMINAL EQUIPMENT EQUIPMENT Article 5 Confidentiality of electronic Confidentiality of electronic Confidentiality of electronic Confidentiality of electronic communications data communications data communications data communications data Electronic communications data shall 1. Electronic communications data Electronic communications data shall Electronic communications and be confidential. Any interference with shall be confidential. Any be confidential. Any interference with electronic communication data shall electronic communications data, such interference, with electronic electronic communications data, be confidential. Any interference with as by listening, tapping, storing, communications data , such as by such as by including listening, electronic communications data, such monitoring, scanning or other kinds of listening, tapping, storing, monitoring, tapping, storing, monitoring, scanning as by including listening, tapping, interception, surveillance or scanning or other kinds of or other kinds of interception, storing, monitoring, scanning or other processing of electronic interception, surveillance or any surveillance and processing of kinds of interception, surveillance or communications data, by persons processing of electronic electronic communications data, by any processing of electronic other than the end-users, shall be communications data , by persons persons anyone other than the end- communications data, by persons prohibited, except when permitted by other than the end-users, shall be users concerned, shall be prohibited, anyone or any entity other than the this Regulation. prohibited, except when permitted except when permitted by this end-users concerned, shall be by this Regulation. Regulation. prohibited, except when permitted by this Regulation. 1 a. Confidentiality of electronic communications shall also apply 1 a. Confidentiality of electronic to data related to or processed by communications shall also apply to terminal equipment. data related to or processed by terminal equipment. Article 6 Permitted processing of Permitted Lawful processing Permitted processing of Permitted processing of electronic communications data of electronic communications data electronic communications data electronic communications data 1. Providers of electronic 1. Providers of electronic 1. Providers of electronic 1. Providers of electronic communications networks and communications networks and communications networks and communications networks and services may process electronic services may process electronic services may shall be permitted to services may shall be permitted to communications data if: communications data only if: process electronic communications process electronic communications (a) it is necessary to achieve the data only if: data only if: (a) it is necessary to achieve the transmission of the transmission of the communication, communication, for the duration (a) it is necessary to provide an (a) it is strictly necessary to provide for the duration necessary for that necessary for that purpose; or electronic communication an electronic communication purpose; or (b) it is necessary to maintain or service;achieve the transmission service,achieve the transmission of restore the security of electronic of the communication, for the the communication, for the duration (b) it is necessary to maintain or communications networks and duration necessary for that necessary for that purpose; or restore the security of electronic services, or detect technical faults purpose or communications networks and and/or errors in the transmission (b) it is strictly necessary to maintain services, or detect technical faults of electronic communications, for (b) it is necessary to maintain or or restore the availability, integrity, and/or errors in the transmission of the duration necessary for that restore the security of electronic confidentiality and security of electronic communications, for the purpose. it is technically communications networks and electronic communications networks duration necessary for that purpose. necessary to achieve the services, or detect technical faults, and services, or detect technical transmission of the and/or errors, security risks or faults, and/or errors, security risks communication, for the duration attacks on in the transmission or attacks on in the transmission necessary for that purpose. electronic communications networks electronic communications networks and services; for the duration and services; for the duration 1 b. Providers of electronic necessary for that purpose. necessary for that purpose. communications networks and services or other parties acting on behalf of the provider or the end- user may process electronic communications data only if it is technically necessary to maintain or restore the availability, integrity, confidentiality and security of the respective electronic communications network or services, or to detect technical faults and/or errors in the transmission of electronic communications, for the duration necessary for that purpose. (c) it is necessary to detect or (c) it is strictly necessary to detect prevent security risks or attacks or prevent security risks or attacks on end-users’ terminal equipment; on end-users’ terminal equipment;

(d) it is necessary for compliance 1a. A third party acting on behalf of with a legal obligation to which the a provider of electronic provider is subject laid down by communications network or Union or Member State law, which services may be permitted to respects the essence of the process electronic fundamental rights and freedoms communications data in and is a necessary and accordance with Article 6 provided proportionate measure in a that the conditions laid down in democratic society to safeguard Article 28 of Regulation (EU) the prevention, investigation, 2016/679 are met. detection or prosecution of criminal offences or the execution Explanation: This proposal gathers of criminal penalties, and the language suggested by all institutions safeguarding against and the in Article 6.1 and by the Council in prevention of threats to public their Article 6.3. security. 2. Providers of electronic 2. Providers of electronic 2. Providers of electronic 2. Without prejudice to Article (6) 1, communications services may communications services and communications services may providers of electronic process electronic communications networks may process electronic process electronic communications networks and metadata if: communications metadata only if: communications metadata if: services may shall be permitted to (a) it is necessary to meet process electronic communications (a) it is necessary to meet mandatory (a) it is strictly necessary to meet mandatory quality of service metadata only if: quality of service requirements mandatory quality of service requirements pursuant to pursuant to [Directive establishing the requirements pursuant to [Directive [Directive establishing the (a) it is strictly necessary to meet European Electronic Communications establishing the European Electronic European Electronic technical quality of service Code] or Regulation (EU) 2015/2120 Communications Code] or Regulation Communications Code] or requirements pursuant to Directive for the duration necessary for that (EU) 2015/2120 for the duration Regulation (EU) 2015/2120 for the (EU) 2018/1972 or Regulation (EU) purpose; or technically necessary for that duration necessary for that 2015/2120; for the duration purpose; or purpose; or technically necessary for that (b) it is necessary for billing, (b) it is necessary for billing, purpose; or calculating interconnection payments, (b) it is strictly necessary for billing, calculating interconnection detecting or stopping fraudulent, or calculating determining payments, detecting or stopping (b) it is strictly necessary for billing, abusive use of, or subscription to, interconnection payments, detecting fraudulent, or abusive use of, or calculating determining electronic communications services; or stopping fraudulent use of, subscription to, electronic interconnection payments, detecting or abusive use of, or subscription to, communications services; or or stopping fraudulent use, or electronic communications services; (c) the end-user concerned has abusive use of, or subscription to, (c) the end-user concerned has or given his or her consent to the electronic communications services; given his or her consent to the processing of his or her or processing of his or her (c) the end-user concerned has communications metadata for one communications metadata for one or given his or her consent to the or more specified purposes, (c) the end-users concerned have more specified purposes, including processing of his or her including for the provision of given consent to the processing of for the provision of specific services communications metadata for one or specific services to such end- communications metadata for one or to such end-users, provided that the more specified purposes, including users, provided that the purpose more specified purposes, including for purpose or purposes concerned could for the provision of specific services or purposes concerned could not the provision of specific services not be fulfilled by processing to such end-users, provided that the be fulfilled by processing requested by an end-user for information that is made anonymous. purpose or purposes concerned could information that is made purely individual use to such end- not be fulfilled by processing anonymous. users, provided that the purpose or information that is made purposes concerned could not be anonymous without the Electronic communications data fulfilled by processing information processing of such metadata. shall only be permitted to be that is made anonymous without processed for the duration the processing of such metadata necessary for the specified and where such requested purpose or purposes according to processing does not adversely Articles 6 to 6c and if the specified affect fundamental rights and purpose or purposes cannot be interests of another person fulfilled by processing information concerned; or that is made anonymous. (d) it is necessary in order to 3. A third party acting on behalf of protect the vital interest of a natural a provider of electronic person. communications network or services may be permitted to 2a. Electronic communications process electronic metadata shall only be permitted to communications data in be processed for the duration accordance with Articles 6 to 6c strictly necessary for the specified provided that the conditions laid purpose or purposes according to down in Article 28 of Regulation paragraph 2. (EU) 2016/679 are met.

Explanation: This proposal gathers language suggested by the Commission and Parliament in Article 6.2 and by the Council in their Article 6b. (2a) For the purposes of point (c) (2b) For the purposes of point (c) of paragraph 2, where a type of of paragraph 2 and point (a) processing of electronic paragraph 3, where a type of communications metadata, in processing of electronic particular using new technologies, communications data, in particular and taking into account the nature, using new technologies, and taking scope, context and purposes of into account the nature, scope, the processing, is likely to result in context and purposes of the a high risk to the rights and processing, is likely to result in a freedoms of natural persons, high risk to the rights and Articles 35 and 36 of Regulation freedoms of natural persons, (EU) 2016/679 shall apply. Articles 35 and 36 of Regulation (EU) 2016/679 shall apply. 3.Providers of the electronic 3.Providers of the electronic Article 6a [previous art. 3. Without prejudice to Article (6) 1, communications services may communications services may 6(3)] Permitted processing of providers of the electronic process electronic communications process electronic communications electronic communications communications networks and content only: content only: content services may shall be permitted to process electronic communications 1. Without prejudice to Article (6) content only: 1, providers of the electronic communications networks and services may shall be permitted to process electronic communications content only: (a) for the sole purpose of the (a) for the sole purpose of the (a) for the sole purpose of the (a) if it is strictly necessary for the provision of a specific service to an provision of a specific service to an provision of a specific service to an sole purpose of the provision of a end-user, if the end-user or end-users end-user requested by the user, if end-user requested by an end-user specific service to an end-user concerned have given their consent the end-user or end-users user for purely individual use if the requested by an end-user for to the processing of his or her concerned have has given their his requesting end-user or end-users purely individual use if the electronic communications content or her consent to the processing of user concerned hasve given their requesting end-user or end-users and the provision of that service his or her electronic communications consent to the processing of his or user concerned hasve given their cannot be fulfilled without the content and the provision of that her electronic communications consent to the processing of his or her processing of such content; or service cannot be fulfilled without the content and the provision of that electronic communications content processing of such content by the service cannot be fulfilled without and the provision of that service (b) if all end-users concerned have provider; or the processing of such content cannot be fulfilled without the given their consent to the processing and where such requested processing of such content and of their electronic communications (b) if all end-users concerned have processing does not adversely where such requested processing content for one or more specified given their consent to the processing affect fundamental rights and does not adversely affect purposes that cannot be fulfilled by of their electronic communications interests of another person fundamental rights and interests of processing information that is made content for one or more specified concerned; or another person concerned; or anonymous, and the provider has purposes that cannot be fulfilled by consulted the supervisory authority. processing information that is made (b) if all end-users concerned have (b) if all end-users concerned have Points (2) and (3) of Article 36 of anonymous, and the provider has given their consent to the processing given their consent to the processing Regulation (EU) 2016/679 shall apply consulted the supervisory authority. of their electronic communications of their electronic communications to the consultation of the supervisory Points (2) and (3) of Article 36 of content for one or more specified content for one or more specified authority. Regulation (EU) 2016/679 shall apply purposes that cannot be fulfilled by purposes that cannot be fulfilled by to the consultation of the supervisory processing information that is processing information that is authority. made anonymous, and the made anonymous, and the provider provider has consulted the has consulted the supervisory supervisory authority. Points (2) authority. Points (2) and (3) of and (3) of Article 36 of Regulation Article 36 of Regulation (EU) (EU) 2016/679 shall apply to the 2016/679 shall apply to the consultation of the supervisory consultation of the supervisory authority. authority.

2. Prior to the processing in 4. Prior to the processing in accordance with point (b) of accordance with point (b) of paragraph 1 the provider shall paragraph 3 the provider shall carry out a data protection impact carry out a data protection impact assessment of the impact of the assessment of the impact of the envisaged processing operations envisaged processing operations on the protection of electronic on the protection of electronic communications data and consult communications data and consult the supervisory authority if the supervisory authority pursuant to necessary pursuant to Article 36 Article 36 (1) of Regulation (EU) (1) of Regulation (EU) 2016/679. 2016/679. Article 36 (2) and (3) of Article 36 (2) and (3) of Regulation Regulation (EU) 2016/679 shall apply (EU) 2016/679 shall apply to the to the consultation of the supervisory consultation of the supervisory authority. authority. 3a. The provider of the electronic Deleted, now covered under point (c) communications service may of paragraph 2 and point (a) process electronic paragraph 3 of Article 6. communications data solely for the provision of an explicitly requested service, for purely individual usage, only for the duration necessary for that purpose and without the consent of all users only where such requested processing does not adversely affect the fundamental rights and interests of another user or users. Article 6b [previous art 6(2)] Deleted, see proposal in Article 6.2. Permitted processing of electronic communications metadata

1. Without prejudice to Article (6) 1, providers of electronic communications networks and services may shall be permitted to process electronic communications metadata only if:

(a) it is necessary for the purposes of network management or network optimisation, or to meet technical quality of service requirements pursuant to Directive (EU) 2018/1972 or Regulation (EU) 2015/212020, for the duration necessary for that purpose; or

(b) it is necessary for the performance of an electronic communications service contract to which the end-user is party, or if necessary for billing, calculating interconnection payments, detecting or stopping fraudulent, or abusive use of, or subscription to, electronic communications services; or

(c) the end-user concerned has given consent to the processing of communications metadata for one or more specified purposes including for the provision of specific services to such end-users, provided that the purpose or purposes concerned could not be fulfilled by processing information that is made anonymous; or

(d) it is necessary in order to protect the vital interest of a natural person; or

(e) in relation to metadata that constitute location data, it is necessary for scientific or historical research purposes or statistical purposes, provided that: i. such data is pseudonymised; ii. the processing could not be carried out by processing information that is made anonymous, and the location data is erased or made anonymous when it is no longer needed to fulfil the purpose; and iii. the location data is not used to determine the nature or characteristics of an end-user or to build a profile of an end-user.

(f) in relation to metadata other than location data, it is necessary for scientific or historical research purposes or statistical purposes, provided that such processing is in accordance with Union or Member State law and subject to appropriate safeguards, including encryption and pseudonymisation, to protect fundamental rights and the interest of the end-users and is in accordance with paragraph 6 of Article 21 and paragraphs 1, 2 and 4 of Article 89 of Regulation (EU) 2016/679.

2a. Data processed under point e and f of paragraph 1 of this article may also be used for the development, production and dissemination of official national and European statistics to the extent necessary for this purpose and in accordance, respectively, with national or Union law.

2. Without prejudice to Article 6 (3), electronic communications metadata processed pursuant to paragraph 1 (e) shall not be shared by the provider with any third party unless it has been made anonymous. Article 6c [Previous art Delete. We oppose the addition of a 6(2a)] Compatible processing of possibility to further process metadata electronic communications under this Regulation. metadata As noted, this Regulation already clarifies and provides more 1. Where the processing for a opportunity for the processing of purpose other than that for which communications content and the electronic communications metadata for providers in comparison metadata have been collected with the existing ePrivacy Directive. under paragraph 1 of Articles 6 Further opportunities for processing, and 6b is not based on the end- in particular ones where the end-users user's consent or on a Union or would not be able to consent to such Member State law which processing, would erode the objective constitutes a necessary and of this Regulation, the right it seeks to proportionate measure in a protect, and risk falling below the democratic society to safeguard current level of protection guaranteed the objectives referred to in Article in the EU. 11, the provider of electronic communications networks and services shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the electronic communications metadata are initially collected, take into account, inter alia:

(a) any link between the purposes for which the electronic communications metadata have been collected and the purposes of the intended further processing; (b) the context in which the electronic communications metadata have been collected, in particular regarding the relationship between end-users concerned and the provider; (c) the nature of the electronic communications metadata as well as the modalities of the intended further processing, in particular where such data or the intended further processing could reveal categories of data, pursuant to Articles 9 or 10 of Regulation (EU) 2016/679; (d) the possible consequences of the intended further processing for end-users; (e) the existence of appropriate safeguards, such as encryption and pseudonymisation. 2. Such processing, if considered compatible, may only take place, provided that: (a) the processing could not be carried out by processing information that is made anonymous, and electronic communications metadata is erased or made anonymous as soon as it is no longer needed to fulfil the purpose, and (b) the processing is limited to electronic communications metadata that is pseudonymised, and (c) the electronic communications metadata is not used to determine the nature or characteristics of an end-user or to build a profile of an end-user, which produces legal effects concerning him or her or similarly significantly affects him or her. 3. For the purposes of paragraph 1 of this Article, the providers of electronic communications networks and services shall not, without prejudice to Article 6 (3), share such data with any third parties, unless it is made anonymous. Article 7 - Storage and erasure of electronic communications data 1. Without prejudice to point (b) of 1. Without prejudice to point (b) of 1.Without prejudice to point (b) of 1.Without prejudice to point (b) of Article 6(1) and points (a) and (b) of Article 6(1) 6(1b) and points (a) and Article 6(1) and points (a) and (b) Article 6(1) and points (a) and (b) of Article 6(3), the provider of the (b) of Article 6(3), the provider of the of Article 6(3), The provider of the Article 6(3), to Article 6 (3), the electronic communications service electronic communications service electronic communications service provider of the electronic shall erase electronic shall erase electronic shall erase electronic communications service shall erase communications content or make that communications content or make communications content or make that electronic communications content or data anonymous after receipt of that data anonymous after receipt data anonymous when it is no make that data anonymous when it electronic communication content by of electronic communication longer necessary for the purpose is no longer necessary for the the intended recipient or recipients. content, when it is no longer of processing in accordance to purpose of processing permitted Such data may be recorded or stored necessary for the provision of article 6 (1) and 6a (1) after receipt under this Regulation. Such data by the end-users or by a third party such service, as requested by the of electronic communication may be recorded or stored by the end- entrusted by them to record, store or intended recipient or recipients content by the intended recipient users or by a third party entrusted by otherwise process such data, in user. Such data may be recorded or or recipients. Such data may be them to record, store or otherwise accordance with Regulation (EU) stored by the end-users or by a third recorded or stored by the end- process such data, in accordance with 2016/679. party entrusted by them to record, users or by a third party entrusted Regulation (EU) 2016/679. store or otherwise process such data. by them to record, store or The user may process the data in otherwise process such data, in accordance with Regulation (EU) accordance with Regulation (EU) 2016/679. 2016/679. 2. Without prejudice to point (b) of 2. Without prejudice to point (b) of 2. Without prejudice to points (b), (c) 2. Without prejudice to point (b) of Article 6(1) and points (a) and (c) of Article 6(1) 6(1b) and points (a) and and (d) of Article 6 (1), points (c), Article 6(1) and points (a) and (c) of Article 6(2), the provider of the (c) of Article 6(2), the provider of the (d), (e), (f), point (g) of Article 6b, Article 6(2), Article 6 (2) the provider electronic communications service electronic communications service Article 6c and points (b) to (g) of of the electronic communications shall erase electronic shall erase electronic Article 8 (1) the provider of the service shall erase electronic communications metadata or make communications metadata or make electronic communications service communications metadata or make that data anonymous when it is no that data anonymous when it is no shall erase electronic that data anonymous when it is no longer needed for the purpose of the longer needed necessary for the communications metadata or make longer needed for the purpose of the transmission of a communication. purpose of the transmission of a that data anonymous when it is no transmission of a providing an communication provision of such longer needed for the purpose of the electronic communication service or service, as requested by the user. transmission of a providing an another purpose permitted under electronic communication service. this Regulation. 3. Where the processing of electronic 3. Where the processing of electronic 3. Where the processing of electronic 3. Where the processing of electronic communications metadata takes communications metadata takes communications metadata takes communications metadata takes place place for the purpose of billing in place for the purpose of billing in place for the purpose of billing in for the purpose of billing in accordance with point (b) of Article accordance with point (b) of Article accordance with point (b) of Article accordance with point (b) of Article 6(2), the relevant metadata may be 6(2), the relevant strictly necessary 6b (1), the relevant metadata may be 6(2), the relevant strictly necessary kept until the end of the period during metadata may be kept until the end of kept until the end of the period during metadata may be kept until the end of which a bill may lawfully be the period during which a bill may which a bill may lawfully be the period during which a bill may challenged or a payment may be lawfully be challenged or a payment challenged, or a payment may be lawfully be challenged or a payment pursued in accordance with national may be pursued in accordance with pursued in accordance with national may be pursued in accordance with law. national law. law. national law.

4. Union or Member state law may Deleted. This legislation is not a law provide that the electronic enforcement instrument and does not communications metadata is have the appropriate legal basis for retained, including under any such measures to be proposed. retention measure that respects Furthermore, the proposed language the essence of the fundamental does not fully take into account the rights and freedoms and is a case law of the CJEU and contradicts necessary and proportionate the objective of this Regulation which measure in a democratic society, is to protect individual’s right to in order to safeguard the privacy. Additionally, introducing this prevention, investigation, provision would lead to considerable detection or prosecution of legal uncertainty as the relationship to criminal offences or the execution data retention exceptions laid down of criminal penalties, and the under Article 11 is unclear. safeguarding against and the prevention of threats to public security, for a limited period. The duration of the retention may be extended if threats to public security of the Union or of a Member State persists. Article 8 - Protection of Article 8 - Protection of Article 8 - Protection of end- Article 8 - Protection of information stored in and related to information transmitted to, stored in, users' terminal equipment information information transmitted to, stored in, end-users’ terminal equipment related to, processed by and stored in and related to end-users’ related to, processed by and collected from end-users’ terminal terminal equipment collected from end-users’ terminal equipment equipment 1. The use of processing and storage 1. The use of processing and storage 1. The use of processing and storage 1. The use of processing and storage capabilities of terminal equipment and capabilities of terminal equipment and capabilities of terminal equipment and capabilities of terminal equipment and the collection of information from end- the collection of information from end- the collection of information from end- the collection of information from end- users’ terminal equipment, including users’ terminal equipment, including users’ terminal equipment, including users’ terminal equipment, including about its software and hardware, about its software and hardware, about its software and hardware, about its software and hardware, other other than by the end-user concerned other than by the end-user concerned other than by the end-user concerned than by the end-user concerned shall shall be prohibited, except on the shall be prohibited, except on the shall be prohibited, except on the be prohibited, except on the following following grounds: following grounds: following grounds: grounds: (a) it is necessary for the sole (a) it is strictly necessary for the (a) it is necessary for the sole (a) it is strictly necessary for the sole purpose of carrying out the sole purpose of carrying out the purpose of providing carrying out purpose of providing carrying out transmission of an electronic transmission of an electronic the transmission an electronic the transmission an electronic communication over an electronic communication over an electronic communication service over an communication service over an communications network; or communications network; or electronic communications electronic communications network; or network; or (b) the end-user has given his or her (b) the end-user has given his or her consent; or specific consent; or (b) the end-user has given his or her (b) the end-user has given his or her (c) it is necessary for providing an consent; or consent; or information society service requested (c) it is strictly technically by the end-user; or necessary for providing an (c) it is strictly necessary for (c) it is strictly technically necessary information society service providing an information society for providing an information society (d) if it is necessary for web audience specifically requested by the end- a service specifically requested by a service specifically requested by measuring, provided that such user; or the end-user; or the end-user; or measurement is carried out by the provider of the information society (d) if it is technically necessary for (d) if it is necessary for the sole (d) if it is technically necessary for service requested by the end-user. web audience measuring the reach purpose of web audience the sole purpose of mere statistical of an information society service measuring, provided that such counting for web audience requested by the user, provided that measurement is carried out by the measuring the reach of an such measurement is carried out by provider of the service requested by information society service the provider of the information the end-user, or by a third party, or requested by the user, provided that: society service requested by the by third parties jointly on behalf of - such measurement is carried out by end-user, or on behalf of the or jointly with provider of the the provider of the information provider, or by a web analytics service requested provided that, society service requested by the agency acting in the public where applicable, the conditions end-user,: interest including for scientific laid down in Articles 26 or 28 of - the processing shall be limited in purpose; that the data is Regulation (EU) 2016/679 are met; time and space to the extent strictly aggregated and the user is given a or necessary for this purpose; possibility to object; and further - that the data is instantly provided that no personal data is aggregated; made accessible to any third party - the data shall be deleted and that such measurement does immediately after the purpose is not adversely affect the fulfilled; fundamental rights of the user; - that such processing does not Where audience measuring takes adversely affect the fundamental place on behalf of an information rights of the user; society service provider, the data - further provided that no personal collected shall be processed only data is made accessible to any for that provider and shall be kept third party; or separate from the data collected in the course of audience measuring on behalf of other providers; or (da) it is necessary to ensure (da) it is necessary to maintain or (e) it is strictly necessary to security, confidentiality, integrity, restore the security of information maintain or restore the security, availability and authenticity of the society services or terminal confidentiality, integrity and terminal equipment of the end- equipment of the end-user, prevent authenticity of the terminal user, by means of updates, for the fraud or prevent or detect equipment of the end-user, prevent duration necessary for that technical faults for the duration fraud or prevent or detect technical purpose, provided that: necessary for that purpose; or (e) faults, including by the means of it is necessary for a software updates and software updates, for (i) this does not in any way update provided that: the duration necessary for that change the functionality of the purpose, provided that: hardware or software or the (i) such update is necessary for privacy settings chosen by the security reasons and does not in (i) such update is necessary for user; any way change the privacy security reasons and does not in settings chosen by the end-user, any way change the privacy (ii) the user is informed in settings chosen by the end-user, advance each time an update is (ii) the end-user is informed in being installed; and advance each time an update is (ii) the end-user is informed in being installed, and advance each time an update is (iii) the user has the possibility to being installed, and postpone or turn off the automatic (iii) the end-user is given the installation of these updates; possibility to postpone or turn off (iii) the end-user is given the the automatic installation of these possibility to postpone or turn off (d b) in the context of employment updates; or the automatic installation of these relationships, it is strictly updates; or technically necessary for the execution of an employee's task, (f) it is necessary to locate terminal (f) it is necessary to locate terminal where: equipment when an end-user equipment when an end-user makes an emergency makes an emergency (i) the employer provides and/or is communication either to the single communication either to the single the user of the terminal European emergency number ‘112’ European emergency number ‘112’ equipment; or a national emergency number, or a national emergency number, in (ii) the employee is the user of the in accordance with Article 13(3). accordance with Article 13(3). terminal equipment; and (iii) it is not further used for (g) where the processing for monitoring the employee. purpose other than that for which Explanation: We oppose the the information has been collected additional language suggested by the under this paragraph is not based Council that would introduce on the end-user's consent or on a measures related to law enforcement Union or Member State law which activities that shall not be covered by constitutes a necessary and this Regulation or would have the proportionate measure in a effect to extend the scope of permitted democratic society to safeguard processing. the objectives referred to in Article 11 the person using processing and storage capabilities or collecting information processed by or emitted by or stored in the end-users’ terminal equipment shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the electronic communications data are initially collected, take into account, inter alia: (i) any link between the purposes for which the processing and storage capabilities have been used or the information have been collected and the purposes of the intended further processing; (ii) the context in which the processing and storage capabilities have been used or the information have been collected, in particular regarding the relationship between end-users concerned and the provider; (iii) the nature the processing and storage capabilities or of the collecting of information as well as the modalities of the intended further processing, in particular where such intended further processing could reveal categories of data, pursuant to Article 9 or 10 of Regulation (EU) 2016/679; (iv) the possible consequences of the intended further processing for end-users; (v) the existence of appropriate safeguards, such as encryption and pseudonymisation. (h) Such further processing in accordance with paragraph 1 (g), if considered compatible, may only take place, provided that: (i) the information is erased or made anonymous as soon as it is no longer needed to fulfil the purpose, (ii) the processing is limited to information that is pseudonymised, and (iii) the information is not used to determine the nature or characteristics of an end-user or to build a profile of an end- user. (i) For the purposes of paragraph 1 (g) and (h), data shall not be shared with any third parties unless the conditions laid down in Article 28 of Regulation (EU) 2016/697 are met, or data is made anonymous. 1a. No user shall be denied 1a. No user shall be denied access access to any information society to any information society service service or functionality, regardless or functionality, regardless of of whether this service is whether this service is remunerated or not, on grounds remunerated or not, on grounds that he or she has not given his or that he or she has not given his or her consent under Article 8(1)(b) to her consent under Articles 8(1)(b) the processing of personal and 8(2)(b) to the processing of information and/or the use of personal information and/or the processing or storage capabilities use of processing or storage of his or her terminal equipment capabilities of his or her terminal that is not necessary for the equipment that is not necessary for provision of that service or the provision of that service or functionality. functionality.

1b. End-users shall be able to express their consent, withdraw consent and, object to the processing of data related to or processed by their terminal equipment via signals which shall be binding on electronic communication services providers. The European Commission shall, by way of delegated acts, develop and approve signals that shall be binding on, and enforceable against, any party. The EDPB shall provide a binding opinion on whether the draft signals, amendment or extension complies with this Regulation and develop relevant guidelines for their use pursuant Article 19(2)(bb).

1c. Hardware and software placed on the market shall, by default, have privacy protective settings activated to prevent other parties than end-users from transmitting to, accessing, or storing information on the terminal equipment and from processing information already stored on or collected from that equipment. Users shall be able to easily modify these settings however service providers shall not nudge end- users to modify settings that would lower end-users’ privacy protection. Design and language dark patterns shall be prohibited.

Explanation: Point 1b could be deleted if similar language is introduced in Article 4a. We provide both options to the legislators. 2. The collection of information 2. The collection if processing of 2. The collection of information 2. The collection processing of emitted by terminal equipment to information emitted by terminal emitted by terminal equipment of the information emitted by terminal enable it to connect to another device equipment to enable it to connect to end-user to enable it to connect to equipment of the end-user to enable and, or to network equipment shall be another device and, or to network another device and, or to network it to connect to another device and, or prohibited, except if: equipment shall be prohibited, except equipment shall be prohibited, except to network equipment shall be if: on the following grounds if: prohibited, except on the following grounds if: (a) it is done exclusively in order to, (a) it is done exclusively in order to, (a) it is done exclusively in order to, (a) it is done exclusively in order to, for for the time necessary for, and for the for the time necessary for, and for the for the time necessary for, and for the the time necessary for, and for the purpose of establishing a connection; sole purpose of establishing a purpose of establishing or sole purpose of establishing or or connection requested by the user; maintaining a connection; or maintaining a connection requested or by the user; or (aa) the user has been informed Deleted. and has given consent; or (ab) the risks are mitigated. (b) a clear and prominent notice is Deleted. (b) the end-user has given (b) the end-user has given consent. displayed informing of, at least, the consent; or modalities of the collection, its purpose, the person responsible for it (c) it is necessary for the purpose and the other information required of statistical purposes that is under Article 13 of Regulation (EU) limited in time and space to the 2016/679 where personal data are extent necessary for this purpose collected, as well as any measure the and the data is made anonymous end-user of the terminal equipment or erased as soon as it is no longer can take to stop or minimise the needed for this purpose, collection. (d) it is necessary for providing a service requested by the end-user. The collection of such information Deleted. Not found. Thecollection processing of such shall be conditional on the application information shall be conditional on the of appropriate technical and application of appropriate technical organisational measures to ensure a and organisational measures to level of security appropriate to the ensure a level of security appropriate risks, as set out in Article 32 of to the risks, as set out in Article 32 of Regulation (EU) 2016/679, have been Regulation (EU) 2016/679, have been applied. applied. 2a. For the purpose of points (d) 2a. For the purpose of paragraph 2 2a. For the purpose of paragraph 1 of paragraph 1 and (ab) of points (b) and (c), a clear and points (b) to (d) and paragraph 2 paragraph 2, the following controls prominent notice is shall be points (b) to (c), a clear and shall be implemented to mitigate displayed informing of, at least, the prominent notice is shall be displayed the risks: modalities of the collection, its including information required under (a) the purpose of the data purpose, the person responsible for it Article 13 of Regulation (EU) 2016/679 collection from the terminal and the other information required where personal data are collected, as equipment shall be restricted to under Article 13 of Regulation (EU) well as any measure the end-user of mere statistical counting; and 2016/679 where personal data are the terminal equipment can take to (b) the processing shall be collected, as well as any measure the prevent the collection. limited in time and space to the end-user of the terminal equipment extent strictly necessary for this can take to stop or minimise the purpose; and collection. (c) the data shall be deleted or anonymised immediately after the purpose is fulfilled; and (d) the users shall be given effective possibilities to object that do not affect the functionality of the terminal equipment. 2b. The information referred to in 2b. For the purpose of paragraph 2 2c. The collection of such information points (aa) and (ab) of paragraph 2 points (b) and (c), the collection of under this Article shall be conditional shall be conveyed in a clear and such information shall be conditional on the application of appropriate prominent notice setting out, at on the application of appropriate technical and organisational measures the least, details of how the technical and organisational to ensure a level of security information will be collected, the measures to ensure a level of security appropriate to the risks, as set out in purpose of processing, the person appropriate to the risks, as set out in Article 32 of Regulation (EU) responsible for it and other Article 32 of Regulation (EU) 2016/679, have been applied. information required under Article 2016/679, have been applied. 13 of Regulation (EU) 2016/679, where personal data are collected. The collection of such information shall be conditional on the application of appropriate technical and organisational measures to ensure a level of security appropriate to the risks, as set out in Article 32 of Regulation (EU) 2016/679. 3. The information to be provided 3. The information to be provided 3. The information to be provided 3. The information to be provided pursuant to point (b) of paragraph 2 pursuant to point (b) of paragraph 2 pursuant to paragraph 2a may be pursuant to point (b) of paragraph 2 may be provided in combination with paragraph 2b may be provided in provided in combination with paragraph 2b may be provided in standardized icons in order to give a combination with standardized icons standardized icons in order to give a combination with standardized icons in meaningful overview of the collection in order to give a meaningful meaningful overview of the collection order to give a meaningful overview of in an easily visible, intelligible and overview of the collection in an easily in an easily visible, intelligible and the collection in an easily visible, clearly legible manner. visible, intelligible and clearly legible clearly legible manner. intelligible and clearly legible manner. manner. 4. The Commission shall be 4. The Commission shall be 4. The Commission shall be 4. The Commission shall be empowered to adopt delegated acts empowered to adopt delegated acts empowered to adopt delegated acts empowered to adopt delegated acts in in accordance with Article 27 in accordance with Article 27 in accordance with Article 25 accordance with Article 25 determining the information to be determining the information to be determining the information to be determining the information to be presented by the standardized icon presented by the standardized icon presented by the standardized icon presented by the standardized icon and the procedures for providing and the procedures for providing and the procedures for providing and the procedures for providing standardized icons. standardized icons. standardized icons. standardized icons. Article 9 - Consent Deleted. See Article 4a. 1. The definition of and conditions for 1. The definition of and conditions for Deleted. See Article 4a. consent provided for under Articles consent provided for under Articles 4(11) and 7 of Regulation (EU) 4(11) and 7 of in Regulation (EU) 2016/679/EU shall apply. 2016/679/EU shall apply. 2. Without prejudice to paragraph 1, 2. Without prejudice to paragraph 1, Deleted. See Article 4a. where technically possible and where technically possible and feasible, for the purposes of point (b) feasible, for the purposes of point (b) of Article 8(1), consent may be of Article 8(1), consent may be expressed by using the appropriate expressed or withdrawn by using technical settings of a software the appropriate technical settings application enabling access to the of a specifications for electronic internet. communications services or information society services which allow for specific consent for specific purposes and with regard to specific service providers actively selected by the user in each case, pursuant to paragraph 1. When such technical specifications are used by the user's terminal equipment or the software application enabling access to the internet running on it, they may signal the user's choice based on previous active selections by him or her. These signals shall be binding on, and enforceable against, any other party. 3. End-users who have consented to 3. End-users who have consented Deleted. See Article 4a. the processing of electronic to the processing of electronic communications data as set out in communications data as set out in point (c) of Article 6(2) and points (a) point (c) of Article 6(2) and points (a) and (b) of Article 6(3) shall be given and (b) of Article 6(3), point (b) of the possibility to withdraw their Article 8(1) and point (aa) of Article consent at any time as set forth under 8(2) shall be given the possibility to Article 7(3) of Regulation (EU) withdraw their consent at any time as 2016/679 and be reminded of this set forth under Article 7(3) of possibility at periodic intervals of Regulation (EU) 2016/679 and be 6 months, as long as the processing reminded of this possibility at continues. periodic intervals of 6 months, as long as the processing continues. 3 a. Any processing based on See Article 4a. consent must not adversely affect the rights and freedoms of individuals whose personal data are related to or transmitted by the communication, in particular their rights to privacy and the protection of personal data. Article 10 - Information and Article 10 - Information and Deleted. Now covered under Article 8, in options for privacy settings to be options for privacy settings to be particular 8.1b and 8.1c to develop provided provided measures laid down in corresponding recitals by all three institutions. 1. Software placed on the market 1. Software placed on the market Deleted. Now covered under Article 8, in permitting electronic communications, permitting electronic communications, particular 8.1b and 8.1c to develop including the retrieval and including the retrieval and measures laid down in corresponding presentation of information on the presentation of information on the recitals by all three institutions. internet, shall offer the option to internet, shall offer the option to prevent third parties from storing prevent third parties from storing information on the terminal equipment information on the terminal of an end-user or processing equipment of an end-user or information already stored on that processing information already equipment. stored on that equipment: (a) by default, have privacy protective settings activated to prevent other parties from transmitting to or storing information on the terminal equipment of a user and from processing information already stored on or collected from that equipment, except for the purposes laid down by Article 8(1), points (a) and (c);

(b) upon installation, inform and offer the user the possibility to change or confirm the privacy settings options defined in point (a) by requiring the user's consent to a setting and offer the option to prevent other parties from processing information transmitted to, already stored on or collected from the terminal equipment for the purposes laid down by Article 8(1) points (a), (c), (d) and (da);

(c) offer the user the possibility to express specific consent through the settings after the installation of the software. 2. Upon installation, the software 2. Upon installation, the software Deleted. Now covered under Article 8, in shall inform the end-user about the shall inform the end-user about particular 8.1b and 8.1c to develop privacy settings options and, to the privacy settings options and, measures laid down in corresponding continue with the installation, require to continue with the installation, recitals by all three institutions. the end-user to consent to a setting. require the end-user to consent to a setting. Before the first use of the software, the software shall inform the user about the privacy settings and the available granular setting options according to the information society service accessed. These settings shall be easily accessible during the use of the software and presented in a manner that gives the user the possibility for making an informed decision. 1a. For the purpose of.: Now covered under Article 8, in particular 8.1b and 8.1c to develop (a) points (a) and (b) of paragraph measures laid down in corresponding 1, recitals by all three institutions.

(b) giving or withdrawing consent pursuant to Article 9(2) of this Regulation, and

(c) objecting to the processing of personal data pursuant to Article 21(5) of Regulation (EU) 2017/679, the settings shall lead to a signal based on technical specifications which is sent to the other parties to inform them about the user's intentions with regard to consent or objection. This signal shall be legally valid and be binding on, and enforceable against, any other party. 1b. In accordance with Article 9 Now covered under Article 8, in paragraph 2, such software shall particular 8.1b and 8.1c to develop ensure that a specific information measures laid down in corresponding society service may allow the user recitals by all three institutions. to express specific consent. A specific consent given by a user pursuant to point (b) of Article 8(1) shall prevail over the existing privacy settings for that particular information society service. Without prejudice to paragraph 1, where a specified technology has been authorised by the data protection board for the purposes of point (b) of Article 8(1), consent may be expressed or withdrawn at any time both from within the terminal equipment and by using procedures provided by the specific information society service. 3. In the case of software which has 3. In the case of software which has Deleted. Now covered under Article 8, in already been installed on 25 May already been installed on 25 May particular 8.1b and 8.1c to develop 2018, the requirements under 2018, [xx.xx.xxxx], the requirements measures laid down in corresponding paragraphs 1 and 2 shall be complied under paragraphs 1, 1a and 2 1b recitals by all three institutions. with at the time of the first update of shall be complied with at the time of the software, but no later than 25 the first update of the software, but no August 2018. later than 25 August 2018 six months after [the date of entry into force of this Regulation]. Article 11 - Restrictions Deleted. Article 11 - Restrictions Article 11 - Restrictions 1. Union or Member State law may Deleted. 1. Union or Member State law may 1. Union or Member State law in line restrict by way of a legislative restrict by way of a legislative with Union law may restrict by way of measure the scope of the obligations measure the scope of the obligations a legislative measure the scope of the and rights provided for in Articles 5 to and rights provided for in Articles 5 to obligations and rights provided for in 8 where such a restriction respects 8 where such a restriction respects Articles 5 6 to 8 where such a the essence of the fundamental rights the essence of the fundamental rights restriction respects the essence of the and freedoms and is a necessary, and freedoms and is a necessary, fundamental rights and freedoms and appropriate and proportionate appropriate and proportionate is a necessary, appropriate and measure in a democratic society to measure in a democratic society to proportionate measure in a democratic safeguard one or more of the general safeguard one or more of the general society to safeguard one or more of public interests referred to in Article public interests referred to in Article the general public interests referred to 23(1)(a) to (e) of Regulation (EU) 23(1) (c) to (e), (i) and (j) of in Article 23(1)(a) to (e) (d) of 2016/679 or a monitoring, inspection Regulation (EU) 2016/679 or a Regulation (EU) 2016/679 or a or regulatory function connected to monitoring, inspection or regulatory monitoring, inspection or the exercise of official authority for function connected to the exercise of regulatory function connected to such interests. official authority for such interests. the exercise of official authority for 1a. Article 23 (2) of Regulation (EU) such interests. 2016/679 shall apply to any legislative measures referred to in 1a. Union or Member State law in paragraph 1. line with Union law may restrict by way of a legislative measure the scope of the rights provided for in Article 5 where such a restriction fully respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the following general public interests: (a) national security; (b) defence; (c) public security; (d) the prevention, investigation, detection or prosecution of serious criminal offences, unauthorised use of electronic communication systems or the execution of criminal penalties, including the safeguarding against and the prevention of serious and immediate threats to public security.

1b. In particular, any legislative measure referred to in paragraphs 1 and 1a shall contain specific provisions at least, where relevant, pursuant to Article 23(2) of Regulation (EU) 2016/679. 2. Providers of electronic Deleted. 2. Providers of electronic 2. Providers of electronic communications services shall communications services shall communications services shall establish internal procedures for establish internal procedures for establish internal procedures for responding to requests for access to responding to requests for access to responding to requests for access to end-users’ electronic communications end-users’ electronic communications end-users’ electronic communications data based on a legislative measure data based on a legislative measure data based on a legislative measure adopted pursuant to paragraph 1. adopted pursuant to paragraph 1. adopted pursuant to paragraph 1. They shall provide the competent They shall provide the competent They shall provide the competent supervisory authority, on demand, supervisory authority, on demand, supervisory authority, on demand, with information about those with information about those with information about those procedures, the number of requests procedures, the number of requests procedures, the number of received, the legal justification received, the legal justification requests received, the legal invoked and their response. invoked and their response. justification invoked and their response.

Explanation: The second part of the article is covered under Article 11b. Article 11a - Restrictions on See above, part of content moved to the rights of the user Article 11. 1. Union or Member State law to See above, part of content moved to which the provider is subject may Article 11. restrict by way of a legislative measure the scope of the obligations and principles relating to processing of electronic communications data provided for in Articles 6, 7 and 8 of this Regulation in so far as its provisions correspond to the rights and obligations provided for in Regulation (EU) 2016/679, when such a restriction fully respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests referred to in Article 23(1) (a) to (d) of Regulation (EU) 2016/679.

2. In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, pursuant to Article 23(2) of Regulation (EU) 2016/679. Article 11b - Restrictions on See above, part of content moved to confidentiality of communications Article 11. Union or Member State law may See above, part of content moved to restrict by way of a legislative Article 11. measure the scope of the rights provided for in Article 5 where such a restriction fully respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the following general public interests: (a) national security; (b) defence; (c) public security; (d) the prevention, investigation, detection or prosecution of serious criminal offences, unauthorised use of electronic communication systems or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

2. In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, pursuant to Article 23(2) of Regulation (EU) 2016/679. Article 11 c - Article 11 c - Documentation Documentation and reporting of and reporting of restrictions restrictions 1. Providers of electronic 1. Providers of electronic communications services shall communications services shall keep documentation about keep documentation about requests made by competent requests made by authorities to authorities to access access communications content or communications content or metadata pursuant to Article metadata pursuant to Article 11.This documentation shall 11b(2).This documentation shall include for each request: include for each request: (a) the identity of the body making (a) the in-house staff member who the request; handled the request; (b) the purpose for which the (b) the identity of the body making information was sought; the request; (c) the date and time of the request; (c) the purpose for which the (d) the legal basis and authority for information was sought; the request; (d) the date and time of the (e) the judicial authorisation of the request; request; (e) the legal basis and authority for (f) the number of users to whose the request, including the identity data the request related; and status or function of the (g) the type of data provided to the official submitting the request; requesting authority; and (f) the judicial authorisation of the (h) the period covered by the data. request; The documentation shall be made (g) the number of users to whose available to the competent data the request related; supervisory authority upon (h) the data provided to the request. requesting authority; and (i) the period covered by the data. 2. Providers of electronic The documentation shall be made communications services shall available to the competent publish once per year a report with supervisory authority upon statistical information about data request. access requests by law enforcement authorities pursuant 2. Providers of electronic to Article. communications services shall The report shall include, at least: publish once per year a report with statistical information about data (a) the number of requests; access requests by law (b) the categories of purposes for enforcement authorities pursuant the request; to Articles 11a and 11b. The report (c) the categories of data shall include, at least: requested; (d) the legal basis and authority for (a) the number of requests; the request; (b) the categories of purposes for (e) the number of users to whose the request; data the request related; (c) the categories of data (f) the period covered by the data; requested; (g) the number of negative and (d) the legal basis and authority for positive responses to those the request; requests. (e) the number of users to whose The report will make sure to data the request related; differentiate each entity of the (f) the period covered by the data; group to which the provider may (g) the number of negative and belong. positive responses to those requests. 3. Member States' public authorities shall publish once per 3. Member States' competent year a report with statistical authorities shall publish once per information per month about data year a report with statistical access requests pursuant to Article information per month about data 11, including requests that were access requests pursuant to not authorised by a judge, Articles 11a and 11b, including including, but not limited to, the requests that were not authorised following points: by a judge, including, but not limited to, the following points: (a) the number of requests; (b) the categories of purposes for (a) the number of requests; the request; (b) the categories of purposes for (c) the categories of data the request; requested; (c) the categories of data (d) the legal basis and authority for requested; the request; (d) the legal basis and authority for (e) the number of users to whose the request; data the request related; (e) the number of users to whose (f) the period covered by the data; data the request related; (g) the number of negative and (f) the period covered by the data; positive responses to those (g) the number of negative and requests. positive responses to those The reports shall also contain requests. statistical information per month The reports shall also contain about any other restrictions statistical information per month pursuant to Article 11. about any other restrictions pursuant to Articles 11a and 11b. CHAPTER III - NATURAL CHAPTER III - NATURAL CHAPTER III NATURAL We do not provide comments on this AND LEGAL PERSONS' RIGHTS AND LEGAL PERSONS' RIGHTS AND LEGAL PERSONS' END- chapter which falls outside our scope TO CONTROL ELECTRONIC TO CONTROL ELECTRONIC USERS' RIGHTS TO CONTROL of work, with the exception of Article COMMUNICATIONS COMMUNICATIONS ELECTRONIC 17. COMMUNICATIONS Article 12 - Presentation and restriction of calling and connected line identification 1.Where presentation of the calling 1.Where presentation of the calling 1. Where presentation of the calling No comment and connected line identification is and connected line identification is and connected line identification is offered in accordance with Article offered in accordance with Article offered in accordance with Article [107] of the [Directive establishing the [107] of the [Directive establishing the [115] of the Directive (EU) 2018/1972, European Electronic Communication European Electronic Communication the providers of number-based Code], the providers of publicly Code], the providers of publicly interpersonal communications available number-based interpersonal available number-based interpersonal services shall provide the following: communications services shall communications services shall (a) the calling end-user with the provide the following: provide the following: possibility of preventing the (a)the calling end-user with the (a)the calling end-user with the presentation of the calling line possibility of preventing the possibility of preventing the identification on a per call, per presentation of the calling line presentation of the calling line connection or permanent basis; identification on a per call, per identification on a per call, per (b) the called end-user with the connection or permanent basis; connection or permanent basis; possibility of preventing the (b)the called end-user with the (b)the called end-user with the presentation of the calling line possibility of preventing the possibility of preventing the identification of incoming calls; presentation of the calling line presentation of the calling line (c) the called end-user with the identification of incoming calls; identification of incoming calls; possibility of rejecting incoming calls (c)the called end-user with the (c)the called end-user with the where the presentation of the calling possibility of rejecting incoming calls possibility of rejecting incoming calls line identification has been prevented where the presentation of the calling where the presentation of the calling by the calling end-user; line identification has been prevented line identification has been prevented (d) the called end-user with the by the calling end-user; by the calling end-user; possibility of preventing the (d)the called end-user with the (d)the called end-user with the presentation of the connected line possibility of preventing the possibility of preventing the identification to which the calling end- presentation of the connected line presentation of the connected line user is connected. identification to the calling end-user. identification to the calling end-user. 2. The possibilities referred to in 2. The possibilities referred to in 2. The possibilities referred to in No comment points (a), (b), (c) and (d) of points (a), (b), (c) and (d) of paragraph 1 shall be provided to end- paragraph 1 shall be provided to end- paragraph 1 shall be provided to end- users by simple means and free of users by simple means and free of users by simple means and free of charge. charge. charge. 3. Point (a) of paragraph 1 shall also 3. Point (a) of paragraph 1 shall also 3. Point (a) of paragraph 1 shall also No comment apply with regard to calls to third apply with regard to calls to third apply with regard to calls to third countries originating in the Union. countries originating in the Union. countries originating in the Union. Points (b), (c) and (d) of paragraph 1 Points (b), (c) and (d) of paragraph 1 Points (b), (c) and (d) of paragraph 1 shall also apply to incoming calls shall also apply to incoming calls shall also apply to incoming calls originating in third countries. originating in third countries. originating in third countries. 4. Where presentation of calling or 4. Where presentation of calling or 4. Where presentation of calling or No comment connected line identification is connected line identification is connected line identification is offered, providers of publicly available offered, providers of publicly available offered, providers of number-based number-based interpersonal number-based interpersonal interpersonal communications communications services shall communications services shall services shall provide information to provide information to the public provide information to the public the public regarding the options set regarding the options set out in points regarding the options set out in points out in paragraph 1 and the (a), (b), (c) and (d) of (a), (b), (c) and (d) of exceptions set forth in Article 13. paragraph 1. paragraph 1. Article 13 -Exceptions to Article 13 - Exceptions to Article 13 - Exceptions to No comment presentation and restriction of presentation and restriction of presentation and restriction of calling calling and connected line calling and connected line and connected line identification in identification identification relation to emergency communications 1. Regardless of whether the calling 1. Regardless of whether the calling 1. Regardless of whether the calling No comment end-user has prevented the end-user has prevented the end-user has prevented the presentation of the calling line presentation of the calling line presentation of the calling line identification, where a call is made to identification, where a call is made to identification, where emergency emergency services, providers of emergency services, providers of communications are made to publicly available number-based publicly available number-based emergency services, providers of interpersonal communications interpersonal communications number-based interpersonal services shall override the elimination services shall override the elimination communications services shall of the presentation of the calling line of the presentation of the calling line override the elimination of the identification and the denial or identification and the denial or presentation of the calling line absence of consent of an end-user absence of consent of an end-user identification and the denial or for the processing of metadata, on a for the processing of metadata, on a absence of consent of an end-user for per-line basis for organisations per-line basis for organisations the processing of metadata, on a per- dealing with emergency dealing with emergency line basis for organisations dealing communications, including public communications, including public with emergency communications, safety answering points, for the safety answering points, for the including public safety answering purpose of responding to such purpose of responding to such points, for the purpose of responding communications. communications to such communications. 1a. Regardless whether the called No comment end-user rejects incoming calls where the presentation of the calling line identification has been prevented by the calling end-user, providers of number-based interpersonal communications services shall override this choice, where technically possible, when the calling end-user is an organisation dealing with emergency communications, including public safety answering points, for the purpose of responding to such communications. 2. Member States shall establish 2. Member States The Deleted. No comment more specific provisions with regard Commission shall establish more to the establishment of procedures specific provisions be empowered and the circumstances where to adopt implementing measures providers of publicly available in accordance with Article 26(1) number-based interpersonal with regard to the establishment of communication services shall procedures and the circumstances override the elimination of the where providers of publicly available presentation of the calling line number-based interpersonal identification on a temporary basis, communication services shall where end-users request the tracing override the elimination of the of malicious or nuisance calls. presentation of the calling line identification on a temporary basis, where end-users request the tracing of malicious or nuisance calls. 3. Notwithstanding Article 8(1), No comment regardless of whether the end-user has prevented access to the terminal equipment’s Global Navigation Satellite Systems (GNSS) capabilities or other types of terminal equipment based location data through the terminal equipment settings, when a call is made to emergency services, such settings may not prevent access to GNSS such location data to determine and provide the caller calling end-user's location to emergency services an organisation dealing with emergency communications, including public safety answering points, for the purpose of responding to such calls. Article 14 - Incoming call Article 14 - Incoming call Article 14 - Incoming call No comment blocking blocking Blocking Unwanted, malicious or nuisance calls Providers of publicly available Providers of publicly available 1. Providers of number-based No comment number-based interpersonal number-based interpersonal interpersonal communications communications services shall deploy communications services shall services shall deploy state of the art state of the art measures to limit the deploy state of the art measures to measures to limit the reception of reception of unwanted calls by end- limit the reception of unwanted unwanted, malicious or nuisance users and shall also provide the calls by end-users and shall also calls by end-users. called end-user with the following provide the called end-user with the 1a. Member States shall establish possibilities, free of charge: following possibilities, free of charge: more specific provisions with (a) to block incoming calls from (a) to block incoming calls from regard to the establishment of specific numbers or from anonymous specific numbers, or numbers transparent procedures and the sources; having a specific code or prefix circumstances where providers of (b) to stop automatic call forwarding identifying the fact that the call is a number-based interpersonal by a third party to the end-user's marketing call referred to in Article communication services shall terminal equipment. 16(3)(b), or from anonymous override, or otherwise address, the sources; elimination of the presentation of (b) to stop automatic call forwarding the calling line identification on a by a third party to the end-user's temporary basis, where end-users terminal equipment. request the tracing of unwanted, malicious or nuisance calls. 2. Providers of number-based interpersonal communications services shall also provide the called end-user with the following possibilities, free of charge: (a) to block, where technically feasible, incoming calls from specific numbers or from anonymous sources or from numbers using a specific code or prefix referred to in Article 16(3a); and (b) to stop automatic call forwarding by a third party to the end-user's terminal equipment. Article 15 - Publicly available directories 1. The providers of publicly available 1. The Without prejudice to 1. The providers of number-based No comment directories shall obtain the consent of Articles 12 to 22 of Regulation (EU) interpersonal communications end-users who are natural persons to 2016/679, the electronic services shall obtain the consent of include their personal data in the communication services providers end-users who are natural persons directory and, consequently, shall of publicly available directories to include their personal data in obtain consent from these end-users shall obtain the consent of end-users the directory and for inclusion of for inclusion of data per category of who are natural persons to include such data per category of personal personal data, to the extent that such their personal data in the publicly data, to the extent that such data are data are relevant for the purpose of available directory and, relevant for the purpose of the the directory as determined by the consequently, shall obtain consent directory as determined by the provider of the directory. Providers from these end-users for inclusion of provider of the directory. shall give end-users who are natural data per category of personal data, to 1aa. Notwithstanding paragraph 1, persons the means to verify, correct the extent that such data are relevant Member States may provide by law and delete such data. for the purpose of the directory as that the inclusion of personal data determined by the provider of the of an end-user who is a natural directory. Electronic person in a publicly available communication service providers directory can take place provided shall give end-users who are that he end-user who is a natural natural persons the means to verify, person shall have the right to correct, update, supplement and object to such inclusion. delete such data. When electronic communication service providers obtain consent of users, they shall make users' data available for public directory providers in an immediate, non-discriminatory and fair manner. 2. The providers of a publicly 2. The providers of a publicly 2. The providers of number-based No comment available directory shall inform end- available directory shall inform end- interpersonal communications users who are natural persons whose users who are natural persons services shall inform end-users who personal data are in the directory of whose personal data are in the are natural persons whose personal the available search functions of the directory of the available search data are in the directory of any directory and obtain end-users’ functions of the directory and obtain search functions that is not based consent before enabling such search end-users’ consent before on name or number in the directory functions related to their own data. enabling provide the users the and obtain the consent of end-users’ option to disable such search before enabling such search functions functions related to their own data. related to their own data. 3. The providers of publicly available 3. The electronic communication 3. The providers of number-based No comment directories shall provide end-users service providers of publicly interpersonal communications that are legal persons with the available directories shall provide services shall provide end-users that possibility to object to data related to end-users that are legal persons with are legal persons with the possibility them being included in the directory. the possibility to object to data related to object to data related to them being Providers shall give such end-users to them being included in the included in the directory. that are legal persons the means to directory. Electronic 3a. The providers of number-based verify, correct and delete such data. communication service providers interpersonal communications shall give such end-users that are services shall give end-users the legal persons the means to verify, means to verify, correct and delete correct and delete such data. For the data included in a publicly purposes of this Article, natural available directory. persons acting in a professional 3aa. Notwithstanding paragraphs capacity, such as independent 1aa to 3a, Member States may professionals, operators of small provide by law that the businesses or freelancers, shall be requirements under those equated with legal persons, as paragraphs apply to providers of regards their data related to their publicly available directories, in professional capacity. addition to or instead of, providers of number-based interpersonal communications services. 4. The possibility for end-users not to 4. Without prejudice to Article 4. The possibility for end-users not to No comment be included in a publicly available 12(5) of Regulation (EU) 2016/679, be included in a publicly available directory, or to verify, correct and the information to the users and directory, or to verify, correct and delete any data related to them shall the possibility for end-users not to delete any data related to them shall be provided free of charge. be included in a publicly available be provided free of charge. directory, or to verify, correct, update, supplement and delete any data related to them shall be provided free of charge and in an easily accessible manner by the electronic communication services providers. 4 a. Where the personal data of 4a. Where the personal data of the No comment the users of number- based end-users of number based interpersonal communications interpersonal communications services have been included in a services have been included in a publicly available directory before publicly available directory before this Regulation enters into force, this Regulation enters into force, the personal data of such users the personal data of such end- may remain included in a publicly users may remain included in a available directory, including publicly available directory, versions with search functions, including version with search unless the users have expressed functions, unless the end-users their objection against their data have expressed their objection being included in the directory or against their data being included in against available search functions the directory or against the use of related to their data. available search functions related to their data. Article 16 - Unsolicited Article 16 - Unsolicited Article 16 - Unsolicited and No comment communications communications direct marketing communications 1. Natural or legal persons may use 1. The use by natural or legal 1. Natural or legal persons shall be No comment electronic communications services persons may use of electronic prohibited from using electronic for the purposes of sending direct communications services, communications services for the marketing communications to end- including automated calling, purposes of sending direct marketing users who are natural persons that communications systems, semi- communications to end-users who have given their consent. automated systems that connect are natural persons unless they have the call person to an individual, given their prior consent. faxes, e-mail or other use of electronic communications services for the purposes of presenting or sending direct marketing communications to end-users who are natural persons that users, shall be allowed only in respect of users who have given their prior consent. 2. Where a natural or legal person 2. Where a natural or legal person 2. Notwithstanding paragraph 1, No comment obtains electronic contact details for obtains electronic contact details for where a natural or legal person electronic mail from its customer, in electronic mail from its customer, in obtains contact details for electronic the context of the sale of a product or the context of the sale of a product or message from end-users who are a service, in accordance with a service, in accordance with natural persons, in the context of the Regulation (EU) 2016/679, that Regulation (EU) 2016/679, that purchase of a product or a service, in natural or legal person may use these natural or legal person may use these accordance with Regulation (EU) electronic contact details for direct electronic contact details for direct 2016/679, that natural or legal person marketing of its own similar products marketing of its own similar products may use these contact details for or services only if customers are or services only if customers are direct marketing of its own similar clearly and distinctly given the clearly and distinctly given the products or services only if such end- opportunity to object, free of charge opportunity to object, free of charge users are clearly and distinctly given and in an easy manner, to such use. and in an easy manner, to such use. the opportunity to object, free of The right to object shall be given at The customer shall be informed charge and in an easy manner, to the time of collection and each time a about the right to object and shall be such use. The right to object shall be message is sent. given an easy way to exercise it at given at the time of collection of such the time of collection and each time a end-users' contact details and, if message is sent. that end-user has not initially refused that use, each time when a natural or legal persons sends a message to that end-user for the purpose of such direct marketing. 2a. Member States may provide by No comment law a set period of time, after the sale of the product or service occurred, within which a natural or legal person may use contact details of the end-user who is a natural person for direct marketing purposes, as provided for in paragraph. 3. Without prejudice to paragraphs 1 3. Without prejudice to paragraphs 1 3. Without prejudice to paragraphs 1 No comment and 2, natural or legal persons using and 2, natural or legal persons using and 2, natural or legal persons using electronic communications services electronic communications services electronic communications services for the purposes of placing direct for the purposes of placing direct for the purposes of placing direct marketing calls shall: marketing calls shall: marketing calls shall present the (a)present the identity of a line on (a)present the identity of a line on calling line identification assigned which they can be contacted; or which they can be contacted; or to them. (b)present a specific code/or prefix (b)present a specific code/or prefix identifying the fact that the call is a identifying the fact that the call is a marketing call. marketing call. 3 a. The masking of the identity 3a. Member States may require No comment and the use of false identities, natural or legal person using false return addresses or numbers electronic communications while sending unsolicited services for the purposes of communications for direct placing direct marketing calls to marketing purposes is prohibited. present a specific code or prefix identifying the fact that the call is a direct marketing call in addition to the obligation set out in paragraph 3. Member State requiring the use of such a specific code or prefix shall make it available for the natural or legal persons who use electronic communications services for the purposes of direct marketing calls. 4. Notwithstanding paragraph 1, 4. Notwithstanding paragraph 1, 4. Notwithstanding paragraph 1, No comment Member States may provide by law Member States may provide by law Member States may provide by law that the placing of direct marketing that the placing of direct marketing that the placing of direct marketing voice-to-voice calls to end-users who voice-to-voice calls to end-users voice-to-voice calls to end-users who are natural persons shall only be who are natural persons shall only are natural persons shall only be allowed in respect of end-users who be allowed in respect of end-users allowed in respect of end-users who are natural persons who have not who are natural persons who have are natural persons who have not expressed their objection to receiving not expressed their objection to expressed their objection to receiving those communications. receiving those communications. those communications. Member States shall provide that users can object to receiving the direct marketing voice-to-voice calls via a Do Not Call Register, thereby also ensuring that the user needs to opt- out only once. 5. Member States shall ensure, in the 5. Member States shall ensure, in the 5. Member States shall ensure, in the No comment framework of Union law and framework of Union law and framework of Union law and applicable national law, that the applicable national law, that the applicable national law, that the legitimate interest of end-users that legitimate interest of end-users that legitimate interest of end-users that are legal persons with regard to are legal persons with regard to are legal persons with regard to unsolicited communications sent by unsolicited communications sent by direct marketing communications means set forth under paragraph 1 means set forth under paragraph 1 sent by means set forth under are sufficiently protected. are sufficiently protected. paragraph 1 are sufficiently protected. 6. Any natural or legal person using 6. Any natural or legal person using 6. Any natural or legal person using No comment electronic communications services electronic communications services electronic communications services to to transmit direct marketing to transmit direct marketing send direct marketing communications shall inform end- communications shall inform end- communications shall, each time a users of the marketing nature of the users of the marketing nature of the direct marketing communication is communication and the identity of the communication and the identity of the sent: legal or natural person on behalf of legal or natural person on behalf of (a) reveal his or its identity and use whom the communication is whom the communication is effective return addresses or transmitted and shall provide the transmitted and shall provide the numbers; necessary information for recipients necessary information for recipients (b) inform end-users of the marketing to exercise their right to withdraw to exercise their right to withdraw nature of the communication and the their consent, in an easy manner, to their consent, in an easy manner and identity and contact details of the receiving further marketing free of charge, to receiving further legal or natural person on behalf of communications. marketing communications. whom the direct marketing communication is sent; (c) (d) clearly and distinctly give the end-users who are natural persons a means to object or to withdraw their consent, free of charge, at any time, and in an easy and effective manner, to receiving further direct marketing communications, and shall provide the necessary information to this end. This means shall also be given at the time of collection of the contact details according to paragraph 2. It shall be as easy to withdraw as to give consent. 7. The Commission shall be 7. The Commission shall be Deleted No comment empowered to adopt implementing empowered to adopt implementing measures in accordance with Article measures in accordance with Article 26(2) specifying the code/or prefix to 26(2) 26(1) specifying the code/or identify marketing calls, pursuant to prefix to identify marketing calls, point (b) of paragraph 3. pursuant to point (b) of paragraph 3. Article 17 - Information about Article 17 - Information about Deleted Article 17 - Information about detected security risks detected security risks detected security risks In the case of a particular risk that (1) In the case of a particular risk Deleted 1. In the case of a particular risk that may compromise the security of that may compromise the security may compromise the security of networks and electronic of networks and Providers of the networks and electronic communications services, the provider of an electronic communications services, hardware provider of an electronic communications services shall or software, the provider of an communications service shall inform inform end-users concerning such electronic communications service end-users concerning such risk and, risk and, where the risk lies shall inform end-users concerning where the risk lies outside the scope outside the scope of the such risk and, where the risk lies of the measures to be taken by the measures to be taken by the outside the scope of the measures to service provider, inform end-users of service provider, inform end-users be taken by the service provider, any possible remedies, including an of any possible remedies, inform end-users of any possible indication of the likely costs involved. including an indication of the likely remedies, including an indication of costs involved. comply with the the likely costs involved. Providers of security obligations as prescribed electronic communications Regulation (EU) 2016/679 and services shall also comply with the [European Electronic security obligations prescribed Communications Code]. As regards under Regulation (EU) 2016/679. the security of networks and services and related security obligations, the obligations of Article 40 of the [European Electronic Communications Code] shall apply mutatis mutandis to all services in the scope of this Regulation. This Article shall be without prejudice to the obligations provided for in Articles 32 to 34 of Regulation (EU) 2016/679 and the obligations provided for in Directive (EU) 2016/1148. (1a) Providers of electronic (1a) Providers of electronic communications services shall communications services shall ensure that there is sufficient ensure that there is sufficient protection in place against protection in place against unauthorised access or alterations unauthorised access or alterations to the electronic communications to the electronic communications data, and that the confidentiality data, and that the confidentiality and integrity of the communication and integrity of the communication in transmission or stored are also data in transmission or stored are guaranteed by technical measures also guaranteed by technical according to the state of the art, measures according to the state of such as cryptographic methods the art, such as cryptographic including end-to-end encryption of methods including end-to-end the electronic communications encryption of the electronic data. When encryption of communications data. When electronic communications data is encryption of electronic used, decryption by anybody else communications data is used, than the user shall be prohibited. decryption by anybody else than Notwithstanding Articles 11a and the concerned end-user shall be 11b of this Regulation, member prohibited. Notwithstanding Article States shall not impose any 11 of this Regulation, member obligations on electronic States shall not impose any communications service providers obligations on electronic or software manufacturers that communications service providers would result in the weakening of or software manufacturers that the confidentiality and integrity of would result in the weakening of their networks and services or the the confidentiality and integrity of terminal equipment, including the their networks and services or the encryption methods used. terminal equipment, including the encryption methods used. (1b) Providers of electronic (1b) Providers of electronic communications services, communications services, providers of information society providers of information society services, and manufacturers of services, and manufacturers of software permitting the retrieval software permitting the retrieval and presentation of information on and presentation of information on the internet shall not use any the internet shall not use any means, no matter if technical, means, no matter if technical, operational, or by terms of use or operational, or by terms of use or by contracts, that could prevent by contracts, that could prevent users and subscribers from users and subscribers from applying the best available applying the best available techniques against intrusions and techniques against intrusions and interceptions and to secure their interceptions and to secure their networks, terminal equipment and networks, terminal equipment and electronic communications. electronic communications. Notwithstanding Articles 11a and 11b of this Regulation, breaking, decrypting, restricting or circumventing such measure taken by users or subscribers shall be prohibited. (1c) In the case of a particular risk Deleted, covered under point 1. that may compromise the security of networks, electronic communications services, information society services or software, the relevant provider or manufacturer shall inform all subscribers of such a risk and, where the risk lies outside the scope of the measures to be taken by the service provider, inform subscribers of any possible remedies. It shall also inform the relevant manufacturer and service provider. CHAPTER IV - INDEPENDENT SUPERVISORY AUTHORITIES AND ENFORCEMENT Article 18 - Independent Article 18 - Independent Article 18 - Independent Article 18 - Independent supervisory authorities supervisory authorities Supervisory authorities supervisory authorities 0. Each Member State shall We suggest deleting the Council provide for one or more proposal. independent public authorities meeting the requirements set out in Articles 51 to 54 of Regulation (EU) 2016/679 to be responsible for monitoring the application of this Regulation. Member States may entrust the monitoring of the application of Articles 12 to 16 to the supervisory authority or authorities referred to in the previous subparagraph or to another supervisory authority or authorities having the appropriate expertise. 1. The independent supervisory 1. The independent supervisory Deleted. 1. The independent supervisory authority or authorities responsible for authority or authorities responsible for authority or authorities responsible for monitoring the application of monitoring the application of monitoring the application of Regulation (EU) 2016/679 shall also Regulation (EU) 2016/679 shall also Regulation (EU) 2016/679 shall also be responsible for monitoring the be responsible for monitoring the be responsible for monitoring the application of this Regulation. application of this Regulation. application of this Regulation. Chapter VI and VII of Regulation (EU) Chapter VI and VII of Regulation (EU) Chapter VI and VII of Regulation 2016/679 shall apply mutatis 2016/679 shall apply mutatis (EU) 2016/679 shall apply mutatis mutandis. The tasks and powers of mutandis. Where Regulation (EU) mutandis. The tasks and powers of the supervisory authorities shall be 2016/679 refers to data subjects, the supervisory authorities shall be exercised with regard to end-users. the tasks and powers of the exercised with regard to end-users. supervisory authorities shall be exercised with regard to end-users under this Regulation. Where Explanation: We suggest this partial Regulation (EU) 2016/679 refers to deletion as we provide clarification in data controllers, the tasks and the following points. powers of the supervisory authorities shall be exercised with regard to providers of electronic communications services and information society services, and manufacturers of software under this Regulation. 1ab. The supervisory authorities 1a. Chapter VI and VII of Regulation shall have investigative and (EU) 2016/679 shall apply mutatis corrective powers, including the mutandis. Where Regulation (EU) power to impose administrative 2016/679 refers to data subjects, the fines pursuant to article 23. tasks and powers of the supervisory 1b. Where more than one authorities shall be exercised with supervisory authority is regard to end-users under this responsible for monitoring the Regulation. Where Regulation (EU) application of this Regulation in a 2016/679 refers to data controllers Member State, such authorities and processors, the tasks and shall cooperate with each other to powers of the supervisory the extent necessary to perform authorities shall be exercised with their tasks. regard to providers of electronic communications services and information society services and the providers of any other services covered under Article 2 of this Regulation. 2.The supervisory authority or 2.The supervisory authority or 2. Where the supervisory authorities 2.The supervisory authority or authorities referred to in paragraph 1 authorities referred to in paragraph 1 are not the supervisory authorities authorities referred to in paragraph 1 shall cooperate whenever appropriate shall cooperate whenever appropriate responsible for monitoring the shall cooperate whenever appropriate with national regulatory authorities with national regulatory authorities application of Regulation (EU) with national regulatory authorities established pursuant to the [Directive established pursuant to the [Directive 2016/679, they shall cooperate with established pursuant to Directive (EU) Establishing the European Electronic Establishing the European Electronic the latter and, whenever appropriate, 2018/1972. Communications Code]. Communications Code]. with national regulatory authorities established pursuant to Directive (EU) 2018/1972 and other relevant authorities. Article 19 - European Data Protection Board The European Data Protection Board, The European Data Protection Board, 1. The European Data Protection 1. The European Data Protection established under Article 68 of established under Article 68 of Board, established under Article 68 of Board, established under Article 68 of Regulation (EU) 2016/679, shall have Regulation (EU) 2016/679, shall have Regulation (EU) 2016/679, shall have Regulation (EU) 2016/679, shall have competence to ensure the consistent competence to ensure the consistent the task to contribute to the competence the task, powers, and application of this Regulation. To that application of this Regulation. To that consistent application of Chapters I ressources to ensure contribute to end, the European Data Protection end, the European Data Protection and II and III of this Regulation. the consistent application of Chapters Board shall exercise the tasks laid Board shall exercise the tasks laid 2. To that end, the Board shall have I,II and III of this Regulation. down in Article 70 of Regulation (EU) down in Article 70 of Regulation (EU) the following tasks: 2016/679. The Board shall also have 2016/679. The Board shall also have (a) advise the Commission on any 2. To that end, the European Data the following tasks: the following tasks: proposed amendment of this Protection Board shall exercise the (a) advise the Commission on any (a) advise the Commission on any Regulation; (b) examine, on its own tasks laid down in Article 70 of proposed amendment of this proposed amendment of this initiative, on request of a Regulation (EU) 2016/679. the Board Regulation; Regulation; supervisory authority designated shall have the following tasks: (b) examine, on its own initiative, on (b) examine, on its own initiative, on in accordance with Article 18 (0) or (a) monitor and ensure the correct request of one of its members or on request of one of its members or on on request of the Commission, any application of this Regulation in the request of the Commission, any request of the Commission, any question covering the application of cases provided for in Article 65 of question covering the application of question covering the application of this Regulation in relation to the GDPR without prejudice to the this Regulation and issue guidelines, this Regulation and issue guidelines, Chapters I, II and III and issue tasks of national supervisory recommendations and best practices recommendations and best practices guidelines, recommendations and authorities; in order to encourage consistent in order to encourage consistent best practices in order to encourage (aa) advise the Commission on any application of this Regulation. application of this Regulation. consistent application of this issue regarding the protection of Regulation; personal data under this Regulation and the right to privacy, including on any proposed amendment of this Regulation; (b) examine, on its own initiative, on request of one of its members or on request of the Commission, any question covering the application of this Regulation in relation to Chapters I, II and III and issue guidelines, recommendations and best practices in order to encourage consistent application of this Regulation; (ba) draw up guidelines for (c) (ba) draw up guidelines for supervisory authorities supervisory authorities concerning concerning the application of the application of Articles 4a, 5, 6, 7 Article 9(1) and the particularities and 8; of expression of consent by legal entities; (bb) issue guidelines to determine (d) issue guidelines, (bb) provide an opinion to which technical specifications and recommendations and best determine one or more technical signalling methods fulfil the practices in order to facilitate specifications and signalling conditions and objectives cooperation, including exchange methods that best fulfil the pursuant to Article 10(1a); of information, between conditions and objectives pursuant supervisory authorities referred to to Article 4a(2), and 8 of this in paragraph 0 of Article 18 and/or Regulation and 21(5) of Regulation the supervisory authority (EU) 2016/679 as well as all other responsible for monitoring the elements of these regulations application of Regulation (EU) within 9 months from the entry into 2016/679; force of this Regulation. The Commission may, by way of implementing acts, decide that the approved technical specifications submitted to it have general validity within the Union.

Explanation: Process similar to Codes of Conducts under Article 40 GDPR. (bc) issue guidelines, (da) issue guidelines, (bc) issue guidelines, recommendations and best recommendations and best recommendations and best practices in accordance with point practices in accordance with point practices in accordance with point (b) of this paragraph for the (b) of this paragraph to assess for 2 (b) of this paragraph for the purpose of further specifying the different types of electronic purpose of further specifying the criteria and requirements for types communications services the criteria and requirements for types of services that may be requested moment in time of receipt of of services that may be requested for purely individual or work- electronic communications for purely individual or work- related usage as referred to in content; related usage as referred to in Article 6(3a): Article 6(2)(c) and Article 6 (3) (a): (bd) issue guidelines, (db) issue guidelines, (bd) issue guidelines, recommendations and best recommendations and best recommendations and best practices in accordance with point practices in accordance with point practices in accordance with point (b) of this paragraph for the (b) of this paragraph on the (b) of this paragraph for the purpose of further specifying the provision of consent in the context purpose of further specifying the criteria and requirements for: of Articles 6 to 6b and 8 of this criteria and requirements for: (i) measuring the reach of an Regulation by end-users who are (i) measuring the reach of an information society service legal persons and or in an information society service referred referred to in Article 8(1) point (d); employment relationship; (e) to in Article 8(1) point (d); (ii) security updates referred to in provide the Commission with an (ii) security updates referred to in Article 8(1) point (da); opinion on the icons referred to in Article 8(1) point (e); (iii) the interference in the context paragraph 3 of Article 8; (ii) the processing of information of employment relationships (f) emitted by the terminal equipment referred to in Article 8(1) point (g) referred to in Article 8(2); (db); (h) promote the exchange of (iv) technical specifications and (iv) the processing of information knowledge and documentation on signalling methods that fulfil the emitted by the terminal equipment legislation on protection of conditions for consent and referred to in Article 8(2) (); electronic communications of end- objection pursuant to Article 8(2a); (v) technical specifications and users and of the integrity of their (v) software settings referred to in signalling methods that fulfil the terminal equipment as laid down in Article 8 (1a), (1b) and (1c); and conditions for consent and Chapter II and practice relevant (vi) technical measures to ensure objection pursuant to Article 8(2a); supervisory authorities world confidentiality and integrity of the (vi) software settings referred to wide; communication pursuant to Article in Article 10(1a) and (1b); and 3. Where the Commission requests 17. (vii) technical measures to ensure advice from the Board, it may confidentiality and integrity of the indicate a time limit, taking into communication pursuant to Article account the urgency of the matter. 17(1a), (1b) and (1c). 4. The Board shall forward its opinions, guidelines, recommendations, and best practices to the Commission and make them public. 5. The Board shall consult the (be) maintain a publicly accessible supervisory authorities referred to electronic register of decisions in Article 18 (0) before any of the taken by supervisory authorities tasks referred to in paragraph 2. and courts on issues handled in the 6. The Board shall, where consistency mechanism. appropriate, consult interested parties and give them the opportunity to comment within a reasonable period. The Board shall, without prejudice to Article 76 of Regulation (EU) 2016/679, make the result of the consultation procedures publicly available. Article 20 - Cooperation and Article 20 - Cooperation and Article 20 - Cross-border Article 20 - Cooperation and consistency procedures consistency procedures cooperation and consistency consistency procedures procedures Each supervisory authority shall Each supervisory authority shall Each supervisory authority shall Each supervisory authority shall contribute to the consistent contribute to the consistent contribute to the consistent contribute to the consistent application application of this Regulation application of this Regulation application of this Regulation of this Regulation throughout the throughout the Union. For this throughout the Union. For this throughout the Union and cooperate Union. For this purpose, the purpose, the supervisory authorities purpose, the supervisory authorities with each other and with the supervisory authorities shall cooperate shall cooperate with each other and shall cooperate with each other and Commission. with each other and the Commission the Commission in accordance with the Commission in accordance with in accordance with Chapter VII of Chapter VII of Regulation (EU) Chapter VII of Regulation (EU) Regulation (EU) 2016/679 regarding 2016/679 regarding the matters 2016/679 regarding the matters the matters covered by this covered by this Regulation. covered by this Regulation. Regulation.

CHAPTER V - REMEDIES, LIABILITY AND PENALTIES CHAPTER V - REMEDIES, Article 21 - Remedies LIABILITY AND PENALTIES Article 21 - Remedies 1. Without prejudice to any other 1. Without prejudice to any other 1. Without prejudice to any other 1. Without prejudice to any other administrative or judicial remedy, administrative or judicial remedy, administrative or judicial remedy, administrative or judicial remedy, every end-user of electronic every end-user of electronic every end-user shall have the right every end-user of electronic communications services shall have communications services and, where to an effective judicial remedy in communications services shall have the same remedies provided for in applicable, every body, relation to any infringement of the same remedies provided for in Articles 77, 78, and 79 of Regulation organisation or association, shall rights under this Regulation, the Articles 77, 78, and 79 and 82 of (EU) 2016/679. have the same remedies provided for right to lodge a complaint with a Regulation (EU) 2016/679. in Articles 77, 78, 79 and 80 of supervisory authority and the right Regulation (EU) 2016/679. to an effective judicial remedy against any legally binding decision of a supervisory authority concerning them. 1a. The remedies mentioned under paragraph 1 of this Article can be exercised against by the entities mentioned in Article 3(2). The supervisory authorities shall apply the cooperation and consistency procedures referred to in Article 20 of this Regulation in case of cross- border processing as defined in Article 2 (23) of Regulation (EU) 2016/679 when the entity is a controller or a processor having a main establishment in the EU. 1aa. Without prejudice to any other administrative or non-judicial remedy, each data subject or end- user shall have the right to an effective judicial remedy where the supervisory authority did not adopt a final decision on a complaint lodged pursuant to Article 77 of Regulation (EU) 2016/679 within nine months. This period of nine months: - shall be extended to twelve months when the case is submitted to the cooperation and consistency procedure - shall be suspended for a maximum of two months when the subject-matter is referred to the European Data Protection Board pursuant to Article 65 of Regulation (EU) 2016/679. 1 a. Without prejudice to any other 1a Articles 77-80 of Regulation These points are moved in other parts administrative or non-judicial (EU) 2016/679 shall apply mutatis of the Article or clarified. remedy, every end-user of mutandis. electronic communications services shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning him or her. End-users shall also have such a right where the supervisory authority does not handle a complaint or does not inform the end- user within three months on the progress or outcome of the complaint lodged. Proceedings against a supervisory authority shall be brought before the court of the Member State where the supervisory authority is established. 1 b. Every end-user of the communications services shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed. Those proceedings against a provider of electronic communication service, the provider of a publicly available directory, software provider enabling electronic communication or persons sending direct marketing commercial communications or collecting information related to or stored in the end-users terminal equipment shall be brought before the courts of the Member State where they have an establishment. Alternatively, such proceedings shall be brought before the court of the Member State of the habitual residence of the end-user. 2.Any natural or legal person other 2.Any natural or legal person other 2. Any natural or legal person other 2.Any natural or legal person other than end-users adversely affected by than end-users adversely affected by than end-users adversely affected by than end-users adversely affected by infringements of this Regulation and infringements of this Regulation and infringements of this Regulation, infringements of this Regulation and having a legitimate interest in the having a legitimate interest in the including a provider of electronic having a legitimate interest in the cessation or prohibition of alleged cessation or prohibition of alleged communications services protecting cessation or prohibition of alleged infringements, including a provider of infringements, including a provider of its legitimate business interests, shall infringements, including a provider of electronic communications services electronic communications services have a right to bring legal electronic communications services protecting its legitimate business protecting its legitimate business proceedings in respect of such protecting its legitimate business interests, shall have a right to bring interests, shall have a right to bring infringements. interests, shall have a right to bring legal proceedings in respect of such legal proceedings in respect of such legal proceedings in respect of such infringements. infringements. infringements. 3. Article 80 of Regulation (EU) 2016/679 shall be applicable for any violation of this Regulation for the benefit of all end-users. 4. Any body, organisation or association referred to in paragraph 1 of this Article, independently of a data subject’s mandate, has the right to lodge, in that Member State, a complaint with the supervisory authority which is competent if it considers that the rights of a data subject under this Regulation have been infringed as a result of the processing. Article 22 - Right to compensation and liability Any end-user of electronic Any end-user of electronic Any person who has suffered Any end-user of electronic communications services who has communications services who has material or non-material damage as a communications services who has suffered material or non-material suffered material or non-material result of an infringement of this suffered material or non-material damage as a result of an infringement damage as a result of an infringement Regulation shall have the right to damage as a result of an infringement of this Regulation shall have the right of this Regulation shall have the right receive compensation from the of this Regulation shall have the right to receive compensation from the to receive compensation from the infringer for the damage suffered in to receive compensation from the infringer for the damage suffered, infringer for the damage suffered, accordance with Article 82 of infringer for the damage suffered unless the infringer proves that it is unless the infringer proves that it is Regulation (EU) 2016/679. unless the infringer proves that it is not not in any way responsible for the not in any way responsible for the in any way responsible for the event event giving rise to the damage in event giving rise to the damage in giving rise to the damage in accordance with Article 82 of accordance with Article 82 of accordance with Article 82 of Regulation (EU) 2016/679. Regulation (EU) 2016/679. Regulation (EU) 2016/679. Article 23 - General conditions for imposing administrative fines 1.For the purpose of this Article, 1. For the purpose of this Article, 1. Article 83 of Regulation (EU) 1.For the purpose of this Article, Chapter VII of Regulation (EU) Chapter VII of Regulation (EU) 2016/679 shall apply mutatis Chapter VII , paragraphs 1 to 3 of 2016/679 shall apply to infringements 2016/679 shall apply to infringements mutandis to infringements of this Article 83 of Regulation (EU) of this Regulation. of this Regulation, mutatis Regulation. 2016/679 shall apply to infringements mutandis. of this Regulation. The fine shall be paid either by the entities mentioned in Article 3(2) or by their representative designated in accordance with Article 3(3). 2.Infringements of the following 2.Infringements of the following 2. Infringements of the following 2.Infringements of the following provisions of this Regulation shall, in provisions of this Regulation shall, in provisions of this Regulation shall, in provisions of this Regulation shall, in accordance with paragraph 1, be accordance with paragraph 1, be accordance with paragraph 1, be accordance with paragraph 1, be subject to administrative fines up to subject to administrative fines up to subject to administrative fines up to subject to administrative fines up to EUR 10 000 000, or in the case of an EUR 10 000 000, or in the case of an EUR 10 000 000, or in the case of an EUR 10 000 000, or in the case of an undertaking, up to 2 % of the total undertaking, up to 2 % of the total undertaking, up to 2 % of the total undertaking, up to 2 % of the total worldwide annual turnover of the worldwide annual turnover of the worldwide annual turnover of the worldwide annual turnover of the preceding financial year, whichever is preceding financial year, whichever is preceding financial year, whichever is preceding financial year, whichever is higher: higher: higher: higher: (a) the obligations of any legal or Deleted (a) the obligations of any legal or (a) the obligations of any legal or natural person who process natural person who process electronic natural person who process electronic electronic communications data communications data pursuant to communications data pursuant to pursuant to Article 8; Article 8; Article 8; (a a) the obligations of the (a a) the obligations of the providers of electronic providers of electronic communications services communications services pursuant pursuant to Article 11c; to Article 11c; (b) the obligations of the provider of Deleted Deleted (b) the obligations of the provider of software enabling electronic software enabling electronic communications, pursuant to Article communications, pursuant to Article 8 10; (1a), (1b) and (1c) 10; (b a) the obligations of the No comment. providers of publicly available number-based interpersonal communication services pursuant to Articles 12, 13 and 14. (c) the obligations of the providers of (c) the obligations of the providers of (c) the obligations of the providers of (c) the obligations of the providers of publicly available directories pursuant publicly available directories pursuant publicly available directories pursuant publicly available directories pursuant to Article 15; to Article 15; to Article 15; to Article 15; (d)the obligations of any legal or (d) the obligations of any legal or (d) the obligations of any legal or (d) the obligations of any legal or natural person who uses electronic natural person who uses electronic natural person who uses electronic natural person who uses electronic communications services pursuant to communications services pursuant to communications services pursuant to communications services pursuant to Article 16. Article 16. Article 16. Article 16. (e) the obligation to designate a (e) the obligation to designate a representative pursuant to Article 3 representative pursuant to Article 3 number 2. (3). 3. Infringements of the principle of 3. Infringements of the principle of 3. Infringements of the principle of 3. Infringements of the principle of confidentiality of communications, confidentiality of communications, confidentiality of communications, confidentiality of communications, permitted processing of electronic permitted processing of electronic permitted processing of electronic permitted processing of electronic communications data, time limits for communications data, time limits communications data, time limits for communications data, time limits erasure pursuant to Articles 5, 6, and for erasure pursuant to Articles 5, erasure pursuant to Articles 5, 6, and for erasure pursuant to Articles 5, 7 shall, in accordance with paragraph 6, and 7 following provisions of 7 shall, in accordance with paragraph 6, and 7 following provisions of this 1 of this Article, be subject to this Regulation shall, in accordance 1 of this Article, be subject to Regulation shall, in accordance with administrative fines up to 20 000 000 with paragraph 1 of this Article, be administrative fines up to 20 000 000 paragraph 1 of this Article, be EUR, or in the case of an subject to administrative fines up to EUR, or in the case of an subject to administrative fines up to 20 undertaking, up to 4 % of the total 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total 000 000 EUR, or in the case of an worldwide annual turnover of the undertaking, up to 4 % of the total worldwide annual turnover of the undertaking, up to 4 % of the total preceding financial year, whichever is worldwide annual turnover of the preceding financial year, whichever is worldwide annual turnover of the higher. preceding financial year, whichever is higher. preceding financial year, whichever is higher: higher: (a) the principle of confidentiality (a) the principle of confidentiality of communications pursuant to of communications pursuant to Article 5; Article 5; b) the permitted processing of b) the permitted processing of electronic communications data, electronic communications data, pursuant to Article 6; pursuant to Article 6; (c) the time limits for erasure and (c) the time limits for erasure and the confidentiality obligations the confidentiality obligations pursuant to Article 7; pursuant to Article 7; (d) the obligations of any legal or (d) the obligations of any legal or natural person who process natural person who process electronic communications data electronic communications data pursuant to Article 8; pursuant to Article 8; (e) the requirements for consent (e) the requirements for consent pursuant to Article 9; pursuant to Article 4a; (f) the obligations of the provider (f) the obligations of the provider of software enabling electronic of software and hardware enabling communications, pursuant to electronic communications, Article 10; pursuant to Article 8 (1a), (1b) and (g) the obligations of the (1c); providers of electronic (ff) the obligations to provide the communications services, of the possibilities listed under Article providers of information society 12(1) of the information listed services, or of the manufacturers under Article 12 (2); of software permitting the retrieval (fff) the obligation to override the and presentation of information on elimination of the presentation of the internet pursuant to Article 17. the calling line identification pursuant to Article 13(1) and (2); (ffff) the obligation to block incoming calls or to stop automatic calls pursuant to Article 14; (g) the obligations of the providers of electronic communications services, of the providers of information society services, or of the manufacturers of software permitting the retrieval and presentation of information on the internet pursuant to Article 17; (f) Non-compliance with an order by a supervisory authority as referred to in Article 18. 4. Member States shall lay down the 4. Member States shall lay down 4. Member States shall lay down the 4. Member States shall lay down rules on penalties for infringements of the rules on penalties for rules on penalties for infringements of the rules on penalties for Articles 12, 13, 14, and 17. infringements of Articles 12, 13, Articles 12, 13 and 14. infringements of Articles 12, 13, 14, 14, and 17. In the event that the and 17. When the same or linked same act or omission by the same action or processing operation person results in non-compliance infringes several provisions of this with both Regulation (EU) 2016/679 Regulation and of Regulation (EU) and this Regulation, then the 2016/679, the total amount of the maximum administrative fine shall administrative fine shall not exceed be no more than the maximum the highest amount applicable administrative fine applicable under this Regulation or under under this Regulation for that type Regulation (EU) 2016/679. of infringement. 5. Non-compliance with an order by a 5. Non-compliance with an order by a 5. Non-compliance with an order by a 5. Non-compliance with an order by supervisory authority as referred to in supervisory authority as referred to in supervisory authority as referred to in a supervisory authority as referred Article 18, shall be subject to Article 18, shall be subject to Article 18, shall be subject to to in Article 18, shall be subject to administrative fines up to 20 000 000 administrative fines up to 20 000 000 administrative fines up to 20 000 000 administrative fines up to 20 000 EUR, or in the case of an EUR, or in the case of an EUR, or in the case of an 000 EUR, or in the case of an undertaking, up to 4 % of the total undertaking, up to 4 % of the total undertaking, up to 4 % of the total undertaking, up to 4 % of the total worldwide annual turnover of the worldwide annual turnover of the worldwide annual turnover of the worldwide annual turnover of the preceding financial year, whichever is preceding financial year, whichever is preceding financial year, whichever is preceding financial year, whichever higher. higher. higher. is higher. 6. Without prejudice to the corrective 6. Without prejudice to the corrective 6. Without prejudice to the corrective 6. Without prejudice to the corrective powers of supervisory authorities powers of supervisory authorities powers of supervisory authorities powers of supervisory authorities pursuant to Article 18, each Member pursuant to Article 18, each Member pursuant to Article 18, each Member pursuant to Article 18, each Member State may lay down rules on whether State may lay down rules on whether State may lay down rules on whether State may lay down rules on whether and to what extent administrative fines and to what extent administrative and to what extent administrative and to what extent administrative may be imposed on public authorities fines may be imposed on public fines may be imposed on public fines may be imposed on public and bodies established in that authorities and bodies established in authorities and bodies established in authorities and bodies established in Member State. that Member State. that Member State. that Member State. 7. The exercise by the supervisory authority of its powers under this 7. The exercise by the supervisory 7. The exercise by the supervisory 7. The exercise by the supervisory Article shall be subject to appropriate authority of its powers under this authority of its powers under this authority of its powers under this procedural safeguards in accordance Article shall be subject to appropriate Article shall be subject to appropriate Article shall be subject to appropriate with Union and Member State law, procedural safeguards in accordance procedural safeguards in accordance procedural safeguards in accordance including effective judicial remedy and with Union and Member State law, with Union and Member State law, with Union and Member State law, due process. including effective judicial remedy including effective judicial remedy including effective judicial remedy and 8. Where the legal system of the and due process. and due process. due process. Member State does not provide for administrative fines, this Article may 8. Where the legal system of the 8. Where the legal system of the 8. Where the legal system of the be applied in such a manner that the Member State does not provide for Member State does not provide for Member State does not provide for fine is initiated by the competent administrative fines, this Article may administrative fines, this Article may administrative fines, this Article may supervisory authority and imposed by be applied in such a manner that the be applied in such a manner that the be applied in such a manner that the competent national courts, while fine is initiated by the competent fine is initiated by the competent fine is initiated by the competent ensuring that those legal remedies are supervisory authority and imposed by supervisory authority and imposed by supervisory authority and imposed by effective and have an equivalent effect competent national courts, while competent national courts, while competent national courts, while to the administrative fines imposed by ensuring that those legal remedies ensuring that those legal remedies ensuring that those legal remedies supervisory authorities. In any event, are effective and have an equivalent are effective and have an equivalent are effective and have an equivalent the fines imposed shall be effective, effect to the administrative fines effect to the administrative fines effect to the administrative fines proportionate and dissuasive. Those imposed by supervisory authorities. In imposed by supervisory authorities. In imposed by supervisory authorities. In Member States shall notify to the any event, the fines imposed shall be any event, the fines imposed shall be any event, the fines imposed shall be Commission the provisions of their effective, proportionate and effective, proportionate and effective, proportionate and laws which they adopt pursuant to this dissuasive. Those Member States dissuasive. Those Member States dissuasive. Those Member States paragraph by [xxx] and, without delay, shall notify to the Commission the shall notify to the Commission the shall notify to the Commission the any subsequent amendment law or provisions of their laws which they provisions of their laws which they provisions of their laws which they amendment affecting them. adopt pursuant to this paragraph by adopt pursuant to this paragraph by adopt pursuant to this paragraph by [xxx] and, without delay, any [xxx] and, without delay, any [xxx] and, without delay, any subsequent amendment law or subsequent amendment law or subsequent amendment law or amendment affecting them. amendment affecting them. amendment affecting them. Article 24 - Penalties 1. Member States shall lay down the 1.Member States shall lay down the 1.Member States shall lay down the 1. Member States shall lay down the rules on other penalties applicable to rules on other penalties applicable to rules on other penalties applicable to rules on other penalties applicable to infringements of this Regulation in infringements of this Regulation in infringements of this Regulation in infringements of this Regulation in particular for infringements which are particular for infringements which are particular for infringements which are particular for infringements which are not subject to administrative fines not subject to administrative fines not subject to administrative fines not subject to administrative fines pursuant to Article 23, and shall take pursuant to Article 23, and shall take pursuant to Article 23, and shall take pursuant to Article 23, and shall take all measures necessary to ensure all measures necessary to ensure all measures necessary to ensure all measures necessary to ensure that that they are implemented. Such that they are implemented. Such that they are implemented. Such they are implemented. Such penalties penalties shall be effective, penalties shall be effective, penalties shall be effective, shall be effective, proportionate and proportionate and dissuasive. proportionate and dissuasive. proportionate and dissuasive. dissuasive.

2. Each Member State shall notify to 2. Each Member State shall notify to 2. Each Member State shall notify to 2. Each Member State shall notify to the Commission the provisions of its the Commission the provisions of its the Commission the provisions of its the Commission the provisions of its law which it adopts pursuant to law which it adopts pursuant to law which it adopts pursuant to law which it adopts pursuant to paragraph 1, no later than 18 months paragraph 1, no later than 18 months paragraph 1, no later than 18 months paragraph 1, no later than 18 months after the date set forth under Article after the date set forth under Article after the date set forth under Article after the date set forth under Article 29(2) and, without delay, any 29(2) and, without delay, any 29(2) and, without delay, any 29(2) and, without delay, any subsequent amendment affecting subsequent amendment affecting subsequent amendment affecting subsequent amendment affecting them. them. them. them. CHAPTER VI - DELEGATED ACTS AND IMPLEMENTING ACTS Article 25 - Exercise of the delegation 1. The power to adopt delegated acts 1. The power to adopt delegated acts 1. The power to adopt delegated acts 1. The power to adopt delegated acts is conferred on the Commission is conferred on the Commission is conferred on the Commission is conferred on the Commission subject to the conditions laid down in subject to the conditions laid down in subject to the conditions laid down in subject to the conditions laid down in this Article. this Article. this Article. this Article.

2. The power to adopt delegated acts 2. The power to adopt delegated acts 2. The power to adopt delegated acts 2. The power to adopt delegated acts referred to in Article 8(4) shall be referred to in Article 8(4) shall be referred to in Article 8(4) shall be referred to in Articles 4a and 8(4) shall conferred on the Commission for an conferred on the Commission for an conferred on the Commission for an be conferred on the Commission for indeterminate period of time from [the indeterminate period of time from [the indeterminate period of time from [the an indeterminate period of time from data of entering into force of this data of entering into force of this data of entering into force of this [the data of entering into force of this Regulation]. Regulation]. Regulation]. Regulation].

3. The delegation of power referred to 3. The delegation of power referred to 3. The delegation of power referred to 3. The delegation of power referred to in Article 8(4) may be revoked at any in Article 8(4) may be revoked at any in Article 8(4) may be revoked at any in Articles 4a and 8(4) may be time by the European Parliament or time by the European Parliament or time by the European Parliament or revoked at any time by the European by the Council. A decision to revoke by the Council. A decision to revoke by the Council. A decision to revoke Parliament or by the Council. A shall put an end to the delegation of shall put an end to the delegation of shall put an end to the delegation of decision to revoke shall put an end to the power specified in that decision. It the power specified in that decision. It the power specified in that decision. It the delegation of the power specified shall take effect the day following the shall take effect the day following the shall take effect the day following the in that decision. It shall take effect the publication of the decision in the publication of the decision in the publication of the decision in the day following the publication of the Official Journal of the European Official Journal of the European Official Journal of the European decision in the Official Journal of the Union or at a later date specified Union or at a later date specified Union or at a later date specified European Union or at a later date therein. It shall not affect the validity therein. It shall not affect the validity therein. It shall not affect the validity specified therein. It shall not affect the of any delegated acts already in of any delegated acts already in of any delegated acts already in validity of any delegated acts already force. force. force. in force.

4. Before adopting a delegated act, 4. Before adopting a delegated act, 4. Before adopting a delegated act, 4. Before adopting a delegated act, the Commission shall consult experts the Commission shall consult experts the Commission shall consult experts the Commission shall consult experts designated by each Member State in designated by each Member State in designated by each Member State in designated by each Member State in accordance with the principles laid accordance with the principles laid accordance with the principles laid accordance with the principles laid down in the Inter-institutional down in the Inter-institutional down in the Inter-institutional down in the Inter-institutional Agreement on Better Law-Making of Agreement on Better Law-Making of Agreement on Better Law-Making of Agreement on Better Law-Making of 13 April 2016. 13 April 2016. 13 April 2016. 13 April 2016.

5. As soon as it adopts a delegated 5. As soon as it adopts a delegated 5. As soon as it adopts a delegated 5. As soon as it adopts a delegated act, the Commission shall notify it act, the Commission shall notify it act, the Commission shall notify it act, the Commission shall notify it simultaneously to the European simultaneously to the European simultaneously to the European simultaneously to the European Parliament and to the Council. Parliament and to the Council. Parliament and to the Council. Parliament and to the Council.

6. A delegated act adopted pursuant 6. A delegated act adopted pursuant 6. A delegated act adopted pursuant 6. A delegated act adopted pursuant to Article 8(4) shall enter into force to Article 8(4) shall enter into force to Article 8(4) shall enter into force to Articles 4a and 8(4) shall enter into only if no objection has been only if no objection has been only if no objection has been force only if no objection has been expressed either by the European expressed either by the European expressed either by the European expressed either by the European Parliament or the Council within a Parliament or the Council within a Parliament or the Council within a Parliament or the Council within a period of two months of notification of period of two months of notification of period of two months of notification of period of two months of notification of that act to the European Parliament that act to the European Parliament that act to the European Parliament that act to the European Parliament and the Council or if, before the and the Council or if, before the and the Council or if, before the and the Council or if, before the expiry expiry of that period, the European expiry of that period, the European expiry of that period, the European of that period, the European Parliament and the Council have both Parliament and the Council have both Parliament and the Council have both Parliament and the Council have both informed the Commission that they informed the Commission that they informed the Commission that they informed the Commission that they will will not object. That period shall be will not object. That period shall be will not object. That period shall be not object. That period shall be extended by two months at the extended by two months at the extended by two months at the extended by two months at the initiative of the European Parliament initiative of the European Parliament initiative of the European Parliament initiative of the European Parliament or of the Council. or of the Council. or of the Council. or of the Council. Article 26 - Committee 1. The Commission shall be assisted 1. For the purpose of Articles 1. The Commission shall be assisted 1. For the purpose of Articles 13(2) by the Communications Committee 13(2) and 16(7), the Commission by the Communications Committee and 16(7), the Commission shall be established under Article 110 of the shall be assisted by the established under Article 118 of assisted by the Communications [Directive establishing the European Communications Committee Directive (EU) 2018/1972. That Committee established under Article Electronic Communications Code]. established under Article 110 of the committee shall be a committee 118 of Directive (EU) 2018/1972. That That committee shall be a committee [Directive establishing the European within the meaning of Regulation (EU) committee shall be a committee within within the meaning of Regulation Electronic Communications Code]. No 182/2011. That committee shall the meaning of Regulation (EU) No (EU) No 182/2011 That committee shall be a committee be a committee within the meaning 182/2011. That committee shall be a within the meaning of Regulation of Regulation (EU) No 182/2011 committee within the meaning of (EU) No 182/2011 Regulation (EU) No 182/2011 2.Where reference is made to this 2.Where reference is made to this 2.Where reference is made to this 2.Where reference is made to this paragraph, Article 5 of Regulation paragraph, Article 5 of Regulation paragraph, Article 5 of Regulation paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply. (EU) No 182/2011 shall apply. (EU) No 182/2011 shall apply. (EU) No 182/2011 shall apply. CHAPTER VII - FINAL PROVISIONS Article 27 - Repeal 1. Directive 2002/58/EC is repealed 1. Directive 2002/58/EC and 1. Directive 2002/58/EC is repealed 1. Directive 2002/58/EC and with effect from 25 May 2018. Commission Regulation 611/2013 with effect from [1August 2022]. Commission Regulation 611/2013 is is are repealed with effect from 25 are repealed with effect from (day of 2. References to the repealed May 2018 [XXX]. 2. References to the repealed entry into force of this Regulation). Directive shall be construed as Directive shall be construed as references to this Regulation. 2. References to the repealed references to this Regulation. 2. References to the repealed Directive shall be construed as Directive shall be construed as references to this Regulation. references to this Regulation. Article 28 - Monitoring and evaluation clause By 1 January 2018 at the latest, the By 1 January 2018 [the date of By [1 August 2024] at the latest, By 1 January 2018 [the date of entry Commission shall establish a detailed entry into force of this Regulation] the Commission shall establish a into force of this Regulation] at the programme for monitoring the at the latest, the Commission shall detailed programme for monitoring latest, the Commission shall establish effectiveness of this Regulation. establish a detailed programme for the effectiveness of this Regulation. a detailed programme for monitoring monitoring the effectiveness of this the effectiveness of this Regulation Regulation No later than three years after the No later than three years after the No later than three years after the No later than three years after the date of application of this Regulation, date of application of this Regulation, date of application of this Regulation, date of application of this Regulation, and every three years thereafter, the and every three years thereafter, the and every three years thereafter, the and every three years thereafter, the Commission shall carry out an Commission shall carry out an Commission shall carry out an Commission shall carry out an evaluation of this Regulation and evaluation of this Regulation and evaluation of this Regulation and evaluation of this Regulation and present the main findings to the present the main findings to the present the main findings to the present the main findings to the European Parliament, the Council European Parliament, the Council European Parliament, the Council European Parliament, the EDPB, the and the European Economic and and the European Economic and and the European Economic and Council and the European Economic Social Committee. The evaluation Social Committee. The evaluation Social Committee. The evaluation and Social Committee. The evaluation shall, where appropriate, inform a shall, where appropriate, inform a shall, where appropriate, inform a shall, where appropriate, inform a proposal for the amendment or repeal proposal for the amendment or repeal proposal for the amendment or repeal proposal for the amendment or repeal of this Regulation in light of legal, of this Regulation in light of legal, of this Regulation in light of legal, of this Regulation in light of legal, technical or economic developments. technical or economic developments. technical or economic developments. technical or economic developments. Article 29 - Entry into force and application 1.This Regulation shall enter into 1.This Regulation shall enter into 1.This Regulation shall enter into 1.This Regulation shall enter into force force on the twentieth day following force on the twentieth day following force on the twentieth day following on the twentieth day following that of that of its publication in the Official that of its publication in the Official that of its publication in the Official its publication in the Official Journal of Journal of the European Union. Journal of the European Union. Journal of the European Union. the European Union. 2.It shall apply from 25 May 2018. 2. It shall apply from [one year the 2. This Regulation shall apply from 2. It shall apply from [12 months date of entry into force of this [24 months from the date of entry from the date of entry into force of Regulation]. into force of this Regulation]. this Regulation].