The European Council has published proposed amendments to the first draft (published in January 2017). These changes focus on the Articles, not the Recitals, and it has been stressed that amendments will be made in incremental stages. The document states, “This first redraft aims mainly at clarifying certain elements and outlining specific issues to be examined for the purposes of advancing the discussions on the file.”
Discussions on these changes are ongoing and delegations have been invited to express their views. The Direct Marketing Association’s comments can be found here.
Outlined below are some of the key changes proposed:
1. Subject Matter – Article 1
Amendments have been made seeking to clarify the difference in subject matter regarding legal persons vs natural persons and alignment with the GDPR.
2. Definitions – Article 4
The definitions are likely to be amended in further updates to the text, as it has been identified that more detailed analysis is required. A definition of “information society service” has been added. The word “mail” has been replaced by “message”, as the former was deemed too restrictive. Article 4a has been added on Consent (this was previously Article 9), and the definition of consent has been simplified and aligned to the GDPR. An additional obligation has been added to remind end-users of the possibility to withdraw consent. The interval for this reminder has been extended from 6 months to no longer than 12 months.
4. Confidentiality of electronic communications data – Article 5
New text has been included in Article 5(2), for further discussion, clarifying that machine-to-machine communications are covered as long as they are related to an end user.
5. Permitted processing of electronic communications – Article 6
Delegations have proposed different legal grounds to be included for the purposes of data processing. This will be discussed further, as several stakeholders have suggested including legitimate interests as an additional ground for processing. (Legitimate interests are one of 6 lawful grounds for the processing of personal data under the GDPR.)
6. Storage and erasure of electronic communications – Article 7
The current provision has been criticised for being too strict, requiring erasure or anonymisation of data when it is no longer needed. This is an area where the Council has specifically sought the views of delegations.
7. Information and options for privacy settings to be provided – Article 10
The amended text clarifies that the term “third parties” was not meant to refer to “third party cookies” but to “any other parties than the end user.” It also clarifies that the end user will be asked to consent to settings upon installation or upon “first usage” of the software. There is to be further discussion surrounding this and allowing end users to easily change privacy settings.
8. Publicly available directories – Article 15
The wording here has been more closely aligned with Article 12 of the current directive. Delegations are to discuss to whom obligations of Article 15 should be addressed, taking into account the difficulty for providers of publicly available directories to obtain consent of end-users.
9. Direct Marketing Communications – Article 16
The heading of Article 16 has been changed from “Unsolicited Communications”. The soft opt-in exemption has been retained as per the first draft. There remains some ambiguity in the text as to whether B2B communications will be viewed as distinct from B2C; further clarity is being sought.
10. Supervisory Authorities – Articles 18-20
A requirement has been identified for more flexibility with regard to supervisory authorities. It is proposed that DPAs will be kept as authorities for monitoring the application of the Regulation; however, discussions are ongoing about concerns that some of the provisions within the proposed Regulation could stretch beyond the expertise of DPAs.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.