On Friday 4 May, the Bulgarian Presidency of the Council of the EU submitted another compromise proposal on the confidentiality of electronic communications, which particularly clarifies the notion of communication “in transmission” and excludes “national security and defence” from the scope of the future regulation. It will be discussed on 16 and 17 May next in the Tele and Dapix working parties.
It should be pointed out that the draft regulation on the table aims to enhance online confidentiality while allowing service providers to use the personal data of customers that have given their prior consent (see EUROPE 11700). Although the European Parliament has already adopted its position, the Council is still working on its own position. A discussion at the Tele working party is planned for 16 May next and a joint Tele and Dapix group is planned for 17 May next to discuss data retention. An orientation debate is also expected at the Telecommunications Council for 8 June.
New compromise to be scrutinised
The compromise proposes to tackle several sensitive issues, such as processing data without authorisation (article 6), device confidentiality (article 8) and data retention (article 11).
Article 6. The Bulgarian paper explains that data processing can be authorised in the event of security risks (art. 6(1)(b)). With regard to the processing of metadata (art. 6(2)), it introduces safeguards for optimisation situations and network management and reduces billing opportunities, whilst calling on member states to give their ideas regarding the reasons linked to the protection of vital interests.
Article 8. The main change to the provisions on confidentiality of devices involves the Internet of Things (IoT). The text stipulates that the consent of the user can be circumvented if the use of data is necessary for the provision of a service, including services related to the Internet of Things (connected devices such as connected thermostats), requested by the end user. The Bulgarian paper also adds a number of clarifications to article 10 involving information and options to provide to users with regard to confidentiality parameters. It therefore explains that this article does not apply to software that is no longer maintained and that the provider can, in all cases, request authorisation from the user, irrespective of the confidentiality parameters chosen.
Article 11. This article is also covered by the working party on data protection (Dapix) and focuses on data retention. The Commission is proposing to restrict the scope of the regulation's provisions (article 5 to 8) on the basis of certain reasons pertaining to the general regulation on data protection (2016/679). In its compromise proposal, the Bulgarian Presidency suggests adding to the list the protection of the person concerned or the rights and freedoms of others and implementation of requests pertaining to civil law. It also more explicitly indicates that in connection with article 2, the activities relating to national defence and security are excluded from the scope of application. The new casting also stipulates that the regulation will not apply to the communications of people who have passed away. It also describes the references to “ancillary services whose operations are linked to communication”.
It should also be pointed out that the Bulgarian Presidency proposes to interpret the term, “in transmission”, as the period between which person A sends a message and when person B actually reads it, rather than the physical movement of the message. The document can be consulted at the following page: https://bit.ly/2KJGQLy . (Original version in French by Sophie Petitjean)