Documents considered by the Committee on 16 January 2019

3 Privacy and Electronic Communications

Committee’s assessment

Legally and politically important

Committee’s decision

Not cleared from scrutiny; further information requested; drawn to the attention of the Digital, Culture, Media and Sport Committee, the Science and Technology Committee, the Home Affairs Committee, the Justice Committee, the Joint Committee on Human Rights and the Exiting the EU Committee

Document details

Proposed Regulation on the respect for private life and protection of personal data in electronic communications and repealing Directive 2002/58/EC

Legal base

Articles 16 and 114 TFEU; ordinary legislative procedure; QMV


Digital, Culture, Media and Sport

Document Number

(38455), 5358/17 + ADDs 1–6, COM(17) 10

Summary and Committee’s conclusions

3.1 This proposed ePrivacy Regulation was published in January 2017 to replace the current 2002 Directive on the privacy and protection of personal data relating to electronic communications (e-comms). E-comms can concern highly sensitive information about an individual, for example medical conditions, sexual preferences, religious and political views, or commercially sensitive information about a business. Disclosure could result in personal and social harm, even economic loss. Once adopted, the Regulation could have major implications for the way that sectors such as technology, digital advertising and publishing do business and for individual privacy.

3.2 The current Directive covers confidentiality of e-comms provided via traditional communication services (e.g. emails, SMS). But the proposal will update the rules in the Directive to apply to “Over the Top” services, including internet-based messaging such as WhatsApp and Voice over Internet Protocol (e.g. Skype). It will also govern the use of cookies and other tracking technologies, as well as email marketing.

3.3 The Commission had planned for the proposed Regulation to come into force at the same time as the GDPR on 25 May 2018. However, the proposal has proved very controversial, resulting in slow progress in negotiations in the Council. The main point of contention concerns when providers of voice, email, video and other messaging services can use the content and metadata of communications in their services. The European Parliament (EP) has taken a restrictive approach in its position on the proposal adopted in October 2017. It considers that processing should only be permitted subject to explicit consent or where “strictly necessary” for specified purposes. Businesses and some Member States want a different approach which aligns more with the GDPR and allows processing on grounds of “legitimate interests”. As a compromise the Council has instead been looking at the inclusion of some additional processing grounds, as evident in the latest progress report[16] which was discussed at the 4 December Telecoms Council. Rules governing cookies and other tracking technologies have also proved contentious.

3.4 An account of the scope and content of the proposed Regulation and the Government’s view of it are set out in our previous Reports (listed at the end of this chapter). In our last letter to the Minister for Digital and the Creative Industries (Margot James MP) of 27 June 2018, we questioned what the implications of delayed negotiations might be for the UK as an exiting Member State. The Minister now writes in response and to update us on progress in the Council in her letter of 20 December 2018. In summary, the Government:

3.5 The Minister then addresses specific questions we have raised during our previous scrutiny, under the following headings.

Online child abuse

3.6 The Minister first addresses a question raised informally with officials since the date of our last letter because it was of interest to the Science and Technology Committee. This concerns the need to combat online child abuse.[17] She says that:


3.7 Responding to our question about the UK’s position on the proposed Article 17[18] of the text concerning encryption, the Minister says the article has now been removed. However, it was replicated in Article 40(3)[19] of the recently recast European Electronic Communications Code (EECC). She adds:

“The scope of Article 40(3) targets network and service operators; Over The Top Providers (OTTs) would not come under its scope as they do not control signal conveyance across the network. In the EECC negotiations there was consensus across the majority of Member States to explicitly remove proposed mandatory encryption requirements”.

3.8 She then explains why the Government is not in favour of requirements for “end-to-end” encryption. Despite the benefits of encrypting some e-comms, for example relating to the provision of banking services, encryption is open to abuse by a minority of service providers and users:

National security

3.9 Addressing our question about whether national security activities are caught by the proposal, the Minister explains that:

Applicability of the proposal to the UK

3.10 In our past scrutiny of the proposal, we have also asked about the implications of the Regulation either being adopted during the implementation period or adopted afterwards, assuming the Withdrawal Agreement is ratified. The Minister reiterates that the timing of the application of the proposal, which is deferred after adoption for two years in the current text, remains uncertain. She adds that the UK will take an “active diplomatic interest in any measures which will affect the UK during the implementation period as part of our dialogue with the Institutions and Member States”.

3.11 If an adopted Regulation is only applicable after the implementation period, the Government would need to assess whether there would be any advantage to aligning UK law with it.

3.12 We thank the Minister for her letter.

3.13 We turn to the timing of any progress in the negotiations. As the Minister’s most recent letter now indicates, it remains unclear when, if at all, an adopted proposal would apply to the UK. Based on that information and the current state of play in the Brexit negotiations, the following scenarios are possible:

3.14 We note that the Romanian Presidency’s agenda suggests that they may aim for a general approach on the proposal for the June 7 Telecoms Council.[21] However, by that time we anticipate that the UK will have exited the EU with or without a deal. This reinforces our view that the proposal is likely to be adopted at a time when the UK cannot exert any influence over its final shape or content and yet be affected by it.

3.15 Given the potential impact this proposal could have in either “deal” or “no deal” scenarios and in the context of a future trading relationship with the EU, we ask the Government to keep us as closely informed as possible of any developments in the negotiations. In the absence of any progress in January and February, at the very least we request a “state of play” update in early March, well before the UK’s exit from the EU on 29th.

3.16 Turning to the question of the Privacy International reference to the Court of Justice (CJEU), the Minister’s view of the timing of the hearing and any future judgment is very helpful. When she next writes, we would appreciate her confirmation that she agrees with our understanding that:

3.17 We look forward to receiving the Minister’s next letter. In the meantime, the proposal remains under scrutiny. We draw this chapter and the document to the attention of the Digital, Culture, Media and Sport Committee, the Science and Technology Committee, the Home Affairs Committee, the Justice Committee, the Joint Committee on Human Rights and the Exiting the EU Committee.

Full details of the documents:

Proposal for a Regulation of the European Parliament and the Council concerning the respect for private life and protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications): (38455), 5358/17 + ADDs 1–6, COM(17) 10.

Previous Committee Reports

Twenty first Report, HC 301–xx (2017–19), chapter 1 (21 March 2018); Thirty first Report, HC 71–xxiv (2016–17), chapter 6 (8 February 2017); also see (38446), 5034/17: Sixteenth Report, HC 301–xiv (2017–18), chapter 3, (28 February 2018).

16 See Presidency paper (Council document 2017/0003), progress report on the proposal for a Regulation on Privacy and Electronic Communications.

17 See the ongoing inquiry of the Science and Technology Committee into the “Impact of social media and screen-use on young people’s health”.

18 Proposed Article 17 on “Information about detected security risks” stated:
“In the case of a particular risk that may compromise the security of networks and electronic communications services, the provider of an electronic communications service shall inform end-users concerning such risk and, where the risk lies outside the scope of the measures to be taken by the service provider, inform end-users of any possible remedies, including an indication of the likely costs involved”.

19 Our addition. Article 40(3) provides that “Member States shall ensure that in the case of a particular and significant threat of a security incident in public electronic communications networks or publicly available electronic communications services, providers of such networks or services shall inform their users potentially affected by such a threat of any possible protective measures or remedies which can be taken by the users. Where appropriate, providers shall also inform their users of the threat itself”.

20 Section 3(3) EUWA states that “For the purposes of this Act, any direct EU legislation is operative immediately before exit day if (a) in the case of anything which comes into force at a particular time and is stated to apply from a later time, it is in force and applies immediately before exit day”. As the Explanatory Notes state: “It is only if the provision is “stated to apply” from a later time (see section 3(3)(a)), and that time falls on or after exit day, that the provision would not fall within the ambit of the section. So, where there is a stated date of application, and this date falls after exit day, the provision is not converted. This means that, provided it is not expressly stated to apply from a date falling on or after exit day, EU legislation which is in force before exit day will be converted even if it has some effect which crystallises after exit day.”

21 See also Politico, Pay Wall, 4 January 2019.

Published: 22 January 2019