Legally and politically important
Not cleared from scrutiny; further information requested; drawn to the attention of the Science and Technology, the Digital, Culture, Media and Sport Committee, the Home Affairs and the Exiting the EU Committees
Proposed Regulation concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications)
Article 16 and 114 TFEU; ordinary legislative procedure; QMV
Digital, Culture, Media and Sport
(38455), 5358/17 + ADDs 1–6, COM(17) 10
1.1The content of electronic communications (e-comms) may reveal sensitive information about the individuals involved in the communication, including medical conditions, sexual preferences, religious and political views. Disclosure could result in personal and social harm, even economic loss. The same applies to metadata derived from e-comms, including numbers called, websites visited, geographical location, time, date and durations of calls. This allows inferences to be drawn about private lives of the persons concerned. E-comms data may also reveal commercially sensitive information concerning business.
1.2The proposed Regulation aims to update the existing ePrivacy Directive which was adopted in 2002. The Directive supplemented the 1995 Data Protection Directive by providing more specific privacy rules for the e-comms sector. These included rules on itemised billing and on unsolicited marketing calls and emails. Later amendments of the Directive have added new provisions about information being stored on and accessed from the user’s computer (such as cookies), and requirements about reporting data breaches. The Directive was transposed into UK law through the Privacy and Electronic Communications Regulations (PECR), which were last updated in 2016..
1.3The proposal is linked to the new General Data Protection Regulation (GDPR) and is also relevant to the proposed Regulation to apply similar rules to the GDPR to EU institutions, agencies and bodies.
1.4The main changes under the new proposal are aimed at:
1.5The Government now writes with an update on delays in the negotiations. Uncertainties to be resolved also overlap with the GDPR and the extent to which “ancillary services” and “content data” are covered by the proposal. On timing, the Government confirms that the Presidency is aiming for a General Approach at the end of June 2018.
1.6We thank the Minister for her helpful letter. We ask her to continue to keep us up-to-date as we are concerned about the implications for the UK should the Regulation not be agreed when the UK still has a vote, but during the implementation period. We ask her to comment on that eventuality. If an adopted proposal were not to apply to the UK before the end of an implementation period, could the Minister tell us whether the UK would want to align with it anyway for the purposes of its future trading relationship with the EU?
1.7In our Report on the proposed Regulation to revise data protection rules applying to EU institutions we asked the Minister about an aspect of the proposed ePrivacy Regulation which her current letter does not address. We set it out below and request that the Minister respond in due course:
“3.8…. In particular, have there been any UK objections to restrictions in the text under negotiation or to amendments being proposed by the European Parliament (EP) to prevent or limit the ability of UK authorities to access encrypted communications used by some “Over-the-top” (OTT) providers such as What’s App for national security purposes? We note in this respect that:
“The Home Secretary (Amber Rudd) has spoken on many occasions about the Government’s desire to access such encrypted communications, in the fight against terrorism. See for example, her interview with the BBC reported on 1 August 201719 prior to her meeting with tech companies in Silicon Valley about Counter-Terrorism”.
1.8Related to 1.7 above, we would also be interested to hear from the Minister about any discussions in the Council concerning the extent to which, if at all, the proposed Regulation might affect Member State activities relating to national security. When she responds, we ask the Minister to take account of:
1.9In the meantime, we retain the proposal under scrutiny but draw it and this chapter to the attention of the Science and Technology Committee, the Digital, Culture Media and Sport Committee, the Home Affairs Committee and the Exiting the EU Committee.
Proposal for a Regulation of the European Parliament and the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications): (38455), + ADDs 1–6, COM (17) 10.
1.10We most recently considered this proposal as part of our Report chapter on Data Protection and the EU Institutions. In that chapter we said about the current proposal:
“Finally, the Minister also provides us with a short update on the proposed e-Privacy Regulation. Discussions have not progressed on this proposal in Council. This is partially due to great uncertainty over the text’s effect and its relation to the GDPR, with many Member States yet to take a position. She adds:
“In addition to the crossover with the GDPR, discussions have focused on seeking clarity about which types of processing fall under the proposal’s scope, on the effects of the proposed limited range of circumstances for processing e-comms data, and on the proposed new cookies rules. The UK has posed six questions to the Commission on the effect of the proposed rules for cookies. These questions were adopted by the Presidency, and the Commission has recently produced a non-paper in response. The Government is currently analysing the Commission’s answers.”
1.11The Minister for Digital and the Creative Industries (Margot James) provides us with the following update on the proposed ePrivacy Regulation. This includes responses to some of the questions asked by our predecessor Committee.
1.12On progress in the negotiations, the Minister says:
“There have been relatively few meetings on this proposal, as this was not a specific priority of previous Presidencies. Discussions have yet to move forward, partially due to considerable uncertainty over the proposal’s effect and its relation to the General Data Protection Regulation (GDPR), with many Member States yet to take a position on the text until its impact is clarified.
“Although progress has been made recently on these issues, there is unfortunately still no agreed interpretation of the measure’s scope in Council. This letter sets out the Government’s current understanding and we will write with further information when the position develops.”
1.13She then turns to the question of the relationship between the ePrivacy proposal and the GDPR. First, she explains the dual purpose of the ePrivacy proposal:
“The Government understands that the draft ePrivacy Regulation aims both to complement and particularise the GDPR. However, the proposed text is not clear as to the circumstances when the ePrivacy Regulation, versus the GDPR, applies to data, and when both measures would apply at the same time.”
1.14She then considers each of these purposes:
“In terms of complementing, it offers protection for areas not covered by the GDPR. These include protection for non-personal data such as that of companies, and protection against nuisance calls and spam.”
“In terms of particularising the GDPR, the draft Regulation provides specific rules for processing that already falls under the GDPR. This means that a GDPR article will not apply if there is a more specific, relevant article in the ePrivacy Regulation. For example, Article 6 of the proposed ePrivacy Regulation sets down the limited range of circumstances (“legal bases”) under which metadata may be processed. If a provider is processing personal metadata, Article 6 of the ePrivacy Regulation displaces Article 6 of the GDPR, which sets out a wider range of legal bases for processing personal data. But as the proposed ePrivacy Regulation does not have a right to access personal data or a right to erasure, the articles in the GDPR containing these rights will still apply. In this way, both the GDPR and the ePrivacy Regulation may apply at the same time to particular processing.”
1.15However, the Minister explains that the situation is more complex, depending on the type of data involved and this is giving rise to some uncertainty:
“However, I also understand that the Commission intended the scope of the proposal to vary, depending on the type of data. The proposal makes a distinction between the content of communications (“content data”) and other data associated with the communication (“metadata”), e.g. timestamps. While the ePrivacy Regulation will always apply to processing of metadata, content data only falls under its scope during transmission. For example, when a data controller is composing an email containing a customer’s personal data, it is the GDPR alone that applies to the content data. The ePrivacy Regulation will only apply while the email is being transmitted. Since this was not clear in the original proposal, the revised text published by the Estonian Presidency in December last year explicitly states when content data is in its scope.
“Nevertheless, there is still lack of clarity as to whether transmission ends when the recipient receives the email, or when it is received by the provider’s servers. Resolving this ambiguity is crucial since there are number of processing activities that providers currently do with content data that may be permissible under the GDPR but not under the ePrivacy Regulation. These include scanning the content of emails for spam and enabling translation, and certain accessibility features such as text to speech for users.”
1.16Additionally, there is “even greater uncertainty” concerning the proposed Regulation’s application to so-called “ancillary services”. These are services which enable communications to take place though not actually communication services themselves:
“A potential example of an ancillary service is a gaming website that allows players to chat during games. The Commission’s impact assessment for this proposal did not include the costs on ancillary services, nor an assessment of the potentially vast range of services this may capture.
“Recent discussions in Council centred on what an ancillary service could be; some progress was made but there was no firm agreed outcome. The proposal’s focus on merely whether the supplier enables communication to take place, rather than whether it deliberately provides a communication service, could capture a wide variety of services. This could potentially include services that allow for co-authoring of documents, and personal blogs that allow certain users to leave comments. Such services, if caught, would then need to comply with the proposal’s obligations, including the limited permitted circumstances for processing electronic communications data. As the implications of the scope are considerable, the Government is highly concerned with this lack of clarity and is pushing for progress on a common interpretation in Council.”
1.17The Minister tells us that a wide range of stakeholders who are potentially affected by the proposal have been consulted on an ongoing basis over the last year. This has been through a series of roundtables, bilateral meetings, and requests for written comments. The Minister comments:
“These have allowed the Government to gather comprehensive and diverse evidence about ePrivacy’s impact, given its highly technical nature, and we recognise the concerns that have been raised by stakeholders in relation to the proposal.”
1.18Finally, the Minister refers to the Presidency’s aim to secure a General Approach by the end of June 2018, so that trilogue negotiations could take place with the European Parliament before the June 2019 elections. She comments:
“The Government’s view is that the two significant areas of ambiguity outlined above need urgent resolution before there can be work on the proposal’s provisions. This is not only due to the need to ensure legal uncertainty for individuals and businesses, but also because the scope of the proposal has a considerable impact on proper assessment of its provisions. The Government’s priority therefore is to continue the work recently begun with other Member States towards a common interpretation of the scope in Council and reflect this in the text once discussions begin again, likely in March.”
1.19She also commits to providing us with further updates as developments emerge.
Thirty first Report, HC 71–xxiv (2016–17),(8 February 2017); also see (38446), 5034/17: Sixteenth Report, HC 301–xiv (2017–18), , (28 February 2018).
3 Cookies are small pieces of data that a browser can be asked to save/store when a user visits a website. Cookies will then allow the website to recognise the device when a user visits again and so to gain a better idea of his/her preferences over time and to use the information for targeted advertising. There are many types of cookies, classified according to their lifespan or to which domain is hosting the cookies.
4 By a 2009 Directive (2009/136/EC) and Commission Regulation (611/2013).
7 Proposed Regulation on the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies and on the free movement of such data and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC: (38446), 5034/17, COM(17) 8.
8 In other words, without having to pay them.
9 They fall outside of the definition of “electronic communications services” under the current ePrivacy Directive.
10 These have become popular substitutes for traditional telecoms services, e.g. online chat applications instead of mobile SMS, and Voice over IP technology (VoIP) instead of telephone calls.
11 38446, : Proposal for a Regulation on data protection rules applicable to EU institutions, bodies, offices and agencies, repealing Regulation (EC) No 45/2001 and Decision 1247/2002/EC
12 Order for Reference to the Court of Justice of the European Union, Privacy International v Foreign Secretary (1) Home Secretary (2) GCHQ(3) MI5 (4) and MI6(5),
13 Thirty first Report, HC 71–xxiv (2016–17), (8 February 2017).
14 Joined Cases: Tele 2 Sverige AB v Post- och telestyrelsen; Watson and Others v Secretary of State for the Home Department.
15 (38446), 5034/17: Sixteenth Report, HC 301–xiv (2017–18), , (28 February 2018).
Published: 27 March 2018