(Dieser Artikel ist auch in deutscher Sprache verfügbar)

On 25 June 2008, the European Parliament's Standing Committee on Civil Liberties, Justice and Home Affairs asked for measures to correct the European Commission's proposal to amend the Directive on Privacy and Electronic Communications (called ePrivacy Directive).

"We have introduced a few points directed towards better consumer protection and manageability" in order to "improve data protection overall and bring it in line with the changed situation" stated Rapporteur for the project MEP Alexander Alvaro (FDP).

Peter Hustinx, the European Data Protection Supervisor (EDPS), adopted, on 14 April, an Opinion on the European Commission's proposal amending, among others, the ePrivacy Directive. The EDPS basically supported the EC proposal giving a few recommendations such as the obligation to notify any breach of security not only from providers of public electronic communication services in public networks but also from providers of information society services which process sensitive personal data.

What the MEPs are now asking for is a procedure to inform users, in case of security breaches at service providers and a better protection from surveillance. For the measures requiring providers of electronic services to inform users of breaches of data protection, the MEPs intend to involve an intermediary body. The companies will inform national telecommunications regulators or other "competent authorities" on "serious" security breaches of personal data and the regulatory bodies will decide if consumers need to be rapidly informed. The companies might also be asked to report the occurrence of security problems in their annual reports.

One of the aspects that was largely debated within the Committee was related to the collection of personal data such as IP addresses, a compromise being reached in the end considering that an online identity should be specifically considered as an item of personal information needing special protection when it is related to an individual in combination with other information. The EP Committee asked the European Commission to submit, in consultation with EU data protection officials, within the next two years, specific draft legislation for treating IP addresses as personal data.

Alvaro's proposal to apply the provision allowing member states to enact their own legislation to relax protection of connection and location data for public security and the prevention, detection and prosecution of criminal acts or illegal use of electronic communications systems, to cases when ownership rights are infringed, failed as concerns have been expressed by data protection officials, such as German data protection commissioner Peter Schaar.

However Alvaro succeeded in passing several other proposals such as the future application of the directive to publicly accessible private telecommunications networks including university networks or social networks such as StudiVZ or Facebook. Companies offering applications attempting to access personal data on hard drives, or other IT systems, such as USB flash drives, will have to get the user's consent beforehand on the basis of the opt-in principle. Alvaro drew the attention that a user setting his browser to accept cookies would be considered to give consent to data collection. However, according to the directive, in the future, cookies for storing user data using the Flash multimedia application will require separate consent.

According to Alvaro, the amendments proposed by the Standing Committee on Civil Liberties, Justice and Home Affairs will be incorporated into the report of the Internal Market and Consumer Protection committee, primarily responsible for the telecommunications package. The entire package for regulating telecommunications companies and ISPs will be voted in September after a first reading at a plenary session. The European Council will be then required to submit comments.

During its 66th plenary session that took place in Brussels between 24-25 June, the Article 29 Working Party expressed its opinion on the review of the E-privacy Directive fully supporting "the proposed strengthening of Article 4 'Security' by requiring providers of publicly available communication services to notify security breaches, and underlines the importance of informing all persons concerned when their personal data have been compromised or are at risk of being compromised."

However, the Working Party 29 considers there are issues that still need to be covered such as the need to extend the scope of the obligation to notify security breaches to the providers of information society services as well as the scope of the recipients of the notification to include all persons concerned rather than only the "subscribers".

MEPs adopt draft "e-privacy directive" reforms (27.06.2008)
http://www.heise.de/english/newsticker/news/110110

Press Release - Article 29 Working Party (26.06.2008)
http://ec.europa.eu/justice_home/fsj/privacy/news/docs/pr_30_06_08_en....

Working Party Article 29, Opinion on the review of the Directive 2002/58/EC on privacy and electronic communications (ePrivacy Directive) (15.05.2008)
http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2008/ wp150_en.pdf

EDRIgram - EDPS endorses data breach notification provision in ePrivacy Directive (23.04.2008)
http://www.edri.org/edrigram/number6.8/edps-data-breach-notification