ePrivacy Regulation, Preamble 11 to 20.
(11) The services used for communications purposes, and the technical means of their delivery, have evolved considerably. End-users increasingly replace traditional voice telephony, text messages (SMS) and electronic mail conveyance services in favour of functionally equivalent online services such as Voice over IP, messaging services and web-based e-mail services. In order to ensure an effective and equal protection of end-users when using functionally equivalent services, this Regulation uses the definition of electronic communications services set forth in the Directive (EU) 2018/1972.
That definition encompasses not only internet access services and services consisting wholly or partly in the conveyance of signals but also interpersonal communications services, which may or may not be number-based, such as for example, Voice over IP, messaging services and web-based e-mail services.
(11a) The protection of confidentiality of communications is crucial also as regards interpersonal communications services that are ancillary to another service; therefore, the processing of electronic communications data in the context of the provision of such type of minor ancillary services should be covered by this Regulation.
(11aa) In all the circumstances where electronic communication is taking place between a finite, that is to say not potentially unlimited, number of end-users which is determined by the sender of the communications, e.g. any messaging application allowing two or more people to connect and communicate, such services constitute interpersonal communications services. Conversely, a communications channel does not constitute an interpersonal communications service when it does not enable direct interpersonal and interactive exchange of information via electronic communications networks between a finite number of persons, whereby the persons initiating or participating in the communication determine its recipient(s).
This is for example the case when the entity providing the communications channel is at the same time a communicating party, such as a company that operates a communications channel for customer care that allows customers solely to communicate with the company in question. Also, where access to an electronic communications is available for anyone, e.g. communications in an electronic communications channel in online games which is open to all persons playing the game, such channel does not constitute an interpersonal communications feature. This reflects the end-users' expectations regarding the confidentiality of a service.
(12) The use of machine-to-machine and Internet of Things services, that is to say services involving an automated transfer of data and information between devices or software-based applications with limited or no human interaction, is emerging. In order to ensure full protection of the rights to privacy and confidentiality of communications, and to promote a trusted and secure Internet of Things in the digital single market, this Regulation, in particular the requirements relating to the confidentiality of communications, should apply to the transmission of such services.
The transmission of machine-to-machine or Internet of Things services regularly involves the conveyance of signals via an electronic communications network and, hence, constitutes an electronic communications service. This Regulation should apply to the provider of the transmission service if that transmission is carried out via a publicly available electronic communications service or network. Conversely, where the transmission of machine-to-machine or Internet of Things services is carried out via a private or closed network such as a closed factory network, this Regulation should not apply.
Typically, providers of machine-to-machine or Internet of Things services operate at the application layer (on top of electronic communications services). These service providers and their customers who use IoT services are in this respect end-users, and not providers of the electronic communication service and therefore benefit from the protection of confidentiality of their electronic communications data. Specific safeguards could also be adopted under sectorial legislation, as for instance Directive 2014/53/EU.
(13) The development of fast and efficient wireless technologies has fostered the increasing availability for the public of internet access via wireless networks accessible by anyone in public and semi-private spaces such as 'hotspots' situated at different places within a city, department stores, shopping malls and hospitals. To the extent that those communications networks are provided to an undefined group of end-users, regardless if these networks are secured with passwords or not, the confidentiality of the communications transmitted through such networks should be protected.
The fact that wireless electronic communications services may be ancillary to other services should not stand in the way of ensuring the protection of confidentiality of communications data and application of this Regulation. Therefore, this Regulation should apply to electronic communications data using publicly available electronic communications services and public electronic communications networks. In contrast, this Regulation should not apply to closed groups of end-users such as home (fixed or wireless) networks or corporate networks or networks to which the, access is limited to a pre-defined group of end-users, e.g. to family members or, members of a corporation.
Similarly, this Regulation does not apply to data processed by services or networks used for purely internal communications purposes between public institutions, courts, court administrations, financial, social and employment administrations. As soon as electronic communications data is transferred from such a closed group network to a public electronic communications network, this Regulation applies to such data, including when it is M2M/IoT and personal/home assistant data. The provisions of this Regulation regarding the protection of end-users' terminal equipment information also apply in the case of terminal equipment connected to a closed group network such as a home (fixed or wireless) network which in turn is connected to a public electronic communications network.
(14) Electronic communications data should be defined in a sufficiently broad and technology neutral way so as to encompass any information concerning the content transmitted or exchanged (electronic communications content) and the information concerning an end-user of electronic communications services processed for the purposes of transmitting, distributing or enabling the exchange of electronic communications content; including data to trace and identify the source and destination of a communication, geographical location and the date, time, duration and the type of communication.
Whether such signals and the related data are conveyed by wire, radio, optical or electromagnetic means, including satellite networks, cable networks, fixed (circuit- and packet-switched, including internet) and mobile terrestrial networks, electricity cable systems, the data related to such signals should be considered as electronic communications metadata and therefore be subject to the provisions of this Regulation. Electronic communications metadata may include information that is part of the subscription to the service when such information is processed for the purposes of transmitting, distributing or exchanging electronic communications content.
(15) Electronic communications data should be treated as confidential. This means that any interference of electronic communications data, whether directly by human intervention or through the intermediation of automated processing by machines, without the consent of the communicating parties should be prohibited. Interception of electronic communications data may occur, for example, when someone other than the communicating parties, listens to calls, reads, scans or stores the content of electronic communications, or the associated metadata for purposes other than the exchange of communications.
Interception also occurs when third parties monitor websites visited, timing of the visits, interaction with others, etc., without the consent of the end-user concerned. As technology evolves, the technical ways to engage in interception have also increased. Such ways may range from the installation of equipment that gathers data from terminal equipment over targeted areas, such as the so-called IMSI (International Mobile Subscriber Identity) catchers, to programs and techniques that, for example, surreptitiously monitor browsing habits for the purpose of creating end-user profiles.
Other examples of interception include capturing payload data or content data from unencrypted wireless networks and routers, including browsing habits without the end-users' consent. (15aa) In order to ensure the confidentiality of electronic communications data, providers of electronic communications services should apply security measures in accordance with Article 40 of Directive (EU) 2018/1972 and Article 32 of Regulation (EU) 2016/679.
(15aaa) Moreover, trade secrets are protected in accordance with Directive (EU) 2016/943.
(15a) The prohibition of interception of electronic communications content under this Regulation should apply until receipt of the content of the electronic communication by the intended addressee, i.e. during the end-to-end exchange of electronic communications content between end-users. Receipt implies that the end-user gains control over, and has the possiblity to interact with, the individual electronic communications content, for example by recording, storing, printing or otherwise processing such data, including for security purposes.
The exact moment of the receipt of electronic communications content may depend on the type of electronic communications service that is provided. For instance, depending on the technology used, a voice call may be completed as soon as either of the end-users ends the call.
For electronic mail or instant messaging, depending on the technology used, the moment of receipt may be as soon as the addressee has collected the message, typically from the server of the electronic communications service provider. Upon receipt, electronic communications content and related metadata should be erased or made anonymous in such a manner that no natural or legal person is identifiable, by the provider of the electronic communications service except when processing is permitted under this Regulation After electronic communications content has been received by the intended end-user or end-users, it may be recorded or stored by those end-users. End-users are free to mandate a third party to record or store such data on their behalf.
(16) The prohibition of processing, including storage of communications is not intended to prohibit any automatic, intermediate and transient processing, including storage of this information insofar as this takes place for the sole purpose of carrying out the transmission in the electronic communications network.
Processing of electronic communications data by providers of electronic communications services and networks should only be permitted in accordance with this Regulation. It should not prohibit the processing of electronic communications data without consent of the end-user to ensure the security, including the availability, authenticity, integrity or confidentiality, of the electronic communications services, including for example checking security threats such as the presence of malware or viruses, or the identification of phishing.
Security measures are essential to prevent personal data breaches in electronic communications. Spam electronic messages may also affect the availability of the respective services and could potentially impact the performance of networks and services, which justifies the processing of electronic communications data to mitigate this risk. Such security measures, including anti-spam measures, should be proportionate and should be performed in the least intrusive manner.
Providers of electronic communications services are encouraged to offer end-users the possibility to check electronic messages deemed as spam in order to ascertain whether they were indeed spam.
(16a) The protection of the content of electronic communications pertains to the essence of the fundamental right to respect for private and family life, home and communications protected under Article 7 of the Charter. Any interference with the content of electronic communications should be allowed only under very clear defined conditions, for specific purposes and be subject to adequate safeguards against abuse. This Regulation provides for the possibility of providers of electronic communications services to process electronic communications content in transit, with the informed consent of all the end-users concerned.
For example, providers may offer services that entail the scanning of emails to remove certain pre-defined material. Given the sensitivity of the content of communications, this Regulation sets forth a presumption that the processing of such content data will result in high risks to the rights and freedoms of natural persons. When processing such type of content, the provider of the electronic communications service should consult the supervisory authority if necessary pursuant to Article 36 (1) of Regulation (EU) 2016/679. Such consultation should be in accordance with Article 36 (2) and (3) of Regulation (EU) 2016/679.
The presumption does not encompass the processing of content to provide a service requested by the end-user where the end-user has consented to such processing and it is carried out for the purposes and duration strictly necessary and proportionate for such service.
(16b) Services that facilitate end-users everyday life such as index functionality, personal assistant, translation services and services that enable more inclusion for persons with disabilities such as text-to-speech services are emerging. Processing of electronic communication content might be necessary also for some functionalities used normally in services for individual use, such as searching and organising the messages in email or messaging applications. Therefore, as regards the processing of electronic communications content for services requested by the end-user for their own individual use, consent should only be requested required from the end-user requesting the service taking into account that the processing should not adversely affect fundamental rights and interest of another end-user concerned.
Processing of electronic communications data should be allowed with the prior consent of the end-user concerned and to the extent necessary for the provision of the requested functionalities. (16c) Providers of electronic communications services may, for example, obtain the consent of the end-user for the processing of electronic communications data, at the time of the conclusion of the contract, and any moment in time thereafter. In some cases, the legal person having subscribed to the electronic communications service may allow a natural person, such as an employee, to make use of the service in accordance with Regulation 2016/679.
(17) The processing of electronic communications metadata can be useful for businesses, consumers and society as a whole. Vis-à-vis Directive 2002/58/EC, this Regulation broadens the possibilities for providers of electronic communications services to process electronic communications metadata. However, end-users attach great importance to the confidentiality of their communications, including their online activities, and they also want to control the use of electronic communications metadata for purposes other than conveying the communication.
Therefore, providers of electronic communications networks and services should be permitted to process electronic communications metadata after having obtained the endusers' consent. In addition, those providers should be permitted to process an end-user’s electronic communications metadata where it is necessary for the provision of an electronic communications service based on a contract with that end-user and for billing related to that contract. Examples of commercial usages of electronic communications metadata by providers of electronic communications services may include the provision of heat maps; a graphical representation of data using colours to indicate the presence of individuals.
To display the traffic movements in certain directions during a certain period of time, an identifier is necessary to link the positions of individuals at certain time intervals. This identifier would be missing if anonymous data were to be used and such movement could not be displayed. Such usage of electronic communications metadata could, for example, benefit public authorities and public transport operators to define where to develop new infrastructure, based on the usage of and pressure on the existing structure.
Where a type of processing of electronic communications metadata, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, a data protection impact assessment and, as the case may be, a consultation of the supervisory authority should take place prior to the processing, in accordance with Articles 35 and 36 of Regulation (EU) 2016/679.
(17aa) Further processing for purposes other than for which the metadata where initially collected may take place without the consent of the end-users concerned, provided that such processing is compatible with the purpose for which the metadata are initially collected, certain additional conditions and safeguards set out by this Regulation are complied with, including the requirement to genuinely anonymise the result before sharing the analysis with third parties. As end-users attach great value to the confidentiality of their communications, including their physical movements, such data cannot be used to determine the nature or characteristics on an end-user or to build a profile of an end-user, in order to, for example, avoid that the data is used for segmentation purposes, to monitor the behaviour of a specific end-user or to draw conclusions concerning the private life of an end-user.
For the same reason, the end-user must be provided with information about these processing activities taking place and given the right to object to such processing. (17a) The processing of electronic communications metadata should also be regarded to be permitted where it is necessary in order to protect an interest which is essential for the life of the end-users who are natural persons or that of another natural person.
Processing of electronic communications metadata for the protection of vital interests of the end-user may include for instance processing necessary for humanitarian purposes, including for monitoring epidemics and their spread or in humanitarian emergencies, in particular natural and manmade disasters. Processing of electronic communications metadata of an enduser for the protection of the vital interest of an end-user who is a natural person should in principle take place only where the processing cannot be manifestly based on another legal basis and where the protection of such interests cannot be ensured without that processing.
(17b) Processing of electronic communication metadata for scientific research or statistical purposes could also be considered to be permitted processing. This type of processing should be subject to safeguards to ensure privacy of the endusers by employing appropriate security measures such as encryption and pseudonymisation. In addition, end-users who are natural persons should be given the right to object.
Processing for statistical counting and scientific purposes should only result in aggregated data, and not be used in support of measures or decisions regarding any particular natural person. In particular, such data should not be used to determine the nature or characteristics of an end-user, to build an individual profile or to draw conclusions concerning an end-user private life.
Such usage of electronic communications metadata could, for example, benefit public authorities and public transport operators to define where to develop new infrastructure, based on the usage of and pressure on the existing structure. Such usage should also include processing that is necessary for the development, production and dissemination of official national or European statistics in accordance with national or Union law, to the extent necessary for this purpose.
(18) End-users may consent to the processing of their metadata to receive specific services such as protection services against fraudulent activities (by analysing usage data, location and customer account in real time). In the digital economy, services are often supplied against counter-performance other than money, for instance by endusers being exposed to advertisements.
For the purposes of this Regulation, consent of an end-user, regardless of whether the latter is a natural or a legal person, should have the same meaning and be subject to the same conditions as the data subject's consent under Regulation (EU) 2016/679.
Basic broadband internet access and voice communications services are to be considered as essential services for individuals to be able to communicate and participate to the benefits of the digital economy. Consent for processing electronic communications data from internet or voice communication usage will not be valid if the data subject end-user has no genuine and free choice or is unable to refuse or withdraw consent without detriment.
(19) Third parties are legal or natural person that do not provide an electronic communications service to the end-user concerned. However, sometimes the same legal or natural person can also provide different kind of services to the same end-user, for example information society service such as cloud storage. With respect to the provision of this other service, the same legal person is normally deemed to be a third party. If the other service is necessary for the provision of the electronic communication service, such as automatic storage of the messages in the cloud by web-based email, the provider of such a service normally is not deemed to be a third party.
(20) Terminal equipment of end-users of electronic communications networks and any information relating to the usage of such terminal equipment, in particular where such information is processed by, stored in, or collected from such equipment, or where information is collected from it or processed in order to enable it to connect to another device and or network equipment, are part of the end-user's private sphere, including the privacy of one’s communications, and require protection in accordance with the Charter of Fundamental Rights of the European Union. Given that such equipment contains or processes information that may reveal details of an individual's emotional, political, social complexities, including the content of communications, pictures, the location of individuals by accessing the device’s GPS capabilities, contact lists, and other information already stored in the device, the information related to such equipment requires enhanced privacy protection.
Furthermore, the so-called spyware, web bugs, hidden identifiers, tracking cookies and other similar unwanted tracking tools can enter end-user's terminal equipment without their knowledge in order to gain access to information, to store hidden information and to trace the activities. Information related to the end-user’s device may also be collected remotely for the purpose of identification and tracking, using techniques such as the so-called ‘device fingerprinting’, often without the knowledge of the end-user, and may seriously intrude upon the privacy of these end-users. Techniques that surreptitiously monitor the actions of end-users, for example by tracking their activities online or the location of their terminal equipment, or subvert the operation of the end-users’ terminal equipment pose a serious threat to the privacy of end-users.
Therefore, the use of processing and storage capabilities and the collection of information from end-user's terminal equipment should be allowed only with the end-user's consent or for other specific and transparent purposes as laid down in this Regulation. The information collected from end-user’s terminal equipment can often contain personal data.
(20aa) In light of the principle of purpose limitation laid down in Article 5 (1) (b) of Regulation (EU) 2016/679, it should be possible to process in accordance with this Regulation data collected from the end-user's terminal equipment for purposes compatible with the purpose for which it was collected from the enduser’s terminal equipment.
(20aaa) The responsibility for obtaining consent for the storage of a cookie or similar identifier lies on the entity that makes use of processing and storage capabilities of terminal equipment or collects information from end-users’ terminal equipment, such as an information society service provider or ad network provider. Such entities may request another party to obtain consent on their behalf. The end-user's consent to storage of a cookie or similar identifier may also entail consent for the subsequent readings of the cookie in the context of a revisit to the same website domain initially visited by the end-user.
Conversely, in some cases, making access to website content dependent on consent to the use of such cookies may be considered, in the presence of a clear imbalance between the end-user and the service provider as depriving the end-user of a genuine choice. This would normally be the case for websites providing certain services, such as those provided by public authorities. Similarly, such imbalance could exist where the end-user has only few or no alternatives to the service, and thus has no real choice as to the usage of cookies for instance in case of service providers in a dominant position.
To the extent that use is made of processing and storage capabilities of terminal equipment and information from end-users’ terminal equipment is collected for other purposes than for what is necessary for the purpose of providing an electronic communication service or for the provision of the service requested, consent should be required. In such a scenario, consent should normally be given by the end-user who requests the service from the provider of the service.
(20a) End-users are often requested to provide consent to the storage and access to stored data in their terminal equipment, due to the ubiquitous use of tracking cookies and similar tracking technologies. As a result, end-users may be overloaded with requests to provide consent.
This can lead to a situation where consent request information is no longer read and the protection offered by consent is undermined. Implementation of technical means in electronic communications software to provide specific and informed consent through transparent and user-friendly settings, can be useful to address this issue. Where available and technically feasible, an end user may therefore grant, through software settings, consent to a specific provider for the use of processing and storage capabilities of terminal equipment for one or multiple specific purposes across one or more specific services of that provider.
For example, an end-user can give consent to the use of certain types of cookies by whitelisting one or several providers for their specified purposes. Providers of software are encouraged to include settings in their software which allows endusers, in a user friendly and transparent manner, to manage consent to the storage and access to stored data in their terminal equipment by easily setting up and amending whitelists and withdrawing consent at any moment. In light of end-user’s self-determination, consent directly expressed by an end-user should always prevail over software settings.
Any consent requested and given by an end-user to a service should be directly implemented, without any further delay, by the applications of the end user’s terminal. If the storage of information or the access of information already stored in the end-user’s terminal equipment is permitted, the same should apply.
Note: This is not the final text of the ePrivacy Regulation. This is the text of the ePrivacy Regulation Proposal of the Council of the European Union from 10.2.2021.