RE: Eprivacy Regulation EP Rapporteurs draft report

Moreover, please note the remarks of the EU lawmaker on DNT (p. 87 of the draft report). I believe that it shows that there is clear support and appreciation for our work.

Article 10 of the proposal refers to options for privacy settings of tools and software used to enable users to prevent other parties from storing information on terminal equipment, or processing information stored on the equipment (Do-Not-Track mechanisms -DNTs-). The rapporteur shares the objective of the proposal but she considers that, in order to reflect the essential core principles of Union data protection law (privacy by design and by default), it must be amended. Indeed, these basic principles are not efficiently integrated in the ePrivacy proposal of the Commission. Therefore it is proposed first, that DNTs are technologically neutral to cover different kinds of technical equipment and software and, second, that DNTs, by default must configure their settings in a manner that prevents other parties from storing information on the terminal equipment or processing information stored on the equipment without the consent of the user, at the same time users should be granted the possibility to change or confirm the default privacy settings options at any moment upon installation. The settings should allow for granulation of consent by the user, taking into account the functionality of cookies and tracking techniques and DNTs should send signals to the other parties informing them of the user’s privacy settings. Compliance with these settings should be legally binding and enforceable against all other parties.

Regards,
Rob

-----Original message-----
From: Mike O'Neill
Sent: Wednesday, June 14 2017, 9:06 pm
To: public-tracking@w3.org
Subject: Eprivacy Regulation EP Rapporteurs draft report

This is what ePR Articles 8, 9 and 10 look like when assembled from the Parliament rapporteur’s draft report. It still has to be debated and voted on and then the Council will have their say.

http://www.europarl.europa.eu/sides/getDoc.do?type=COMPARL&reference=PE-606.011&format=PDF&language=EN&secondRef=01
 
Article 8

 
Protection of information stored in and related to users’ terminal equipment

 

1. The use of processing and storage capabilities of terminal equipment and the collection of information from users’ terminal equipment, or making information available through the terminal equipment, including information about or generated by its software and hardware, other than by the user concerned shall be prohibited, except on the following grounds:

 
 1. it is strictly technically necessary for the sole purpose of carrying out the transmission of an electronic communication over an electronic communications network; or 
 2. the user has given his or her specific consent, which shall not be mandatory to access the service; or it is necessary for providing an information society service requested by the end-user; or 
 3. if it is strictly technically necessary for web audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the user, or
 
 1. if it is technically necessary for web audience measuring of the information society service requested by the user, provided that such measurement is carried out by the provider, or on behalf of the provider, or by an independent web analytics agency acting in the public interest or for scientific purpose; and further provided that no personal data is made accessible to any other party and that such web audience measurement does not adversely affect the fundamental rights of the user;
 
 1. if it is necessary for a security update, provided that:
  1. security updates are discreetly packaged and do not in any way change the privacy settings chosen by the user;
  1. the user is informed in advance each time an update is being installed; and
  1. the user has the possibility to turn off the automatic installation of these updates;

 
 1. if it is necessary in the context of employment relationships, where:
  1. the employer provides certain equipment;
  1. the employee is the user of this equipment; and
  1. the interference is strictly necessary for the functioning of the equipment by the employee

 
No user shall be denied access to any information society service or functionality, regardless of whether this service is remunerated or not, on grounds that he or she has not given his or her consent under Article 8(1)(b) to the processing of personal information and/or the use of storage capabilities of his or her terminal equipment that is not necessary for the provision of that service or functionality.

 
 
 
 
1. The collection of information emitted by terminal equipment to enable it to connect to another device and, or to network equipment shall be prohibited, except if: 

 
 1. it is done exclusively in order to, for the time necessary for, and for the purpose of establishing a connection; or
 2. the user has been informed and has given consent; or
 3. the data are anonymised and the risks are adequately mitigated.
 
1. For the purpose of point (c) of paragraph 2, the following controls shall be implemented to mitigate the risks:

 
1. the purpose of the data collection from the terminal equipment shall be restricted to mere statistical counting; and
2. the tracking shall be limited in time and space to the extent strictly necessary for this purpose; and
3. the data shall be deleted or anonymised immediately after the purpose is fulfilled; and
4. the users shall be given effective opt-out possibilities.

 
 
 
1. The information referred to in points (b) and (c) of paragraph 2 shall be conveyed in a clear and prominent notice setting out, at the least, details of how the information will be collected, the purpose of collection, the person responsible for it and other information required under Article 13 of Regulation (EU) 2016/679, where personal data are collected. The collection of such information shall be conditional on the application of appropriate technical and organisational measures to ensure a level of security appropriate to the risks, as set out in Article 32 of Regulation (EU) 2016/679.

 
 
 
Article 9

 
1. The definition of and conditions for consent provided for under Articles 4(11) and 7 of Regulation (EU) 2016/679/EU shall apply.

 
1. Without prejudice to paragraph 1, where technically possible and feasible, for the purposes of point (b) of Article 8(1), consent may be expressed by using technical specifications of electronic communications services. When such technical specifications are used by the user, they shall be binding on, and enforceable against, any other party.

 
 
1. Users who have consented to the processing of electronic communications data as set out in point (c) of Article 6(2) and points (a) and (b) of Article 6(3), point (b) of Article 8(1) and point (b) of Article 8(2) shall be given the possibility to withdraw their consent at any time as set forth under Article 7(3) of Regulation (EU) 2016/679 and be reminded of this possibility at periodic intervals of 6 months, as long as the processing continues.

 
Article 10

 
1. Software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall:

 
1. by default, offer privacy protective settings to prevent other parties from storing information on the terminal equipment of a user and from processing information already stored on that equipment;
2. upon installation, inform and offer the user the possibility to change or confirm the privacy settings options defined in point (a) by requiring the user's consent to a setting;
3. make the setting defined in points (a) and (b) easily accessible during the use of the software; and
4. offer the user the possibility to express specific consent through the settings after the installation of the software.

 
1. For the purpose of points (a) and (b) of paragraph 1, the settings shall include a signal which is sent to the other parties to inform them about the user's privacy settings. These settings shall be binding on, and enforceable against, any other party.

 
 

Received on Thursday, 15 June 2017 08:35:56 UTC