Eprivacy Regulation EP Rapporteurs draft report from Mike O'Neill on 2017-06-14 (public-tracking@w3.org from June 2017)

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Wed, 14 Jun 2017 20:03:56 +0100
To: <public-tracking@w3.org>
Message-ID: <153b01d2e540$f91cd650$eb5682f0$@baycloud.com>
This is what ePR Articles 8,9 and 10 look like when assembled from the
Parliament rapporteur’s draft report. It still has to be debated and voted
on and then the Council will have their say.

 

http://www.europarl.europa.eu/sides/getDoc.do?type=COMPARL&reference=PE-606.
011&format=PDF&language=EN&secondRef=01 .

 

 

 

Article 8

 

Protection of information stored in and related to users’ terminal equipment

1.	The use of processing and storage capabilities of terminal equipment
and the collection of information from users’ terminal equipment, or making
information available through the terminal equipment, including information
about or generated by its software and hardware, other than by the user
concerned shall be prohibited, except on the following grounds:

 

a.	it is strictly technically necessary for the sole purpose of
carrying out the transmission of an electronic communication over an
electronic communications network; or 
b.	the user has given his or her specific consent, which shall not be
mandatory to access the service; or it is necessary for providing an
information society service requested by the end-user; or 
c.	if it is strictly technically necessary for web audience measuring,
provided that such measurement is carried out by the provider of the
information society service requested by the user, or

 

d.	if it is technically necessary for web audience measuring of the
information society service requested by the user, provided that such
measurement is carried out by the provider, or on behalf of the provider, or
by an independent web analytics agency acting in the public interest or for
scientific purpose; and further provided that no personal data is made
accessible to any other party and that such web audience measurement does
not adversely affect the fundamental rights of the user;

 

e.	if it is necessary for a security update, provided that:

i.	security updates are discreetly packaged and do not in any way
change the privacy settings chosen by the user;

ai.	the user is informed in advance each time an update is being
installed; and

bi.	the user has the possibility to turn off the automatic installation
of these updates;

 

f.	if it is necessary in the context of employment relationships,
where:

 

i.	the employer provides certain equipment; 

ai.	the employee is the user of this equipment; and

bi.	the interference is strictly necessary for the functioning of the
equipment by the employee

 

No user shall be denied access to any information society service or
functionality, regardless of whether this service is remunerated or not, on
grounds that he or she has not given his or her consent under Article
8(1)(b) to the processing of personal information and/or the use of storage
capabilities of his or her terminal equipment that is not necessary for the
provision of that service or functionality.

 

 

 

 

2.	The collection of information emitted by terminal equipment to
enable it to connect to another device and, or to network equipment shall be
prohibited, except if: 

 

a.	it is done exclusively in order to, for the time necessary for, and
for the purpose of establishing a connection; or
b.	the user has been informed and has given consent; or
c.	the data are anonymised and the risks are adequately mitigated.

 

3.	For the purpose of point (c) of paragraph 2, the following controls
shall be implemented to mitigate the risks:

 

a.	the purpose of the data collection from the terminal equipment shall
be restricted to mere statistical counting; and
b.	the tracking shall be limited in time and space to the extent
strictly necessary for this purpose; and
c.	the data shall be deleted or anonymised immediately after the
purpose is fulfilled; and
d.	he users shall be given effective opt-out possibilities.

 

 

 

4.	The information referred to in points (b) and (c) of paragraph 2
shall be conveyed in a clear and prominent notice setting out, at the least,
details of how the information will be collected, the purpose of collection,
the person responsible for it and other information required under Article
13 of Regulation (EU) 2016/679, where personal data are collected. The
collection of such information shall be conditional on the application of
appropriate technical and organisational measures to ensure a level of
security appropriate to the risks, as set out in Article 32 of Regulation
(EU) 2016/679.

 

 

 

Article 9

 

1.	The definition of and conditions for consent provided for under
Articles 4(11) and 7 of Regulation (EU) 2016/679/EU shall apply.

 

2.	Without prejudice to paragraph 1, where technically possible and
feasible, for the purposes of point (b) of Article 8(1), consent may be
expressed by using technical specifications of electronic communications
services. When such technical specifications are used by the user, they
shall be binding on, and enforceable against, any other party.

 

 

3.	Users who have consented to the processing of electronic
communications data as set out in point (c) of Article 6(2) and points (a)
and (b) of Article 6(3), point (b) of Article 8(1) and point (b) of Article
8(2) shall be given the possibility to withdraw their consent at any time as
set forth under Article 7(3) of Regulation (EU) 2016/679 and be reminded of
this possibility at periodic intervals of 6 months, as long as the
processing continues.

 

Article 10

 

1.	Software placed on the market permitting electronic communications,
including the retrieval and presentation of information on the internet,
shall:

 

a.	by default, offer privacy protective settings to prevent other
parties from storing information on the terminal equipment of a user and
from processing information already stored on that equipment;
b.	upon installation, inform and offer the user the possibility to
change or confirm the privacy settings options defined in point (a) by
requiring the user's consent to a setting;
c.	make the setting defined in points (a) and (b) easily accessible
during the use of the software; and
d.	offer the user the possibility to express specific consent through
the settings after the installation of the software.

 

2.	For the purpose of points (a) and (b) of paragraph 1, the settings
shall include a signal which is sent to the other parties to inform them
about the user's privacy settings. These settings shall be binding on, and
enforceable against, any other party.
Received on Wednesday, 14 June 2017 19:05:12 UTC