10 July 2001. Thanks to Anonymous.


Since you published Maurizio Turco's minority opinion on Echelon and Marco Cappato's Draft Electronic Data Privacy Report, I thought you might be interested in the attached documents: The first is the second minority opinion drafted by Ilka Schroeder MEP (Germany) and signed by MEPs Alima Boumediene-Thiery (France) and Patricia McKenna (Ireland), all of them Greens. Main difference as compared to Cappato: They call for an abolition of secret services as they think it will never be possible to actually control them.

The second is the opinion drafted by Ilka Schroeder and voted in the Industry Committee on June 12th. Since it's a so-called Reinforced Hughes Procedure between The Civil Liberties and the Industry Committe, the Liberties one is obliged to take the Industry Committee position in very strong account. Both stress the importance of a high level of personal data protection, with the main difference being that Cappato is in favour of an opt-out regulation for spam (the vote will be tomorrow, we'll see how it will be voted), while Schroeder and the Industry Committee are in favour of opt-in.


Second minority opinion drafted by Ilka Schroeder MEP (Germany) and signed by MEPs Alima Boumediene-Thiery (France) and Patricia McKenna (Ireland)

This report makes an important point in emphasising that Echelon does exist. But it stops short of drawing political conclusions. It is hypocritical for the European Parliament to criticise the Echelon interception practice while taking part in plans to establish a European secret service.

No effective public control mechanism of secret services and their undemocratic practices exists globally. It is in the nature of secret services that they cannot be controlled. They must therefore be abolished. This report serves to legitimise a European Secret service which will infringe fundamental rights - just as Echelon does.

For the majority of the Parliament, the focus is the industry whose profit interests are supposedly threatened by industrial espionage. However the vital issue is that no one can communicate in confidence over distances any more. Political spying is a much greater threat than economic spying.

This report constantly plays down these dangers of Echelon, while it remains silent to the ENFOPOL interception planning in the EU. For every society it is a fundamental decision whether to live under permanent control. By adopting this report the European Parliament shows that it is not concerned about protecting human rights and citizen's liberties.


EUROPEAN PARLIAMENT

1999             2004

Committee on Industry, External Trade, Research and Energy

2000/0189 (COD)
Rev2

02 July 2001

OPINION

Committee on Industry, External Trade, Research and Energy

Committee on Citizens' Freedoms and Rights, Justice and Home Affairs

on the proposal for European Parliament and Council directive concerning the processing of personal data and the protection of privacy in the electronic communications sector

(COM(2000) 385 – C5-0439/2000 – 2000/0189(COD))

Draftsperson: Ilka Schröder


AD\444539EN.doc

PE 286.135


PROCEDURE

The Committee on Industry, External Trade, Research and Energy appointed Ilka Schröder draftsperson at its meeting of 22 June 2001.

It considered the draft opinion at its meetings of 13 September 2000, 25 April 2001, 25 and 29 May 2001 and 12 June 2001.

At the last meeting it adopted the following amendments with 1 abstention.

The following were present for the vote: Carlos Westendorp y Cabeza, chairman Peter Michael Mombaur, vice-chairman; .Ilka Schröder, draftsman; Konstantinos Alyssandrakis, Ward Beysen (for Willy C.E.H. De Clercq), Yves Butel, Massimo Carraro, Giles Bryan Chichester, Nicholas Clegg, Harlem Désir, Raina A. Mercedes Echerer (for Caroline Lucas), Colette Flesch, Christos Folias, Glyn Ford, Jacqueline Foster (for Roger Helmer), Neena Gill (for Mechtild Rothe), Norbert Glante, Alfred Gomolka (for Werner Langen), Michel Hansenne, Hans Karlsson, Rolf Linkohr, Eryl Margaret McNally, Erika Mann, Angelika Niebler, Reino Paasilinna, Elly Plooij-van Gorsel, John Purvis, Daniela Raschhofer, Imelda Mary Read, Christian Foldberg Rovsing, Gilles Savary (for François Zimeray), Konrad K. Schwaiger, Esko Olavi Seppänen, Astrid Thors, Jaime Valdivielso de Cué, W.G. van Velzen, Alejo Vidal-Quadras Roca, Dominique Vlasto, Olga Zrihen Zaari.


SHORT JUSTIFICATION

This proposal for a Directive, which forms part of the new regulatory framework for telecommunications, is not a totally new piece of legislation: it is intended to supersede the existing Directive 97/66/EC, and is but a particular implementation of the principles embodied in the general data protection Directive.

However, the proposed text is not just a technical adaptation. As telecommunications become present in all aspects and at all moments of daily life, the amount of information that can be collected increases in quantity and accurateness. The new technologies that state-of-the-art telecommunications make available entail specific problems which entail a quantum leap in the significance of such information as traffic or location data.

In both fields of political rights and freedoms and exposure to commercial targetting, the citizens are entitled to a safeguard of their privacy. The general 1995 Directive, however imperfect it can be judged, covers the content information. Both for this kind of information and for traffic data, we are aware of - though of course not happy with - the limitations as to the competence of Parliament in particular and more generally the EU at large when it comes to the protection of the individual against misuse of information by public authorities. Still the issue should be pointed out that wherever there are possibilities for law enforcement authorities and security services to legally intercept, there will always be the risk of abuse - be it by the authorities themselves which may exceed their competences, be it by unauthorized natural or legal persons.

A strict control on how the technical data is collected, stored and processed, by whom, and towards what end, is therefore a pre-condition to prevent such abuses. In particular technological tools must be implemented and use to ensure that information collected towards a given aim is not used outside of the field for which its collection is legitimate, and that it does not exceed tthe requirements of this use.

Proper information of the subscribers and users must be ensured, and an enlightened consent be obtained prior to any data collection that is necesserary for a given service.

More generally, It is foreseeable that with future technologies such as broadband access in connection with an always online status, Internet-based telephony, location-based services for UMTS mobile phones, the borders between different kinds of data - traffic data, location data, user data, contents data - will become more and more undistinguishable. It should be made clear therefore that wherever different kinds of data melt in a way that they cannot be separated any more, the strictest rules should apply, e.g. when traffic data and contents data become so entangled that they can't be separated any more, the rules for content data should apply to the whole "data ball".

AMENDMENTS

The {ITRE}Committee on Industry, External Trade, Research and Energy calls on the {LIBE}Committee on Citizens' Freedoms and Rights, Justice and Home Affairs, as the committee responsible, to incorporate the following amendments in its report:

<SubAmend>

Text proposed by the Commission1

 

Amendments by Parliament

(Amendment 1)
Recital 8

(8) The Member States, providers and users concerned, together with the competent Community bodies, should cooperate in introducing and developing the relevant technologies where this is necessary to apply the guarantees provided for by this Directive and taking particular account of the objectives of minimising the processing of personal data and of using anonymous or pseudonymous data where possible.

__________________

1 OJ C 365 19.12.2000, p. 223
(8) The Member States, providers and users concerned, together with the competent Community bodies, should ensure that the processing of personal data is limited to a minimum and uses anonymous or pseudonymous data wherever possible and they must cooperate in introducing and developing the relevant technologies where this is necessary to apply the guarantees provided for by this Directive.

Justification

This wording insists on the priority that protection of the personal information must enjoy, compared to the rather weak formulation in the Commission's proposal.




(Amendment 2)
Recital 14

(14) Measures should be taken to prevent unauthorised access to communications in order to protect the confidentiality of communications, including both the contents and any data related to such communications, by means of public communications networks and publicly available electronic communications services. National legislation in some Member States only prohibits intentional unauthorised access to communications. (14) Measures should be taken to prevent unauthorised access to communications in order to protect the confidentiality of communications, including both the contents and any data related to such communications, by means of public communications networks and publicly available electronic communications services. These measures should include the facilitation of proven cryptography and anonymisation or pseudonymisation tools.

Justification

Effective protection cannot rely on legal measures only, whatever their extent. The general availability of adequate tools must be ensured.


(Amendment 3)
Recital 15

(15) The data relating to subscribers processed within electronic communications networks to establish connections and to transmit information contain information on the private life of natural persons who have a right to respect for their correspondence. The legitimate interests of legal persons should also be protected. Such data may only be stored to the extent that is necessary for the provision of the service for the purpose of billing and for interconnection payments, and for a limited time. Any further processing of such data which the provider of the publicly available electronic communications services may want to perform for the marketing of its own electronic communications services or for the provision of value added services, may only be allowed if the subscriber has agreed to this on the basis of accurate and full information given by the provider of the publicly available electronic communications services about the types of further processing it intends to perform and about the subscriber's right not to give or to withdraw his consent to such processing. Traffic data used for marketing of own communications services or for the provision of value added services should also be erased or made anonymous after the provision of the service. Service providers should always keep subscribers informed of the types of data they are processing and the purposes and duration for which this is done. (15) The data relating to subscribers processed within electronic communications networks to establish connections and to transmit information contain information on the private life of natural persons who have a right to respect for their correspondence. The legitimate interests of legal persons should also be protected. Such data may only be stored to the extent that is necessary for the provision of the service for the purpose of billing and for interconnection payments, and for a limited time. Any further processing of such data which the provider of the publicly available electronic communications services may want to perform for the marketing of its own electronic communications services or for the provision of value added services, may only be allowed if the subscriber has agreed to this on the basis of accurate and full information given by the provider of the publicly available electronic communications services about the types of further processing it intends to perform and about the subscriber's right not to give or to withdraw through an easy and proportionate procedure his or her consent to such processing, and provided that refusing this consent does not in any way restrict his or her ability to subscribe to the services or enjoy the full extent of his or her rights under the contract. Traffic data used for marketing of own communications services or for the provision of value added services should also be erased or made irreversibly anonymous after the provision of the service. Service providers should always keep subscribers informed of the types of data they are processing and the purposes and duration for which this is done.

(Note: gender-marked qualifications to be adapted throughout the text with a view towards sex neutrality).

Justification

Such protective measures become void if they are too complicated to exercise or if they jeopardise the rights and possibilities that subscribers expect from the services.



(Amendment 4)
Recital 15 a (new)

 

(15a) For the interpretation of article 6 of this directive it must be noted that systems for the provision of electronic communications networks and services should be designed to limit the amount of personal data necessary to a strict minimum. Any activities related to the provision of the electronic communications service that go beyond the transmission of a communication and the billing thereof must be based on aggregated, unidentifiable traffic data.

  Where such activities cannot be based on aggregated data, for instance for the purpose of customer care, maintenance, quality control or fraud detection by the provider of a electronic communications network or service, they should be considered as value added services for which the prior consent of the subscriber is required. In these cases the data needed for these specific purposes may be processed for a period of maximum 2 months.

Justification

This new recital clarifies that the storage of traffic data should be limited to the minimum necessary for the transmission of a communication. Anything that goes further than that, may be subject to abuse or intrusion to the fundamental privacy of the user, and should therefore be protected by aggregation and anonymisation.

Cases can occur where the data should not be aggregated or made anonymous in order to offer services to users, without infringing their privacy-rights. These cases are customer care (for instance in case of a malfunction of the service of an individual subscriber), maintenance, quality control and fraud detection by the provider (and not of the law enforcement agencies, which have their provisions in article 15). For these cases an exception can be made, with the prior consent of the subscriber concerned.

Therefore this recital is useful.



(Amendment 5)
Recital 16

(16) The introduction of itemised bills has improved the possibilities for the subscriber to check the accuracy of the fees charged by the service provider but, at the same time, it may jeopardise the privacy of the users of publicly available electronic communications services. Therefore, in order to preserve the privacy of the user, Member States should encourage the development of electronic communication service options such as alternative payment facilities which allow anonymous or strictly private access to publicly available electronic communications services, for example calling cards and facilities for payment by credit card. (16) The introduction of itemised bills has improved the possibilities for the subscriber to check the accuracy of the fees charged by the service provider but, at the same time, it may jeopardise the privacy of the users of publicly available electronic communications services. Therefore, in order to preserve the privacy of the user, Member States should encourage the development of electronic communication service options such as alternative payment facilities which allow anonymous or strictly private access to publicly available electronic communications services, for example calling cards.

Justification

Credit cards are not an adequate example in this context.



(Amendment 6)
Recital 18, last sentence

The privacy options which are offered on a per-line basis do not necessarily have to be available as an automatic network service but may be obtainable through a simple request to the provider of the publicly available electronic communications service. The privacy options which are offered on a per-line basis do not necessarily have to be available as an automatic network service but may be obtainable free of charge through a simple and standardised request to the provider of the publicly available electronic communications service.

Justification

These privacy options are an essential right and not a "value added service". The necessity to be able to use them on all kinds of networks or origination points (public payphones, third-party lines, etc.) requires that they can be activated with identical codes on all networks.



(Amendment 7)
Recital 21 a (new)

  (21a) Spamming – the bulk sending of untargeted unsolicited emails – is already covered by special protection measures, in particular by Article 7(1) of Directive 2000/31/EC, by Articles 6 and 7 of the general data protection Directive 95/46/EC, by Directive 84/450/EEC on misleading advertising and by Directive 93/13/EC on unfair terms in consumer contracts.

Justification

Existing, current legislation can be used to combat spam and, therefore, there exists no need for a new, rigid and cost-increasing legislation that most likely will not have an effect on spam.



(Amendment 8)
Article 2, paragraph 2, point (b)

(b) ‘traffic data’ means any data processed in the course of or for the purpose of the transmission of a communication over an electronic communications network; (b) ‘traffic data’ means any data processed in the course of or necessary to ensure the transmission of a communication over an electronic communications network;

Justification

This amendement makes it possible that service providers retain only what is generally necessary to ensure communication over an electronic network, which does not include transient storage of traffic data during transmission nor all the (additional) information that could be asked by various interested parties.



(Amendment 9)
Article 2, point (e a) (new)

  (e a) "Electronic mail" means any text, voice, sound or image message sent over an electronic communications network which can be stored in the network or in the recipient’s terminal equipment, which is addressed directly or indirectly to one or more natural or legal persons.

 Justification

This addition ensures that emails, SMS-messages, sound-attachments, pictures as well as digital movies are included in the scope of this Directive.



(Amendment 10)
Article 5, paragraph 2

2. Paragraph 1 shall not affect any legally authorised recording of communications and the related traffic data in the course of lawful business practice for the purpose of providing evidence of a commercial transaction or of any other business communication. 2. Paragraph 1 shall not affect any legally authorised recording of communications and the related traffic data in the course of lawful business practice for the purpose of providing evidence of a commercial transaction or of any other business communication. Employment relationship and industrial relations are not to be regarded as business communication within the sense of this paragraph.

Justification

Business communication should only encompass the operational activity of an organisation.



(Amendment 11)
Article 5, paragraph 2 a (new)

  2a. Member States shall prohibit the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user without the prior, explicit consent of the subscriber or user concerned. This shall not prevent any technical storage or access for the sole purpose of carrying out of facilitating the transmission of a communication over an electronic communications network.

 Justification

Terminal equipment of users of electronic communications networks and any information stored on such equipment are part of the private sphere of the users requiring protection under the European Convention for the protection of Human Rights and fundamental freedoms. So-called cookies, spyware, web bugs, hidden identifiers and other similar devices that enter the users´ terminal equipment without their explicit knowledge or explicit consent in order to gain access to information, to store hidden information or to trace the activities of the user may seriously intrude the privacy of these users. The use of such devices should therefore be prohibited unless the explicit, well-informed and freely given consent of the user concerned has been obtained. 



(Amendment 12)
Article 6, paragraph 1

1. Traffic data relating to subscribers and users processed for the purpose of the transmission of a communication and stored by the provider of a public communications network or service must be erased or made anonymous upon completion of the transmission, without prejudice to the provisions of paragraphs 2, 3 and 4. 1. Traffic data relating to subscribers and users processed for the purpose of the transmission of a communication and stored by the provider of a public communications network or service must be erased or made irreversibly anonymous upon completion of the transmission, with due regard for the requirements of paragraphs 2, 3 and 4, and so as to allow for proper implementation of paragraph 6.

Justification

The need for further exploitation of data is not per se a legitimate reason for lifting the requirement of individual protection when alternative means exist such as pseudonymisation, statistical format, etc.



(Amendment 13)
Article 6, paragraph 6

6. Paragraphs 1, 2, 3 and 5 shall apply without prejudice to the possibility for competent authorities to be informed of traffic data in conformity with applicable legislation with a view to settling disputes, in particular interconnection or billing disputes. 6. Paragraphs 1, 2, 3 and 5 shall be implemented so as to allow for competent authorities to be informed of traffic data in conformity with applicable legislation with a view to settling disputes, in particular interconnection or billing disputes.

Justification

The need for further exploitation of data is not per se a legitimate reason for lifting the requirement of individual protection when alternative means exist such as pseudonymisation, statistical format, etc.



(Amendment 14)
Article 6, paragraph 6 a (new)

  6a. The duration of processing or retaining of data, mentioned in this directive, shall be limited to a reasonable period, with respect to the purposes of those processes, and will not be longer than several months.

The retained data, both content and traffic details, shall only be accessed by law enforcement authorities for purposes of investigating infringements covered by criminal law and shall not be accessed for the purpose of intelligence-gathering or data-mining.

Justification

Traffic data must be protected by the principle of confidentiality to the same extent as content data, as also stated in article 8 of the European Convention on Human Rights.There is no need for commerce to keep data except for very limited periods.Limitation of the duration of data-retaining (as well as anonymity of that data) will create confidence in electronic communications systems by citizens.

The second addition aims at avoiding that law enforcement takes precedence over the privacy and freedom of people. It is important to find a solution that is well founded, proportionate and well-balanced. Therefore investigations must in any case be proportionate, and can only be permitted as a consequence of reasonable doubts. This addition prevents so-called fishing expeditions and data-mining, which are harmful intrusions to the fundamental right of privacy of the European citizen.

Or. en

 

(Amendment 15)
Article 12, paragraph 1

1. Member States shall ensure that subscribers are informed , free of charge, about the purpose(s) of a printed or electronic directory of subscribers available to the public or obtainable through directory enquiry services, in which their personal data can be included and of any further usage possibilities based on search functions embedded in electronic versions of the directory. 1. Member States shall ensure that subscribers are informed, free of charge and before they are included in the directory, about the purpose(s) of a printed or electronic directory of subscribers available to the public or obtainable through directory enquiry services, in which their personal data can be included and of any further usage possibilities based on search functions embedded in electronic versions of the directory.

Justification

This addition improves the choice of consumers to be inserted or not in future directories. Deciding not to be included anymore in a directory which has already been published will not have the same effect as choosing not to be inserted in the first place.



(Amendment 16)
Article 12, paragraph 2

Member States shall ensure that subscribers are given the opportunity , free of charge, to determine whether their personal data are included in public directories, and if so, which, to the extent that such data are relevant for the purpose of the directory as determined by the provider of the directory, and to verify, correct or withdraw such data. Member States shall ensure that subscribers are given the opportunity , free of charge, to determine whether their personal data are included in public directories, and if so, which, to the extent that such data are relevant for the purpose of the directory as determined by the provider of the directory, and to verify, correct or withdraw such data. Subscribers shall be appropriately informed about the planned entry in a public directory. If the subscriber does not object, personal details may be included in the public directory.

Justification

The purpose of public directories is to make publicly available information easily accessible to everyone. Subscribers who have doubts about the inclusion of their personal data should have sufficient opportunity to object to such inclusion or to have their data deleted at any time.



(Amendment 17)
Article 9, paragraph 1, first sentence

Where electronic communications networks are capable of processing location data other than traffic data, relating to users or subscribers of their services, these data may only be processed when they are made anonymous, or with the consent of the users or subscribers to the extent and for the duration necessary for the provision of a value added service. Where electronic communications networks are capable of processing location data other than traffic data, relating to users or subscribers of their services, these data may only be collected, stored and processed when they are made anonymous, or with the consent of the users or subscribers to the extent and for the duration necessary for the provision of a value added service specifically asked for by the user.

Justification

The user's consent must be given in full awareness of its implications. Additionally, a more accurate definition of involved actions is necessary to avoid ambiguous situations.



(Amendment 18)
Article 13, paragraph 2

2. Member States shall take appropriate measures to ensure that, free of charge, unsolicited communications for purposes of direct marketing, by means other than those referred to in paragraph 1, are not allowed either without the consent of the subscribers concerned or in respect of subscribers who do not wish to receive these communications, the choice between these options to be determined by national legislation. 2. Member States shall take appropriate measures to ensure that unsolicited communications for purposes of direct marketing, by means other than those referred to in paragraph 1, are not allowed without the prior, explicit and specific consent of the subscribers concerned and that subscribers who do not wish to receive these communications or wish to withdraw their previous consent can request it free of charge and through a procedure as straightforward as the one they can use to give their consent.

Justification

The user's consent must be given in full awareness of its implications. Additionally, the present frequent situation where accepting to receive unsollicited information is made easy (eg. ticking a checkbox on a web page) and cancelling or refusing is made difficult (eg. sending a registered letter to a postal address).



(Amendment 19)
Article 14, paragraph 3

3. Where required, the Commission shall adopt measures to ensure that terminal equipment incorporates the necessary safeguards to guarantee the protection of personal data and privacy of users and subscribers, in accordance with Directive 1999/5/EC and Council Decision 87/95/EEC 3. As concerns arise with categories of products, it shall be necessary to adopt measures to ensure that terminal equipment is constructed in a way that is compatible with users’ right to protect and control the use of their personal data, in accordance with Directive 1999/5/EC and Council Decision 87/95/EEC

 

Justification

This amendment makes sure that the privacy of users and their personal data are better protected. Prohibiting development of technical equipment to infringe users´ rights has a stronger prevention-effect than reacting against the infringement itself.

This amendment clarifies that terminal equipment should not infringe individuals´ privacy, instead of the original putting which suggests that terminal equipment should incorporate safeguards.



(Amendment 20)
Article 15, paragraph 1

1. Member States may adopt legislative measures to restrict the scope of the rights and obligations provided for in Article 5, Article 6, Article 8(1) to (4), and Article 9 of this Directive when such restriction constitutes a necessary measure to safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system, as referred to in Article 13(1) of Directive 95/46/EC 1. Member States may adopt legislative measures to restrict the scope of the rights and obligations provided for in Article 5, Article 6, Article 8(1) to (4), and Article 9 of this Directive when such restriction constitutes a necessary measure to safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system, as referred to in Article 13(1) of Directive 95/46/EC. These restrictions must contain for each specific case a demonstrable, democratically controllable need.

Justification

In order to prevent infringements with the European convention on Human Rights, the mentioned restrictions must be clearly documented, in a way which can be controlled in a democratic way, for instance by a parliamentary committee for national security.



(Amendment 21)
Article15, paragraph 3

3. The Working Party on the Protection of Individuals with regard to the Processing of Personal Data instituted by Article 29 of Directive 95/46/EC shall also carry out the tasks laid down in Article 30 of that Directive with regard to matters covered by this Directive, namely the protection of fundamental rights and freedoms and of legitimate interests in the electronic communications sector. 3. The Working Party on the Protection of Individuals with regard to the Processing of Personal Data instituted by Article 29 of Directive 95/46/EC shall also carry out the tasks laid down in Article 30 of that Directive with regard to matters covered by this Directive, namely the protection of fundamental rights and freedoms and of legitimate interests in the electronic communications sector.

The Working Party shall take the utmost account of the views of all interested parties, including industry and consumers. The Working Party shall state to what extent the views of interested parties have been heard and taken into account and shall give interested parties the opportunity to comment within a reasonable time frame, proportionate to the importance of the issue considered.

Justification

Since the Working group is currently composed only of members of the national Data Protection Authorities, the advice from the Working Party can be provided in a more transparent way by enabling discussion with interested parties like industry and consumer organisations. This will result in improvements in balancing interests involved, providing a greater sense of reality and more practical advises and opinions.



(Amendment 22)
Article 16

Article 12 shall not apply to editions of directories published before the national provisions adopted pursuant to this Directive enter into force. Article 12 shall not apply to directories published before the national provisions adopted pursuant to this Directive enter into force.

Justification

This deletion prevents that copies of directories which have already been published and distributed, might have to be confiscated.

Moreover, electronic available directories should also enjoy a transitional arrangement, which will be achieved by this amendment.


HTML by Cryptome.