Article 6 of ePrivacy Regulation: Permitted Processing of Electronic Communications Data (Proposed Text)
The proposed text for ePrivacy Regulation Article 6 from the 4th of May, 2018 is below, covering the permitted processing of electronic communications data. This will likely change in the next month or two as they are meeting to discuss the changes to the current ePrivacy Directive. We will update accordingly. Negotiations continue about the precise text and the current version gives one year from the date of entry into force for implementation. We will post the full text when it is available.
Article 6: Permitted processing of electronic communications data
1. Providers of electronic communications networks and services shall be permitted to process electronic communications data only if:
(a) it is necessary to achieve the transmission of the communication, for the duration necessary for that purpose; or
(b) it is necessary to maintain or restore the security of electronic communications networks and services, or detect technical faults and/or errors and/or security risks and/or attacks in the transmission of electronic communications, for the duration necessary for that purpose.
2. Without prejudice to paragraph 1, providers of electronic communications networks and services shall be permitted to process electronic communications metadata only if:
(a) it is necessary for the purposes of network management or network optimisation, provided that the purpose or purposes concerned could not be fulfilled by processing information that is made anonymous and for the duration necessary for that purpose, or to meet mandatory quality of service requirements pursuant to [Directive establishing the European Electronic Communications Code] or Regulation (EU) 2015/2120 [Footnote 9] for the duration necessary for that purpose; or
(b) it is necessary for performance of the contract to which the end-user is party, to the extent necessary for billing, calculating interconnection payments, detecting or stopping fraudulent, or abusive use of, or subscription to, electronic communications services; or
(c) the end-user concerned has given consent to the processing of communications metadata for one or more specified purposes, including for the provision of services to such end-users, provided that the purpose or purposes concerned could not be fulfilled by processing information that is made anonymous; or
(d) it is necessary to protect the vital interest of a natural person, in the case of emergency, upon request of a competent authority, in accordance with Union or Member State law; or
(e) it is necessary for the purpose of statistical counting, provided that:
– the processing is limited to electronic communications meta-data that constitutes geolocation data that is pseudonymised,
– the processing could not be carried out by processing information that is made anonymous, and the geolocation data is erased or made anonymous when it is no longer needed to fulfil the purpose, and
– the geolocation data is not used to determine the nature or characteristics of an end-user or to build a profile of an end-user.
(f) it is necessary for statistical counting not permitted in accordance with point (e) or for scientific research, provided it is based on Union or Member State law which shall be proportionate to the aim pursued and provide for specific measures, including encryption and pseudonymisation, to safeguard fundamental rights and the interest of the end-users. Processing of electronic communications metadata under this point shall be done in accordance with paragraph 6 of Article 21 and paragraphs 1, 2 and 4 of Article 89 of Regulation (EU) 2016/679.
[Footnote 9: Regulation (EU) 2015/2120 of the European Parliament and of the Council of 25 November 2015 laying down measures concerning open internet access and amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services and Regulation (EU) No 531/2012 on roaming on public mobile communications networks within the Union (OJ L 310, 26.11.2015, p. 1–18).]
Previous (Article 5) | Index | Next (Article 7)
Improve Data Privacy for GDPR or CCPA with Clarip
The Clarip team and enterprise privacy management software are ready to meet your compliance automation challenges. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.
If compliance with the California Consumer Privacy Act is your focus until 2020, ask us about our CCPA software. Handle automation of data subject access requests with our DSAR Portal, or provide the right to opt out of the sale of personal information with the consent management software.
Need to improve your GDPR compliance solution? Clarip offers modular GDPR software that can fill in gaps in your privacy program. Choose from the data mapping software for an automated solution to understanding your data collection and sharing, conduct privacy risk assessments with DPIA software, or choose the cookie consent manager for ePrivacy.
Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo and speak to a member of the Clarip team.