Erhvervs-, Vækst- og Eksportudvalget 2015-16
ERU Alm.del Bilag 340
Offentligt
1654150_0001.png
05 July 2016
Danish response to the Commission’s consultation on the revision of
the e-Privacy-directive
The Danish Government would like to thank the Commission for the opportunity
to give its view on the existing e-Privacy Directive (EPD) and the up-coming
revision of the Directive. We welcome the Commission’s open process and
broad involvement of stakeholders at an early stage, which is crucial for the
future regulation in this area.
The Danish Government is a strong supporter of the Digital Single Market. The
EU must make progress on all the elements in the strategy for the Digital Single
Market. We need a Digital Single Market that is open to competition, innovation
and new business models. We should strive to make the regulatory framework
better by reducing unjustified barriers, removing unnecessary burdens and mak-
ing all our legislation fit for the digital age.
Accordingly, the Danish Government is in favour of an up-date of the EPD in
light of the significant technological and societal developments following digi-
talisation since the adoption of the directive in 2002 and the latest revision in
2009. The revision of the EPD should seek a balanced approach, ensuring actual
protection of personal data and privacy without imposing unnecessary burdens
on the industry or hamper innovation.
It is from this perspective the Danish Government replies to the consultation.
The reply is not structured around the Commission’s questionnaire. However,
the Danish Government has strived to cover the themes from the questionnaire.
The Danish Government concludes that the revision of the EPD should focus on
the following:
Striving for a coherent legislative framework by eliminating overlapping
regulation from the general data protection regulation (GDPR) and re-
moving sector specific regulation where appropriate.
Exploring the possibility to simplify the e-Privacy regulation by inte-
grating provisions that are still considered necessary in other parts of the
telecommunication framework regulation and possibly repealing the
EPD.
Ensuring a level playing field for the electronic communications sector
and companies providing similar services (OTT), preferably by reducing
ERU, Alm.del - 2015-16 - Bilag 340: Regeringens svar på Kommissionens høring vedr. revision af e-databeskyttelsesdirektivet, fra erhvervs- og vækstministeren
2/5
the regulatory burden rather than extending the scope of the EPD’s pre-
sent sector specific regulation.
Ensuring a more balanced “cookie” regulation. The regulation
should be amended in a manner that will both decrease industry
costs of implementation and protect the privacy of users.
Introducing a technology neutral regulatory approach to unsolicited
communication (SPAM) to prepare for future technological develop-
ments.
I: General remarks
The Danish Government welcomes the revision of the EPD in order to ensure an
up-to-date European legislation which should be relevant, coherent and not un-
necessary burdensome for businesses in the digital age.
The EPD was introduced in 2002 (and revised in 2009) as a set of additional data
protection and privacy measures with particular focus on the electronic commu-
nications sector and digital direct marketing which was deemed not sufficiently
covered by the current general data protection legislation.
The Danish Government supports the general aim of securing a high level of
privacy and personal data protection in a digitalized world in order to enhance
digital trust.
The relevance of maintaining the EPD should, however, be thoroughly exam-
ined. The fast technological development followed by new business models and
market players calls for an evaluation of both market conditions and the level of
consumer protection.
The evaluation should especially take into account the revision of the general
framework of data protection with the adoption of the GDPR, strengthening
protection of personal data and privacy and imposing obligations on businesses
and the public sector in general. The Danish Government urges the Commission
to conduct a thorough evaluation of the two legal acts in order to avoid any over-
laps and to deregulate where possible.
Furthermore, the Danish Government supports the approach presented in the
Commission Communication on Online Platforms and the Digital Single Market
(COM (2016) 288 final) to explore possibilities to simplify the e-Privacy legisla-
tion and we further propose to integrate provisions that are still considered nec-
essary in other parts of the telecommunications framework regulation or other
relevant regulation and possibly repeal the EPD.
These general observations are supplemented with the following remarks on
specific provisions.
ERU, Alm.del - 2015-16 - Bilag 340: Regeringens svar på Kommissionens høring vedr. revision af e-databeskyttelsesdirektivet, fra erhvervs- og vækstministeren
3/5
II: Remarks to the specific content of the e-Privacy Directive and proposals for
changes
II.1 Scope of the e-directive
As stated above, the Danish Government finds that the starting point of the revi-
sion of the EPD should be a thorough evaluation of the relevance of sustaining
sector specific regulation regarding protection of personal data and privacy.
Securing a level playing field for providers offering the same services
regardless of the technology used is important. The starting point should
be reducing the regulatory burden and preferably roll-back the sector spe-
cific regulation. However, if an evaluation concludes that some provisions
are still relevant, the Danish Government suggests to integrate such provi-
sions in other parts of the telecommunications framework regulation or
other relevant regulation and possibly repeal the EPD.
II.2: Ensuring security and confidentiality of services
Security provision in article 4
The general goal of protecting personal data through appropriate technical and
organisational measures as stated in article 4 (1) is highly respected by the Dan-
ish Government. However, due to corresponding rules in the new GDPR there
does not seem to be a separate need to uphold the sector specific rule on this.
The same goes with the provisions in Article 4 on data breach notifications
which are also introduced in general by the GDPR. A dual regime of notification
obligations may cause unnecessary administrative burdens and risk of non-
compliance for the telecom industry as they are forced to make an individual
assessment of which notification procedure to follow for each data breach event
(especially to which authority a notification should be addressed).
Confidentiality and use of data – Articles 5, 6 and 9.
-
The rules on “cookies” in Article 5
Article 5 (3) which extends the general principle of confidentiality to the user’s
terminal equipment in connection with the use of “cookies” and other technolo-
gies seems to have been the most controversial provision of the EPD. It has been
criticised by both businesses and consumers, particularly following the introduc-
tion in 2009 of the requirement of prior consent.
The Danish Government finds it necessary that the regulation on cookies and
similar technologies is thoroughly evaluated in light of the GPDR in order to
determine whether the GPDR offers the same level of protection and therefore
could replace the specific cookie regulation.
ERU, Alm.del - 2015-16 - Bilag 340: Regeringens svar på Kommissionens høring vedr. revision af e-databeskyttelsesdirektivet, fra erhvervs- og vækstministeren
4/5
The provision has proved counterproductive in terms of raising consumer
awareness and vigilance on privacy. The constant stream of “cookie pop-up-
boxes” that users experience on websites today, following the requirements of
prior consent, eclipses the general goal of privacy protection as consumers are
“fatigued” or unintentionally mislead by the information.
Furthermore, the current regulation is burdensome to the industry as information
regarding cookies and consent mechanisms have to be implemented on almost
all websites. Cookies are used as a natural part of the internet and are regulated
almost regardless of the purpose for which they are used. Thus, the current regu-
lation does not distinguish between data collected for privacy intrusive purposes
or less intrusive purposes. Further to this, the cookie legislation has created con-
siderable uncertainty especially for businesses using new technologies even
when no privacy intrusion can be detected. This is due to the broad approach to
cookies or similar technologies and the lack of clarification within the current
legislation,
Hence, the cookie legislation has become an example of the complexity and
difficulty in regulating new techniques using traditional protection mechanisms.
The Danish Government would like to stress the need for a more balanced cook-
ie regulation in order to ensure actual protection of personal data and privacy
without undermining innovation and digital growth. In light of the adoption of
the GDPR it should - as stated above - be carefully analysed whether the pur-
pose of the cookie regulation is now embraced by the horizontal rules in the
GDPR.
A solution of adding new exceptions to the requirement of information and con-
sent for the usage of cookies and similar technologies has been widely discussed.
Due to the rapid pace in which both the technologies and usage patterns of the
web evolves The Danish Government believes that it would be unwise to hard-
code specific exceptions into primary legislation, which should be kept technol-
ogy neutral. Therefore, if specific legislation is needed in this area it is important
that the regulation is related to the purpose for which data is being collected
rather than related to the technique used.
-
Specifically on traffic and location data in Articles 6 and 9
It should be carefully analysed whether the regulation of traffic and location data
are sufficiently covered by the GPDR and adequately protected by the principles
herein (i.e. request for consent or other legal base, data minimisation and storage
limitation) hence also eliminating the need for sector specific rules.
The Danish Government finds that both traffic data and location data relevant
for electronic communications providers pursuant to EPD are to be considered
personal data.
ERU, Alm.del - 2015-16 - Bilag 340: Regeringens svar på Kommissionens høring vedr. revision af e-databeskyttelsesdirektivet, fra erhvervs- og vækstministeren
5/5
It has been argued that repealing articles 6 and 9 in the EPD would broaden the
possibilities for using such data as the legal grounds for processing are not lim-
ited to consent or to the specific legitimate interests mentioned in articles 6 and
9
.
However, the GDPR, especially in regards to processing based on legitimate
interest, contains several safeguards and limitations for processing.
The protection within the GDPR should therefore be considered sufficient fol-
lowing both the general principles on data processing and the right for the data
subject to object to processing, including for direct marketing.
And so, the Danish government would argue for repealing articles 6 and 9 in the
EPD.
II.3 Consumer rights – non-itemised bills, control over call line identifi-
cation, automatic call forwarding and subscribers directory
The consumer rights provisions should be carefully evaluated to assess
whether they are still necessary taken into account technological devel-
opments as well as changes in consumer habits.
In order to simplify the legal framework the Danish Government finds
that the provisions – if considered necessary - are more suitably placed
within other parts of the telecommunication framework regulation and
should be considered in the up-coming revision of the framework.
II.4 Unsolicited commercial communications
The Danish Government finds article 13 on unsolicited commercial com-
munications still relevant with the given opt-in and opt-out solutions
However, in regards to direct marketing telephone calls and direct mar-
keting communications to legal persons the possibility for member states
to choose between an opt-in or an opt-out solution should be revoked in
order to ensure a level playing field for businesses.
Following the technological development article 13 should be modified in
order to make the provision up to data and future proof, hence technology
neutral.
The provision should also be clarified as direct marketing in established
customer relations should be possible for all products within the shops
selection of products and services as long as this is within the reasonable
expectations of the costumer.
The provision would be more appropriately placed within the e-commerce
directive as it is based on e-mails, which is send from web based content
services rather than from public communication networks.