Monday 10th December 2018

ePrivacy Proposal

This text is a draft proposal published by the European Council on 4th May, 2018

Chapter 1 (Articles 1 - 4)

General provisions

Chapter 2 (Articles 5 - 11)

Protection of electronic communications of end-users and of the integrity of their terminal equipment

Chapter 3 (Articles 12 - 17)

End-users' rights to control electronic communications

Chapter 4 (Articles 18 - 20)

Independent supervisory authorities and enforcement

Chapter 5 (Articles 21 - 24)

Remedies, liability and penalties

Chapter 6 (Articles 25 - 26)

Delegated Acts and Implementing Acts

Chapter 7 (Articles 27 - 29)

Final provisions

Recitals (1-42)

Select an Article

Select a Recital

Article 6

Permitted processing of electronic communications data

1. Providers of electronic communications networks and services shall be permitted to process electronic communications data only if:

(a) it is necessary to achieve the transmission of the communication, for the duration necessary for that purpose; or

(b) it is necessary to maintain or restore the security of electronic communications networks and services, or detect technical faults and/or errors and/or security risks and/or attacks in the transmission of electronic communications, for the duration necessary for that purpose.

2. Without prejudice to paragraph 1, providers of electronic communications networks and services shall be permitted to process electronic communications metadata only if:

(a) it is necessary for the purposes of network management or network optimisation, provided that the purpose or purposes concerned could not be fulfilled by processing information that is made anonymous and for the duration necessary for that purpose, or to meet mandatory quality of service requirements pursuant to [Directive establishing the European Electronic Communications Code] or Regulation (EU) 2015/21209 for the duration necessary for that purpose; or

(b) it is necessary for performance of the contract to which the end-user is party, to the extent necessary for billing, calculating interconnection payments, detecting or stopping fraudulent, or abusive use of, or subscription to, electronic communications services; or

(c) the end-user concerned has given consent to the processing of communications metadata for one or more specified purposes, including for the provision of services to such end-users, provided that the purpose or purposes concerned could not be fulfilled by processing information that is made anonymous; or

(d) it is necessary to protect the vital interest of a natural person, in the case of emergency, upon request of a competent authority, in accordance with Union or Member State law; or

(e) it is necessary for the purpose of statistical counting, provided that:

the processing is limited to electronic communications meta-data that constitutes geolocation data that is pseudonymised,

the processing could not be carried out by processing information that is made anonymous, and the geolocation data is erased or made anonymous when it is no longer needed to fulfil the purpose, and

the geolocation data is not used to determine the nature or characteristics of an end-user or to build a profile of an end-user

(f) it is necessary for statistical counting not permitted in accordance with point (e) or for scientific research, provided it is based on Union or Member State law which shall be proportionate to the aim pursued and provide for specific measures, including encryption and pseudonymisation, to safeguard fundamental rights and the interest of the end-users. Processing of electronic communications metadata under this point shall be done in accordance with paragraph 6 of Article 21 and paragraphs 1, 2 and 4 of Article 89 of Regulation (EU) 2016/679.

3. Without prejudice to paragraph 1, providers of the electronic communications networks and services shall be permitted to process electronic communications content only:

(aa) for the purpose of the provision of an explicitly requested services [sic] by an end-user for purely individual use if the requesting end-user has given consent and where such requested processing does not adversely affect fundamental rights and interest of another person concerned and does not exceed the duration necessary for the provision of the requested services and is limited to that purpose only; or

(b) if all end-users concerned have given their consent to the processing of their electronic communications content for one or more specified purposes that cannot be fulfilled by processing information that is made anonymous, and the provider has prior to the processing carried out an assessment of the impact of the envisaged processing operations on the protection of electronic communications data and consulted the supervisory authority. Article 36(2) and (3) of Regulation (EU) 2016/679 shall apply to the consultation of the supervisory authority.

3a. For the purposes of point (e) of paragraph 2, the provider of the electronic communications service shall:

(a) exclude electronic communications metadata that constitue geolocation data that reveal special categories of personal data pursuant to Article 9 of Regulation (EU) 2016/679 from processing;

(b) not share such data with third parties, unless it is made anonymous;

(c) prior to the processing carry out an assessment of the impact of the envisaged processing operations on the protection of electronic communications data and consult the supervisory authority. Points (2) and (3) of Article 36(2) and (3) of Regulation (EU) 2016/679 shall apply to the consultation of the supervisory authority; and

(d) inform the end-user of specific processing on the basis of point (f) of paragraph 2 and give the right to object to such processing.

4. A third party on behalf of a provider of electronic communications network or services shall be permitted to process electronic communications data in accordance with paragraphs 1 to 3 provided that conditions laid down in Article 28 of Regulation (EU) 2016/679 are met.


9 Regulation (EU) 2015/2120 of the European Parliament and of the Council of 25 November 2015 laying down measures concerning open internet access and amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services and Regulation (EU) No 531/2012 on roaming on public mobile communications networks within the Union (OJ L 310, 26.11.2015, p. 1–18).