Monday 10th December 2018

ePrivacy Proposal

This text is a draft proposal published by the European Council on 4th May, 2018

Chapter 1 (Articles 1 - 4)

General provisions

Chapter 2 (Articles 5 - 11)

Protection of electronic communications of end-users and of the integrity of their terminal equipment

Chapter 3 (Articles 12 - 17)

End-users' rights to control electronic communications

Chapter 4 (Articles 18 - 20)

Independent supervisory authorities and enforcement

Chapter 5 (Articles 21 - 24)

Remedies, liability and penalties

Chapter 6 (Articles 25 - 26)

Delegated Acts and Implementing Acts

Chapter 7 (Articles 27 - 29)

Final provisions

Recitals (1-42)

Select an Article

Select a Recital

Article 8

Protection of end-users’ terminal equipment information

1. The use of processing and storage capabilities of terminal equipment and the collection of information from end-users’ terminal equipment, including about its software and hardware, other than by the end-user concerned shall be prohibited, except on the following grounds:

(a) it is necessary for the sole purpose of carrying out the transmission of an electronic communication over an electronic communications network; or

(b) the end-user has given his or her consent; or

(c) it is necessary for providing an information society service requested by the end-user; or

(d) it is necessary for audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user or by a third party on behalf of the provider of the information society service provided that conditions laid down in Article 28 of Regulation (EU) 2016/679 are met; or

(da) it is necessary to maintain or restore the security of information society services, prevent fraud or detect technical faults for the duration necessary for that purpose; or

(e) it is necessary for a security update provided that:

(i) security updates are necessary and do not in any way change the privacy settings chosen by the end-user are not changed [sic],

(ii) the end-user is informed in advance each time an update is being installed, and

(iii) the end-user is given the possibility to postpone or turn off the automatic installation of these updates; or

2. The collection of information emitted by terminal equipment of the end-user to enable it to connect to another device and, or to network equipment shall be prohibited, except on the following grounds:

(a) it is done exclusively in order to, for the time necessary for, and for the purpose of establishing or maintaining a connection; or

(b) the end-user has given his or her consent; or

(c) it is necessary for the purpose of statistical counting that is limited in time and space to the extent necessary for this purpose and the data is made anonymous or erased as soon as it is no longer needed for this purpose.

2a. For the purpose of paragraph 2 points (b) and (c), a clear and prominent notice shall be displayed informing of, at least, the modalities of the collection, its purpose, the person responsible for it and the other information required under Article 13 of Regulation (EU) 2016/679 where personal data are collected, as well as any measure the end-user of the terminal equipment can take to stop or minimise the collection.

2b. For the purpose of paragraph 2 points (b) and (c), the collection of such information shall be conditional on the application of appropriate technical and organisational measures to ensure a level of security appropriate to the risks, as set out in Article 32 of Regulation (EU) 2016/679, have been applied.

3. The information to be provided pursuant to paragraph 2a may be provided in combination with standardized icons in order to give a meaningful overview of the collection in an easily visible, intelligible and clearly legible manner.

4. [The Commission shall be empowered to adopt delegated acts in accordance with Article 25 determining the information to be presented by the standardized icon and the procedures for providing standardized icons.]