|Published (Last):||16 April 2006|
|PDF File Size:||20.90 Mb|
|ePub File Size:||8.24 Mb|
|Price:||Free* [*Free Regsitration Required]|
Euro exchange rates. Notice of initiation of a partial interim review of the anti-dumping measures applicable to imports of farmed salmon originating in Norway.
Having regard to the Treaty establishing the European Community, and in particular its Article ,. The Proposal aims at enhancing the protection of individuals' privacy and personal data in the electronic communications sector. This is done not by entirely reshaping the existing ePrivacy Directive but rather by proposing ad hoc amendments to it, which mainly aim at strengthening the security-related provisions and improving the enforcement mechanisms.
The remarks contained in this Opinion are limited to the proposed amendments to the ePrivacy Directive unless such proposed amendments rely on concepts or provisions contained in proposals for review of the telecoms package. In addition, some comments contained in this Opinion refer to provisions of the ePrivacy Directive which have not been amended by the Proposal.
Prior to the adoption of the Proposal, the Commission informally consulted the EDPS on the draft Proposal, which the EDPS welcomed as it gave him an opportunity to make some suggestions on the draft proposal prior to its adoption by the Commission. The adoption of the Proposal was preceded by a wide public consultation exercise, a practice valued by the EDPS. The EDPS fully supports the aims of the Commission in adopting a Proposal enhancing the protection of individuals' privacy and personal data in the electronic communications sector.
When data breaches occur, notification has clear benefits, it reinforces the accountability of organizations, is a factor that drives companies to implement stringent security measures and it permits the identification of the most reliable technologies towards protecting information.
Furthermore, it allows the affected individuals the opportunity to take steps to protect themselves from identify theft or other misuse of their personal information. Also positive is the strengthening of the investigatory powers of national regulatory authorities as it will enable them to assess whether or not any processing of data is carried out in compliance with the law and to identify infringers Addition of Article 15a 3. To be able to stop unlawful processing of personal data and infringements of privacy as soon as possible is a necessary measure in order to protect the rights and freedoms of individuals.
To this end the proposed Article 15a 2 which recognizes the national regulatory authorities' power to order the cessation of infringements is much welcomed as it will enable them to bring seriously unlawful processing to an immediate halt. Among others, the approach is based on the belief that while no new data protection principles are necessary, there is a need for more specific rules to address data protection issues raised, by new technologies such as the Internet, RFID, etc, as well as tools that contribute to enforce and make effective data protection legislation such as enabling legal entities to initiate actions for violation of data protection and obliging data controllers to notify security breaches.
Despite the overall positive approach of the Proposal, the EDPS regrets that the Proposal is not as ambitious as it could have been. Indeed, since the application of the provisions contained in the ePrivacy Directive as well as careful analysis of the subject has shown that some of its provisions are far from clear, generating legal uncertainty and compliance problems.
For example, this is the case regarding the extent to which semi-public providers of electronic communication services are covered by the ePrivacy Directive. One would have hoped that the Commission would have made use of the review of the telecom package, and in particular of the ePrivacy Directive, to resolve some of the outstanding problems.
Furthermore, in dealing with new issues, such as the setting up of a mandatory breach notification system, the Proposal only offers a partial solution, not including within the scope of the organizations obliged to notify security breaches, entities that process very sensitive types of data such as on-line banks or providers of on-line health services.
The EDPS regrets this approach. The EDPS is hopeful that as the Proposal makes its way through the legislative process, the legislator will take into account the comments and proposals contained in this Opinion towards solving the issues that the Commission's Proposal has failed to address.
Scope of the ePrivacy Directive, in particular, services concerned. A key issue in the current ePrivacy Directive is the question of its scope of application.
The Proposal contains some positive elements towards defining and clarifying the scope of the Proposal, particularly, the services concerned by the Directive, which are discussed below under Section i.
Unfortunately, the proposed amendments do not solve all existing problems. As discussed under Section ii below, the amendments unfortunately do not seek to broaden the scope of application of the Directive to include electronic communication services in private networks. The EDPS finds this provision positive as it clarifies that a number of RFID applications fall within the scope of the ePrivacy Directive, thus removing some uncertainty on this point and definitively removing misunderstandings or misinterpretation of the law.
This happens for several cumulative reasons. Firstly, because RFID applications fall within the definition of electronic communication services. Secondly, because they are provided over an electronic communication network insofar as the applications are supported by a transmission system that conveys signals in a wireless way. And finally, the network may be public and private. However, the proposed amendment will eliminate any remaining doubt about it and thus provide more legal certainty.
However, such measures should be adopted in another context, not as part of this Proposal. While the EDPS welcomes the clarification described above, he regrets that the Proposal has not tackled the issue of the increasingly blurred distinction between private and public networks. Furthermore, the EDPS regrets that the definition of services covered by the ePrivacy Directive has not been broadened to include private networks.
As it currently stands, Article 3 1 of the ePrivacy Directive applies only to electronic communication services in public networks.
The EDPS notes the tendency of services to increasingly become a mixture of private and public ones. Think for example of universities allowing thousands of students to use Internet and e-mail.
Furthermore, private networks such as those of employers providing employees with Internet access, hotels or apartment owners providing guests with telephone and e-mail as well as Internet cafes have an impact on the data protection and privacy of their users which suggests that they should also be covered by the scope of application of the ePrivacy Directive. Also, under German law, data protection authorities have found that allowing private email usage within a company can cause the company to be deemed as an operator of public telecommunications services, and thus to fall under the ePrivacy Directive's provisions.
Notification of Security Breaches: Amendment to Article 4. Article 4 of the ePrivacy Directive is amended with the inclusion of two new paragraphs 3 and 4 which set forth an obligation to notify security breaches. The EDPS welcomes these provisions Article 4 3 and 4 4 introducing a mandatory notification of security breaches.
The notification of security breaches carries positive effects from the perspective of the protection of personal data and privacy, which have already been tested in the United States where breach notification legislation at state level has been in place for several years already.
Indeed, the simple fact of having to publicly notify security breaches causes organizations to implement stronger security standards that protect personal information and prevent breaches.
Furthermore, the notification of security breaches will help to identify and carry out reliable statistical analysis regarding the most effective security solutions and mechanisms. For a long time there has been a shortage of hard data about information security failures and the most appropriate technologies to protect information. Finally, the notification of security breaches makes individuals aware of the risks they face when their personal data are compromised and helps them to take the necessary measures to mitigate such risks.
In sum, this obligation reduces the likelihood of individuals becoming victims of identity theft and also may help victims to take the actions necessary to resolve problems. While the EDPS is pleased with the security breach notification system set forth under Articles 4 3 and 4 4 , he would have favored their application at a wider scale to include providers of information society services.
The reasons that justify imposing the security breach notification upon providers of public electronic communication services, i. PPECS, also exist regarding other organizations which also process massive amounts of personal data, the disclosure of which may be particularly harmful to data subjects. This includes on-line banks, data brokers and other on-line providers such as those who process sensitive data which includes health data, political views, etc.
The compromise of information held by on-line banks and on-line business which may include not only bank account numbers but also credit card details may trigger identity theft, in which case it is essential for individuals to be made aware in order to take the necessary measures.
In the latter case on-line health , if not financial damage, surely individuals are likely to suffer non-economic damage when sensitive information is compromised. Furthermore, by broadening the scope of the obligation, the benefits described above, expected from the imposition of this obligation, will not be limited to one sector of activity, that of providers of publicly available electronic communication services, but will be expanded to information society services in general.
Indeed, the imposition of security breach notification obligations upon information society services such as on-line banks will not only increase their accountability but also motivate such actors to strengthen their security measures and thus avoid future potential security breaches. There are other precedents where the ePrivacy Directive already applies to entities other than PPECS, such as Article 5 on the confidentiality of communications and Article 13 on spam. This confirms that in the past the legislator, very wisely, took the decision to broaden the scope of application of certain provisions of the ePrivacy Directive because it felt that it was appropriate and necessary.
The EDPS hopes that currently the legislator will not hesitate to take a similar sensible and flexible approach and broaden the scope of application of Article 4 in order to include providers of information society services. The EDPS views this obligation and its application to both PPECS and information society service providers as a first step of a development which may eventually be applied to all data controllers in general. Specific legal framework for security breaches to be addressed through comitology.
The Proposal does not address a number of questions related to the obligation to provide notification on security breaches. Examples of issues that need to be addressed are the circumstances of the notice, the format and the procedures applicable.
The EDPS does not oppose the choice of leaving all these issues to implementing legislation. Adoption of legislation through comitology is likely to shorten the legislative procedure.
Also, comitology will help to ensure harmonization which is a goal that should be definitively sought. Taking into account the large number of issues that will need to be addressed in the implementing measures and their relevance, as highlighted below, it seems appropriate to tackle them altogether in a single piece of legislation rather than in a piecemeal approach whereby some of the issues would be addressed in the ePrivacy Directive whereas others would be left to implementing legislation.
Thus, the Commission's approach consisting in leaving these decisions to implementing legislation, to be adopted after consulting the EDPS, and hopefully other stakeholders see point below , is to be welcomed. Issues that will need to be addressed through implementing measures. The relevance of the implementing measures is highlighted if one foresees with some level of detail the issues that will need to be addressed by the implementing measures.
Indeed, implementing measures may determine the standards under which notices must be delivered. For example, they will specify what constitutes a security breach, the conditions under which notices to individuals and to the authorities must be delivered, the timing for the notice and notification. The EDPS considers that the ePrivacy Directive and particularly Article 4 should not contain any exception to the obligation to notify.
In this regard, the EDPS is glad with the Commission's approach embodied in Article 4 which sets forth an obligation to notify and does not foresee any exception to it but allows this and other questions to be dealt with by implementing legislation. Although the EDPS is aware of arguments that might justify the setting up of some exceptions to the obligation, the EDPS favors this and other questions to be carefully addressed through implementing legislation, after a thorough and global debate of all the issues at stake.
As indicated above, the complex nature of the questions related to the obligation to provide notification on security breaches, including whether exceptions or limitations are appropriate, calls for its treatment in a unified way, i.
Consultation with the EDPS and the need to broaden the consultation. Taking into account the extent to which the implementing measures will affect the protection of the personal data of individuals, it is important that prior to the adoption of these measures the Commission engages in a proper consultation exercise. For this reason, the EDPS welcomes Article 4 4 of the Proposal which explicitly establishes that prior to adopting implementing measures, the Commission will consult the European Data Protection Supervisor.
Such measures will not only concern but have an important impact on the protection of personal data and privacy of individuals. In addition to consultation with the EDPS, it may be appropriate to include a provision establishing that draft implementation measures will be subject to public consultation, in order to obtain advice and encourage the sharing of experience of best practices in these matters.
This will provide a proper channel not only to industry but also other stakeholders, including other data protection authorities and the Article 29 Working Party to put forward their views. The need for public consultation is reinforced if one takes into account that the procedure for adoption of legislation is comitology, with limited intervention of the European Parliament.
Provision on cookies, spyware and similar devices: Amendment to Article 5 3. Article 5 3 of the ePrivacy Directive addresses the issue of technologies that permit the access to information and the storage of information in the users' terminal equipment, via electronic communication networks. Other examples include the use of technologies such as spyware hidden espionage programs and Trojan horses programs hidden in messages or in other apparently innocent software.
The aim of such technologies and purposes varies enormously, whereas some are perfectly harmless or even useful for the user, other objectives are clearly very harmful and threatening. Article 5 3 of the ePrivacy Directive sets forth the conditions that apply when gaining access to or storing information on the terminal equipment of users using, among others, the technologies mentioned above. The existing Article 5 3 of the ePrivacy Directive limits its scope of application to situations where access to information and the storage of information in the users' terminal equipment is carried out via electronic communication networks.
Technical storage for the purpose of facilitating the transmission.
LEY 181-09 PDF
Fenrizahn The witness has denied the suggestion that he did not visit the spot nor did he conduct any proceedings at the spot. He has admitted that he returned St. He has also deposed that after the inspection crime team over its report which is Ex. Z ten of the P;oPrty. He has denied the suggestion that he has falsely implicated Sushil at the instance of Vimal who had alleged that he had some loan to Sushil.