POSITION | DIGITALISATION | E-PRIVACY REGULATION
E-Privacy Regulation German industry’s recommendations for the trialogue
May 2021 The top three achievements of the Council that must be maintained German industry welcomes the efforts of the Portuguese Presidency to reach an agreement on a more workable compromise for the E-Privacy regulation. The General Approach of the Council based on this text (Document 6087/21 from 10 February 2021) is a reasonable working basis for the negotiations between EU-Commission, Council and EU Parliament. German industry stands behind the protection of confidentiality of communications and privacy. Still, it is important to find the right balance between protection of communications and privacy on the one hand and strengthening Europe´s innovation potential and competitiveness in the global challenge posed by the data economy on the other. The BDI is convinced that that a high level of innovation and competitiveness can go hand in hand with the protection of individual rights. The BDI welcomes in principle the improvements that have been made in the Council for a greater alignment with the General Data Protection Regulation (GDPR) which has been a major concern of businesses. Further, the reintroduction of further compatible processing for metadata is to be welcomed and must be maintained in the upcoming trialogue negotiations. For the upcoming trialogues the following top three topics are essential for industry and should be taken in mind by policy makers. 1. Alignment of E-Privacy Regulation and GDPR must be ensured The demarcation between E-privacy regulation and EU general data protection regulation (GDPR) must be clear and coherence between the two regimes is essential. When it comes to data protection 85 percent of companies in Germany describe unclarity and legal uncertainty as a general obstacle to the commercial use of data. Therefore, harmonisation between E-Privacy and the GDPR is of utmost importance for companies, especially SMEs. The distinction between data at rest (GDPR) and data in transmission (E-Privacy) must be clear. More alignment between the E-Privacy and GDPR in this regard has been achieved in the Council and must be maintained. Still there is room for improvement for stronger alignment even in the regulation itself, e.g. by a legal basis for the further processing of terminal equipment data that is made anonymous.
Stefanie Ellen Stündel | Digitalisation and Innovation | T: +32 27921015 | S.Stuendel@bdi.eu | www.bdi.eu
E-Privacy Regulation
2. Further compatible processing of metadata is important for innovation (Article 6c) German industry acknowledges positively the efforts made in Article 6c for introducing the principle of compatible further processing of electronic communication metadata in the Council text. For many digital services such as Internet of Things or digital mobility it is important to have the possibility to further process metadata in alignment with the risk-based approach along the lines of the GDPR. A solely consent based approach for the further processing of data does not take into consideration that new analytics methods often need to operate on a critical mass of pseudonymized data to be able to create meaningful insights, which cannot be achieved only with consent. Furthermore, a full alignment for further processing of metadata and terminal equipment data could help to reach more clarity and simplification. 3. Consent to Software updates must be possible for the legal entity Further clarification is needed to ensure that the legal entity can give consent to software-updates on behalf of their employee on terminal equipment used in the context of the employment. Almost every company today uses connected terminal equipment for business purposes. Industry, retail, health services – all sectors work with tablets, laptops or smartphones to process customer data, control robots or generate medical files. The software needed for this must always be updated to the version which meets the company’s needs so that digitised processes can function seamlessly in offices, factories and hospitals. To ensure this seamless functioning, companies – as end-users – must be able to decide what security-critical software updates need to be made in order to be able to protect its IT security infrastructure and beyond. As end-users, companies and legal entities must therefore be able to give consent for a software update. Where the use of in-house devices is concerned, legal entities must be able to carry out security updates, provided that the provisions of GDPR and rules on employee protection are complied with.
E-Privacy Regulation
Impressum Federation of German Industries (BDI) Breite Straße 29, 10178 Berlin www.bdi.eu T: +49 30 2028-0 Editor Stefanie Ellen Stündel Senior Manager T: +32 27921015 S.Stuendel@bdi.eu
EU Transparency Register: 1771817758-48 BDI document number: D 1384