Tag Archive for: GDPR

EuroISPA publishes Position Paper on Data Retention

Data retention frameworks refer to the regulation of what data should be stored or archived, where that should happen, and for exactly how long. The obligation of data storage stems from the possibility of law enforcement authorities to request such data to Electronics Communications Services Providers at any time.

In light of the current discussions within the High-Level Group on access to data for effective law enforcement, EuroISPA has published this Position Paper on Data Retention. This paper is a testament to EuroISPA’s collective dedication to identifying the practical, operational and economic consequences and challenges of data retention at both the national and cross-border level.

Allowing law enforcement authorities to prevent and prosecute serious crimes needs while safeguarding the fundamental rights of users and electronic communications services providers is not an easy task, as shown by several rulings of the Court of Justice of the EU. EuroISPA has put together a list of imperative requirements to provide guidance on how to achieve the right balance between the interests and obligations of all parties involved.

EuroISPA, a pan-European association which represents over 3,300 Internet Services Providers (ISPs), works to advocate for the needs both of the wider industry and of users. This position paper is one example of how the association’s members work together to draft recommendations for EU policy makers that can be implemented by the industry in order to tackle the issue at hand.

NEWS: ePrivacy Regulation – EuroISPA welcomes progress but full alignment with GDPR remains crucial

Brussels, 10 February 2021 – EuroISPA welcomes the conclusion of the discussions in Council on the ePrivacy Regulation. After over four years of complex deliberations, we are now looking forward to the start of the negotiations with the European Parliament and the European Commission. The current text is the first step towards greater legal clarity and interoperability between the ePrivacy Regulation and the GDPR regimes. This clarity is needed for businesses in Europe to plan, operate, and innovate as well as to allow for the commercial support of the free and open internet. We welcome the introduction of further compatible processing and the performance of a contract as legal grounds for metadata processing. We believe that these must be preserved during the future negotiations if we want to have a coherent and harmonised EU data framework which ensures legal certainty for European businesses. However, we consider that further work on the text is still necessary.

We regret that the Council agreed text reinstated a previous version of the “compliance with a legal obligation”, so restricting even further that legal ground and diverging from the GDPR.

In view of the negotiations, we would like to reiterate the key areas which are worth clarifying:

  • Material scope: We believe that to ensure consistency in the EU acquis, it would be necessary to further define the interplay with the GDPR and clarify when the GDPR stops applying and the ePrivacy starts.
  • B2B processing: In the business-to-business (B2B) context, providers of electronic communications services generally will not have a relationship with the end-users of their services. Clarification is therefore needed that, in such circumstances, consent can be provided by the enterprise customer.
  • Enforcement: There is a need to ensure that supervisory authorities, and enforcement and cooperation mechanisms are consistent with the GDPR standards. We need to avoid a situation where providers could be subject to oversight by multiple supervisory authorities for the same activities across the EU.
  • M2M processing: The application to machine-to-machine (M2M) communications must be limited in scope to high risk instances, instead of applying to any kind of such communications, so as to limit the risk of making a wide range of critical enterprise processes highly burdensome.
  • Privacy-preserving technologies: The industry strives to keep developing privacy-protective data processing alternatives (i.e. on-device machine learning, new aggregation techniques, and other privacy-enhancing advances). The ePrivacy Regulation should not restrict innovative and privacy-protective new approaches that are designed to benefit individuals and strengthen their privacy online.

We look forward to the beginning of the negotiations and we remain willing technical partners to the institutions in defending the much-needed flexibility on the legal basis and the interoperability with the GDPR.