Today, the Committee on Civil Liberties, Justice and Home Affairs (LIBE) in the European Parliament has discussed the proposal for a new ePrivacy Regulation by the European Commission. The draft report of the LIBE Committee is available here (9 June 2017)(PDF). The draft partially proposes major changes to the Commission’s original draft. The vote on the draft report in the European Parliament is still pending.
Amendment 82 seeks to extend the original Art. 8 (1) ePrivacy Regulation by one letter d b. Art. 8 (1) deals with the protection of the terminal equipment of users and information stored in this terminal equipment. Examples include mobile telephones or computers connected to the Internet.
Art. 8 (1) of the ePrivacy Regulation establishes strict requirements as to when information from the terminal equipment may be collected at all. Under Art. 8 (1), such a collection of information is prohibited in principle, except for one of the grounds set out in paragraph 1.
In addition, it should be pointed out that Art. 8 (1) has a very broad scope, since it is not (as is the case predominantly in the ePrivacy Regulation) directed at communication data but generally refers to “information”. Similarly, Art. 5 (3) of the still valid ePrivacy Directive (the so-called cookie directive) has a broad scope.
Amendment 82 of the draft report now proposes that a new legal basis will be included in Art. 8 (1), when information from terminal equipment may be collected. According to Art. 8 (1) (d b), this is the case when it is necessary in the context of employment relationships, where:
(i) the employer provides certain equipment;
(ii) the employee is the user of this equipment; and
(iii) the interference is strictly necessary for the functioning of the equipment by the employee.
So the amended Art. 8 (1) does not apply to “Bring Your Own Device” constellations.
Firstly, this exception reads as if it would in principle allow employers to monitor the activities of employees with regard to the use of equipment, such as PCs and mobile phones. However, if one considers this proposed scheme more precisely, it should be noted that the “interference” (in this case probably the access to the terminal equipment of the user; see, for example, Recital 20) is strictly necessary for the functioning of the equipment by the employee. The interference or access to the equipment and the information gathering can therefore only be carried out if the collection of information is strictly necessary for the functioning of the technical device.
The point here is that the employer could possibly not argue that he must have access to the equipment of his employees, in order to be able to check, for example, the use of the terminals he has provided. This access could not be seen as essential for the functioning of the equipment. This is at least one possible interpretation of the amendment.
In particular, the adding of this permission to access equipment in the employment relationship and the gathering of information from the equipment is also important because one has to keep in mind that the currently negotiated ePrivacy Regulation creates special standards (and constitutes a „lex specialis“) in comparison to the General Data Protection Regulation(GDPR) which will apply as of 25 May 2018. Thus, if a situation is covered by the Articles of the ePrivacy Regulation, the GDPR is displaced (including Art. 88 GDPR on data protection in the employment context). And again: Art. 8 (1) applies already when collecting “information”. Processing of personal data (as under the GDPR) is not required.