Last updated: 9 October 2017
Parallel to my interest in compensation for breach of the General Data Protection Regulation [GDPR; Regulation (EU) 2016/679], I am also interested in the question of compensation for breach of the proposed ePrivacy Regulation (hereafter: pePR; see, eg, the EU Commission’s proposal for a Regulation on Privacy and Electronic Communications).
Article 22 of the Commission’s proposal provides:
Any end-user of electronic communications services who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the infringer for the damage suffered, unless the infringer proves that it is not in any way responsible for the event giving rise to the damage in accordance with Article 82 of Regulation (EU) 2016/679.
The emphasised words appear in exactly the same form in Article 82(1) GDPR. The remainder of Article 82 provides circumstances where an infringer is not responsible for the event giving rise to the damage and thus not liable for breach of the GDPR, and those circumstances apply mutatis to an infringer who would not be liable for breach of the pePR. This is not surprising: Article 22 of the pePR appears in a list of Articles (from 18 to 24) in which the supervision and enforcement of the pePR, and remedies for its breach, are integrated with those provided by the GDPR. The effect of Article 22 is to provide for compensation for breach of the pePR on the same basis as compensation is available for breach of the GDPR.
[Update: The Article 29 Working Party issued its Opinion 01/2017 (pdf) on the pePR on 4 April 2017. The European Data Protection Supervisor has commented three times: a Preliminary Opinion on the review of the ePrivacy Directive (2002/58/EC) (Opinion 5/2016 (pdf)) on 22 July 2016; an Opinion on the proposed ePrivacy Regulation (Opinion 06/2017 (pdf)) on 24 April 2017; and Recommendations on specific aspects of the proposed ePrivacy Regulation (pdf) on 5 October 2017 [the EDPS Recommendations]. Meanwhile, the Draft Opinion (pdf) by Rapporteur Kaja Kallas for the Parliament’s Committee on Industry, Research and Energy [ITRE], was published on 22 May 2017, and adopted on 2 October 2017. All of these documents are silent on the issue of compensation in Article 22, which did not come as a surprise to me, as I had thought that the provisions of Article 22 pePR were entirely uncontroversial.]
Nevertheless, Article 22 pePR has been subject to many proposed amendments as the pePR has worked its way through the EU’s institutions. For example, Amendment 127 put forward by Marju Lauristin, Rapporteur for the Parliament’s Committee on Civil Liberties, Justice and Home Affairs [LIBE], in her Draft Report on the Proposal (pdf) on 9 June 2017 proposed to delete from Article 22 pePR the cross-reference to Article 82 GDPR (pp79-80, 85). This amendment makes little sense to me, given the integration between the pePR and the GDPR. On the other hand, Amendment 797 put forward to LIBE by MEPs Axel Voss, Heinz K Becker, and Elissavet Vozemberg-Vrionidi, on 14 July 2017, proposed (pdf) that Article 22 pePR should simply provide that “Article 82 of Regulation (EU) 2016/679 shall apply” (p47). This amendment makes sense to me, as it would simplify the integration between the pePR and the GDPR. LIBE will vote on these amendments at its meeting of 12 October 2017.
[Update: Jennifer Baker writes for IAPP that the LIBE vote
will be delayed by at least a week. Originally scheduled for Octber 12, agreement among MEPs on the text has been difficult to reach, … Once LIBE does finally vote on its position, its text will then be put to the European Parliament as a whole in plenary. Once that is done, discussions can move ahead with the European Commission and national representatives. So while work continues apace, reaching a deal before the GDPR comes into force next May is still a tall order.]
Voss is the Rapporteur on this issue for the Parliament’s Committee on Legal Affairs [JURI], and Amendment 37 in his Draft Opinion (pdf) of 6 July 2017 is precisely the same as LIBE proposed Amendment 797 (p27). [Update: JURI adopted Amendment 37 at its meeting of 2 October 2017].
Meanwhile, Amendment 509 put forward to Parliament’s Committee on the Internal Market and Consumer Protection [IMCO] by Sabine Verheyen MEP on 12 July 2017 proposed (pdf) the deletion of Article 22 in its entirety (p162). At its meeting on 28 September 2017, IMCO voted to adopt this amendment. This makes no sense at all to me, as it would entirely rupture the integration between the pePR and the GDPR on this issue.
On 8 September 2017, the Estonian Presidency of the Council proposed (pdf) (pp10, 28) that Article 22 be amended as follows:
Any end-user of electronic communications services who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the infringer for the damage suffered
, unless the infringer proves that it is not in any way responsible for the event giving rise to the damage in accordance with Article 82 of Regulation (EU) 2016/679.
The Presidency’s report explained that it was proposed to delete the phrase in strikethrough because Article 82 GDPR “should apply in its entirety and the deleted phrase represented only one of the elements provided for in that article” (para 57; p10). This amendment and explanation make perfect sense to me, as it would complete the integration between the pePR and the GDPR on this issue.
[Update: The Presidency’s proposals were considered at the meetings of the Council’s Working Party on Telecommunications and Information Society [WP TELE] on 19, 20 and 25 September. The Presidency then published a revised text (pdf), focusing on Articles 1 to 5 pePR and related recitals, to be considered at the WP TELE meeting of 18 October.
Meanwhile, one of the key messages in the EDPS Recommendations (pdf) of 5 October 2017 is that the pePR should particularise and complement the GDPR; the former should not lower the level of protection provided in the GDPR, and indeed should provide a higher level of protection where possible. Moreover,
unnecessary repetitions of GDPR provisions should be avoided for the sake of clarity and legal certainty: selectively repeating some GDPR provisions risks failing to include important provisions.
I entirely agree with these sentiments; as an example of giving effect to them, a footnote this last sentence provides, in part,
… the remedies in Article 21 could merely refer to the respective articles of the GDPR and be complemented by the categories of persons entitled to remedies, such as end-users.
Given the logic of the text, that footnote could just as easily have included Article 22. It certainly provides support for the Presidency’s proposals relating to Article 22, and probably provides even greater support for the Voss amendment (LIBE proposed Amendment 797; JURI Amendment 37).]
It will be interesting to see not only which of these various amendments – if any – LIBE adopts, but also what the Parliament subsequently makes of all this on 23 October 2017. The Transport and Telecommunications Council is due to consider a progress report on pePR on 4 and 5 December 2017. And it will be even more interesting to see what emerges from the subsequent trilogue meetings between representatives of the Parliament, the Council and the Commission. For all its faults, when it comes to compensation, Article 82 GDPR is the only game in town; and the closer Article 22 pePR cleaves to it, the better. Hence, I think that the Presidency’s suggestion is the best on offer, IMCO’s suggestion is the worst, and the Voss amendment (LIBE proposed Amendment 797; JURI Amendment 37) is a good potential compromise. I will update this post as the position develops. Watch this space.
Note: as well as the indicated updates, typos have been corrected, some links have been added, and some text has been interchanged to make the narrative more chronological.