Compensation for breach of the proposed ePrivacy Regulation [Ongoing updates]

29 September, 2017
| 1 Comment

Last major update: 15 January 2018

Note: a line was added at the end on 7 June 2018.

Compensation and ePrivacy (via edri)Parallel to my interest in compensation for breach of the General Data Protection Regulation [GDPR; Regulation (EU) 2016/679], I am also interested in the question of compensation for breach of the proposed ePrivacy Regulation (hereafter: pePR; see, eg, the EU Commission’s proposal for a Regulation on Privacy and Electronic Communications; on which see Flash Eurobarometer 443 Report on e-Privacy (pdf download)).

Article 22 of the Commission’s proposal provides:

Any end-user of electronic communications services who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the infringer for the damage suffered, unless the infringer proves that it is not in any way responsible for the event giving rise to the damage in accordance with Article 82 of Regulation (EU) 2016/679.

The emphasised words appear in exactly the same form in Article 82(1) GDPR. The remainder of Article 82 provides circumstances where an infringer is not responsible for the event giving rise to the damage and thus not liable for breach of the GDPR, and those circumstances apply mutatis to an infringer who would not be liable for breach of the pePR. This is not surprising: Article 22 of the pePR appears in a list of Articles (from 18 to 24) in which the supervision and enforcement of the pePR, and remedies for its breach, are integrated with those provided by the GDPR. The effect of Article 22 is to provide for compensation for breach of the pePR on the same basis as compensation is available for breach of the GDPR.

The Article 29 Working Party issued its Opinion 01/2017 (pdf) on the pePR on 4 April 2017. The European Data Protection Supervisor has commented three times: a Preliminary Opinion on the review of the ePrivacy Directive (2002/58/EC) (Opinion 5/2016 (pdf)) on 22 July 2016; an Opinion on the proposed ePrivacy Regulation (Opinion 06/2017 (pdf)) on 24 April 2017; and Recommendations on specific aspects of the proposed ePrivacy Regulation (pdf) on 5 October 2017 [the EDPS Recommendations]. Meanwhile, the Draft Opinion (pdf) by Rapporteur Kaja Kallas for the Parliament’s Committee on Industry, Research and Energy [ITRE], was published on 22 May 2017, and adopted on 2 October 2017, and the formal Opinion (pdf) was published on 4 October 2017. All of these documents are silent on the issue of compensation in Article 22, which did not come as a surprise to me, as I had thought that the provisions of Article 22 pePR were entirely uncontroversial.

Nevertheless, Article 22 pePR has been subject to many proposed amendments as the pePR has worked its way through the EU’s institutions. For example, Amendment 127 put forward by Marju Lauristin, Rapporteur for the Parliament’s Committee on Civil Liberties, Justice and Home Affairs [LIBE], in her Draft Report on the Proposal (pdf) on 9 June 2017 proposed to delete from Article 22 pePR the cross-reference to Article 82 GDPR (pp79-80, 85). This amendment makes little sense to me, given the integration between the pePR and the GDPR. On the other hand, Amendment 797 put forward to LIBE by MEPs Axel Voss, Heinz K Becker, and Elissavet Vozemberg-Vrionidi, on 14 July 2017, proposed (pdf) that Article 22 pePR should simply provide that “Article 82 of Regulation (EU) 2016/679 shall apply” (p47). This amendment makes sense to me, as it would simplify the integration between the pePR and the GDPR. LIBE was due to vote on these amendments at its meeting of 12 October 2017, but, as Jennifer Baker reported for IAPP, the LIBE vote was delayed because agreement among MEPs on the text was difficult to reach; and she predicted that, “while work continues apace, reaching a deal before the GDPR comes into force next May is still a tall order”.

Voss was the first Rapporteur on this issue for the Parliament’s Committee on Legal Affairs [JURI], and Amendment 37 in his Draft Opinion (pdf) of 6 July 2017 is precisely the same as LIBE proposed Amendment 797 (p27). JURI adopted Amendment 37 at its meeting of 2 October 2017, and it appears as Amendment 50 in Pavel Svoboda’s Opinion (pdf) of 5 October 2017 for JURI to LIBE.

Meanwhile, Amendment 509 put forward to Parliament’s Committee on the Internal Market and Consumer Protection [IMCO] by Sabine Verheyen MEP on 12 July 2017 proposed (pdf) the deletion of Article 22 in its entirety (p162). At its meeting on 28 September 2017, IMCO voted to adopt this amendment, and it appears as Amendment 65 in Eva Maydell’s Opinion (pdf) of 6 October 2017 for IMCO to LIBE. This makes no sense at all to me, as it would entirely rupture the integration between the pePR and the GDPR on this issue.

On 8 September 2017, the Estonian Presidency of the Council proposed (pdf) (pp10, 28) that Article 22 be amended as follows:

Any end-user of electronic communications services who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the infringer for the damage suffered, unless the infringer proves that it is not in any way responsible for the event giving rise to the damage in accordance with Article 82 of Regulation (EU) 2016/679.

The Presidency’s report explained that it was proposed to delete the phrase in strikethrough because Article 82 GDPR “should apply in its entirety and the deleted phrase represented only one of the elements provided for in that article” (para 57; p10). This amendment and explanation make perfect sense to me, as it would complete the integration between the pePR and the GDPR on this issue.
The Presidency’s proposals were considered at the meetings of the Council’s Working Party on Telecommunications and Information Society [WP TELE] on 19, 20 and 25 September. The Presidency subsequently published a revised text (pdf), focusing on Articles 1 to 5 pePR and related recitals, to be considered at the WP TELE meeting of 18 October, and another revised text (pdf), focussing on Articles 12 to 20 pePER and related recitals, to be considered at the WP TELE meeting of 25 October.

Meanwhile, one of the key messages in the EDPS Recommendations (pdf) of 5 October 2017 is that the pePR should particularise and complement the GDPR; the former should not lower the level of protection provided in the GDPR, and indeed should provide a higher level of protection where possible. Moreover,

unnecessary repetitions of GDPR provisions should be avoided for the sake of clarity and legal certainty: selectively repeating some GDPR provisions risks failing to include important provisions.

I entirely agree with these sentiments; as an example of giving effect to them, a footnote this last sentence provides, in part,

… the remedies in Article 21 could merely refer to the respective articles of the GDPR and be complemented by the categories of persons entitled to remedies, such as end-users.

Given the logic of the text, that footnote could just as easily have included Article 22. It certainly provides support for the Presidency’s proposals relating to Article 22, and probably provides even greater support for the Voss amendment (JURI Amendment 50; see also LIBE proposed Amendment 797; JURI proposed Amendment 37).

At its meeting on 19 October 2017, LIBE voted to adopt Lauristin’s draft report as amended; and this, in turn, was approved by the Parliament at its plenary session on 26 October 2017. This report seems (pdf) to contain no amendments to Article 22. The Transport and Telecommunications Council considered the pePR on 4 and 5 December 2017. The draft of the Regulation (pdf) proposed by the Estonian Presidency after that meeting contains the version of Article 22 which it had proposed on 8 September 2017, and which I think is the best version on offer.

It will be even more interesting to see what emerges from the subsequent trilogue meetings between representatives of the Parliament, the Council and the Commission (though they may not happen until the second half of 2018). For all its faults, when it comes to compensation, Article 82 GDPR is the only game in town; and the closer Article 22 pePR cleaves to it, the better. It looks as though Article 22 pePR might survive unamended; but, if it is to be amended, then I think that the Presidency’s suggestion is the best on offer, IMCO’s suggestion is the worst, and the Voss amendment is a good potential compromise.

Note: This post was constantly updated and rewritten as the proposed Regulation worked its way through the EU Parliament. But amendments are now closed (15 January 2018). Developments in trilogue will be dealt with in a new post or posts.

Update (7 June 2018): on 4 May 2018, the final proposals of the Bulgarian Presidency (pdf) relating to Article 22 reflected the September and December 2017 proposals of the Estonian Presidency.

ePrivacy, Privacy