EU Data Protection Supervisor's Opinion on ePrivacy Directive for Private Networks, Slides of Communication

Download EU Data Protection Supervisor's Opinion on ePrivacy Directive for Private Networks and more Slides Communication in PDF only on Docsity! I Resolutions, recommendations and opinions OPINIONS European Data Protection Supervisor 2008/C 181/01 Opinion of the European Data Protection Supervisor on the Proposal for a Directive of the European Parliament and of the Council amending, among others, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 II Information INFORMATION FROM EUROPEAN UNION INSTITUTIONS AND BODIES Commission 2008/C 181/02 Authorisation for State aid pursuant to Articles 87 and 88 of the EC Treaty — Cases where the Commission raises no objections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 2008/C 181/03 Non-opposition to a notified concentration (Case COMP/M.5162 — Avnet/Horizon) (1) . . . . . . . . . . . . . . . . . . . . . . 17 Official Journal of the European Union EN (1) Text with EEA relevance (Continued overleaf) Contents PageNotice No 1 ISSN 1725-2423 English edition Volume 51 C181 Information and Notices 18 July 2008 IV Notices NOTICES FROM EUROPEAN UNION INSTITUTIONS AND BODIES Commission 2008/C 181/04 Euro exchange rates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 NOTICES FROM MEMBER STATES 2008/C 181/05 Information communicated by Member States regarding State aid granted under Commission Regulation (EC) No 1628/2006 on the application of Articles 87 and 88 of the EC Treaty to national regional investment aid (1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 2008/C 181/06 Information communicated by Member States regarding State aid granted under Commission Regulation (EC) No 70/2001 on the application of Articles 87 and 88 of the EC Treaty to State aid to small and medium-sized enterprises (1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 2008/C 181/07 Information communicated by Member States regarding State aid granted under Commission Regulation (EC) No 68/2001 on the application of Articles 87 and 88 of the EC Treaty to training aid (1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 2008/C 181/08 Information communicated by Member States regarding State aid granted under Commission Regulation (EC) No 1628/2006 on the application of Articles 87 and 88 of the EC Treaty to national regional investment aid (1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 V Announcements PROCEDURES RELATING TO THE IMPLEMENTATION OF THE COMMON COMMERCIAL POLICY Commission 2008/C 181/09 Notice of initiation of a partial interim review of the anti-dumping measures applicable to imports of farmed salmon originating in Norway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 PROCEDURES RELATING TO THE IMPLEMENTATION OF THE COMPETITION POLICY Commission 2008/C 181/10 Prior notification of a concentration (Case COMP/M.5231 — Bain Capital/D&M) — Candidate case for simplified procedure (1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 Contents (continued) PageNotice No (1) Text with EEA relevance (Continued on inside back cover) EN 2. The Proposal aims at enhancing the protection of individuals' privacy and personal data in the elec- tronic communications sector. This is done not by entirely reshaping the existing ePrivacy Directive but rather by proposing ad hoc amendments to it, which mainly aim at strengthening the security- related provisions and improving the enforcement mechanisms. 3. The Proposal is part of a wider reform of the five EU telecom Directives (‘the telecoms package’). In addition to the proposals for the review of the telecoms package (1) the Commission has also adopted at the same time a Proposal for a Regulation establishing the European Electronic Communications Market Authority (2). 4. The remarks contained in this Opinion are limited to the proposed amendments to the ePrivacy Direc- tive unless such proposed amendments rely on concepts or provisions contained in proposals for review of the telecoms package. In addition, some comments contained in this Opinion refer to provi- sions of the ePrivacy Directive which have not been amended by the Proposal. 5. This Opinion addresses the following topics: (i) the scope of the ePrivacy Directive, in particular, the services concerned (proposed amendment to Article 3(1)); (ii) the notification of security breaches (proposed amendment creating Article 4(3) and 4(4)); (iii) the provisions on cookies, spyware and similar devices (proposed amendment to Article 5(3)); (iv) the legal actions initiated by electronic communication services providers and other legal persons (proposed amendment creating Article 13(6)); and (v) the strengthening of the enforcement provisions (proposed amendment creating Article 15a). Consultation with the EDPS and broader public consultation 6. The Proposal was sent by the Commission to the EDPS on 16 November 2007. The EDPS understands this communication as a request to advise Community institutions and bodies, as foreseen in Article 28(2) of Regulation (EC) No 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (hereinafter ‘Regulation (EC) No 45/2001’). 7. Prior to the adoption of the Proposal, the Commission informally consulted the EDPS on the draft Proposal, which the EDPS welcomed as it gave him an opportunity to make some suggestions on the draft proposal prior to its adoption by the Commission. The EDPS is glad to see that some of his suggestions have been reflected in the Proposal. 8. The adoption of the Proposal was preceded by a wide public consultation exercise, a practice valued by the EDPS. Indeed in June 2006 the Commission launched a public consultation on its Communica- tion on the Review of the telecoms package where the Commission described its views on the situa- tion and put forward some proposals for amendments (3). The Article 29 Data Protection Working Party (‘WP 29’), of which the EDPS is a member, used this opportunity to provide its views on the proposed amendments in an Opinion adopted on 26 September 2006 (4). 18.7.2008C 181/2 Official Journal of the European UnionEN (1) The proposed amendments to the telecoms Directives are put forward in the following Proposals: (i) proposal for a Direc- tive of the European Parliament and of the Council amending Directive 2002/21/EC on a common regulatory framework for electronic communications networks and services, Directive 2002/19/EC on access to, and interconnection of, elec- tronic communications networks and services, and Directive 2002/20/EC on the authorisation of electronic communica- tions networks and services, 13 November 2007, COM(2007) 697 final; (ii) proposal for a Directive of the European Parliament and of the Council amending Directive 2002/22/EC on universal service and users' rights relating to electronic communications networks, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on consumer protection cooperation, 13 November 2007, COM(2007) 698 final. (2) Proposal for a Regulation of the European Parliament and of the Council establishing the European Electronic Communica- tions Market Authority, 13 November 2007, COM(2007) 699 final. (3) Communication on the EU Regulatory Framework for electronic communications networks and services (SEC(2006) 816) adopted on 29 June 2006. The Communication was complemented by a Commission Staff Working Document (COM(206) 334 final). (4) Opinion 8/2006 on the review of the regulatory Framework for Electronic Communications and Services, with focus on the ePrivacy Directive, adopted on 26 September 2006. EDPS overall views 9. On the whole the EDPS views on the Proposal are positive. The EDPS fully supports the aims of the Commission in adopting a Proposal enhancing the protection of individuals' privacy and personal data in the electronic communications sector. The EDPS particularly welcomes the adoption of a mandatory security breach notification system (Amendment to Article 4 of the ePrivacy Directive, adding para- graphs 3 and 4). When data breaches occur, notification has clear benefits, it reinforces the account- ability of organizations, is a factor that drives companies to implement stringent security measures and it permits the identification of the most reliable technologies towards protecting information. Furthermore, it allows the affected individuals the opportunity to take steps to protect themselves from identify theft or other misuse of their personal information. 10. The EDPS welcomes other amendments in the Proposal such as the ability for legal persons with legiti- mate interest to have a cause of action against those who infringe some of the provisions of the ePrivacy Directive (Amendment to Article 13, adding paragraph 6). Also positive is the strengthening of the investigatory powers of national regulatory authorities as it will enable them to assess whether or not any processing of data is carried out in compliance with the law and to identify infringers (Addition of Article 15a(3)). To be able to stop unlawful processing of personal data and infringements of privacy as soon as possible is a necessary measure in order to protect the rights and freedoms of individuals. To this end the proposed Article 15a(2) which recognizes the national regulatory authori- ties' power to order the cessation of infringements is much welcomed as it will enable them to bring seriously unlawful processing to an immediate halt. 11. The approach of the Proposal and most of the proposed amendments are in line with the views on the future data protection policy which were put forward in previous EDPS Opinions such as the Opinion on the implementation of the Data protection Directive (1). Among others, the approach is based on the belief that while no new data protection principles are necessary, there is a need for more specific rules to address data protection issues raised, by new technologies such as the Internet, RFID, etc, as well as tools that contribute to enforce and make effective data protection legislation such as enabling legal entities to initiate actions for violation of data protection and obliging data controllers to notify security breaches. 12. Despite the overall positive approach of the Proposal, the EDPS regrets that the Proposal is not as ambitious as it could have been. Indeed, since 2003 the application of the provisions contained in the ePrivacy Directive as well as careful analysis of the subject has shown that some of its provisions are far from clear, generating legal uncertainty and compliance problems. For example, this is the case regarding the extent to which semi-public providers of electronic communication services are covered by the ePrivacy Directive. One would have hoped that the Commission would have made use of the review of the telecom package, and in particular of the ePrivacy Directive, to resolve some of the outstanding problems. Furthermore, in dealing with new issues, such as the setting up of a mandatory breach notification system, the Proposal only offers a partial solution, not including within the scope of the organizations obliged to notify security breaches, entities that process very sensitive types of data such as on-line banks or providers of on-line health services. The EDPS regrets this approach. 13. The EDPS is hopeful that as the Proposal makes its way through the legislative process, the legislator will take into account the comments and proposals contained in this Opinion towards solving the issues that the Commission's Proposal has failed to address. 18.7.2008 C 181/3Official Journal of the European UnionEN (1) Opinion of the European Data Protection Supervisor of 25 July 2007 on the Communication from the Commission to the European Parliament and the Council on the follow-up of the Work Programme for better implementation of the Data Protection Directive (OJ C 255, 27.10.2007, p. 1). II. ANALYSIS OF THE PROPOSAL II.1. Scope of the ePrivacy Directive, in particular, services concerned 14. A key issue in the current ePrivacy Directive is the question of its scope of application. The Proposal contains some positive elements towards defining and clarifying the scope of the Proposal, particularly, the services concerned by the Directive, which are discussed below under Section (i). Unfortunately, the proposed amendments do not solve all existing problems. As discussed under Section (ii) below, the amendments unfortunately do not seek to broaden the scope of application of the Directive to include electronic communication services in private networks. 15. Article 3 of the ePrivacy Directive describes the services concerned by the Directive, in other words, the services to which the obligations set forth in the Directive apply: ‘This Directive shall apply to the processing of personal data in connection with the provision of publicly available electronic communication services in public communications networks’. 16. Therefore, the services concerned by the ePrivacy Directive are the providers of public electronic communication services in public networks (‘PPECS’). The definition of a PPECS is provided under Article 2(c) of the Framework Directive (1). Public communication networks are defined under Article 2(d) of the Framework Directive (2). Examples of PPECS include providing access to the Internet, transmission of information through electronic networks, mobile and telephone connec- tions, etc. (i) Proposed amendment to Article 3 of the ePrivacy Directive: Services concerned to include public communica- tion networks supporting data collection and identification devices 17. The Proposal amends Article 3 of the ePrivacy Directive by specifying that public electronic communi- cation networks include ‘public communication networks supporting data collection and identification devices ’. Recital 28 explains that the development of applications entailing the collection of information, including personal data, using radio frequencies, such as RFID, must be subject to the ePrivacy Direc- tive when they are connected or make use of public communication networks or services. 18. The EDPS finds this provision positive as it clarifies that a number of RFID applications fall within the scope of the ePrivacy Directive, thus removing some uncertainty on this point and definitively removing misunderstandings or misinterpretation of the law. 19. Indeed, under the current Article 3 of the ePrivacy Directive certain RFID applications are already covered by the Directive. This happens for several cumulative reasons. Firstly, because RFID applica- tions fall within the definition of electronic communication services. Secondly, because they are provided over an electronic communication network insofar as the applications are supported by a transmission system that conveys signals in a wireless way. And finally, the network may be public 18.7.2008C 181/4 Official Journal of the European UnionEN (1) Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory frame- work for electronic communications networks and services (OJ L 108, 24.4.2002, p. 33). The Framework Directive deli- mits what should be understood by electronic communication system, namely: (i) An ‘electronic communications service’ is a service that is normally provided for a fee and consists of conveying signals on networks and includes telecommunica- tions and transmission services in networks. (ii) Services that provide content transmitted using electronic communications networks and services are excluded from the definition of electronic communications services. (iii) Provision of services means the establishment, operation, control, or making available of a network. (iv) Electronic communications services do not include information society services, which are defined in the E-Commerce Directive as service[s], normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services. (2) Public communications network means an electronic communications network used wholly or mainly for the provision of publicly available electronic communications services. 32. Furthermore, by broadening the scope of the obligation, the benefits described above, expected from the imposition of this obligation, will not be limited to one sector of activity, that of providers of publicly available electronic communication services, but will be expanded to information society services in general. Indeed, the imposition of security breach notification obligations upon information society services such as on-line banks will not only increase their accountability but also motivate such actors to strengthen their security measures and thus avoid future potential security breaches. 33. There are other precedents where the ePrivacy Directive already applies to entities other than PPECS, such as Article 5 on the confidentiality of communications and Article 13 on spam. This confirms that in the past the legislator, very wisely, took the decision to broaden the scope of application of certain provisions of the ePrivacy Directive because it felt that it was appropriate and necessary. The EDPS hopes that currently the legislator will not hesitate to take a similar sensible and flexible approach and broaden the scope of application of Article 4 in order to include providers of informa- tion society services. To this end, it would be sufficient to insert in Article 4(3) a reference to the providers of information society services as follows: ‘In case of a breach of security leading to the acci- dental or … the provider of publicly available communication services and the provider of information society services, shall … notify the subscriber concerned and the national regulatory authority of such a breach’. 34. The EDPS views this obligation and its application to both PPECS and information society service providers as a first step of a development which may eventually be applied to all data controllers in general. Specific legal framework for security breaches to be addressed through comitology 35. The Proposal does not address a number of questions related to the obligation to provide notification on security breaches. Examples of issues that need to be addressed are the circumstances of the notice, the format and the procedures applicable. Instead, Article 4(4) of the Proposal leaves these decisions for adoption through a ‘comitology’ committee (1), namely the Communications Committee set up by Article 22 of the Framework Directive, pursuant to Council Decision of 28 June 1999. In particular, such measures would be adopted in accordance with Article 5 of the Council Decision of 28 June 1999 which set up rules for the Regulatory procedure, as regards ‘measures of general scope designed to apply essential provisions of basic instruments’. 36. The EDPS does not oppose the choice of leaving all these issues to implementing legislation. Adoption of legislation through comitology is likely to shorten the legislative procedure. Also, comitology will help to ensure harmonization which is a goal that should be definitively sought. 37. Taking into account the large number of issues that will need to be addressed in the implementing measures and their relevance, as highlighted below, it seems appropriate to tackle them altogether in a single piece of legislation rather than in a piecemeal approach whereby some of the issues would be addressed in the ePrivacy Directive whereas others would be left to implementing legislation. Thus, the Commission's approach consisting in leaving these decisions to implementing legislation, to be adopted after consulting the EDPS, and hopefully other stakeholders (see point below), is to be welcomed. Issues that will need to be addressed through implementing measures 38. The relevance of the implementing measures is highlighted if one foresees with some level of detail the issues that will need to be addressed by the implementing measures. Indeed, implementing measures may determine the standards under which notices must be delivered. For example, they will specify what constitutes a security breach, the conditions under which notices to individuals and to the autho- rities must be delivered, the timing for the notice and notification. 18.7.2008 C 181/7Official Journal of the European UnionEN (1) Law-making procedures in the EC which involve committees composed of the representatives of the governments of the Member States at the level of civil servants. 39. The EDPS considers that the ePrivacy Directive and particularly Article 4 should not contain any exception to the obligation to notify. In this regard, the EDPS is glad with the Commission's approach embodied in Article 4 which sets forth an obligation to notify and does not foresee any exception to it but allows this and other questions to be dealt with by implementing legislation. Although the EDPS is aware of arguments that might justify the setting up of some exceptions to the obligation, the EDPS favors this and other questions to be carefully addressed through implementing legislation, after a thor- ough and global debate of all the issues at stake. As indicated above, the complex nature of the ques- tions related to the obligation to provide notification on security breaches, including whether excep- tions or limitations are appropriate, calls for its treatment in a unified way, i.e. in a single piece of legislation which exclusively deals with this issue. Consultation with the EDPS and the need to broaden the consultation 40. Taking into account the extent to which the implementing measures will affect the protection of the personal data of individuals, it is important that prior to the adoption of these measures the Commis- sion engages in a proper consultation exercise. For this reason, the EDPS welcomes Article 4(4) of the Proposal which explicitly establishes that prior to adopting implementing measures, the Commission will consult the European Data Protection Supervisor. Such measures will not only concern but have an important impact on the protection of personal data and privacy of individuals. It is important therefore to seek the advice of the EDPS as required under Article 41 of Regulation (EC) No 45/2001. 41. In addition to consultation with the EDPS, it may be appropriate to include a provision establishing that draft implementation measures will be subject to public consultation, in order to obtain advice and encourage the sharing of experience of best practices in these matters. This will provide a proper channel not only to industry but also other stakeholders, including other data protection authorities and the Article 29 Working Party to put forward their views. The need for public consultation is rein- forced if one takes into account that the procedure for adoption of legislation is comitology, with limited intervention of the European Parliament. 42. The EDPS notes that Article 4(4) of the Proposal foresees that the Commission will also consult the Electronic Communications Market Authority prior to adopting implementing rules. In this regard, the EDPS values the principle of consulting the Electronic Communications Market Authority as deposi- tary of ENISA's experience and knowledge on network and information security issues. Until the Elec- tronic Communications Market Authority is created it may be appropriate as an interim solution to foresee in the proposed amendment (Article 4(4)) the consultation of ENISA. II.3. Provision on cookies, spyware and similar devices: Amendment to Article 5(3) 43. Article 5(3) of the ePrivacy Directive addresses the issue of technologies that permit the access to information and the storage of information in the users' terminal equipment, via electronic communi- cation networks. An example of the application of Article 5(3) is the use of cookies (1). Other exam- ples include the use of technologies such as spyware (hidden espionage programs) and Trojan horses (programs hidden in messages or in other apparently innocent software). The aim of such technologies and purposes varies enormously, whereas some are perfectly harmless or even useful for the user, other objectives are clearly very harmful and threatening. 18.7.2008C 181/8 Official Journal of the European UnionEN (1) Cookies are placed by ISSP (websites) in users' terminal equipments, for different purposes, including recognizing a visitor when he/she revisits a website. In practice when a cookie is sent to an Internet user by a website, the user's computer is assigned a unique number (i.e. the computer that received cookies from website A become ‘computer holder of cookie 111’). The website keeps this number as a reference. If the user/s of the computer that received the cookie 111 does not delete the cookie file, the next time he/she visits the same website, the site will be able to identify the computer as the holder of cookie 111. The website naturally deduces that this computer has visited on previous occasions. The mechanism that allows a website to recognize a computer as a repeat visitor is simple. When the visiting computer holds cookies, such as cookie 111, and visits the site that on an earlier visited generated that cookie, it will search the hard disk of the user for the cookie file number. If the user's browser finds a cookie file to match the reference number kept by the website, it informs the website that the computer holds a cookie 111. 44. Article 5(3) of the ePrivacy Directive sets forth the conditions that apply when gaining access to or storing information on the terminal equipment of users using, among others, the technologies mentioned above. In particular, pursuant to Article 5(3): (i) Internet users must be provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing; and (ii) Internet users must be allowed to refuse such processing, i.e. to opt out from the processing of information retrieved from his/her terminal equipment. Benefits of the proposed amendment 45. The existing Article 5(3) of the ePrivacy Directive limits its scope of application to situations where access to information and the storage of information in the users' terminal equipment is carried out via electronic communication networks. This includes the situation described above regarding the use of cookies as well as other technologies such as spyware delivered via electronic communication networks. However, it is far from clear whether Article 5(3) applies in situations where similar technol- ogies (cookies/spyware and the likes) are distributed through software provided on external storage media and downloaded into the users' terminal equipment. Given that the threat to privacy exists inde- pendently of the communication channel, the limitation of Article 5(3) to one communication channel only is unfortunate. 46. The EDPS is therefore pleased with the Amendment to Article 5(3) which, by removing the reference to ‘electronic communication networks’, in fact, broadens the scope of application of Article 5(3). Indeed, the amended version of Article 5(3) encompasses both situations where access to information and the storage of information in the users' terminal equipment is carried out via electronic communi- cation networks but also via other external data storage media such as CDs, CD-ROMs, USB Keys, etc. Technical storage for the purpose of facilitating the transmission 47. The last sentence of Article 5(3) of the ePrivacy Directive remains unmodified in its amended version. Pursuant to the last sentence, the requirements of the first paragraph of Article 5(3) ‘shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communi- cation over an electronic communication network or as strictly necessary in order to provide an information society service …’. Thus, the mandatory rules of the first sentence of Article 5(3) (the need to provide informa- tion and offer the possibility to refuse) will not apply when access to the terminal equipment of the user or the storage of information has the sole purpose of facilitating a transmission or when it is strictly necessary for providing information society services requested by the user. 48. The Directive does not describe when the access or storage of information has the sole purpose of facilitating a transmission or providing information. One situation that would clearly be covered by this exception is the establishment of an Internet connection. This is because to establish an Internet connection is necessary to obtain an IP address (1). The computer of the end user will be asked to disclose to the Internet access provider certain information about itself and in return the Internet access provider will provide him an IP address. In this case, information stored in the end user term- inal equipment will be transferred to the Internet access provider for the purpose of providing the user with access to the Internet. In this case, the Internet access provider is exempted from both the obliga- tion to announce this collection of information and to provide the right to refuse insofar as it is needed to provide the service. 49. Once connected to the Internet, if a user wants to view a given website, he/she must send a request to the server where the website is hosted. The latter will respond if it knows where to send the informa- tion, i.e. if it knows the user's IP address. Because of how this address is stored, it again requires the website which the user wants to visit to access information on the Internet users' terminal equipment. Clearly this transaction would also fall within the scope of the exception. Indeed, in these cases it seems appropriate to be outside the scope of application of the requirements of Article 5(3). 18.7.2008 C 181/9Official Journal of the European UnionEN (1) An IP address (Internet Protocol address) is a unique address that certain electronic devices use in order to identify and communicate with each other on a computer network utilizing the Internet Protocol standard (IP) — in simpler terms, a computer address. Any participating network device — including routers, switches, computers, infrastructure servers (e.g. NTP, DNS, DHCP, SNMP, etc.), printers, Internet fax machines, and some telephones— can have its own address that is unique within the scope of the specific network. Some IP addresses are intended to be unique within the scope of the global Internet, while others need to be unique only within the scope of an enterprise. 63. The EDPS considers that, if legislation supports regulators to assist their counterpart in other coun- tries, it will undoubtedly assist the cross border enforcement. It is therefore appropriate for the Proposal to enable the Commission to create the conditions to ensure cross-border cooperation, including the procedures for sharing information. III. CONCLUSIONS AND RECOMMENDATIONS 64. The EDPS fully welcomes the Proposal. The proposed amendments strengthen the protection of indivi- duals' privacy and personal data in the electronic communications sector and this is done with a light touch, without creating unjustified and unnecessary burdens upon organizations. More specifically, the EDPS considers that for the most part the proposed amendments should not be modified insofar as they fulfill properly their pursued objective. Point 69 below lists the amendments that the EDPS would hope to remain unmodified. 65. Notwithstanding the overall positive consideration of the Proposal, the EDPS considers that some of its amendments should be improved to ensure that they effectively provide for a proper protection of the personal data and the privacy of individuals. This is particularly true regarding the provisions on security breach notification and for those that deal with the legal actions initiated by electronic communication service providers for violation of spam provisions. In addition, the EDPS regrets that the Proposal fails to tackle some issues, not properly dealt with in the current ePrivacy Directive, missing the opportunity of this review exercise to resolve the outstanding problems. 66. To solve both problems, i.e. issues not properly addressed in the Proposal and those not dealt with at all, this Opinion has put forward some drafting proposals. Points 67 and 68 summarize the problems and propose specific language. The EDPS calls upon the legislator to take them into account as the Proposal makes its way through the legislative process. 67. The amendments contained in the Proposal where the EDPS would strongly favor modification, include the following: (i) Security breach notification: As formulated, the proposed amendment adding Article 4(4) applies to providers of public electronic communication services in public networks (ISPs, network operators) who are compelled to notify national regulatory authorities and their customers of security breaches. The EDPS fully supports this obligation. However, the EDPS considers that the obligation should also apply to providers of information society services which often process sensi- tive personal information. Thus, on-line banks and insurers, on-line providers of health services and any other on-line business would also have to comply with the obligation. To this end, the EDPS suggests inserting in Article 4(3) a reference to the providers of information society services as follows: ‘In case of a breach of security … the provider of publicly available communication services and the provider of information society services, shall … notify the subscriber concerned and the national regulatory authority of such a breach’. (ii) Legal actions initiated by providers of public electronic communication services in public networks: As formulated, the proposed amendment adding Article 13(6) provides civil law reme- dies for any individual or legal person particularly for electronic communication service providers to fight infringements of Article 13 of the ePrivacy Directive which deals with spam. The EDPS is satisfied with this provision. However, the EDPS does not see the rationale for this new capability to be limited to the infringement of Article 13. The EDPS suggests enabling legal persons to take legal actions for infringement of any provision of the ePrivacy Directive. To achieve the above, the EDPS suggests converting Article 13(6) into a separate Article (Article 14). In addition, the language of Article 13(6) should be slightly amended as follows: Where it says ‘pursuant to this Article’ it should say ‘pursuant to this Directive’. 18.7.2008C 181/12 Official Journal of the European UnionEN 68. The scope of application of the ePrivacy Directive which is currently limited to providers of public electronic communication networks is one of the most worrisome issues that the Proposal has failed to address. The EDPS considers that the Directive should be amended to broaden its application to include providers of electronic communication services also in mixed (private/public) and private networks. 69. The amendments that the EDPS would strongly favor to remain unmodified include the following: (i) RFID: The proposed amendment to Article 3 according to which electronic communication networks include ‘public communication networks supporting data collection and identification devices’ is fully satisfactory. This provision is very positive as it clarifies that a number of RFID applications must comply with the ePrivacy Directive, thus removing some legal uncertainty on this point. (ii) Cookies/spyware: The proposed amendment to Article 5(3) is to be welcomed because as a result the obligation to inform and give the right to oppose to have cookies/spyware stored in one's terminal equipment will also apply when such devices are placed through external data storage media such as CD-ROMs, USB Keys. However, the EDPS suggests that a minor amendment be made to the last part of Article 5(3) which consists in deleting the word ‘facilitating’ from the sentence. (iii) Choice of comitology with consultation to the EDPS and conditions/limitations to the obligation to notify: The proposed amendment adding Article 4(4) regarding security breach notification leaves up to comitology, after having sought the EDPS's advice, the decision of complex questions regarding the circumstances/format procedures of the security breach notifica- tion system. The EDPS strongly supports this unified approach. Legislation on security breach notification is a topic on its own that needs to be addressed, after a careful debate and analysis. Linked to this matter is the call by some stakeholders to draw up exceptions to the obligation to notify security breaches in Article 4(4). The EDPS strongly opposes this approach. He rather favors that the overall subject of the notification, how to notify, in which circumstances the notifi- cation may be shortened or somehow limited, to be analyzed holistically, after undertaking a proper debate. (iv) Enforcement: The proposed amendment adding Article 15a contains many helpful elements to be kept which will contribute to ensuring effective compliance, including the strengthening of the investigatory powers of national regulatory authorities (Article 15a(3)) and the creation of the national regulatory authorities' power to order the cessation of infringements. Done at Brussels, 10 April 2008. Peter HUSTINX European Data Protection Supervisor 18.7.2008 C 181/13Official Journal of the European UnionEN II (Information) INFORMATION FROM EUROPEAN UNION INSTITUTIONS AND BODIES COMMISSION Authorisation for State aid pursuant to Articles 87 and 88 of the EC Treaty Cases where the Commission raises no objections (2008/C 181/02) Date of adoption of the decision 15.10.2007 Reference number of the aid N 204/06 and N 605/06 Member State Spain Region Extremadura, Andalucía, Canarias, Castilla y León, Cataluña, Galicia, Baleares, Castilla la Mancha, Asturias y Valencia Title Ayudas para compensar los daños causados por los incendios (verano 2005) Legal basis Real Decreto-Ley no 11/2005, de 22 de julio Real Decreto no 949/2005, de 29 de julio Real Decreto no 609/2006, de 19 de mayo Type of measure Aid scheme Objective Compensation for losses in agricultural production caused by fires Form of aid Direct grant, interest rate subsidy, tax relief Budget EUR 4 million Budget heading of EUR 20 million for interest rate subsidies Intensity Up to 100 % of the cost of the production losses Duration Until the final payment is made Economic sectors Agriculture (livestock and beekeeping sector) Name and address of the granting authority Entidad Estatal de Seguros Agrarios Ministerio de Agricultura, Pesca y Alimentación C/ Miguel Ángel no 25, 5a planta E-28010 Madrid 18.7.2008C 181/14 Official Journal of the European UnionEN Non-opposition to a notified concentration (Case COMP/M.5162 — Avnet/Horizon) (Text with EEA relevance) (2008/C 181/03) On 26 June 2008, the Commission decided not to oppose the above notified concentration and to declare it compatible with the common market. This decision is based on Article 6(1)(b) of Council Regulation (EC) No 139/2004. The full text of the decision is available only in English and will be made public after it is cleared of any business secrets it may contain. It will be available: — from the Europa competition website (http://ec.europa.eu/comm/competition/mergers/cases/). This website provides various facilities to help locate individual merger decisions, including company, case number, date and sectoral indexes, — in electronic form on the EUR-Lex website under document number 32008M5162. EUR-Lex is the on-line access to European law (http://eur-lex.europa.eu). 18.7.2008 C 181/17Official Journal of the European UnionEN IV (Notices) NOTICES FROM EUROPEAN UNION INSTITUTIONS AND BODIES COMMISSION Euro exchange rates (1) 17 July 2008 (2008/C 181/04) 1 euro = Currency Exchange rate USD US dollar 1,5849 JPY Japanese yen 167,43 DKK Danish krone 7,4588 GBP Pound sterling 0,79140 SEK Swedish krona 9,4778 CHF Swiss franc 1,6145 ISK Iceland króna 122,11 NOK Norwegian krone 8,0640 BGN Bulgarian lev 1,9558 CZK Czech koruna 23,142 EEK Estonian kroon 15,6466 HUF Hungarian forint 230,13 LTL Lithuanian litas 3,4528 LVL Latvian lats 0,7027 PLN Polish zloty 3,2235 RON Romanian leu 3,5620 SKK Slovak koruna 30,318 Currency Exchange rate TRY Turkish lira 1,9109 AUD Australian dollar 1,6246 CAD Canadian dollar 1,5860 HKD Hong Kong dollar 12,3581 NZD New Zealand dollar 2,0661 SGD Singapore dollar 2,1414 KRW South Korean won 1 603,13 ZAR South African rand 11,9765 CNY Chinese yuan renminbi 10,8111 HRK Croatian kuna 7,2271 IDR Indonesian rupiah 14 498,67 MYR Malaysian ringgit 5,1232 PHP Philippine peso 70,631 RUB Russian rouble 36,8300 THB Thai baht 52,985 BRL Brazilian real 2,5190 MXN Mexican peso 16,2001 18.7.2008C 181/18 Official Journal of the European UnionEN (1) Source: reference exchange rate published by the ECB. NOTICES FROM MEMBER STATES Information communicated by Member States regarding State aid granted under Commission Regulation (EC) No 1628/2006 on the application of Articles 87 and 88 of the EC Treaty to national regional investment aid (Text with EEA relevance) (2008/C 181/05) Aid No XR 37/08 Member State France Region Corse 87(3)c Title of aid scheme or the name of the undertaking receiving ad hoc aid supplement Mesures fiscales d'aide à l'investissement en Corse: crédit d'impôt et exonération de taxe professionnelle Legal basis Articles 244 quater E et 1466 C du code général des impôts Type of measure Aid scheme Annual budget EUR 43 million Maximum aid intensity 15 % In conformity with Article 4 of the Regulation Date of implementation 1.1.2007 Duration 31.12.2012 Economic sectors — NACE A, D (sine DA 15.2, DF 23.1, DF 24.7, DJ 27.1, DJ 27.2, DJ 27.3, DM 34, DM 35.1), DM 35.1 A, E, F, G, GA 50.2, GA 52.7, H, I, J, JA 65.2, JA 67, K, KA 72, KA 72.5, KA 74, M, N, O, O92 Name and address of the granting authority Ministère de l'économie, des finances et de l'emploi 139, rue de Bercy F-75012 Paris Internet address of the publication of the aid scheme http://www.legifrance.gouv.fr/./affichCode.do?cidTexte=LEGITEXT000006069577 Other information — 18.7.2008 C 181/19Official Journal of the European UnionEN Information communicated by Member States regarding State aid granted under Commission Regulation (EC) No 68/2001 on the application of Articles 87 and 88 of the EC Treaty to training aid (Text with EEA relevance) (2008/C 181/07) Reference number of the aid XT 49/08 Member State Czech Republic Region Regiony soudržnosti NUTS II Střední Čechy, Jihozápad, Severozápad, Severový- chod, Jihovýchod, Střední Morava, Moravskoslezsko Title (and/or name of the beneficiary) Operační program Podnikání a inovace 2007–2013. Podprogram Inovace – školení Legal basis Zákon č. 47/2002 Sb., o podpoře malého a středního podnikání. Zákon č. 218/2000 Sb., o rozpočtových pravidlech a o změně některých souvi- sejících zákonů Type of measure Aid scheme Budget Annual budget: CZK 45 million Overall budget: — Maximum aid intensity In conformity with Article 4(2)-(7) of the Regulation Date of implementation 1.6.2007 Duration 31.12.2008 Objective Specific training Economic sectors Manufacture of transport equipment Other manufacturing Other services Name and address of the granting authority Ministerstvo průmyslu a obchodu Na Františku 32 CZ-110 15 Praha Reference number of the aid XT 52/08 Member State Poland Region PL 421 — Podregion szczeciński Title (and/or name of the beneficiary) Wojewódzka Handlowa Spółdzielnia Inwalidów ZPCH Legal basis Art. 30, 31 ustawy z dnia 20 kwietnia 2004 r. o Narodowym Planie Rozwoju (Dz.U. nr 116, poz. 1206). Rozporządzenie Ministra Gospodarki i Pracy z dnia 21 września 2004 r. w sprawie przyjęcia Uzupełnienia programu operacyjnego — Program Inicjatywy Wspólnotowej EQUAL dla Polski 2004–2006 (Dz.U. nr 214, poz. 2172). Umowa szkoleniowa nr SZCZECIN/WHSI/4/2007 z dnia 7 grudnia 2007 r. 18.7.2008C 181/22 Official Journal of the European UnionEN Type of measure Ad hoc Budget Annual budget: — Overall budget: EUR 508,9 Maximum aid intensity In conformity with Article 4(2)-(7) of the Regulation Date of implementation 7.12.2007 Duration 14.12.2007 Objective General training Economic sectors All sectors eligible for training aid Name and address of the granting authority Zachodniopomorska Szkoła Biznesu Żołnierska 53 PL-71-210 Szczecin Reference number of the aid XT 53/08 Member State Poland Region PL 421 — Podregion szczeciński Title (and/or name of the beneficiary) Wojewódzka Handlowa Spółdzielnia Inwalidów ZPCH Legal basis Art. 30, 31 ustawy z dnia 20 kwietnia 2004 r. o Narodowym Planie Rozwoju (Dz.U. nr 116, poz. 1206). Rozporządzenie Ministra Gospodarki i Pracy z dnia 21 września 2004 r. w sprawie przyjęcia Uzupełnienia programu operacyjnego — Program Inicjatywy Wspólnotowej EQUAL dla Polski 2004–2006 (Dz.U. nr 214, poz. 2172). Umowa szkoleniowa nr SZCZECIN/WHSI/2/2007 z dnia 5 listopada 2007 r. Type of measure Ad hoc Budget Annual budget: — Overall budget: EUR 586,64 Maximum aid intensity In conformity with Article 4(2)-(7) of the Regulation Date of implementation 5.11.2007 Duration 16.11.2007 Objective General training Economic sectors All sectors eligible for training aid Name and address of the granting authority Zachodniopomorska Szkoła Biznesu Żołnierska 53 PL-71-210 Szczecin 18.7.2008 C 181/23Official Journal of the European UnionEN Information communicated by Member States regarding State aid granted under Commission Regulation (EC) No 1628/2006 on the application of Articles 87 and 88 of the EC Treaty to national regional investment aid (Text with EEA relevance) (2008/C 181/08) Aid No XR 10/08 Member State Malta Region Malta Title of aid scheme or the name of the undertaking receiving ad hoc aid supplement Investment Aid Scheme Legal basis Investment Aid Regulations Type of measure Aid scheme Annual budget MTL 13 million Maximum aid intensity 30 % In conformity with Article 4 of the Regulation Date of implementation 1.1.2008 Duration 31.12.2013 Economic sectors Limited to specific sectors NACE D, K072, K0731, K07482, K07486, M0803, N0851, O0921 Name and address of the granting authority Malta Enterprise Enterprise Centre San Gwann SGN 3000 Malta Internet address of the publication of the aid scheme www.maltaenterprise.com Other information — 18.7.2008C 181/24 Official Journal of the European UnionEN Commission address for correspondence: European Commission Directorate-General for Trade Directorate H Office: J-79 4/23 B-1049 Brussels Fax (32-2) 295 65 05 7. Non-co-operation In cases in which any interested party refuses access to or does not provide the necessary information within the time limits, or significantly impedes the investigation, provisional or final findings, affirmative or negative, may be made in accordance with Article 18 of the basic Regulation, on the basis of the facts avail- able. Where it is found that any interested party has supplied false or misleading information, the information shall be disregarded and use may be made, in accordance with Article 18 of the basic Regulation, of the facts available. If an interested party does not cooperate or cooperates only partially, and findings are there- fore based on best facts available, in accordance with Article 18 of the basic Regulation, the result may be less favourable to that party than if it had cooperated. 8. Schedule of the investigation The investigation will be concluded, according to Article 11(5) of the basic Regulation, within 15 months of the date of the publication of this notice in the Official Journal of the European Union. 9. Other interim reviews under Article 11(3) of the basic Regulation The scope of the current review is as set out in point 3 above. Any party wishing to claim a review on the basis of other grounds may do so in accordance with the provisions of Article 11(3) of the basic Regulation. The present product scope review has no effect on the period of application of the current anti-dumping measures. 10. Processing of personal data It is noted that any personal data collected in this investigation will be treated in accordance with Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (1). 11. Hearing Officer It is also noted that if interested parties consider that they are encountering difficulties in the exercise of their rights of defence, they may request the intervention of the Hearing Officer of DG Trade. He acts as an interface between the interested parties and the Commission services, offering, where necessary, mediation on procedural matters affecting the protection of their interests in this proceeding, in particular with regard to issues concerning access to file, confidentiality, extension of time limits, and the treatment of written and/or oral submission of views. For further information and contact details, interested parties may consult the Hearing Officer's web pages on the website of DG Trade (http://ec.europa.eu/trade). 18.7.2008 C 181/27Official Journal of the European UnionEN (1) OJ L 8, 12.1.2001, p. 1. PROCEDURES RELATING TO THE IMPLEMENTATION OF THE COMPETITION POLICY COMMISSION Prior notification of a concentration (Case COMP/M.5231 — Bain Capital/D&M) Candidate case for simplified procedure (Text with EEA relevance) (2008/C 181/10) 1. On 9 July 2008, the Commission received a notification of a proposed concentration pursuant to Article 4 of Council Regulation (EC) No 139/2004 (1) by which the undertaking Bain Capital Investors LLC (USA) acquire(s) within the meaning of Article 3(1)(b) of the Council Regulation control of the whole of the undertaking D&M Holdings Inc. (Japan) by way of public bid. 2. The business activities of the undertakings concerned are: — for Bain Capital Investors LLC: private equity investment firm, — for D&M Holdings Inc.: design, production, marketing and distribution of audio visual electronic products. 3. On preliminary examination, the Commission finds that the notified transaction could fall within the scope of Regulation (EC) No 139/2004. However, the final decision on this point is reserved. Pursuant to the Commission Notice on a simplified procedure for treatment of certain concentrations under Council Regulation (EC) No 139/2004 (2) it should be noted that this case is a candidate for treatment under the procedure set out in the Notice. 4. The Commission invites interested third parties to submit their possible observations on the proposed operation to the Commission. Observations must reach the Commission not later than 10 days following the date of this publication. Observations can be sent to the Commission by fax ((32-2) 296 43 01 or 296 72 44) or by post, under reference number COMP/M.5231 — Bain Capital/D&M, to the following address: European Commission Directorate-General for Competition Merger Registry J-70 B-1049 Bruxelles/Brussel 18.7.2008C 181/28 Official Journal of the European UnionEN (1) OJ L 24, 29.1.2004, p. 1. (2) OJ C 56, 5.3.2005, p. 32. Prior notification of a concentration (Case COMP/M.5227 — Robert Bosch/Samsung/JV) (Text with EEA relevance) (2008/C 181/11) 1. On 10 July 2008, the Commission received a notification of a proposed concentration pursuant to Article 4 of Council Regulation (EC) No 139/2004 (1) by which the undertakings Robert Bosch GmbH (‘Bosch’, Germany) and Samsung SDI Co. Ltd (‘Samsung SDI’, South-Korea) acquire within the meaning of Article 3(1)(b) of the Council Regulation joint control of SB LiMotive Ltd (‘SB LiMotive’, South-Korea) by way of purchase of shares in a newly created company constituting a joint venture. 2. The business activities of the undertakings concerned are: — for undertaking Bosch: technologies for the automobile industry, industrial technology, building tech- nology, consumer goods, — for undertaking Samsung SDI: displays for monitors, mobile phones and other portable devices, rechargeable batteries for mobile phones, laptops, cameras and camcorders, — for undertaking SB LiMotive: development, production and marketing of lithium-ion battery systems for application in hybrid electric and other electric vehicles. 3. On preliminary examination, the Commission finds that the notified transaction could fall within the scope of Regulation (EC) No 139/2004. However, the final decision on this point is reserved. 4. The Commission invites interested third parties to submit their possible observations on the proposed operation to the Commission. Observations must reach the Commission not later than 10 days following the date of this publication. Observations can be sent to the Commission by fax ((32-2) 296 43 01 or 296 72 44) or by post, under reference number COMP/M.5227 — Robert Bosch/Samsung/JV, to the following address: European Commission Directorate-General for Competition Merger Registry J-70 B-1049 Bruxelles/Brussel 18.7.2008 C 181/29Official Journal of the European UnionEN (1) OJ L 24, 29.1.2004, p. 1.