Publication date: December 6, 2023
What is e-Privacy Directive?
The Directive, commonly known as e-Privacy, refers to Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). It is a European legal act with a broad scope of privacy issues. Its purpose is to ensure the protection of data originating from electronic communications and the privacy of users, in other words, of terminal equipment (computers, telephones, tablets). According to Article 1 of the e-Privacy Directive „This Directive provides for the harmonisation of the national provisions required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy and confidentiality, with respect to the processing of personal data in the electronic communication sector and to ensure the free movement of such data and of electronic communication equipment and services in the Community”. In addition, according to Article 3 of the e-Privacy Directive, „This Directive shall apply to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Community, including public communications networks supporting data collection and identification devices”.
According to Article 5(3) of the e-Privacy Directive, „Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.” In the guidelines, the whole of Article 5(3) was analysed in detail and the key statements were given appropriate wording.
On 14 November 2023, the European Data Protection Board (EDPB) adopted technical guidelines to Article 5(3) of the e-Privacy Directive. The action taken by the EDPB aims to indicate which technical operations (new emerging tracking techniques) fall under the e-Privacy directive and to make the law more effective for administrators. The guidelines, which have been published following an initial public consultation, will specifically apply to anyone using new tracking techniques, especially for advertising purposes. The guidelines only focus on the application of Article 5(3) of the e-Privacy Directive. However, there is no information relating to the granting of consent and the exceptions that apply.
With a view to Article 5(3) of the e-Privacy Directive, the EDPB Guidelines analyse elements such as “information”, “terminal equipment”, “electronic communications networks”, “gaining access” and “stored information” or “storage”. The guidelines outline how popular tracking methods work in practice. Through the analysis conducted, common tracking techniques include URL and pixel tracking, local processing, IP address-only tracking, IoT (Internet of Things) reporting and unique identifiers.
The emergence of new tracking methods both to replace existing tracking tools (e.g. cookies due to the discontinuation of third-party cookie support) and to create new business models has become an important data protection issue. Although Article 5(3) of the e-Privacy Directive is a regulation used in practice for certain tracking technologies (such as cookies), there is a need to remove ambiguities related to the application of this legal provision to new tracking tools.
3.1) Notion of “Information”
The EDPB notes in its technical guidance that all operations carried out must relate to ‘information’. The crux of the matter is that information includes both personal and non-personal data, regardless of how the data was stored and by whom. In the guidelines, the EDPB notes that the purpose of Article 5(3) is to protect the private sphere of the user. However, certain intrusions are possible which do not include personal data, e.g. through viruses stored on the user’s terminal.
3.2) Notion of “Terminal equipment”
The EDPB indicates how the subscriber’s/user’s end devices on which tracking technologies are placed are to be understood. A terminal device is to be understood as a device that is the end point of communication. It does not include a communication relay and devices that only transmit information. In addition, the EDPB outlines that the purpose of the e-Privacy Directive is not only to protect the private sphere of natural persons, but also of legal persons with regard to their right to correspond. Furthermore, according to the guidelines, a user may own, rent or share a terminal device. Multiple users may additionally use the same terminal device in the context of multiple communications (e.g. a connected car), and a single communication may involve more than one terminal device. Finally, the EDPB points out that Article 5(3) does not depend on whether the user initiated the communication or whether the user was even aware of it.
3.3) Notion of “Electronic Communications Networks”
The EDPB refers to the definition of “electronic communications network” in the European Electronic Communications Code EU Directive 2018/1972. According to this legal act, „electronic communications network means transmission systems, whether or not based on a permanent infrastructure or centralised administration capacity, and, where applicable, switching or routing equipment and other resources, including network elements which are not active, which permit the conveyance of signals by wire, radio, optical or other electromagnetic means, including satellite networks, fixed (circuit- and packet-switched, including internet) and mobile networks, electricity cable systems, to the extent that they are used for the purpose of transmitting signals, networks used for radio and television broadcasting, and cable television networks, irrespective of the type of information conveyed”. Notable comments on the definition include that there is no restriction on the number of terminal equipment present at any time on the network. The EDPB points out that for Article 5(3) of the e-Privacy Directive to apply, there must be public availability of the communications service over an electronic communications network. If a network is made available to a limited group of recipients, e.g. by paying a subscription fee, it does not mean that such a network is private.
3.4) Notion of “Gaining access”
The EDPB indicates that storage and access need not be cumulative for Article 5(3) to apply and that the two concepts are independent of each other. In addition, the guidelines state that both operations, need not be carried out by the same entity.
3.5) Notion of “Stored information” or “Storage”
The guidelines analyse the term storage in the context of Article 5(3) of the e-Privacy Directive. Storage means the placing of information on a physical electronic medium which is part of the user’s terminal equipment. According to the guidelines, storage does not depend on the type of medium on which the installation is stored, i.e. HDD, SSD or RAM. Article 5(3) also covers magnetic media or processor cache. The media can be connected internally e.g. SATA, externally e.g. USB or via a network protocol.
Article 5(3) is commonly known as the ‘Cookie Principles’, but it is clear from the Guidelines that it is broader than cookies and includes other tracking techniques. One of the main implications of the proposed Guidelines is that, according to the EDPB, user consent will be required for a tracking technique in a very wide range of circumstances.