Keeping track of Article 5(3): EDPB publishes proposed Guidelines
On 14 November 2023, the European Data Protection Board (EDPB) published proposed Guidelines on the Technical Scope of Article 5(3) of the ePrivacy Directive for public consultation. These include some potentially contentious interpretations and will be of particular interest to anyone who uses established or new tracking techniques, especially for adtech purposes.
The EDPB cites Article 70(1)(e) of the GDPR as its basis for adopting these Guidelines. This enables the EDPB to adopt guidelines on the application of the GDPR only. Surprisingly, the EDPB has not explained how it considers itself to be entitled to adopt guidelines on the ePrivacy Directive under Article 70(1)(e), or if these Guidelines are intended to operate differently than Guidelines relating to the GDPR. This may be one of the points that the EDPB will be asked to clarify in submissions on these proposed Guidelines, which can be made up to 28th December 2023.
What is Article 5(3)?
Article 5(3) requires Member States to ensure that:
The Guidelines consider in some detail the EDPB’s interpretation of the following key elements required for Article 5(3) to apply:
Information
The operations carried out must relate to ‘information’. Importantly, information includes both personal data and non-personal data, regardless of how this data was stored and by whom. The EDPB notes that the goal of Article 5(3) is to protect the user’s private sphere and that there can be scenarios which intrude upon such which do not involve personal data and it gives the example of viruses stored on a user’s terminal. In opining on this point, the EDPB has not referred to Article 3 of the ePrivacy Directive, which provides that “This Directive shall apply to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Community, including public communications networks supporting data collection and identification devices.”
Terminal equipment
The EDPB makes some interesting points on what, in its view, constitutes ‘terminal equipment’ (i.e. a device which tracking technologies are placed on), including:
- A device which is not an endpoint of a communication and only conveys information is not terminal equipment. As such, if a device solely acts as a communication relay, it should not be considered terminal equipment under Article 5(3).
- Terminal equipment may be comprised of any number of individual pieces of hardware, which together form the terminal equipment. This may or may not take the form of a physically enclosed device hosting all the display, processing, storage and peripheral hardware (e.g. smartphones, hardware, laptops, connected cars or connected TVs, smart glasses).
- The ePrivacy Directive is not limited to the protection of the private sphere of natural persons but also concerns the right to respect for their correspondence or the legitimate interests of legal persons (e.g. companies). As such, a terminal equipment which allows for this correspondence and the legitimate interests of legal persons is protected by Article 5(3).
- The user may own, rent or otherwise be provided with the terminal equipment.
- Multiple users may share the same terminal equipment in the context of multiple communications (e.g. a connected car) and a single communication may involve more than one terminal equipment.
- Article 5(3) is not dependent on whether the communication was initiated by the user or even on whether they are aware of it.
Electronic Communications Network
The EDPB states that it is important to bear in mind that the ePrivacy Directive applies to the provision of publicly available electronic communication services in public communications networks in the Community, with the result that the concept of an “electronic communications network” is an important point regarding the scope of Article 5(3) applies. The EDPB notes that the ePrivacy Directive does not define an ‘electronic communications network’ (“ECN”) and that the concept is set out in the European Electronic Communications Code (Directive (EU) 2018/1972) (“EECC”) which defines it as:
The Guidelines make the following notable points on the EECC’s definition of an ECN:
- The definition of an ECN is neutral with respect to the transmission of technologies. An ECN is any network system that allows transmission of electronic signals between its nodes, regardless of the equipment and protocols used.
- An ECN does not depend on the public or private nature of the infrastructure nor on the way the network is deployed or managed. It is broad enough to cover any type of infrastructure including networks managed or not by an operator, networks co-managed by a group of operators or even ad-hoc networks in which terminal equipment may dynamically join or leave a mesh of other terminal equipment using short range transmission protocols.
- There is no limitation with regard to the number of terminal equipment present in the network at any time.
- The public availability of the communication service over the ECN is necessary for Article 5(3) to apply. The fact that a network is only made available to a limited subset of the public (e.g. paying subscribers) does not make such a network private.
Gaining Access
The Guidelines state that storage and access do not need to be cumulatively present for Article 5(3) to apply and the notion of ‘gaining access’ is independent from ‘storing information’. In addition, the two operations do not need to be carried out by the same entity. Notably, the Guidelines opine that whenever the accessing entity wishes to gain access to information stored in the terminal equipment and actively takes steps to that end, Article 5(3) would apply. The Guidelines provide a couple of examples of these practices:
- For cookies, the accessing entity instructs the terminal equipment to proactively send information on each HTTP call.
- For Javascript code, where the accessing entity instructs the browser of the user to send asynchronous requests with the targeted content.
‘Stored Information’ or ‘Storage’
The Guidelines analyse what ‘storage’ means in the context of Article 5(3). The storage of information refers to placing information on a physical electronic storage medium that is part of a user’s terminal equipment. The Guidelines add that typically information is not stored in the user’s terminal equipment through direct access by another party but rather by instructing software on the terminal to generate specific information (e.g. through established protocols such as browser cookies storage as well as customised storage). The Guidelines make a couple of notable points in relation to the notion of storage:
- There is no upper or lower limit on the length of time that storage information must persist in a storage medium for there to be ‘storage’ and thus it may be transient.
- There is no upper or lower limit on the amount of information to be stored.
- Storage does not depend on the type of medium on which the information is stored. Typical examples include hard disc drives (HDD), solid state drives (SSD), flash drives and random-access memory (RAM). Article 5(3) can also cover less typical scenarios involving a medium such as magnetic types or CPU caching, The medium may be connected internally (e.g. through a SATA connection), externally (e.g. through a USB connection) or through a network protocol.
Use cases
The Guidelines note that there are various identifiers and information which are widely used that may fall within Article 5(3). As an observation, it is striking the breadth of tracking techniques which are expressly identified by the EDPB as potentially being within the scope of Article 5(3). These include emails with pixels, URL tracking, local javascript processing, advertising identifiers, IP address transmission, transmission by IoT devices and unique identifiers.
What’s the impact?
Art 5(3) is commonly known as the ‘Cookies Rule’ but it is clear from the Guidelines that it has a wider remit than cookies and captures other tracking techniques. One of the main implications of these proposed Guidelines is that, according to the EDPB, a user’s consent will be required for tracking techniques in a very broad range of circumstances.
What’s next?
The Guidelines are open for public consultation until 28 December.
This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.
Select how you would like to share using the options below