Although the 'Regulation on privacy and electronic communications' (ePrivacy Regulation) is not expected to be adopted until 2020, it is already casting its shadow. In this article I would like to give you an overview of what the ePrivacy Regulation involves, what the current legal situation is for the use of tracking tools and how it might change under the EPVO. At the end, I will briefly explain why the new regulation is important in my view. But don't panic: just as, contrary to all predictions, the world did not end when the GDPR became applicable on 25.05.2018, this is also not to be expected when the ePrivacy Regulation takes effect.
The ePrivacy Regulation (EPVO) is a draft regulation of the European Commission at European level that replaces the ePrivacy Directive in force since 2002 (Directive 2002/58/EC, as last amended by Directive 2009/136/EC) and adapts it to the current state of the art (e.g. so-called over-the-top services, i.e. IP-based communication services, are currently not covered by the ePrivacy Directive).
As a European regulation, the EPVO will be directly and immediately applicable throughout the European Union. In contrast to the ePrivacy Directive, it will not depend on implementation into national law by the individual member states. Incidentally, this implementation of the ePrivacy Directive into national law has never taken place in Germany as far as the data protection part relevant to website operators is concerned.
The ePrivacy Regulation is intended to protect the confidentiality of communications and the confidentiality and integrity of users' terminal equipment.
In simple terms, users should be protected from being spied on without their knowledge when visiting a website or using an e-mail or messenger service.
Unlike the GDPR, not only natural persons (people) but also legal persons (companies and associations) are protected. The ePrivacy Regulation specifies and complements the protection of personal data under the GDPR with regard to electronic communication data, which are personal data.
The ePrivacy Regulation regulates not only communication via (classic) voice telephony, text messages (SMS) and e-mail, but also communication via VoIP telephony, messenger services and web-based e-mail services. It also applies to the increasingly important machine-to-machine communication (keyword "Internet of Things").
The EPVO pays particular attention to the way in which information is stored on, sent from, requested from or processed by users' terminal equipment (e.g. PCs and smartphones). This is because sensitive personal data (e.g. e-mails and messages, pictures, contact and location data) are practically always stored on these end devices. Therefore, end users should be protected against the use of tracking tools to secretly monitor their activities without their knowledge (e.g. cookies, browser fingerprinting and similar technologies to track user behaviour).
Originally, the ePrivacy Regulation was intended to come into force at the same time as the GDPR; the European Commission had already published its draft EPVO at the beginning of January 2017. However, since the European Parliament and the Council of the European Union must also be involved in the legislative procedure, numerous provisions of the EPVO are still under political discussion. Due to the complexity of the legislative procedure, it is not expected that the EPVO will enter into force before the end of 2019. Furthermore, there will probably be a transitional period similar to that for the GDPR before the EPVO actually applies.
Tracking tools are used to trace the behaviour of Internet users: How often does a specific user visit a website or use a messenger service (if the behaviour of a specific user is "analysed", it is no longer a pure analytics and statistics tool, but a tracking tool)? What content do sent messages have? Which articles are searched for and ordered in a web shop? Which social media accounts is the user logged in to? Is a linked article clicked on and purchased (affiliate marketing)?
Data is not only collected while the website is visited or the service is used, but often for a long time afterwards. This is because the cookies, counting pixels etc. set on the terminal device are usually not deleted when the service is terminated. They often remain on the user's end device for several months and continue to send data without the user being aware of this.
In many cases, the data collected in this way is not only collected and processed by the service provider itself, but often also passed on to third parties.
The consequence is that a large number of user profiles are created without the user being aware of it.
Preliminary remark: This part is necessarily somewhat legally formulated. If you are not interested in these subtleties, you can skip ahead to section 3.
In Germany, the requirements for electronic information and communication services are regulated in the German Telemedia Act (TMG). The Telemedia Act came into force in 2007 and was last amended in September 2017. However, the ePrivacy Directive, which was amended in 2009 and regulates in its Art. 5(3) the storage of and access to information stored in the user's terminal equipment, was not formally transposed into German law. The background to this is that the Federal Government did not consider this necessary on the basis of the provisions already contained in Section 15(3) TMG. Nor have the data protection provisions of the German Telemedia Act (Part 4, Sections 11 et seq. TMG), which regulate the obligations of service providers, been adapted to those of the GDPR.
As a consequence, the conflict rule of Art. 95 GDPR, which governs the relationship between the GDPR and the ePrivacy Directive, is not applicable. Since a direct application of the ePrivacy Directive is also out of the question (unlike European regulations, European directives are not directly and immediately applicable), the GDPR takes precedence.
This means that, since the entry into force of the GDPR, i.e. since 25 May 2018, the legal basis for the processing of personal data by service providers has been exclusively Article 6(1) GDPR; the corresponding provisions of the Telemedia Act are no longer applicable.
This will probably only change when the ePrivacy Regulation comes into force: as things stand at present, the provisions of the EPVO will take precedence over the corresponding provisions of the GDPR, provided that they pursue the same objective.
The current legal basis for the use of tracking tools is Article 6(1) GDPR. This means that tracking tools may generally only be used if either
- the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (Article 6(1), first subparagraph, point (f) GDPR); or
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes (Article 6(1), first subparagraph, point (a) GDPR).
Where a service provider has overriding legitimate interests in the use of tracking tools, no consent of the user is required.
The legitimate interests of the service provider can be of a factual, economic or non-material nature.
Often, of course, these will be commercial interests. They can, for example, consist of storing the customer's shopping basket in an online shop or integrating web fonts, map services and social media plugins on a website. Web analysis and statistical tools about site visitors or the use of advertising trackers can also be considered legitimate interests.
If the respective data processing is necessary to safeguard these legitimate interests, they must be weighed against the interests or fundamental rights and freedoms of the user. These include protection against economic disadvantages, the right to respect for private life and communications in accordance with Art. 7 of the Charter of Fundamental Rights of the European Union (CFR), the fundamental right to data protection according to Art. 8 CFR and the right to informational self-determination.
When weighing up the respective interests, the effects of the intended data processing and its susceptibility to misuse are particularly important. Other factors to be taken into account include what reasonable expectations the user has of the service and whether he or she can reasonably foresee that the intended data processing may take place.
Whether the legitimate interests of the service provider (or of a third party) or the interests of the user prevail is sometimes difficult to decide in individual cases.
It should be noted that the service provider must demonstrate that his legitimate interests prevail. If this cannot be proven in the event of a dispute, the data collection was unlawful and the service provider must expect a fine.
The balancing of interests should therefore be traceable for the supervisory authorities and well documented.
If the service provider cannot base the integration of a tracking tool on a legitimate interest, the consent of the user is mandatory.
The conditions for effective consent are regulated in Art. 7 GDPR. These are:
- understandable form;
- clear and simple language;
- clear distinction from other matters;
- prior notice of the right of withdrawal at any time;
- compliance with the prohibition of tying (i.e. that a service must not be made conditional on the granting of consent to the processing of personal data unrelated to the service).
Consent may also be given by implication, i.e. by conclusive action. However, explicit consent is always required when special categories of personal data are processed (see Article 9(2)(a) GDPR).
It should also be noted that consent can be revoked at any time. Therefore, data processing must cease from the moment the data subject has withdrawn his or her consent.
If cookies beyond those that are technically necessary are set, a brief notice in a so-called "cookie banner" that is merely confirmed by clicking an "OK" button is insufficient.
The draft of the ePrivacy Regulation published by the European Commission is currently still under political discussion. It has received comments from, inter alia, the European Data Protection Committee and the European Data Protection Supervisor, amendments from the European Parliament and discussion papers from the Council of the European Union.
It is therefore not yet clear what the exact wording of the ePrivacy Regulation will be.
In view of the ongoing "data scandals" of recent times, however, data protection advocates in particular are increasingly campaigning to ensure that the EPVO does not fall short of the current level of protection under the ePrivacy Directive and the GDPR.
The European Data Protection Committee, in a paper dated May 2018, expressed the view that the confidentiality of electronic communications requires special protection that must go beyond the GDPR. Therefore, the legitimate interests of the service provider should no longer be a legal basis for the processing of content and metadata of electronic communications in the future.
If this view prevails, tracking tools should only be used with the prior consent of the user (e.g. by means of a checkbox).
Contrary to all prophecies of doom, the EPVO is a sensible and long overdue regulation. After all, the complete monitoring of our user behaviour, which is now technically possible, should not simply be accepted.
It is therefore a good thing that website operators and service providers must provide clear and transparent information in advance about what data is collected when a website is visited or a service is used, to whom it is passed on and for what purposes. Only in this way can website visitors and users decide whether it is really worthwhile for them to visit the site or use the service and to disclose their data.
As soon as the final text of the ePrivacy Regulation is known, you should first of all check whether and, if necessary, when you have to obtain additional consent. So that you can implement this and everything else necessary in peace and quiet, it is worth keeping an eye on the ePrivacy Regulation.
Picture: Scott Webb | Pexels