Although the "Regulation on Privacy and Electronic Communications" (ePrivacy Regulation) is not expected to be adopted before 2020, it is already casting its shadow. In this article I would like to give an overview of what the ePrivacy Regulation is about, what the current legal situation for the use of tracking tools looks like, and how this could change under the ePrivacy Regulation. At the end I will briefly explain why I think the new regulation is important. But don't panic: just as the world, contrary to all predictions, did not change when the GDPR became applicable on 25.05.2018, no upheaval is to be expected when the ePrivacy Regulation takes effect.
The ePrivacy Regulation is a draft regulation of the European Commission currently under discussion at European level. It is intended to replace the ePrivacy Directive (Directive 2002/58/EC, last amended by Directive 2009/136/EC), which has been in force since 2002, and to bring it up to the current state of the art; for example, so-called over-the-top services, i.e. IP-based communication services, are not covered by the ePrivacy Directive today.
As a European regulation, the ePrivacy Regulation will apply directly and immediately throughout the European Union. Unlike the ePrivacy Directive, it will not depend on transposition into national law by the individual member states. Incidentally, this transposition of the ePrivacy Directive has never taken place in Germany as far as the data protection part relevant to website operators is concerned.
The ePrivacy Regulation aims to protect the confidentiality of communications as well as the confidentiality and integrity of users' end devices.
In simple terms, users should be protected from being spied on without their knowledge when they visit a website or use an email or messenger service.
In contrast to the GDPR, not only natural persons (people) but also legal entities (companies and associations) are protected. Where electronic communications data are personal data, the ePrivacy Regulation specifies and supplements the GDPR.
The ePrivacy Regulation not only regulates communication via (traditional) voice telephony, text messages (SMS) and email, but also communication via VoIP telephony, messenger services and web-based email services. It also applies to machine-to-machine communication, which is becoming increasingly important (keyword "Internet of Things").
The ePrivacy Regulation pays particular attention to how information is stored on, sent from, requested from or processed by users' end devices (e.g. PCs and smartphones). This is because sensitive personal data is practically always stored on these devices (e.g. emails and messages, images, contact and location data). Users should therefore be protected from tracking tools (e.g. cookies, browser fingerprinting and similar technologies for tracking user behavior) being used to secretly monitor their activities without their knowledge.
The original intention was for the ePrivacy Regulation to become applicable at the same time as the GDPR. The European Commission published its draft ePrivacy Regulation at the beginning of January 2017. However, as the European Parliament and the Council of the European Union must also be involved in the legislative process, numerous provisions of the ePrivacy Regulation are still under political discussion. Given the complexity of the legislative process, it is unlikely that the ePrivacy Regulation will be adopted in 2019. In addition, there is likely to be a transitional period, similar to that of the GDPR, before the ePrivacy Regulation actually becomes applicable.
Tracking tools are used to trace the behavior of internet users: How often does a specific user visit a website or use a messenger service? (As soon as the behavior of a specific user is "analyzed", the tool is no longer a pure analytics and statistics tool but a tracking tool.) What content do the messages they send have? Which articles do they look for and order in a web shop? Which social media accounts are they logged in to? Do they click on a linked article and buy it (affiliate marketing)?
Data is not only collected while users visit a website or use the service, but often for a long time afterwards. This is because the cookies, web beacons etc. set on the device are usually not deleted when the user leaves the service. They often remain on the user's end device for several months and continue to send data without the user being aware of it.
In many cases, the data collected in this way is not just collected and processed by the service provider itself but is also passed on to third parties.
The consequence is that a large number of user profiles are created without the user being aware of it.
Preliminary note: Owing to the subject matter, the next part is necessarily somewhat legalistic. If you are not interested in these subtleties, you can skip it and go straight to section 3.
In Germany, the requirements for electronic information and communication services are regulated in the Telemedia Act (TMG). The Telemedia Act came into force in 2007 and was last amended in September 2017. However, the ePrivacy Directive, as amended in 2009, which in Art. 5(3) regulates the storage of and access to information on the user's terminal device, has never been formally transposed into German law: the Federal Government did not consider this necessary in view of the rules already contained in Section 15(3) TMG. Nor were the data protection provisions of the Telemedia Act (Section 4; Sections 11 et seq. TMG), which regulate the obligations of service providers, adapted to the GDPR.
The consequence is that the conflict rule of Art. 95 GDPR, which governs the relationship between the GDPR and the ePrivacy Directive, does not apply. As a direct application of the ePrivacy Directive is also out of the question (unlike European regulations, European directives do not apply directly and immediately), the GDPR takes precedence.
This means that since the GDPR became applicable on 25.05.2018, the sole legal basis for the processing of personal data by service providers has been Art. 6(1) GDPR. The corresponding provisions of the Telemedia Act are no longer applicable.
This will probably only change when the new ePrivacy Regulation comes into force: As things stand at present, the provisions of the ePrivacy Regulation will take precedence over the corresponding provisions of the GDPR, provided they pursue the same objective.
The current legal basis for the use of tracking tools is therefore Art. 6(1) GDPR. This means that tracking tools may generally only be used if either
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (point (f) of the first subparagraph of Article 6(1) GDPR), or
- the data subject has given consent to the processing of personal data concerning him or her for one or more specific purposes (point (a) of the first subparagraph of Article 6(1) GDPR).
If a service provider has overriding legitimate interests in the use of tracking tools, the user's consent is not required.
The legitimate interests of the service provider may be of a legal, economic or non-material nature.
Often, of course, it will be a matter of commercial interests. These may include, for example, saving the customer's shopping cart in an online store or integrating web fonts, map services and social media plugins on a website. However, web analysis and statistics tools about website visitors or the use of advertising trackers are also considered legitimate interests.
If the respective data processing is necessary to safeguard these legitimate interests, these must be weighed against the interests or fundamental rights and freedoms of the user. These include protection against economic disadvantages, the right to respect for private life and communication in accordance with Art. 7 of the Charter of Fundamental Rights of the European Union (CFR), the fundamental right to data protection in accordance with Art. 8 CFR and the right to informational self-determination.
When weighing up the respective interests, the effects of the intended data processing and its susceptibility to misuse are particularly important. In addition, the user's reasonable expectations of the service and whether the user can reasonably foresee that the intended data processing may take place must also be taken into account.
Whether the legitimate interests of the service provider (or a third party) outweigh the legitimate interests of the user is sometimes difficult to decide in individual cases.
It is important to note that the service provider must demonstrate that its legitimate interests prevail. If, in a dispute, this cannot be demonstrated, the collection of data was unlawful and the service provider must expect a fine.
The balancing of interests should therefore be comprehensible for supervisory authorities and well documented.
If the service provider cannot base the integration of a tracking tool on a legitimate interest, the consent of the user is mandatory.
The conditions for effective consent are regulated in Art. 7 GDPR. The request for consent must be:
- formulated clearly, in an intelligible and easily accessible form;
- in clear and plain language;
- clearly distinguishable from other matters;
- preceded by information on the right to withdraw consent at any time;
- compliant with the prohibition of coupling (i.e. the provision of a service must not be made conditional on consent to the processing of personal data that is not necessary for that service).
Consent may also be given by a clear affirmative action (conclusive conduct) rather than by an express statement. However, explicit consent is always required when special categories of personal data are processed (see Art. 9(2)(a) GDPR).
Consent can be withdrawn at any time. Data processing based on it must therefore cease from the moment the data subject withdraws consent.
Unless only technically necessary cookies are set, a brief notice in a so-called "cookie banner" that the user merely confirms by clicking an "OK" button is not sufficient.
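How the consent conditions above translate into code, as an added example that is not part of the original article: a minimal consent gate that lets a tracker load only after purpose-specific, withdrawable consent, treats an "OK"-only banner as no consent at all, and lets only technically necessary cookies survive without consent. The purpose names, cookie names and the layout of the consent record are assumptions made for this illustration.

```javascript
// Added example, not from the original article: a minimal consent gate for
// non-essential tracking tools.  A tracker may run only if the user actively
// granted consent for that specific purpose and has not since withdrawn it;
// merely dismissing a banner with "OK" never counts.  Purpose names, cookie
// names and the record layout are assumptions for this illustration.

// Cookies the site needs to function (assumed names).  These are the only
// cookies that may be set without consent.
const ESSENTIAL_COOKIES = new Set(["session_id", "csrf_token"]);

// Which non-essential cookie belongs to which purpose (assumed mapping).
const COOKIE_PURPOSE = {
  analytics_id: "analytics",
  ad_id: "advertising",
  social_widget: "social_media",
};

const PURPOSES = new Set(Object.values(COOKIE_PURPOSE));

// Consent record as a banner implementation would persist it.
function createConsentRecord() {
  return { granted: new Set(), bannerDismissed: false, withdrawn: false };
}

// The user clicked "OK" or closed the banner without ticking anything.
// This changes nothing about what may be loaded.
function dismissBanner(record) {
  record.bannerDismissed = true;
  return record;
}

// The user actively ticked one or more purposes.  Ticking one purpose never
// implies another (consent is purpose-specific).
function grantConsent(record, purposes) {
  for (const p of purposes) {
    if (!PURPOSES.has(p)) throw new Error(`unknown purpose: ${p}`);
    record.granted.add(p);
  }
  record.withdrawn = false;
  return record;
}

// Withdrawal is possible at any time and wipes every granted purpose.
function withdrawConsent(record) {
  record.granted.clear();
  record.withdrawn = true;
  return record;
}

// The gate every non-essential script load must pass through.  Note that it
// never looks at bannerDismissed: a dismissed banner is not consent.
function mayLoadTracker(record, purpose) {
  if (record.withdrawn) return false;
  return record.granted.has(purpose);
}

// A cookie may be set (or kept) if it is technically necessary or its purpose
// has been consented to.  Unknown cookies are treated as non-essential.
function mayKeepCookie(record, cookieName) {
  if (ESSENTIAL_COOKIES.has(cookieName)) return true;
  const purpose = COOKIE_PURPOSE[cookieName];
  return purpose !== undefined && mayLoadTracker(record, purpose);
}

// On first load and after withdrawal: which cookies in the jar must go, so
// that processing actually stops instead of continuing from the device.
function cookiesToDelete(record, cookieNames) {
  return cookieNames.filter((name) => !mayKeepCookie(record, name));
}

// Constructed sample run (no browser needed); returns the decisions taken.
function demo() {
  const jar = ["session_id", "analytics_id", "ad_id", "unknown_tracker"];
  const record = createConsentRecord();
  const steps = [];

  dismissBanner(record);
  steps.push(["OK-only banner, load analytics?", mayLoadTracker(record, "analytics")]);

  grantConsent(record, ["analytics"]);
  steps.push(["ticked analytics, load analytics?", mayLoadTracker(record, "analytics")]);
  steps.push(["ticked analytics, load advertising?", mayLoadTracker(record, "advertising")]);
  steps.push(["cookies to delete", cookiesToDelete(record, jar)]);

  withdrawConsent(record);
  steps.push(["after withdrawal, load analytics?", mayLoadTracker(record, "analytics")]);
  steps.push(["cookies to delete", cookiesToDelete(record, jar)]);
  return steps;
}

for (const [label, result] of demo()) console.log(label, "->", result);
```

The point of the gate is that the decision to load a tracker is derived from the consent record, never from the fact that a banner was shown or dismissed. Because withdrawal empties the record, the same predicate that answers "may this script load?" also answers "which cookies must now be removed?", which is how processing stops rather than continuing from the user's device for months.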
The draft ePrivacy Regulation published by the European Commission at the beginning of January 2017 is still undergoing political discussion. Among other things, there are opinions from the European Data Protection Board and the European Data Protection Supervisor, amendments from the European Parliament and discussion papers from the Council of the European Union.
It is therefore not clear what the exact wording of the ePrivacy Regulation will be.
In view of the ongoing "data scandals" of recent times, however, data privacy activists in particular are increasingly campaigning to ensure that the ePrivacy Regulation does not fall short of the current level of protection under the ePrivacy Directive and the GDPR.
In a statement published in May 2018, the European Data Protection Board argued that the confidentiality of electronic communications requires special protection going beyond the GDPR. The legitimate interests of the service provider should therefore no longer serve as a legal basis for processing the content and metadata of electronic communications in future.
Should this view prevail, tracking tools may only be used with the user's prior consent (e.g. by means of a checkbox).
Contrary to all prophecies of doom, the ePrivacy Regulation is a sensible and long overdue regulation. After all, we shouldn't just accept the complete monitoring of user behavior simply because it is technically possible.
That's why it is a good thing that website operators and service providers must inform users clearly and transparently in advance about what data is collected when a website is visited or a service is used, to whom it is passed on and for what purposes. Only then can website visitors and users decide whether visiting the site or using the service is worth disclosing their data for.
As soon as the final text of the ePrivacy Regulation is known, you should check in particular whether and, if so, from when you need to obtain additional consent. It is worth staying on top of the ePrivacy Regulation so that you can implement this and everything else required in peace and quiet.
Featured image: Scott Webb [Pexels]