Although the "Regulation on Privacy and Electronic Communications" (ePrivacy Regulation) is expected to be adopted in the course of 2020, it is already casting its shadow. In this article, I would like to give you an overview of what the ePrivacy Regulation is all about, what the current legal situation for the use of tracking tools looks like and how this could change under the EPVO. At the end, I briefly outline why the new regulation is important from my perspective. But don't panic: just as the world, contrary to all predictions, did not come to an end when the GDPR came into force on 25.05.2018, the same is not to be expected when the ePrivacy Regulation takes effect.
The ePrivacy Regulation (EPVO) is a draft regulation of the European Commission currently under discussion at European level. It is intended to replace the ePrivacy Directive (Directive 2002/58/EC, last amended by Directive 2009/136/EC), which has been in force since 2002, and to adapt it to the current state of technology (e.g. so-called over-the-top services, i.e. IP-based communication services, are currently not covered by the ePrivacy Directive).
As a European regulation, the new ePrivacy Regulation will be directly and immediately applicable throughout the European Union. In contrast to the ePrivacy Directive, it will not depend on implementation into national law by the individual member states. Incidentally, the current ePrivacy Directive, the data protection part of which is relevant for website operators, has never been implemented into national law in Germany.
The ePrivacy Regulation is intended to protect the confidentiality of communications and the confidentiality and integrity of end-user devices.
In simple terms, users should be protected from being spied on without their knowledge when they visit a website or use an email or messenger service.
Unlike the GDPR, not only natural persons (people) should be protected, but also legal persons (companies and associations). The ePrivacy Regulation specifies and extends the GDPR's protection of personal data with regard to electronic communication data that is personal data.
This ePrivacy Regulation would not only regulate communication via (classic) voice telephony, text messages (SMS), and email, but also communication via VoIP telephony, messenger services, and web-based email services. It also applies to the increasingly important machine-to-machine communication ("Internet of Things").
It pays particular attention to the way in which information is stored or sent, requested or processed by users' devices (e.g. PCs and smartphones). This is because sensitive personal data (e.g. emails and messages, pictures, contact, and location data) are practically always stored on these end devices. Therefore, end users should be protected against the use of tracking tools to secretly monitor their activities without their knowledge (e.g. cookies, browser fingerprinting, and similar technologies used to track user behavior).
It was originally intended that the ePrivacy Regulation would come into force at the same time as the GDPR. The European Commission had already published its draft Regulation at the beginning of January 2017. However, since the European Parliament and the Council of the European Union must also be involved in the legislative procedure, numerous points from the ePrivacy Regulation are still under political discussion. Due to the complexity of the legislative procedure, the ePrivacy Regulation isn't expected to come into force before the end of 2019. Furthermore, similar to the GDPR, there will probably be a transitional period until it actually comes into force.
Tracking tools are used to trace the behavior of internet users: How often is a website visited by a specific user, or how often is a messenger service used? (Once the behavior of a specific user is "analyzed", the tool is no longer a pure analytics and statistics tool but a tracking tool.) What content do sent messages have? Which articles are looked for and ordered in a webshop? Which social media accounts are users logged in to? Is a linked article clicked on and purchased (affiliate marketing)?
Data isn't just collected when users visit a website or use the service but often for a long time afterwards. This is because the cookies, web beacons etc., set on the device are usually not deleted when the service is terminated. They often remain on the user's end device for several months and continue to send data without the user being aware of it.
In many cases, the data collected in this way is not just collected and processed by the service provider itself but is also passed on to third parties.
The consequence is that a large number of user profiles are created without the user being aware.
Preliminary note: Due to the subject matter, the next part is somewhat formulated in legalese. If you're not interested in these subtleties, you can also skip this part and go straight to section 3.
In Germany, the requirements for electronic information and communication services are regulated in the Telemedia Act (TMG). The Telemedia Act came into force in 2007 and was last amended in September 2017. However, the ePrivacy Directive, amended in 2009, which in its Art. 5 (3) regulates the storage of and access to information stored in the user's terminal equipment, has not been formally transposed into German law. The background to this is that the Federal Government did not consider this necessary due to the regulations already contained in Section 15 (3) TMG. The data protection provisions of the Telemedia Act (Section 4; Sections 11 et seq. TMG), which regulate the obligations of service providers, have also not been adapted to the GDPR.
The consequence of this is that the conflict rule of Art. 95 GDPR, which regulates the relationship between the GDPR and the ePrivacy Directive, is not applicable. Since a direct application of the ePrivacy Directive is also out of the question (unlike European regulations, European directives do not apply directly and immediately), the GDPR takes precedence.
This means that since the GDPR came into force on 25.08.2018, the legal basis for the processing of personal data by service providers has been solely Art. 6(1) GDPR. The corresponding provisions of the Telemedia Act are no longer applicable.
This will probably only change when the new ePrivacy Regulation comes into force: As things stand at present, the provisions of the ePrivacy Regulation will take precedence over the corresponding provisions of the GDPR, provided they pursue the same objective.
The current legal basis for the use of tracking tools is Art. 6(1) GDPR. This means that tracking tools may generally only be used if either
- the processing is necessary to protect legitimate interests of the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child (Article 6(1), first subparagraph, point (f) GDPR), or
- the data subject gives his or her consent to the processing of personal data concerning him or her for one or more specific purposes (Article 6(1), first subparagraph, point (a) GDPR).
If a service provider has overriding legitimate interests for the use of tracking tools, consent of the user is not required.
The legitimate interests of the service provider can be real, economic and non-material.
Often, of course, economic interests will be involved. These may, for example, consist of saving the customer's shopping cart in an online shop or integrating web fonts, map services and social media plugins on a website. Web analysis and statistics tools about page visitors and the use of advertising trackers are also considered legitimate interests.
If the respective data processing is necessary to safeguard these legitimate interests, they must be weighed against the interests or fundamental rights and freedoms of the user. These include protection against economic disadvantages, the right to respect for private life and communications pursuant to Art. 7 of the Charter of Fundamental Rights of the European Union (CFR), the fundamental right to data protection under Art. 8 of the CFR and the right to informational self-determination.
When weighing up the respective interests, the effects of the intended data processing and its susceptibility to abuse are of primary importance. In addition, it must be taken into account, among other things, what reasonable expectations the user has of the service and whether he can reasonably foresee that the intended data processing may take place.
Whether the legitimate interests of the service provider (or a third party) outweigh the legitimate interests of the user is sometimes difficult to decide in individual cases.
It's important to note here that the service provider must demonstrate that his legitimate interests prevail. In the case of a dispute, if this proof is not successful, the collection of data was illegal and the service provider should expect a fine.
The balancing of interests should therefore be comprehensible for the supervisory authority and well documented.
If the service provider cannot base the integration of a tracking tool on a legitimate interest, the consent of the user is mandatory.
The conditions for effective consent are regulated in Art. 7 GDPR. Consent must be:
- formulated clearly;
- given in clear and simple language;
- clearly distinguishable from other matters;
- preceded by notice of the right of withdrawal at any time;
- free of prohibited coupling (i.e. the service must not be made conditional on consent to the processing of personal data unrelated to the service).
Consent may also be given by implication, i.e. by conclusive action. However, explicit consent is always required when special categories of personal data are processed (see Art. 9 (2)(a) GDPR).
Consent can also be revoked at any time. Therefore, data processing must cease from the moment the data subject has withdrawn his or her consent.
Unless only technically necessary cookies are set, a succinct notice in a so-called "cookie banner", which is then only confirmed by clicking on an "OK" button, is not sufficient.
The European Commission's draft of the new ePrivacy Regulation is currently still under political discussion. There are opinions on it from, among others, the European Data Protection Board and the European Data Protection Supervisor, amendments of the European Parliament and discussion papers of the Council of the European Union.
It is therefore not clear what the exact wording of the ePrivacy Regulation will be.
In view of the ongoing "data scandals" of recent times, however, data privacy activists in particular are increasingly campaigning to ensure that the ePrivacy Regulation does not fall short of the current level of protection under the ePrivacy Directive and the GDPR.
For example, in a paper published in May 2018, the European Data Protection Board argued that the confidentiality of electronic communications requires special protection, which must go beyond the GDPR. Therefore, the legitimate interests of the service provider should no longer be a legal basis for the processing of content and metadata of electronic communications in the future.
If this view holds, tracking tools should only be used with the prior consent of the user (e.g. by means of a checkbox).
Contrary to all prophecies of doom, the ePrivacy Regulation is a sensible and long overdue regulation. After all, we shouldn't just accept the complete monitoring of user behavior simply because it is technically possible.
That's why it's a good thing website operators and service providers must provide clear and transparent information in advance about what data is collected when a website is visited or a service is used, to whom this data is passed and for what purposes. This is the only way website visitors and users can decide whether it's worthwhile for them to visit the site or use the service and to disclose their data.
As soon as the final text of the ePrivacy Regulation is known, you should check above all whether and, if so, from when you need to obtain additional consents. To ensure that you can implement this and everything else required at your leisure, it's worth staying on top of the ePrivacy Regulation.
Article image: Scott Webb [Pexels]