Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive
By Mugurel Olariu, RPD protectie date
The European Data Protection Board – CEPB, adopted on 14 Nov 2023 Guidelines 2/2023 on technical scope of art. 5(3) of ePrivacy Directive*1. The working instrument is in the public consultation phase until 28 Dec 2023.
In this guidelines, the EDPB addresses the applicability of Article 5(3) of the Electronic Privacy Directive – Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 on the processing of personal data and the protection of privacy in the electronic communications sector, as amended by Directive 2009/136/EC (hereinafter referred to as the “ePrivacy Directive” or “ePD”) to various technical solutions. This opinion extends Opinion 9/2014 of the Article 29 Working Party (hereafter “WP29”) on the application of the ePrivacy Directive to device fingerprinting and aims to provide a clear understanding of the technical operations covered by Article 5(3) of the Directive on electronic privacy.
According to Article 5(3) of the ePD, “storing information or obtaining access to information already stored in the terminal equipment of a subscriber or user” is permitted only on the basis of consent or necessity for specific established purposes. in that article. As recalled in Recital 24 of the ePD, the purpose of this provision is to protect users’ terminal equipment, as it is part of the users’ private sphere. It follows from the wording of the article and it has been clarified (for example, in Opinion 4/2012 of the Article 29 Working Group on the Consent Exception for Cookies – WP 194), that Article 5(3) of the ePD does not exclusively apply to cookies , but also “similar technologies”. However, there is currently no comprehensive list of technical operations covered by Article 5(3) of the ePD.
The emergence of new tracking methods both to replace existing tracking tools (e.g. cookies, due to the discontinuation of support for third-party cookies) and to create new business models has become a critical concern for the protection the data. Although the applicability of Article 5(3) of the ePrivacy Directive is well established and implemented for some tracking technologies such as cookies, it is necessary to remove ambiguities related to the application of the said provision to emerging tracking tools.
Opinion WP29 9/2014 on the application of the ePrivacy Directive to device fingerprinting (hereinafter “Opinion WP29 9/2014”) already clarified that fingerprinting falls within the technical scope of Article 5(3) ePD, but due to the new As technology advances, additional guidance is needed on currently observed tracking techniques. The technical landscape has evolved over the last decade with the increasing use of identifiers embedded in operating systems, as well as with the creation of new tools that allow information to be stored in terminals.
Ambiguities regarding the scope of Article 5(3) ePD have created incentives to implement alternative solutions to track internet users and have led to a tendency to circumvent the legal obligations under Article 5(3) ePD. All these and similar situations raise concerns and require further consideration to complement previous guidance from the EDPS.
The Guidelines identifies four key elements for the applicability of Article 5(3) of the ePrivacy Directive (section 2.1), namely “information”, “terminal equipment of a subscriber or user”, “obtaining access” and “stored information and storage”. The opinion further provides a detailed analysis of each element (sections 2.2 to 2.6).
Article 5(3) of the ePD applies if:
✔ CRITERION A: the operations performed relate to “information”. It should be noted that the term used is not “personal data” but “information”.
✔ CRITERION B: the operations performed involve a “terminal equipment” of a subscriber or user.
✔ CRITERION C: the operations performed are carried out in the context of “the provision of publicly accessible electronic communications services in public communications networks”.
✔ CRITERION D: the operations performed really constitute an “access” or “storage”. These two notions can be studied independently, as recalled in Opinion WP29 9/2014: “The use of the words ‘stored or accessed’ indicates that storage and access need not take place within the same communication and need not be carried out by same session.
For reasons of readability, the entity that gains access to the information stored in the user’s terminal equipment will be referred to below as the “access entity”.
In section 3, this analysis is applied to a non-exhaustive list of use cases representing common techniques, namely:
– URL and Pixel Tracking:
A tracking pixel is a hyperlink to a resource, usually an image file, embedded in a piece of content such as a website or email. This pixel usually serves no purpose related to the content itself; its sole purpose is to establish a communication by the client with the pixel host, which would otherwise not have occurred. Establishing a communication conveys various information to the pixel host depending on the specific use case.
In the case of an email, the sender may include a tracking pixel to detect when the recipient reads the email. Tracking pixels on websites may link to an entity that collects many such requests and thus track user behavior. Such tracking pixels may also contain additional identifiers as part of the link. These identifiers may be added by the website owner, possibly in connection with the user’s activity on that website. They can also be dynamically generated by client-side application logic. In some cases, links to legitimate images can also be used for the same purpose by adding additional information to the link.
– Local processing:
Some technologies rely on local processing instructed by software distributed on the users’ terminal, where the information produced by the local processing is then made available to selected actors via the client API. This may for example be the case of an API provided by the web browser, where locally generated results can be accessed remotely.
– Tracking based on IP only:
Some providers develop advertising solutions that rely on the collection of only one component, namely the IP address, to track the user’s browsing, in some cases across multiple domains. In this context, Article 5(3) ePD could apply even if the instruction to make the IP available was sent by a different entity than the recipient.
– Intermittent and mediated Internet of Things (IoT) reporting:
IoT (Internet of Things) devices produce information continuously over time, for example through sensors embedded in the device, which may or may not be pre-processed locally. In many cases, the information is made available to a remote server, but the methods of collection vary.
Some IoT devices have a direct connection to a public communications network, for example by using WIFI or a cellular SIM card. IoT devices could be instructed by the manufacturer to always transmit the collected information, but still cache the information locally first, for example until a connection is available.
Other IoT devices do not have a direct connection to a public communications network and could be instructed to transmit the information to another device via a point-to-point connection (e.g. via Bluetooth). The other device is generally a smartphone that may or may not pre-process the information before sending it to the server.
– Unique identifier:
A common tool used by advertising companies is the notion of “unique identifiers” or “persistent identifiers”. Such identifiers are usually derived from persistent personal data (name and surname, email, phone number, etc.), which are indexed on the user’s device, collected and shared among several operators to uniquely identify a person on different data sets (usage data collected through the use of the website or application, customer relationship management (CRM) data related to online or offline purchase or subscription, etc.). On websites, persistent personal data is generally obtained in the context of logging in or subscribing to newsletters.
In the context of “unique identifier” collection on websites or mobile applications, the collecting entity instructs the browser (by distributing client-side code) to send that information. As such, a “gain of access” takes place and Article 5(3) ePD applies.
Industry controllers, especially those who operate on-line, are directly interested generically in complying with the RGPD and in particular in the concrete ways of qualifying the different technical solutions mentioned in Guidelines 2/2023 of the EDPB.
————————————————————
1. https://edpb.europa.eu/our-work-tools/documents/public-consultations/2023/guidelines-22023-technical-scope-art-53-eprivacy_ro