
EU: How to comply with the ePrivacy Directive - EDPB guidelines on the technical scope of Article 5(3)

Timea Bana, Partner at Dentons, explores the evolving landscape of data protection in the digital age, delving into the significance of European Data Protection Board (EDPB) guidelines to navigate complexities arising from technological advancements, offering clarity for entities such as online advertisers and businesses engaged in digital services.


Introduction

The EDPB has published for public consultation its guidelines on the technical scope of Article 5(3) of the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) (the ePrivacy Directive), which regulates the storage and access of information on users' terminal equipment. The guidelines aim to provide clarity on the concepts and conditions for the applicability of Article 5(3) of the ePrivacy Directive and to illustrate use cases involving changing and emerging technologies, such as tracking pixels, local processing, IP tracking, and Internet of Things (IoT) devices. They are relevant for any market player that uses or provides electronic communications services over public networks, seeking to comply with the ePrivacy Directive and respect the privacy and integrity of the user's terminal equipment.

The ePrivacy Directive, a legal instrument that preceded and complements the General Data Protection Regulation (GDPR) in the field of electronic communications, aims to protect the confidentiality of information stored or accessed on users' or subscribers' terminal equipment, such as computers, smartphones, tablets, smart TVs, or connected cars. Article 5(3) of the ePrivacy Directive states that such storage or access is only allowed with the consent of the user or subscriber, unless it is strictly necessary for the provision of a service requested by the user or subscriber.

However, the ePrivacy Directive was adopted in 2002 and amended in 2009, before the rapid development and proliferation of new technologies and services that rely on the storage and access of information on users' terminal equipment. These technologies include online advertising, web analytics, social media, cloud computing, artificial intelligence (AI), machine learning, biometrics, blockchain, or IoT devices. The emergence of these technologies poses new challenges and questions for the interpretation and application of Article 5(3) of the ePrivacy Directive, as well as for the protection of users' privacy and the integrity of their terminal equipment.

To address these challenges and questions, the EDPB, an independent body composed of the national data protection authorities of the EU Member States and the European Data Protection Supervisor (EDPS), has published guidelines on the technical scope of Article 5(3) of the ePrivacy Directive for public consultation. The EDPB is responsible for ensuring the consistent application of the GDPR and the ePrivacy Directive across the EU, as well as for providing guidance and advice on data protection issues.

The EDPB emphasizes that the application of Article 5(3) of the ePrivacy Directive requires that the following conditions must be met simultaneously:

  • the operations carried out relate to 'information';
  • they involve the 'terminal equipment' of a user or subscriber;
  • they are made in the context of the 'provision of publicly available electronic communications services in public communications networks'; and
  • they constitute a 'gaining of access' or 'storage.'

Regarding the definition of these conditions, the EDPB provides the following explanations in the guidelines:

  • Information: The concept of information is broader than that of personal data. This means that the term 'information' extends beyond being related to an identified or identifiable natural person. The consent requirement applies regardless of how the data is stored and by whom, whether it is stored by an external entity (including other entities than the one having access), by the user, by a manufacturer, or any other scenario. 
  • Terminal equipment of a user or subscriber: The ePrivacy Directive protects users' privacy not only in relation to the confidentiality of their information but also by safeguarding the integrity of the user's terminal equipment. If a device merely transmits information without being an endpoint of communication or making changes to that information, it would not be considered terminal equipment in this context, and consequently Article 5(3) of the ePrivacy Directive does not apply to it. The EDPB emphasizes that a terminal may consist of any number of individual pieces of hardware which together form the terminal equipment. This may or may not take the form of a physically enclosed device containing all the display, processing, storage, and peripheral hardware (e.g., smartphones, laptops, connected cars or TVs, or smart glasses). According to the ePrivacy Directive, the protection of the confidentiality of the information stored on a user's terminal equipment and of the integrity of that equipment also concerns the right to respect for the correspondence and legitimate interests of legal persons. Therefore, terminal equipment that allows such correspondence and legitimate interests of legal persons to be carried out is also protected under Article 5(3) of the ePrivacy Directive. The EDPB underlines that it is irrelevant whether a user owns, rents, or uses terminal equipment under another legal title, whether the terminal equipment is used by more than one user (e.g., a connected car), or whether the communication involves more than one piece of terminal equipment. The protection provided by the ePrivacy Directive also covers cases where the electronic communication was not initiated by the user, or where the user was not even aware of it.
  • Electronic communications network: The definition in the European Electronic Communications Code (Directive 2018/1972) is neutral with regard to transmission technologies. According to this definition, an electronic communications network is any network system that allows the transmission of electronic signals between its nodes, regardless of the equipment and protocols used. The definition of an electronic communications network covers all types of infrastructure. It includes networks that may or may not be managed by an operator, networks that may or may not be jointly managed by a group of operators, or even ad hoc networks in which terminal equipment may dynamically join or leave a network of other terminal equipment using short-range transmission protocols. The EDPB stresses that the definition of network does not impose any limitations on the number of terminal equipment units present on the network at any given time. However, for Article 5(3) of the ePrivacy Directive to apply, the communications service must be publicly available over the communications network. The EDPB also notes that the fact that the network is made available to a limited subset of the public (e.g., subscribers, whether paying or not) does not make such a network private.
  • Gaining access: On the concept of gaining access, the EDPB clarified that storage and access do not have to be cumulative for Article 5(3) of the ePrivacy Directive to apply. The notion of 'gaining access' is independent of the notion of 'storing information.' Furthermore, the two operations do not have to be carried out by the same entity. According to the EDPB, Article 5(3) of the ePrivacy Directive applies whenever the accessing entity intends to gain access to information stored in the terminal equipment and actively takes steps towards that end. 
  • Stored information and storage: Storage of information within the meaning of Article 5(3) of the ePrivacy Directive refers to the placing of information on a physical electronic storage medium that is part of a user's or subscriber's terminal equipment. Typically, information is stored in a user's or subscriber's terminal equipment by instructing software on the terminal equipment to generate specific information. Storage through such instructions is considered to be directly initiated by the other party (e.g., browser cookie storage, customized software). The EDPB points out that the ePrivacy Directive does not set requirements for the length of time that information must persist on a storage medium to be counted as stored or the amount of information to be stored. According to the guidelines, the storage medium includes but is not limited to, HDD, SSD, RAM, and CPU cache, and it may be connected internally (e.g., via a SATA connection), externally (e.g., via a USB connection), or through a network protocol (e.g., a network-attached storage device). The EDPB states that as long as the networked storage medium constitutes a functional equivalent of a local storage medium, such storage medium will be considered part of the terminal equipment (see above). 'Stored information' may also be stored by the user or subscriber, by a hardware manufacturer, or by any other entity. 

In addition to the conceptual explanations, the EDPB has also provided a number of use cases to illustrate the application of Article 5(3) of the ePrivacy Directive in relation to some changing and evolving technologies. The following are examples of these use cases:

  • Tracking URL and pixel: If the tracking pixel or the tracked URL is distributed over a public communications network, it is clear that it constitutes storage on the terminal equipment of the user, at least through the caching mechanism of the client-side software. Therefore, Article 5(3) of the ePrivacy Directive applies. Including a tracking pixel or a tracking link in the content sent to the user constitutes an instruction to the terminal equipment to send back the targeted information (i.e., the specified identifier). In the case of dynamically generated tracking pixels, the distribution of the applicative logic (usually JavaScript code) constitutes the instruction. Consequently, the collection of the identifiers provided by tracking pixels and tracked URLs does constitute a 'gaining of access', so Article 5(3) of the ePrivacy Directive is applicable to that step as well.
  • Local processing: If, at any point, the processed information provided is sent back over the network (e.g., to a server), such an operation would constitute 'access to information already stored.' The fact that this information is produced locally does not prevent the application of Article 5(3) of the ePrivacy Directive.
  • Tracking based on IP only: Gaining access to IP addresses triggers the application of Article 5(3) of the ePrivacy Directive only if such information originates from the terminal equipment of a user or subscriber. While this is not systematically the case (e.g., when CGNAT is activated), a static outbound IPv4 address originating from a user's router would fall within that case, as would IPv6 addresses, since they are partly defined by the host. Unless the entity can ensure that the IP address does not originate from the terminal equipment of a user or subscriber, Article 5(3) of the ePrivacy Directive is applicable.
  • Intermittent and mediated IoT reporting: If the IoT device has a direct connection to a public communications network (e.g., through Wi-Fi or a cellular SIM card), the IoT device could be instructed by the manufacturer to always stream the collected information but still cache the information locally first (e.g., until a connection is available). In situations where the IoT device is connected to a public communications network, it would be considered a terminal. The fact that the information is streamed or cached for intermittent reporting does not change the nature of the information. In both situations, Article 5(3) of the ePrivacy Directive would apply, as there is 'access' by instructing the IoT device to send the dynamically stored data to the remote server. If the IoT device does not have a direct connection to a public communications network and is instead instructed to relay the information to another device via a point-to-point connection (e.g., via Bluetooth), the other device is usually a smartphone, which may or may not pre-process the information before sending it to the server. The transmission of data to the relay could fall outside the scope of Article 5(3) of the ePrivacy Directive if the communication does not take place on a public communications network. However, the information received by the relay device would be considered to be stored by a terminal, and Article 5(3) of the ePrivacy Directive would apply once this relay is instructed to send such information to a remote server.
  • Unique identifier: The fact that the information is supplied by the user would not preclude the application of Article 5(3) of the ePrivacy Directive with regard to storage, as this information is temporarily stored on the terminal before being collected. In the context of the collection of 'unique identifiers' on websites or mobile applications, the collecting entity instructs the browser (by distributing client-side code) to send this information. Therefore, a 'gaining of access' takes place and Article 5(3) of the ePrivacy Directive applies.
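As an added example (not from the article or the EDPB guidelines), the following Python auditor inventories tracking pixels and tracked URLs in content sent to a user and tags each with the Article 5(3) operation the tracking pixel and unique identifier use cases above associate with it: caching of a pixel counts as storage, and an identifier sent back via a pixel or link counts as access. The list of identifier-like parameter names and the sample HTML are assumptions constructed for the demonstration.

```python
"""Inventory tracking elements in HTML for an Article 5(3) consent review."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Query parameter names commonly used to carry a per-user identifier (assumption;
# extend to match what a given mailing or web stack actually emits).
ID_PARAMS = {"uid", "user_id", "cid", "rid", "token", "tracking_id", "utm_id"}


def identifier_params(url):
    """Return identifier-like query parameter names found in a URL, sorted."""
    query = parse_qs(urlparse(url).query)
    return sorted(k for k in query if k.lower() in ID_PARAMS)


class TrackingAuditor(HTMLParser):
    """Collect <img> pixels and <a> links that instruct the terminal to call back."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "img" and "src" in a:
            tiny = a.get("width") == "1" and a.get("height") == "1"
            hidden = "display:none" in a.get("style", "").replace(" ", "")
            ids = identifier_params(a["src"])
            if tiny or hidden or ids:
                # A fetched pixel is cached (storage); an identifier in its URL
                # is sent back to the server (gaining of access).
                ops = ["storage (cache)"] + (["access"] if ids else [])
                self.findings.append({"kind": "pixel", "url": a["src"],
                                      "ids": ids, "operations": ops})
        elif tag == "a" and "href" in a:
            ids = identifier_params(a["href"])
            if ids:  # a tracked URL reports the identifier when followed
                self.findings.append({"kind": "tracked_url", "url": a["href"],
                                      "ids": ids, "operations": ["access"]})


def audit_html(html):
    """Parse one HTML document and return its tracking findings in order."""
    auditor = TrackingAuditor()
    auditor.feed(html)
    return auditor.findings


# Constructed sample newsletter fragment: one tracked link, one pixel, one plain logo.
SAMPLE_HTML = """<html><body>
<p>Hello <a href="https://example.com/offer?rid=abc123&utm_source=nl">see offer</a></p>
<img src="https://track.example.net/open.gif?uid=42" width="1" height="1" alt="">
<img src="https://cdn.example.com/logo.png" width="120" height="40" alt="logo">
<a href="https://example.com/about">About us</a>
</body></html>"""
```

Each finding maps an element to the operation a consent notice must cover; elements such as the plain logo, which neither hide themselves nor carry an identifier, are not reported.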

The importance of the EDPB guidelines lies in the fact that the EDPB aims to address data protection issues raised by the ongoing development of technology. While cookies currently represent the most commonly used technology, the EDPB acknowledges that newer technologies, such as tracking links and pixels, are continually evolving. In this context, the EDPB not only provides conceptual explanations but also offers use cases to demonstrate the appropriate privacy practices to be applied in such situations. Once finalized, the EDPB guidelines will certainly be useful for many market players to comply with Article 5(3) of the ePrivacy Directive. For example, the guidelines may be particularly relevant to manufacturers of IoT devices, companies engaged in online advertising, or website operators. In this context, it is recommended to follow the further publications of the EDPB and, in case of any doubt, to consult an expert in the field of privacy and data protection.

Timea Bana, Partner
Dentons, Hungary