Although the "Regulation on Privacy and Electronic Communications" (ePrivacy Regulation) is not expected to be adopted until later in 2020, it is already casting its shadow. In this article, I would like to give you an overview of what the ePrivacy Regulation is all about, what the current legal situation for the use of tracking tools looks like and how this could change under the ePrivacy Regulation. At the end, I will briefly explain why I think the new regulation is important. But don't panic: just as, contrary to all predictions, the world did not come to an end when the GDPR became applicable on 25.05.2018, the same is not to be expected when the ePrivacy Regulation takes effect.
I. The ePrivacy Regulation
1. What is the ePrivacy Regulation?
The ePrivacy Regulation (EPR) is a draft regulation of the European Commission currently under discussion at European level. It is intended to replace the ePrivacy Directive (Directive 2002/58/EC, last amended by Directive 2009/136/EC), which has been in force since 2002, and to adapt it to the current state of the art (for example, so-called over-the-top services, i.e. IP-based communication services, are not currently covered by the ePrivacy Directive).
As a European regulation, the ePrivacy Regulation will apply directly and immediately throughout the European Union. Unlike the ePrivacy Directive, it will not depend on transposition into national law by the individual member states. Incidentally, as far as the data protection part relevant to website operators is concerned, this transposition of the ePrivacy Directive into national law has never taken place in Germany.
2. What is the aim of the ePrivacy Regulation?
The ePrivacy Regulation aims to protect the confidentiality of communications as well as the confidentiality and integrity of users' end devices.
In simple terms, users should be protected from being spied on without their knowledge when visiting a website or using an email or messenger service.
Unlike the GDPR, it protects not only natural persons (humans) but also legal entities (companies and associations). The ePrivacy Regulation specifies and supplements the GDPR with regard to electronic communication data, insofar as this is personal data.
3. What does the ePrivacy Regulation regulate?
The ePrivacy Regulation not only regulates communication via (traditional) voice telephony, text messages (SMS) and email, but also communication via VoIP telephony, messenger services and web-based email services. It also applies to machine-to-machine communication, which is becoming increasingly important (keyword "Internet of Things").
The ePrivacy Regulation pays particular attention to how information is stored on, sent from, requested from or processed by users' end devices (e.g. PCs and smartphones). This is because sensitive personal data is practically always stored on these end devices (e.g. emails and messages, images, contact and location data). Users of end devices should therefore be protected from tracking tools that secretly monitor their activities (e.g. cookies, browser fingerprinting and similar technologies used to track user behavior).
4. When is the ePrivacy Regulation coming?
The original intention was for the ePrivacy Regulation to become applicable at the same time as the GDPR. The European Commission published its draft of the ePrivacy Regulation at the beginning of January 2017. However, as the European Parliament and the Council of the European Union must also be involved in the legislative process, numerous provisions of the ePrivacy Regulation are still under political discussion. Given the complexity of the legislative process, it is unlikely that the ePrivacy Regulation will be adopted in 2019. In addition, as with the GDPR, there is likely to be a transitional period between its adoption and the date from which it actually applies.
II Legal situation for the use of tracking tools
1. What are tracking tools?
Tracking tools are intended to make the behavior of Internet users traceable: how often is a website accessed by a specific user, or a messenger service used? (As soon as the behavior of a specific user is "analyzed", it is no longer a pure analytics and statistics tool but a tracking tool.) What is the content of messages sent? Which items are searched for and ordered in a web store? Which social media accounts are logged into? Is a linked article clicked on and purchased (affiliate marketing)?
The data is collected not only while the website is visited or the service is used, but often long afterwards. This is because the cookies, tracking pixels etc. placed on the end device are usually not deleted when the service is closed. They often remain on the user's device for several months and continue to send data without the user being aware of it.
In many cases, the data collected in this way is not only collected and processed by the service provider itself, but is also passed on to third parties.
As a result, a large number of user profiles are created without the user being aware of it.
2. Where is the use of tracking tools currently regulated?
Preliminary remark: This part is necessarily somewhat legally formulated. If you are not interested in these subtleties, you can easily continue reading at 3.
In Germany, the requirements for electronic information and communication services are regulated in the Telemedia Act (TMG). The Telemedia Act came into force in 2007 and was last amended in September 2017. However, the ePrivacy Directive, which was amended in 2009 and regulates the storage of and access to information stored on the user's terminal device in its Art. 5 Para. 3, has not been formally transposed into German law. The background to this is that the Federal Government did not consider this necessary due to the regulations already contained in Section 15 (3) TMG. The data protection provisions of the Telemedia Act (Section 4; Sections 11 et seq. TMG), which regulate the obligations of service providers, were also not adapted to the GDPR.
The consequence of this is that the conflict rule of Art. 95 GDPR, which governs the relationship between the GDPR and the ePrivacy Directive, does not apply. Since direct application of the ePrivacy Directive is also out of the question (unlike European regulations, European directives do not apply directly and immediately), the GDPR takes precedence.
This means that since the GDPR became applicable on May 25, 2018, the legal basis for the processing of personal data by service providers has been exclusively Art. 6 (1) GDPR; the corresponding provisions of the Telemedia Act have no longer been applicable since then.
This is not expected to change until the ePrivacy Regulation takes effect: as things stand at present, the provisions of the ePrivacy Regulation will take precedence over the corresponding provisions of the GDPR, provided they pursue the same objective.
3. What is the current legal situation for the use of tracking tools?
The current legal basis for the use of tracking tools is Art. 6 (1) GDPR. This means that tracking tools may generally only be used if either
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (point (f) of the first subparagraph of Article 6(1) GDPR)
or
- the data subject has given their consent to the processing of their personal data for one or more specific purposes (point (a) of the first subparagraph of Article 6(1) GDPR).
>> Details of the legitimate interests of the service provider
If a service provider has overriding legitimate interests in the use of tracking tools, the user's consent is not required.
For example, a checkbox would then be superfluous on a website. The website operator would only have to provide information about the tracking tools used in the privacy policy.
The legitimate interests of the service provider can be factual, economic or non-material.
Often, of course, commercial interests will be at stake. These may include, for example, saving the customer's shopping cart in an online store or integrating web fonts, map services and social media plugins on a website. Web analysis and statistics tools covering website visitors, and even the use of advertising trackers, are also cited as legitimate interests.
If the respective data processing is necessary to safeguard these legitimate interests, they must be weighed against the interests or fundamental rights and freedoms of the user. These include protection against economic disadvantages, the right to respect for private life and communication under Art. 7 of the Charter of Fundamental Rights of the European Union (CFR), the fundamental right to data protection under Art. 8 CFR and the right to informational self-determination.
When weighing up the respective interests, the effects of the intended data processing and its susceptibility to misuse are particularly important. In addition, the user's reasonable expectations of the service and whether the user can reasonably foresee that the intended data processing may take place must also be taken into account.
Whether the legitimate interests of the service provider (or a third party) or the interests of the user prevail is sometimes difficult to decide in individual cases.
It should be noted that the burden of proving that its legitimate interests prevail lies with the service provider. If this cannot be shown in the event of a dispute, the data collection was unlawful and the service provider must expect a fine.
The balancing of interests should therefore be well documented and comprehensible to the supervisory authorities.
>> Details of the user's consent
If the service provider cannot base the integration of a tracking tool on a legitimate interest, the consent of the user is mandatory.
The requirements for effective consent are set out in Art. 7 GDPR. Consent must be
- presented in an intelligible form;
- worded in clear and plain language;
- clearly distinguishable from other matters;
- preceded by a reference to the right to withdraw consent at any time;
- free of prohibited tying (i.e. a service may not be made dependent on consent to the processing of personal data that is not necessary for that service).
Consent can also be given by conclusive action, as long as it is an unambiguous, affirmative act; silence, pre-ticked boxes or mere inactivity do not suffice. Explicit consent is always required if special categories of personal data are processed (see Art. 9 (2) (a) GDPR).
It should also be noted that consent can be withdrawn at any time. Data processing must therefore cease from the moment the data subject withdraws their consent.
Currently, consent for the use of cookies and similar technologies on websites is usually obtained by means of a so-called "checkbox", which the user must actively tick (opt-in).
Unless only technically necessary cookies are set, a brief notice in a so-called "cookie banner" that the user merely acknowledges by clicking an "OK" button is not sufficient.
In any case, users must be informed about the tracking tools used in the privacy policy.
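As an added illustration of the consent mechanics described above (this is example code written for this article's English edition, not code from the original post or from any consent-management product), the following JavaScript shows a minimal consent gate: a tracker is started only after an actively ticked checkbox for its purpose, a banner that is merely dismissed with "OK" grants nothing, technically necessary cookies pass without consent, and withdrawing consent stops the tracker and removes its cookies. The cookie names, purposes and the in-memory cookie jar are constructed stand-ins for `document.cookie` so that the code runs offline.

```javascript
// Added example: a minimal consent gate for tracking tools. Not from the
// original article; cookie names and purposes are assumed for illustration.

// Technically necessary cookies (assumed names) may be set without consent.
const NECESSARY_COOKIES = new Set(["session_id", "csrf_token"]);

// In-memory stand-in for document.cookie, so the example runs without a browser.
class CookieJar {
  constructor() { this.store = new Map(); }
  set(name, value) { this.store.set(name, value); }
  remove(name) { this.store.delete(name); }
  names() { return [...this.store.keys()].sort(); }
}

class ConsentGate {
  constructor(jar) {
    this.jar = jar;
    this.consented = new Set(); // purposes with an active opt-in
    this.trackers = [];         // registered trackers, running or not
  }

  // A tracker declares its purpose and the cookies it sets; its start()
  // callback is invoked only once the purpose has consent.
  register(purpose, cookies, start) {
    this.trackers.push({ purpose, cookies, start, running: false });
    this.reconcile();
  }

  // Only an actively ticked box is an opt-in. A banner dismissed with "OK"
  // calls this with checkboxTicked=false and grants nothing.
  grant(purpose, { checkboxTicked }) {
    if (!checkboxTicked) return false;
    this.consented.add(purpose);
    this.reconcile();
    return true;
  }

  // Withdrawal is possible at any time; processing stops from that moment.
  withdraw(purpose) {
    this.consented.delete(purpose);
    this.reconcile();
  }

  // Start trackers whose purpose is consented; stop the rest and delete
  // the cookies they declared.
  reconcile() {
    for (const t of this.trackers) {
      const allowed = this.consented.has(t.purpose);
      if (allowed && !t.running) {
        t.running = true;
        t.start(this.jar);
      } else if (!allowed && t.running) {
        t.running = false;
        t.cookies.forEach((c) => this.jar.remove(c));
      }
    }
  }

  // Guard for every cookie write: necessary cookies always pass; any other
  // cookie only if a currently running, consented tracker declared it.
  setCookie(name, value) {
    const allowed = NECESSARY_COOKIES.has(name) ||
      this.trackers.some((t) => t.running && t.cookies.includes(name));
    if (allowed) this.jar.set(name, value);
    return allowed;
  }
}

// Walk through the lifecycle and report the cookie jar after each step.
function demo() {
  const jar = new CookieJar();
  const gate = new ConsentGate(jar);
  const log = {};

  gate.setCookie("session_id", "abc");                 // necessary: always allowed
  gate.register("analytics", ["_ga", "_gid"], (j) => { // assumed analytics tracker
    j.set("_ga", "GA1.1");
    j.set("_gid", "GA1.2");
  });
  log.beforeConsent = jar.names();                     // ["session_id"]

  gate.grant("analytics", { checkboxTicked: false });  // "OK" on a banner: no opt-in
  log.afterOkClick = jar.names();                      // ["session_id"]

  gate.grant("analytics", { checkboxTicked: true });   // ticked checkbox: real opt-in
  log.afterOptIn = jar.names();                        // ["_ga", "_gid", "session_id"]

  log.adTrackerBlocked = !gate.setCookie("_fbp", "x"); // undeclared purpose: refused

  gate.withdraw("analytics");
  log.afterWithdrawal = jar.names();                   // ["session_id"]
  return log;
}
```

The design point is that the gate, not the individual tracker, decides whether a tracker runs and which cookies may be written, so a withdrawal is enforced in one place rather than relying on each third-party script to honour it.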
4. What is the likely legal situation for the use of tracking tools?
The draft ePrivacy Regulation published by the European Commission at the beginning of January 2017 is still undergoing political discussion. Among other things, there are opinions from the European Data Protection Board and the European Data Protection Supervisor, amendments from the European Parliament and discussion papers from the Council of the European Union.
The exact wording of the ePrivacy Regulation therefore remains to be seen.
However, in view of the ongoing "data scandals" of recent times, data protection advocates in particular are increasingly campaigning for the ePrivacy Regulation not to fall short of the current level of protection provided by the ePrivacy Directive and the GDPR.
In a paper published in May 2018, the European Data Protection Board argued that the confidentiality of electronic communications requires special protection that must go beyond the GDPR. Therefore, the legitimate interests of the service provider should no longer be a legal basis for the processing of content and metadata of electronic communications in future.
Should this view prevail, tracking tools may only be used with the user's prior consent (e.g. by means of a checkbox).
III Why the ePrivacy Regulation is a good thing
Contrary to all prophecies of doom, the ePrivacy Regulation is a sensible and long overdue piece of legislation. After all, the complete monitoring of our user behavior that is now technically possible should not simply be accepted.
It is therefore a good thing if website operators and service providers must provide clear and transparent information in advance about what data is collected when visiting a website or using a service and to whom it is passed on and for what purposes. Only in this way can website visitors and users decide whether visiting the website or using the service is really worth disclosing their data.
However, as a website operator, you don't have to bury your head in the sand now. As an immediate measure, check whether every service integrated on your website can be based on either a legitimate interest or user consent. If not, obtain the missing user consent. Above all, describe your tracking activities transparently in your privacy policy.
As soon as the final text of the ePrivacy Regulation is known, check in particular whether and, if so, from when you need to obtain additional consent. It is worth keeping an eye on the ePrivacy Regulation so that you can implement this and everything else it requires without haste.
Featured image: Scott Webb [Pexels]