European Data Protection Board Releases Statement on the Revision of the ePrivacy Regulation

On 28 May 2018, the European Data Protection Board (the “EDPB”) released a statement on the revision of the ePrivacy Regulation (the “proposed Regulation”) and its impact on the protection of individuals in relation to the privacy and confidentiality of their communications. It is the first statement of substance by the EDPB since it was established by the EU General Data Protection Regulation on 25 May 2018. The statement calls on the European Commission, Parliament and Council to work together to ensure a swift adoption of the proposed Regulation, which will replace the current ePrivacy Directive (the “Directive”).

The statement contains the EDPB’s advice and clarifications on some issues which have been raised during the development of the proposed Regulation, which is still in draft form. Key messages from the statement include that:

  1. Confidentiality of electronic communications requires protection beyond what is offered by the GDPR

The EDPB emphasizes the need for ‘broad prohibitions, narrow exceptions, and the use of consent’ within the proposed Regulation.

The EDPB thus rejects suggestions that the proposed Regulation should permit processing of electronic communications content and metadata on what some may consider open-ended grounds, such as on the basis of the ‘legitimate interests’ of an organisation.

The EDPB equally does not believe that organizations should be able to process electronic communications metadata based on the general purpose of the ‘performance of a contract’. The statement notes that consent would not be required, on the other hand, to process electronic communications metadata which have been fully anonymized in accordance with EU guidance.

  2. The proposed Regulation maintains rights and obligations which exist today under the Directive

In particular, the EDPB notes that:

  • Transmission services used for the provision of machine to machine services are already in the scope of the current Directive; and
  • The protection of terminal equipment is already a right (meaning that data controllers may only gain access to, or store information on, subscribers’ devices under certain conditions).

The proposed Regulation maintains these rules, although it also includes new exceptions in areas where the EDPB considers there to be a limited privacy risk, such as in the context of security updates, and in the context of audience measurement.

  3. The proposed Regulation aims to ensure a uniform application across every Member State and every type of data controller

The EDPB emphasizes that the changes are designed to ensure an equal playing field for all types of data controllers, in a technology neutral way. In particular:

  • The proposed Regulation is aimed at bringing ‘Over-the-Top’ services within the scope of the rules, as the EDPB views these as functionally equivalent to traditional electronic communications services.
  • The proposed Regulation’s rules apply as soon as data relating to users’ behaviour are collected – whether or not users have created an account for a service.
  • Service providers will need to obtain consent compliant with GDPR consent requirements. Notably, the requirement to obtain ‘freely given’ consent should prevent service providers from implementing so-called ‘cookie walls’ which block users from receiving the service if they do not provide their consent (in fact, the EDPB appears to support an explicit prohibition on ‘cookie walls’).
  • Uniform application of the rules is achieved by aligning the sanctions and territorial scope of the proposed Regulation with those of the GDPR.

  4. The proposed Regulation must enforce the ‘consent’ requirement for cookies and similar technologies, and offer service providers technical tools which allow them to obtain that consent

In particular, the EDPB supports the inclusion of provisions within the proposed Regulation which:

  • Offer users control over the use of the storage capabilities of their terminal equipment;
  • Require a ‘privacy by default’ approach in relation to software settings; and
  • Permit websites and mobile applications to obtain users’ consent through the use of privacy settings.

To keep up with the latest on the GDPR, check out Sidley’s GDPR Monitor page.