Trying to patch up an old law, the EDPB adopts a new ePrivacy guidance


Author: Iurie Cojocaru

It is hard to regulate technology. One of the reasons, amongst many others, is time. What you regulate today does not correspond to the technical landscape of tomorrow. Back in the first decade of the 2000s, when the ePrivacy Directive was adopted and amended, the European legislator did not have in mind the technical evolution which followed, nor the digital realities that we are currently living in.

The notion of channels of communication for direct marketing, for example, did not cover the multitude of means of communication available today, so that, for a while, certain companies sought to send direct marketing communications using such new tools, in order to avoid the consent requirements. A judgment of the Court of Justice of the European Union (in the case C-102/20) and the legislative amendments brought by the European Electronic Communications Code were necessary in order to broaden the scope of channels of communications.

The same goes for cookies and similar technologies. The types of cookies and similar technologies that we have today are more varied and sophisticated than what the European legislator thought of when shaping the ePrivacy Directive. The risk is that some of the tools currently used to track individuals may not even fall under the definition of cookies and similar technologies.

According to Article 5 paragraph 3 of the ePrivacy Directive (similar to Article 4 paragraph 5 of the Romanian Law 506/2004 transposing such directive), “the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed”, as a rule, if, amongst others, the subscriber provides his/her consent.

Over the years, there have been various attempts to argue that specific technologies do not fall under this legal provision of venerable age. And if Article 5(3) does not apply, the consent under this provision is not needed.

Of course, we are all waiting for the ePrivacy Regulation, which was envisaged to adapt the legal requirements to the present level of technology. The act was meant to become applicable together with the GDPR, starting on 25 May 2018, but it is far from being finalized and we see nothing on the horizon.

In the meantime, the European Data Protection Board (EDPB), as well as its predecessor, the Article 29 Working Party (WP), have made certain attempts to clarify (read “update” or even “expand”) the ePrivacy Directive provisions on cookies and similar technologies.

The most recent endeavor in this direction is the EDPB's Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive, open to public consultation until 28 December 2023 (Guidelines).

The Guidelines aim to provide clarity on what is covered by Article 5(3) of the ePrivacy Directive. And a lot is covered there, according to the EDPB.

In 13 pages, the EDPB takes us through the key elements of applicability of Article 5(3) and provides us with a number of use cases. Thus, the Guidelines present the applicability of this provision by clarifying the notions of “information”, “terminal equipment”, “electronic communications network”, “gaining access”, “stored information” and “storage”.

Amongst other things, the EDPB stresses that “storage” and “access” do not have to be both present in order for Article 5(3) to apply. “Gaining access” and “storing information” are independent from one another. These two operations do not even need to be performed by the same entity (for example, the information accessed by one entity may be stored by the user himself/herself, by the hardware manufacturer or by another entity).

Then, according to the EDPB, storing information in the terminal equipment (for example, your smartphone or laptop) does not require direct access to it: it is sufficient to instruct software on the terminal equipment to generate specific information. Likewise, to access the information on the terminal equipment, it is sufficient for the entity to instruct such terminal equipment to send the information.

The EDPB also says that there is no minimal or maximal limit on the length of time that information must persist in a storage medium, nor a limit on the amount of information stored in the terminal equipment.

On the other hand (and this is a limitation of scope), the Guidelines indicate that Article 5(3) does not apply if the information is used strictly inside the device and does not leave it. For example, this happens when the camera or the microphone is accessed on a smartphone, but this information is not extracted outside the device.

What comes next? Subject to the comments received during the public consultation, the Guidelines will get a final form. The organizations, on their side, will need to check if the qualification of their technologies is in line with what the EDPB says in its Guidelines. If not, adjustments will need to be made and, what is more painful, consent may need to be obtained in cases which until now have been believed to be outside the scope of Article 5(3).

Certainly, the Guidelines of the EDPB do not have binding force. Then again, as we all know, the representatives of data protection authorities (DPAs) from EU Member States (including the Romanian DPA) are part of the EDPB, and normally the national DPAs and the EDPB tend to sing in harmony. Take only the annual reports of the Romanian DPA, which have numerous references to EDPB and WP guidelines. So, it is to be expected that the perspective of the EDPB Guidelines will also be adopted by the Romanian DPA.