EDPB Statement on the Revision of the ePrivacy Regulation

May 28, 2018

The European Data Protection Board, the body created under
the GDPR which, in essence, takes on the roles formerly carried out by the
Article 29 Working Party, has issued a statement in which it lists some
concerns about the proposals put forward for the ePrivacy Regulation. Its
statement can be read in full here.

The EDPB is clearly concerned about the slippage in progress
on the ePrivacy Regulation, which was originally supposed to come into force at
the same time as the GDPR. It notes in particular that the use of IP-based
communication services has become widespread since the old Directive was
implemented and that these ‘Over-the-Top’ services are currently not covered.
The EDPB states that a swift adoption of the new ePrivacy Regulation is
necessary ‘in order to ensure that end-users’ confidentiality of communications
is protected while using these new services and to create a level playing field
for providers of electronic communication and functionally equivalent services’.

The EDPB’s points are listed under the following headings:

  • Confidentiality of electronic communications requires
    specific protection beyond the GDPR
  • The ePrivacy Directive is already in force
  • The proposed Regulation aims at ensuring its uniform
    application across every Member State and every type of data controller
  • The new Regulation must enforce the consent requirement for
    cookies and similar technologies and offer service providers technical tools
    allowing them to obtain that consent.

The EDPB’s conclusions are as follows:

  • The ePrivacy Regulation should not lower the level of
    protection offered by the current ePrivacy Directive.
  • The ePrivacy Regulation should provide protection for all
    types of electronic communications, including those carried out by
    ‘Over-the-Top’ services, in a technology neutral way.
  • User consent should be obtained systematically in a
    technically viable and enforceable manner before processing electronic
    communications data or before using the storage or processing capabilities of a
    user’s terminal equipment. There should be no exceptions to process this data
    based on the ‘legitimate interest’ of the data controller, or on the general
    purpose of the performance of a contract.
  • Article 10 should provide an effective way to obtain consent
    for websites and mobile applications. More generally, settings should preserve
    the privacy of the users by default, and they should be guided to choose a
    setting, on receipt of relevant and transparent information. In this regard,
    the Regulation should remain technology neutral to ensure that its application
    remains consistent whatever the use cases.
  • The highest level of scrutiny should be applied for any ad
    hoc exceptions that the legislators may wish to consider adding to those
    already included in the Commission and Parliament draft texts. In particular,
    any broadly-framed exceptions for cases where ‘a public authority’ requests
    processing of data should be carefully scrutinised, and the proposal should not
    allow the indiscriminate monitoring of users’ location or the processing of
    their metadata.
  • In order for consent to be freely given as required by the
    GDPR, access to services and functionalities must not be made conditional on
    the consent of a user to the processing of personal data or the processing of
    information related to or processed by the terminal equipment of end-users,
    meaning that cookie walls should be explicitly prohibited.
  • The use of genuinely anonymised electronic communication
    data should be encouraged.
  • The aforementioned evolutions will protect the privacy of
    end-users in every relevant context and prevent any distortions of competition.