During its latest plenary meeting, the EDPB adopted recommendations on the legal basis for requiring the creation of user accounts on e-commerce websites. In addition, the Board had a preliminary discussion on the Digital Omnibus proposal and appointed the new EDPB Deputy Chair.
Recommendation on creating user accounts on websites
The Board says that Internet users visit e-commerce websites for various reasons, including making online purchases, taking advantage of promotions, or simply browsing products. When interacting with these websites, they may be asked to create an account, which involves the collection and processing of personal data and brings increased privacy and security risks. The EDPB adopted recommendations to clarify when e-commerce websites can require their users to create an account. As a general rule, users should have the option to engage with e-commerce websites, including the ability to make purchases, without creating an account. In such cases, the EDPB recommends that e-commerce websites offer a choice: either a ‘guest’ mode, allowing users to make purchases without creating an account, or the option to voluntarily create an account. This approach minimises the collection and processing of personal data, and therefore aligns with the GDPR’s principle of data protection by design and by default. However, mandatory account creation can be justified in a limited number of cases, including, for example, offering a subscription service or providing access to exclusive offers. The recommendations highlight the EDPB’s efforts to promote pragmatic, user-friendly and privacy-protective practices in the e-commerce sector. The recommendations are subject to public consultation.
Preliminary discussion on the Digital Omnibus proposal
The EDPB had a preliminary discussion on the proposal for a Digital Omnibus, on which the EDPB and the European Data Protection Supervisor (EDPS) will issue a Joint Opinion. In its Helsinki Statement, the EDPB made proposals to achieve enhanced clarity, support and engagement. The EDPB and the EDPS welcome the discussion on effective digital regulation and remain committed to finding solutions to make GDPR compliance easier, especially for small organisations. The EDPB and the EDPS will focus on how the European Commission’s proposal will affect the fundamental rights of individuals and whether it will lead to simplification for organisations and more legal certainty. While numerous points need to be analysed, at this stage, the EDPB and the EDPS are already saying that the proposed changes to the definition of personal data go further than the recent CJEU case law, and beyond a targeted modification of the GDPR, which may adversely affect the fundamental right to data protection.