The European Data Protection Board, the body created under
the GDPR which, in essence, takes on the roles formerly carried out by the
Article 29 Working Party, has issued a statement in which it lists some
concerns about the proposals put forward for the ePrivacy Regulation. Its
statement can be read in full here.
The EDPB is clearly concerned about the slippage in progress
on the ePrivacy Regulation, which was originally supposed to come into force at
the same time as the GDPR. It notes in particular that the use of IP based
communication services has become widespread since the old Directive was
implemented and that these ‘Over-the-Top’ services are currently not covered.
The EDPB states that the a swift adoption of the new ePrivacy Regulation is
necessary ‘in order to ensure that end-users’ confidentiality of communications
is protected while using these new services and to create a level playing field
for providers of electronic communication and functionally equivalent services’.
The EDPB’s points are listed under the following headings:
- Confidentiality of electronic communications requires
specific protection beyond the GDPR
- The ePrivacy Directive is already in force
- The proposed Regulation aims at ensuring its uniform
application across every Member State and every type of data controller
- The new Regulation must enforce the consent requirement for
cookies and similar technologies and offer services providers technical tools
allowing them to obtain that consent.
The EDPB’s conclusions are as follows:
- The ePrivacy Regulation should not lower the level of
protection offered by the current ePrivacy Directive.
- The ePrivacy Regulation should provide protection for all
types of electronic communications, including those carried out by
‘Over–the-Top’ services, in a technology neutral way.
- User consent should be obtained systematically in a
technically viable and enforceable manner before processing electronic
communications data or before using the storage or processing capabilities of a
user’s terminal equipment. There should be no exceptions to process this data
based on the ‘legitimate interest’ of the data controller, or on the general
purpose of the performance of a contract.
- Article 10 should provide an effective way to obtain consent
for websites and mobile applications. More generally, settings should preserve
the privacy of the users by default, and they should be guided to choose a
setting, on receipt of relevant and transparent information. In this regard,
the Regulation should remain technology neutral to ensure that its application
remains consistent whatever the use cases.
- The highest level of scrutiny should be applied for any ad
hoc exceptions that the legislators may wish to consider adding to those
already included in the Commission and Parliament drafts texts. In particular,
any broadly -framed exceptions for cases where ‘a public authority’ requests
processing of data should be carefully scrutinised, and the proposal should not
allow the indiscriminate monitoring of user’s location or the processing of
- In order for consent to be freely given as required by the
GDPR, access to services and functionalities must not be made conditional on
the consent of a user to the processing of personal data or the processing of
information related to or processed by the terminal equipment of end-users,
meaning that cookie walls should be explicitly prohibited.
- The use of genuinely anonymised electronic communication
data should be encouraged.
- The aforementioned evolutions will protect the privacy of
end-users in every relevant context and prevent any distortions of competition.