EDPB Statement on the Revision of the ePrivacy Regulation

The newly created European Data Protection Board has reviewed the draft ePrivacy Regulation and ‘has decided to offer further advice and clarifications on some specific issues raised by the proposed amendments’.

The European Data Protection Board, the body created under the GDPR which, in essence, takes on the roles formerly carried out by the Article 29 Working Party, has issued a statement in which it lists some concerns about the proposals put forward for the ePrivacy Regulation. Its statement can be read in full here.

The EDPB is clearly concerned about the slippage in progress on the ePrivacy Regulation, which was originally supposed to come into force at the same time as the GDPR. It notes in particular that the use of IP based communication services has become widespread since the old Directive was implemented and that these ‘Over-the-Top’ services are currently not covered. The EDPB states that the a swift adoption of the new ePrivacy Regulation is necessary ‘in order to ensure that end-users’ confidentiality of communications is protected while using these new services and to create a level playing field for providers of electronic communication and functionally equivalent services’.

The EDPB’s points are listed under the following headings:

  • Confidentiality of electronic communications requires specific protection beyond the GDPR
  • The ePrivacy Directive is already in force
  • The proposed Regulation aims at ensuring its uniform application across every Member State and every type of data controller
  • The new Regulation must enforce the consent requirement for cookies and similar technologies and offer services providers technical tools allowing them to obtain that consent.

The EDPB’s conclusions are as follows:

  • The ePrivacy Regulation should not lower the level of protection offered by the current ePrivacy Directive.
  • The ePrivacy Regulation should provide protection for all types of electronic communications, including those carried out by ‘Over–the-Top’ services, in a technology neutral way.
  • User consent should be obtained systematically in a technically viable and enforceable manner before processing electronic communications data or before using the storage or processing capabilities of a user’s terminal equipment. There should be no exceptions to process this data based on the ‘legitimate interest’ of the data controller, or on the general purpose of the performance of a contract.
  • Article 10 should provide an effective way to obtain consent for websites and mobile applications. More generally, settings should preserve the privacy of the users by default, and they should be guided to choose a setting, on receipt of relevant and transparent information. In this regard, the Regulation should remain technology neutral to ensure that its application remains consistent whatever the use cases.
  • The highest level of scrutiny should be applied for any ad hoc exceptions that the legislators may wish to consider adding to those already included in the Commission and Parliament drafts texts. In particular, any broadly -framed exceptions for cases where ‘a public authority’ requests processing of data should be carefully scrutinised, and the proposal should not allow the indiscriminate monitoring of user’s location or the processing of their metadata.
  • In order for consent to be freely given as required by the GDPR, access to services and functionalities must not be made conditional on the consent of a user to the processing of personal data or the processing of information related to or processed by the terminal equipment of end-users, meaning that cookie walls should be explicitly prohibited.
  • The use of genuinely anonymised electronic communication data should be encouraged.
  • The aforementioned evolutions will protect the privacy of end-users in every relevant context and prevent any distortions of competition.

Published: 2018-05-29T09:33:00


      This site uses cookies. By using the site you agree to our use of cookies as set out in our Privacy Policy.

      Please wait...