The Article 29 Working Party has welcomed the proposal for a new ePrivacy Regulation but it is a welcome laced with ‘grave concerns’
The Article 29 Working Party has published its comments on the proposal for a new ePrivacy Regulation. Its Opinion can be downloaded here. The Opinion welcomes inter alia the following:
However, the Working Party also raises four points of grave concern, relating to:
In these respects, the Opinion suggests that the Proposed Regulation would lower the level of protection enjoyed under the GDPR and suggests how to remedy this.
With regard to WiFi-tracking, depending on the circumstances and purposes of the data collection, such tracking under the GDPR is likely either to be subject to consent, or may only be performed if the personal data collected is anonymised. In the latter case, the following four conditions have to be complied with: the purpose of the data collection from terminal equipment is restricted to mere statistical counting, the tracking is limited in time and space to the extent strictly necessary for this purpose, the data will be deleted or anonymised immediately afterwards, and there are effective opt-out possibilities. The European Commission is invited to promote a technical standard for mobile devices to automatically signal an objection against such tracking.
With regard to the analysis of content and metadata, the starting point should be that it is prohibited to process communications data without the consent of all end-users (senders and recipients). To allow providers to provide services explicitly requested by the user, such as for example search and indexing functionality, or text-to-speech services, there should be a domestic exception for the processing of content and metadata for the purely personal purposes of the user him or herself.
With regard to consent for tracking, the Working Party calls for an explicit prohibition on tracking walls, that is, take it or leave it choices that force users to consent to tracking if they want to have access to the service.
The Working Party recommends that terminal equipment and software must by default offer privacy protective settings, and offer clear options to users to confirm or change these default settings during installation. The settings must be easily accessible during use. Users must be enabled to signal specific consent through their browser settings. Privacy preferences should not be limited to interference by third parties or be limited to cookies. The Working Party strongly recommends making adherence to the Do Not Track standard mandatory.
The Working Party has also expressed concern about other issues, including direct marketing and seeks clarification on a number of points.