A months-old German court decision on Google Tag Manager has resurfaced here, with many claiming the GDPR applies to every use of GTM or similar tools. A bit of nuance may be useful:
– First, that claim that the use of IP addresses and other identifiers = always processing of personal data? Let’s first wait and see what the CJEU says in the SRB case. (read my analysis of the Advocate General’s Opinion, which would necessarily imply that not all uses of IP addresses or other identifiers are processing of personal data: https://lnkd.in/dSnd8czZ )
It bears repeating, but *just because something makes a user unique, doesn’t mean that the user is identifiable* from the perspective of the potential controller. “Singling out” and “identifiable” are different notions.
– Second, this VG Hanover decision plus the other recent ones (e.g. Landgericht Leipzig) highlight one of my greatest qualms about the ePrivacy Directive (ePD): everything requires consent, no matter how privacy-friendly or non-intrusive a particular technology might be, because regulators and courts appear to be increasingly fixated on a very strict interpretation of exceptions while expanding their interpretation of the scope of Article 5(3) ePD. (see notably a couple of recent pieces of mine on this topic: https://lnkd.in/eR87ybev & https://lnkd.in/e8qC_JAv )
– Third, but this is also linked to the second point: we need to get to alignment of GDPR and ePrivacy legal grounds. Regulated industries cannot deal with ePrivacy consent if they have legal obligations to deal with (as legal ground under the GDPR), and legitimate interest as a GDPR legal ground becomes irrelevant to many online activities if the service exemption under ePrivacy is interpreted too strictly. Even the service exemption under ePrivacy and the contract legal ground under the GDPR might not align well, depending on which authority/court you look at.
(And that’s before tackling the fact that this service exemption only concerns information society services, which excludes various non-commercial online activities.)
I still hope that there is room for reviving some of the better ideas of the draft ePrivacy Regulation – notably the broader range of consent exemptions to cover many non-harmful practices.
In the meantime, though, I hope some will refrain from fear-mongering (“You’ll have to pay 200-5000 EUR per user! Class actions coming tomorrow!”).
After all, if better privacy is what you wish, it may be worthwhile focussing on fixing legislation issues. One bad consequence concerns privacy-enhancing technologies: if I need consent for both the more “intrusive” version and a privacy-friendlier alternative, why bother with the latter (less data + often costlier)? Another: consent defeats the aim of anti-fraud measures (though required by law in some sectors).
After a hiatus due to various data litigation files, I’ll be getting back into writing articles on such topics in the coming weeks.
Data protection
Did this analysis get you thinking? Reach out!
DataLaws.net is entirely open-access, and instead of getting your data in exchange for this content, how about another trade? If this commentary saved you research time or sparked an idea, feel free to invite me over for tea, chai or a hot chocolate next time you are around Brussels or Antwerp - or invite me over to your offices for a chat!
Get in touch ↗ Let's connect on LinkedIn ↗