Last few days to comment on the game-changing ePrivacy guidelines of the EDPB. One issue examined for some clients is the inconsistency between the expanded scope of that provision (a rule regarding cookies and similar (active) information storage & access technologies, but now also covering nearly any interaction with a computing device *and* the passive receipt of information) and other statutory requirements.
A key concern in many regulated industries – beyond the stretching of concepts beyond what they mean both to Joe Public and in technical terms – is that the “cookie rule” (Art. 5(3) of the ePrivacy Directive or ePD) only contains two consent exemptions: strict necessity for the provision of a service explicitly requested by the subscriber/user, and use for the sole purpose of carrying out the transmission of an electronic communication (over a public network, too). Neither of those exemptions covers the case of a legal authorisation, or even a legal obligation, to store or use information.
The very next provision in the ePD – Article 6 ePD, and 6(2) in particular – illustrates this perfectly. Telecom operators are prohibited from using traffic data, except in a number of cases. Some are stated to be subject to consent (e.g. use for marketing of own telecom services), others not (e.g. use for billing and interconnection payments). Telecom providers have even recently become legally required in various Member States to fight fraud on their networks without looking at the content of communications… which basically means that they need to use traffic data and other metadata to do so.
Yet such traffic data would in many cases be covered by the expanded scope of Art. 5(3) ePD – based on the EDPB’s broader interpretation.
So what does that mean? Should we consider that Art. 5(3) ePD implicitly contains an “unless otherwise legally authorised or required” type of clause? Or does it mean that we can interpret the “service” consent exemption broadly, to also cover all ancillary uses of information to enable a service to be provided in general (and therefore not purely for the technical delivery of the service at one point in time to one specific user)? Or is it instead an indication that the EDPB’s new interpretation goes too far – and that the EDPB should have stuck to the actual scope of the GDPR?
This is just one example, but others were shared with us, notably in relation to the financial services industry and the online advertising world.
We are putting the finishing touches on a joint submission for various clients wishing to stay anonymous, and also on submissions that some clients are filing in their own name, and will comment on some of the other aspects that they cover during the next few days. [Also gratifying to see that many other companies and associations have drawn inspiration from my in-depth analysis of the guidelines!]
More than anything, I am looking forward to the EDPB’s (hopefully constructive and positive) reaction.