European privacy authorities issue opinion on the ePrivacy regulation
The European Data Protection Authorities (DPAs) of the Article 29 Working Party welcome the proposal for an ePrivacy Regulation. The Working Party welcomes the choice of a regulation as the regulatory instrument because this ensures that rules are uniform across the entire EU, and it provides clarity for supervisory authorities and organisations alike. The inclusion of Over-The-Top (OTT) providers is necessary, so that these services guarantee the same level of confidentiality of communications as traditional telecoms operators. The Working Party also welcomes the principled approach of broad prohibitions and narrow exceptions, as well as the attempt to modernize the rules applicable to tracking in the online world. However, the DPAs note 4 points of concern in the opinion, adopted last week.
The ePrivacy Regulation supplements the General Data Protection Regulation (GDPR) and deals specifically with electronic communications, such as telephone and internet. Examples include the confidentiality of e-mails and text messages and the use of metadata.
The DPAs have serious concerns about 4 provisions which undermine the level of protection accorded by the GDPR. The data protection authorities encourage the European legislature to adjust the ePrivacy Regulation taking these concerns into account.
WiFi tracking
The proposed Regulation gives the impression that organisations may collect information emitted by terminal equipment to track the physical movements of individuals, such as WiFi-tracking or Bluetooth-tracking, without the consent of the individual concerned. Apparently, organisations collecting these data could comply by means of a notice informing users to switch off their devices if they do not want to be tracked.
However, the obligations in the ePrivacy Regulation for the tracking of the location of terminal equipment should be in line with the GDPR requirements. Such tracking under the GDPR is likely either to be subject to consent, or may only be performed if the personal data collected are anonymised. In the latter case, the following 4 conditions have to be complied with: (i) the purpose of the data collection from terminal equipment is restricted to mere statistical counting, (ii) the tracking is limited in time and space to the extent strictly necessary for this purpose, (iii) the data will be deleted or anonymised immediately afterwards, and (iv) there are effective opt-out possibilities. In this respect, the Working Party invites the European Commission to promote a technical standard for mobile devices to automatically signal an objection against such tracking.
Analysis of content and metadata
Metadata and content are both highly sensitive data, and should be granted the same high level of protection. The starting point in the ePrivacy Regulation should be that it is prohibited to process metadata as well as content without the consent of all end-users, senders as well as recipients. To allow providers to provide services explicitly requested by the user, for example search and indexing functionality, or text-to-speech services, there should be a domestic exception for the processing of content and metadata for the purely personal purposes of the user himself or herself.
Tracking walls
With regard to consent for tracking, the ePrivacy Regulation should explicitly prohibit tracking walls, that is, take-it-or-leave-it choices that force users to consent to tracking if they want to have access to the service.
Privacy by default
Terminal equipment and software must offer privacy-protective settings by default, and offer clear options to users to confirm or change these default settings upon installation. The settings must be easily accessible during use. In the GDPR, a conscious policy choice has been made to introduce the principles of data protection and privacy by design and by default. The proposed ePrivacy Regulation undermines these principles with regard to communications and device data. Users must be enabled to signal specific consent through their browser settings. Privacy preferences should not be limited to interference by third parties or be limited to cookies. The Working Party strongly recommends making adherence to the Do Not Track standard mandatory as a technical mechanism to ensure that users are given genuine choice and control over the interference with their devices.