Category Archives: ePrivacy

Planet49 CJEU Judgment brings some ‘Cookie Consent’ Certainty to Planet Online Tracking

The Court of Justice of the European Union published yesterday its long-awaited judgment in the Planet49 case, referred by a German Court in proceedings initiated by a non-governmental consumer protection organization representing the participants to an online lottery. It dealt with questions which should have been clarified long time ago, after Article 5(3) was introduced in Directive 2002/58 (the ‘ePrivacy Directive’) by an amendment from 2009, with Member States transposing and then applying its requirements anachronistically:

  • Is obtaining consent through a pre-ticked box valid when placing cookies on website users’ devices?
  • Must the notice given to the user when obtaining consent include the duration of the operation of the cookies being placed and whether or not third parties may have access to those cookies?
  • Does it matter for the application of the ePrivacy rules whether the data accessed through the cookies being placed is personal or non-personal?

The Court answered all of the above, while at the same time signaling to Member States that a disparate approach in transposing and implementing the ePrivacy Directive is not consistent with EU law, and setting clear guidance on what ‘specific’, ‘unambiguous’ and ‘informed’ consent means.

The core of the Court findings is that:

  • pre-ticked boxes do not amount to valid consent,
  • expiration date of cookies and third party sharing should be disclosed to users when obtaining consent,
  • different purposes should not be bundled under the same consent ask,
  • in order for consent to be valid ‘an active behaviour with a clear view’ (which I read as ‘intention’) of consenting should be obtained (so claiming in notices that consent is obtained by having users continuing to use the website very likely does not meet this threshold) and,
  • (quite consequential), these rules apply to cookies regardless of whether the data accessed is personal or not.

Unfortunately, though, the Court did not tackle one other very important issue: what does ‘freely given’ consent mean? In other words, would requiring and obtaining consent for placing cookies with the purpose of online tracking for behavioural advertising as a condition to access an online service, such as an online lottery (as in Planet49’s case), be considered as ‘freely given’ consent?

An answer to this question would have affected all online publishers and online service providers that condition access to their services on allowing online behaviour tracking cookies to be installed on user devices and rely on ‘cookie walls’ as a source of income for their businesses. What is interesting is that the Court included a paragraph in the judgment specifically enunciating that it does not give its view on this issue because it was not asked to do so by the referring German Court (paragraph 64). Notably, ‘freely given’ is the only one of the four conditions for valid consent that the Court did not assess in its judgment and that it specifically singled out as being left out in the open.

Finally, one very important point to highlight is that the entirety of the findings were made under the rules for valid consent as they were provided by Directive 95/46. The Court even specified that its finding concerning ‘unambiguous’ consent is made under the old directive. This is relevant because the definition of consent in Article 2(h) of Directive 95/46 only refers to ‘any freely given specific and informed indication’ of agreement. However, Article 7(a) of the directive provides that the data subject’s consent may make a processing lawful if it was given ‘unambiguously’.

With the GDPR, the four scattered conditions have been gathered under Article 4(11) and have been reinforced by clearer recitals. The fact remains that conditions for valid consent were just as strong under Directive 95/46. The Court almost pointedly highlights that its interpretation is made on the conditions provided under the old legal regime and they only apply to the GDPR ‘a fortiori’ (paragraph 60); (see here for what a fortiori means in legal interpretation).

Consequently, it seems that consent obtained for placing cookies with the help of pre-ticked boxes or through inaction or action without intent to give consent, even prior to the GDPR entering into force, has been unlawfully obtained. It remains to be seen if any action by supervisory authorities will follow to tackle some of those collections of data built relying on unlawfully obtained consent, or whether they will take a clean slate approach.

For a deeper dive into the key findings of the Planet49 CJEU judgment, read below:

Discrepancies in applying ePrivacy at Member State level, unjustifiable based on the Directive’s text

Before assessing the questions referred on substance, the Court makes some preliminary findings. Among them, it finds that ‘the need for a uniform application of EU law and the principle of equality require that the wording of a provision of EU law which makes no express reference to the law of the Member States for the purpose of determining its meaning and scope must normally be given an autonomous and uniform interpretation throughout the European Union’ (paragraph 47). Article 5(3) of the ePrivacy Directive does not provide any room for Member State law to determine the scope and meaning of its provisions, by being sufficiently clear and precise in what it asks the Member States to do (see paragraph 46 for the Court’s argument).

In practice, divergent transposition and implementation of the ePrivacy Directive has created different regimes across the Union, which had consequences for the effectiveness of its enforcement.

‘Unambiguous’ means ‘active behavior’ and intent to give consent

The Court starts its assessment from a linguistic interpretation of the wording of Article 5(3) of Directive 2002/58. It notes that the provision doesn’t require a specific way of obtaining consent to the storage of and access to cookies on users’ devices. The Court observes that ‘the wording ‘given his or her consent’ does however lend itself to a literal interpretation according to which action is required on the part of the user in order to give his or her consent.

In that regard, it is clear from recital 17 of Directive 2002/58 that, for the purposes of that directive, a user’s consent may be given by any appropriate method enabling a freely given specific and informed indication of the user’s wishes, including by ticking a box when visiting an internet website’ (paragraph 49).

The Court highlights that per Article 2(f) of Directive 2002/58 the meaning of a user’s ‘consent’ under the ePrivacy Directive is meant to be the same as that of a data subject’s consent under Directive 95/46 (paragraph 50). By referring to Article 2(h) of the former data protection directive, the Court observes that ‘the requirement of an ‘indication’ of the data subject’s wishes clearly points to active, rather than passive, behaviour’ (paragraph 52). The Court then concludes that ‘consent given in the form of a preselected tick in a checkbox does not imply active behaviour on the part of a website user’ (paragraph 52).

Interestingly, the Court points out that this interpretation of what ‘indication’ means ‘is borne out by Article 7 of Directive 95/46’ (paragraph 53), and in particular Article 7(2) which ‘provides that the data subject’s consent may make such processing lawful provided that the data subject has given his or her consent ‘unambiguously’’ (paragraph 54). So even if the definition of consent in Directive 95/46 does not refer to this condition in particular, the Court nevertheless anchored its main arguments in it.

The Court then made another important interpretation concerning what ‘unambiguous’ consent means: ‘Only active behaviour on the part of the data subject with a view to giving his or her consent may fulfil that requirement’ (paragraph 54). This wording (‘with a view to’) suggests that there is a condition of willfulness, of intent to give consent in order for the indication of consent to be lawful.

In addition, to be even clearer, the Court finds that ‘it would appear impossible in practice to ascertain objectively whether a website user had actually given his or her consent to the processing of his or her personal data by not deselecting a pre-ticked checkbox nor, in any event, whether that consent had been informed. It is not inconceivable that a user would not have read the information accompanying the preselected checkbox, or even would not have noticed that checkbox, before continuing with his or her activity on the website visited’ (paragraph 55).

A fortiori, it appears impossible in practice to ascertain objectively whether a website user had actually given his or her consent to the processing of his or her personal data by merely continuing with his or her activity on the website visited (continuing browsing or scrolling), nor whether the consent has been informed, given that the information presented to him or her does not even include a pre-ticked checkbox, which would at least give the opportunity to uncheck the box. Also, just as the Court points out, it is not inconceivable that a user would not have read the information informing him or her that by continuing to use the website they give consent.

With these two findings in paragraphs 54 and 55 the Court seems to clarify once and for all that informing users that by continuing their activity on a website signifies consent to placing cookies on their device is not sufficient to obtain valid consent under the ePrivacy Directive read in the light of both Directive 95/46 and the GDPR.

‘Specific’ means consent can’t be inferred from bundled purposes

The following condition that the Court analyzes is that of specificity. In particular, the Court finds that ‘specific’ consent means that ‘it must relate specifically to the processing of the data in question and cannot be inferred from an indication of the data subject’s wishes for other purposes’ (paragraph 58). This means that bundled consent will not be considered valid and that consent should be sought granularly for each purpose of processing.

‘Informed’ means being able to determine the consequences of any consent given

One of the questions sent for a preliminary ruling by the German Court concerned specific categories of information that should be disclosed to users in the context of obtaining consent for placing cookies. Article 5(3) of the ePrivacy Directive requires that the user is provided with ‘clear and comprehensive information’ in accordance with Directive 95/46 (now replaced by the GDPR). The question was whether this notice must also include (a) the duration of the operation of cookies and (b) whether or not third parties may have access to those cookies.

The Court clarified that providing ‘clear and comprehensive’ information means ‘that a user is in a position to be able to determine easily the consequences of any consent he or she might give and ensure that the consent given is well informed. It must be clearly comprehensible and sufficiently detailed so as to enable the user to comprehend the functioning of the cookies employed’ (paragraph 74). Therefore, it seems that using language that is easily comprehensible for the user is important, just as it is important to paint a full picture of the function of the cookies for which consent is sought.

The Court found specifically with regard to cookies that ‘aim to collect information for advertising purposes’ that ‘the duration of the operation of the cookies and whether or not third parties may have access to those cookies form part of the clear and comprehensive information’ which must be provided to the user (paragraph 75).

Moreover, the Court adds that ‘information on the duration of the operation of cookies must be regarded as meeting the requirement of fair data processing’ (paragraph 78). This is remarkable, since the Court doesn’t usually make findings in its data protection case-law with regard to the fairness of processing. Doubling down on its fairness considerations, the Court goes even further and links fairness of the disclosure of the retention time to the fact that ‘a long, or even unlimited, duration means collecting a large amount of information on users’ surfing behaviour and how often they may visit the websites of the organiser of the promotional lottery’s advertising partners’ (paragraph 78).

It is irrelevant if the data accessed by cookies is personal or anonymous, ePrivacy provisions apply regardless

The Court was specifically asked to clarify whether the cookie consent rules in the ePrivacy Directive apply differently depending on the nature of the data being accessed. In other words, does it matter whether the data being accessed by a cookie is personal or anonymized/aggregated/de-identified?

First of all, the Court points out that in the case at hand, ‘the storage of cookies … amounts to a processing of personal data’ (paragraph 67). That being said, the Court nonetheless notes that the provision analyzed merely refers to ‘information’ and does so ‘without characterizing that information or specifying that it must be personal data’ (paragraph 68).

The Court explained that this general framing of the provision ‘aims to protect the user from interference with his or her private sphere, regardless of whether or not that interference involves personal data’ (paragraph 69). This finding is particularly relevant for the current legislative debate over the revamp of the ePrivacy Directive. It is clear that the core difference between the GDPR framework and the ePrivacy regime is what they protect: the GDPR is concerned with ensuring the protection of personal data and fair data processing whenever personal data is being collected and used, while the ePrivacy framework is concerned with shielding the private sphere of an individual from any unwanted interference. That private sphere/private center of interest may include personal data or not.

The Court further refers to recital 24 of the ePrivacy Directive, which mentions that “any information stored in the terminal equipment of users of electronic communications networks are part of the private sphere of the users requiring protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms. That protection applies to any information stored in such terminal equipment, regardless of whether or not it is personal data, and is intended, in particular, as is clear from that recital, to protect users from the risk that hidden identifiers and other similar devices enter those users’ terminal equipment without their knowledge” (paragraph 70).

Conclusion

The judgment of the CJEU in Planet49 provides some much needed certainty about how the ‘cookie banner’ and ‘cookie consent’ provisions in the ePrivacy Directive should be applied, after years of disparate approaches from national transposition laws and supervisory authorities which led to a lack of effectiveness in enforcement and, hence, compliance. The judgment does leave open one ardent question: what does ‘freely given consent’ mean? It is important to note nonetheless that before reaching the ‘freely given’ question, any consent obtained for placing cookies (or similar technologies) on user devices will have to meet all of the other three conditions. If only one of them is not met, then that consent is invalid.

***

You can refer to this summary by quoting G. Zanfir-Fortuna, ‘Planet49 CJEU Judgment brings some ‘Cookie Consent’ Certainty to Planet Online Tracking’, http://www.pdpecho.com, published on October 3, 2019.

A Conversation with Giovanni Buttarelli about The Future of Data Protection: setting the stage for an EU Digital Regulator

The nature of the digital economy is such that it will force the creation of multi-competent supervisory authorities sooner rather than later. What if the European Data Protection Board were to become, in the next 10 to 15 years, an EU Digital Regulator, looking at matters concerning data protection, consumer protection and competition law, with “personal data” as the common thread? This is the vision Giovanni Buttarelli, the European Data Protection Supervisor, laid out last week in a conversation we had at the IAPP Data Protection Congress in Brussels.

The conversation was a one-hour session in front of an over-crowded room in The Arc, a cozy amphitheater-like venue that invites bold ideas to be expressed in a stimulating exchange.

To begin with, I reminded the Supervisor that at the very beginning of his mandate, in early 2015, he published the 5-year strategy of the EDPS. At that time the GDPR wasn’t adopted yet and the Internet of Things was taking off. Big Data had been a big thing for a while and questions about the feasibility and effectiveness of a legal regime that is centered around each data item that can be traced back to an individual were popping up. The Supervisor wrote in his Strategy that the benefits brought by new technologies should not happen at the expense of the fundamental rights of individuals and their dignity in the digital society.

Big data will need equally big data protection, he wrote then, suggesting thus that the answer to Big Data is not less data protection, but enhanced data protection.

I asked the Supervisor if he thinks that the GDPR is the “big data protection” he was expecting or whether we need something more than what the GDPR provides for. And the answer was that “the GDPR is only one piece of the puzzle”. Another piece of the puzzle will be the ePrivacy reform, and another one will be the reform of the regulation that provides data protection rules for the EU institutions and that creates the legal basis for the functioning of the EDPS. I also understood from our exchange that a big part of the puzzle will be effective enforcement of these rules.

The curious fate of the European Data Protection Board

One centerpiece of enforcement is the future European Data Protection Board, which is currently being set up in Brussels so as to be functional on 25 May 2018, when the GDPR becomes applicable. The European Data Protection Board will be a unique EU body: it will have a European nature, being funded by the EU budget, but it will be composed of commissioners from national data protection authorities who will adopt its decisions, and it will rely for its day-to-day activity on a European Secretariat. The Secretariat of the Board will be ensured by dedicated staff of the European Data Protection Supervisor.

The Supervisor told the audience that he either already hired or plans to hire a total of “17 geeks” adding to his staff, most of whom will be part of the European Data Protection Board Secretariat. The EDPB will be functional from Day 1 and, apparently, there are plans for some sort of inauguration of the EDPB celebrated at midnight on the 24th to the 25th of May next year.

These are my thoughts here: the nature of the EDPB is as unique as the nature of the EU (those of you who studied EU Law certainly remember from the law school days how we were told that the EU is a sui generis type of economic and political organisation). In fact, the EDPB may very well serve as a test model for ensuring supervision and enforcement in other EU policy areas. The European Commission could test the waters to see whether such a mixed national/European enforcement mechanism is feasible.

There is a lot of pressure on effective enforcement when it comes to the GDPR. We dwelled on enforcement, and one question that inevitably appeared was about the trend that is starting to shape up in Europe, of having competition authorities and consumer protection authorities engaging in investigations together with, or in parallel with, data protection authorities (see here, here and here).

It’s time for a big change, and time for the EU to have a global approach, the Supervisor said. And a change that will require some legislative action. “I’m not saying we will need a European FTC (US Federal Trade Commission – n.), but we will need a Digital EU Regulator”, he added. This Digital Regulator would have the powers to also look into competition and consumer protection issues raised by the processing of personal data (so, in addition to data protection issues). Acknowledging that these days there is a legislative fatigue in Brussels surrounding privacy and data protection, the Supervisor said he will not bring this idea to the attention of the EU legislator right now. But he certainly plans to do so, maybe even as soon as next year. The Supervisor thinks that the EDPB could morph into this kind of Digital Regulator sometime in the future.

The interplay among these three fields of law has been on the Supervisor’s mind for some time now. The EDPS has already issued four Opinions that set the stage for this proposal: see the Preliminary Opinion on “Privacy and competitiveness in the age of Big Data: the interplay between data protection, competition law and consumer protection in the digital economy”, Opinion 4/2015 “Towards a new digital ethics”, Opinion 7/2015 “Meeting the Challenges of Big Data”, and finally Opinion 8/2016 on “coherent enforcement of fundamental rights in the age of Big Data”. So this is certainly something the data protection bubble should keep their eyes on.

Enhanced global enforcement initiatives

Another question that had to be asked on enforcement was whether we should expect more concentrated and coordinated action of privacy commissioners on a global scale, in GPEN-like structures. The Supervisor revealed that the privacy commissioners that meet for the annual International Conference are “trying to complete an exercise about our future”. They are currently analyzing the idea of creating an entity with legal personality that will look into global enforcement cases.

Ethics comes on top of legal compliance

Another topic the conversation turned to was “ethics”. The EDPS has been at the forefront of including the ethics approach in privacy and data protection law debates, by creating the Ethics Advisory Group at the beginning of 2016. I asked the Supervisor whether there is a danger that, by bringing such a volatile concept into the realm of data protection, companies would look at this as an opportunity to circumvent strict compliance and rely on self-assessments that their uses of data are ethical.

“Ethics comes on top of data protection law implementation”, the Supervisor explained. According to my understanding, ethics is brought into the data protection realm only after a controller or processor is already compliant with the law and, if they have to take equally legal decisions, they should rely on ethics to take the right decision.

We did discuss other things during this session, including the 2018 International Conference of Privacy Commissioners that will take place in Brussels, and the Supervisor received some interesting questions from the public at the end, including about the Privacy Shield. But a blog can only be this long.


Note: The Supervisor’s quotes are so short in this blog because, as the moderator, I did my best to follow the discussion and steer it rather than take notes. So the quotes come from the brief notes I managed to take during this conversation.

Highlights of the draft LIBE report on the ePrivacy Reg

The draft Report prepared by MEP Marju Lauristin for the LIBE Committee containing amendments to the ePrivacy Regulation was published last week on the website of the European Parliament.

The MEP announced she will be presenting the Report to her colleagues in the LIBE Committee on 21 June. The draft Report will need to be adopted first by the LIBE Committee and at a later stage by the Plenary of the European Parliament. The Parliament will then sit in the trilogue together with the European Commission and the Council (once it has also adopted an amended text), finding the compromise among the three versions of the text.

Overall, the proposed amendments strengthen privacy protections for individuals. The big debate of whether there should be an additional exemption to confidentiality of communications based on the legitimate interest of service providers and other parties to have access to electronic communications data was solved in the sense that no such exemption was proposed (following calls in this sense by the Article 29 Working Party, the European Data Protection Supervisor and a team of independent academics). The draft report also contains strong wording to support end-to-end encryption, as well as support for Do-Not-Track technology and a new definition of the principle of confidentiality of communications in the age of the Internet of Things.

Without pretending this is a comprehensive analysis, here are 20 points that caught my eye after a first reading of the amendments (added text is bolded and italicised):

1) Clarity regarding what legitimate grounds for processing prevail if both the GDPR and the ePrivacy Reg could apply to a processing operation: those of the ePrivacy Reg. (“Processing of electronic communications data by providers of electronic communications services should only be permitted in accordance with, and on a legal ground specifically provided for under, this Regulation” – Recital 5). The amendment to Recital 5 further clarifies the relationship between the GDPR and the ePrivacy Reg, specifying that the ePrivacy Reg “aims to provide additional and complementary safeguards taking into account the need for additional protection as regards the confidentiality of communications”.

2) The regulation should be applicable not only to information “related to” the terminal equipment of end-users, but also to information “processed by” it. (“…and to information related to or processed by the terminal equipment of end-users” – Article 2; see also the text proposed for Article 3(1)(c)). This clarifies the material scope of the Regulation, leaving less room for interpretation of what “information related to” means.

3) The link to the definitions of the Electronic Communications Code is removed. References to those definitions are replaced by self-standing definitions for “electronic communications network”, “electronic communications service”, “interpersonal communications service”, “number-based interpersonal communications service”, “number-independent interpersonal communications service” and “end-user”. For instance, the new definition proposed for “electronic communications service” is “a service provided via electronic communications networks, whether for remuneration or not, which encompasses one or more of the following: an ‘internet access service’ as defined in Article 2(2) of Regulation (EU) 2015/2120; an interpersonal communications service; a service consisting wholly or mainly in the conveyance of the signals, such as a transmission service used for the provision of a machine-to-machine service and for broadcasting, but excludes information conveyed as part of a broadcasting service to the public over an electronic communications network or service except to the extent that the information can be related to the identifiable subscriber or user receiving the information” (Amendment 49; my underline).

4) Limitation of the personal scope of key provisions of the Regulation to natural persons. The draft report proposes two definitions to delineate the personal scope of the Regulation: “end-users” and “users”. While an “end-user” is defined as “a legal entity or a natural person using or requesting a publicly available electronic communications service”, a “user” is defined as “any natural person using a publicly available electronic communications service (…)”. Key provisions of the Regulation are only applicable to users, and especially the proposed principle of confidentiality of communications (see Amendments 58 and 59). This proposal may unnecessarily limit the scope of application of the right to respect for private life, which, as opposed to the right to the protection of personal data, is theoretically (the CJEU has not yet explicitly stated this) recognised as also protecting the privacy and confidentiality of communications of legal persons (through correspondence with Article 8 ECHR and how it has been interpreted by the European Court of Human Rights; for an analysis, see p. 17 and following HERE). The current ePrivacy Directive equally protects the confidentiality of communications of both natural and legal persons.

5) Enhanced definition of “electronic communications metadata”, to also include “data broadcasted or emitted by the terminal equipment to identify users’ communications and/or the terminal equipment or its location and enable it to connect to a network or to another device”.

6) Enhanced definition of “direct marketing”, to also include advertising in video format, in addition to the written and oral formats, and advertising served or presented to persons, not only “sent”. Could this mean that the definition of direct marketing will cover street advertising panels reacting to the passer-by? Possibly.

7) Extension of the principle of confidentiality of communications to machine-to-machine communications. A new paragraph is added to Article 5 (Amendment 59): “Confidentiality of electronic communications shall also include terminal equipment and machine-to-machine communications when related to a user”.

8) “Permitted” processing of electronic communications data is replaced by “lawful” processing. This change of wording de-emphasises the character of “exemptions to a principle” that the permitted processing had relative to the general principle of confidentiality. This may have consequences when courts come to interpret the law.

9) While proposed wording for the existing lawful grounds for processing is stricter (processing is allowed “only if”; necessity is replaced with “technically strict necessity”), there are additional grounds for processing added (See Amendments 64 to 66, to Article 6; see also Amendments 77, 79, 80 to Article 8).

10) A “household exemption” is introduced, similar to the one provided for by the GDPR, enhanced with a “work purposes exemption”: “For the provision of a service explicitly requested by a user of an electronic communications service for their purely individual or individual work related usage (…)”. In such circumstances, electronic communications data may be processed “without the consent of all users”, but “only where such requested processing produces effects solely in relation to the user who requested the service” and “does not adversely affect the fundamental rights of another user or users”. This exemption raises some questions, and the first one is: does anyone use an electronic communications service for purposes other than “purely individual” or “work related” purposes? If you think so, leave a comment with examples. Another question is what “without the consent of all users” means (see Amendment 71, to Article 6).

11) An exception for tracking employees is included in the proposal. The collection of information from a user’s terminal equipment (for instance, via cookies) would be permitted “if it is necessary in the context of employment relationships”, but only to the extent the employee is using equipment made available by the employer and to the extent this monitoring “is strictly necessary for the functioning of the equipment by the employee” (see Amendment 82). It remains to be seen what “functioning of the equipment by the employee” means. This exemption seems to have the same effect as the one in Article 8(1)(a), which allows such collection of information if “it is strictly technically necessary for the sole purpose of carrying out the transmission of an electronic communication over an electronic communications network”. On the other hand, it should be kept in mind that the ePrivacy rules are not intended to apply to closed groups of end-users, such as corporate intranet networks, access to which is limited to members of an organisation (see Recital 13 and Amendment 11).

12) Consent for collecting information from terminal equipment “shall not be mandatory to access the service”. This means, for instance, that even if users do not consent to the placing of cookies tracking their activity online, they should still be allowed to access the service they are requesting. While this would already be considered a consequence of “freely given” consent, enshrining this wording in a legal provision certainly leaves no room for interpretation (see Amendment 78 to Article 8). Moreover, this limitation on collecting information is strengthened by a rule introduced as a separate paragraph of Article 8, according to which “No user shall be denied access to any information society service or functionality, regardless of whether this service is remunerated or not, on grounds that he or she has not given his or her consent under Article 8(1)(b) to the processing of personal information and/or the use of storage capabilities of his or her terminal equipment that is not necessary for the provision of that service or functionality.” (see Amendment 83). Such wording would probably put to rest concerns that personal data would be considered as “counter-performance” (equivalent to money) for services.

13) All further use of electronic communications data collected under ePrivacy rules is prohibited. A new paragraph inserted in Article 6 simply states that “Neither providers of electronic communications services, nor any other party, shall further process electronic communications data collected on the basis of this Regulation” (see Amendment 72).

14) Wi-fi tracking and similar practices involving the collection of information emitted by terminal equipment would only be possible with the informed consent of the user or if the data are anonymised and the risks are adequately mitigated (a third exception is, of course, when such data are accessed for the purposes of establishing a connection). This is a significant change compared to the Commission’s text, which allowed such tracking in principle, provided the user is informed and is given the possibility to opt out (“stop or minimise the collection”) (see Amendments 85, 86). The draft report also proposes a new paragraph to Article 8 containing measures to mitigate risks, including only collecting data for the purpose of “statistical counting”, anonymisation or deletion of data “immediately after the purpose is fulfilled”, and effective opt-out possibilities.

15) Significantly stronger obligations for privacy by default are proposed, with a clear preference for a Do-Not-Track mechanism. Article 10 is enhanced so that all software placed on the market must “by default, offer privacy protective settings to prevent other parties from storing information on the terminal equipment of a user and from processing information already stored on that equipment” (see Amendment 95). Opt-outs shall be available upon installation (Amendment 96). What is remarkable is a new obligation that “the settings shall include a signal which is sent to the other parties to inform them about the user’s privacy settings. These settings shall be binding on, and enforceable against, any other party” (see Amendment 99). The rapporteur explains at the end of the Report that “the settings should allow for granulation of consent by the user, taking into account the functionality of cookies and tracking techniques and DNTs should send signals to the other parties informing them of the user’s privacy settings. Compliance with these settings should be legally binding and enforceable against all other parties”.
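To make concrete what the obligations in points 12 and 15 would mean for a website operator, here is an added example (written for this post; it is not code from pdpEcho, from the LIBE report or from any existing product) of server-side logic that treats the browser’s Do-Not-Track signal as binding and never withholds the page when consent is absent. It assumes a first-party “consent” cookie whose value lists the purposes the user actively opted into (a constructed format, e.g. `consent=analytics+advertising`), and it assumes the `DNT: 1` header as the signal; the `Sec-GPC` (Global Privacy Control) header is not mentioned in the report and is included purely as an assumption about a later signal of the same kind.

```python
"""Honouring a browser privacy signal before setting cookies.

Added example; not code from pdpEcho or from the LIBE draft report.
Assumptions: a first-party "consent" cookie lists opted-in purposes
(constructed format), DNT: 1 is treated as binding, and Sec-GPC: 1 is
assumed to carry the same meaning.
"""
from http.cookies import SimpleCookie

# Cookie purposes. Only "necessary" cookies may be set without consent.
NECESSARY = "necessary"
ANALYTICS = "analytics"
ADVERTISING = "advertising"
CONSENT_PURPOSES = {ANALYTICS, ADVERTISING}

# Cookies the application would like to set, tagged with their purpose
# (constructed sample names and values).
CANDIDATE_COOKIES = [
    ("session", NECESSARY, "s3ss10n-id"),
    ("_ana", ANALYTICS, "visitor-42"),
    ("_ads", ADVERTISING, "segment-7"),
]


def privacy_signal_present(headers: dict) -> bool:
    """True when the user agent signals a tracking opt-out.

    Header names are matched case-insensitively. DNT: 1 is the
    Do-Not-Track value; Sec-GPC: 1 is assumed to be equivalent.
    """
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    return lowered.get("dnt") == "1" or lowered.get("sec-gpc") == "1"


def consented_purposes(cookie_header: str) -> set:
    """Parse the constructed consent cookie, e.g. consent=analytics+advertising.

    An absent or empty cookie means no consent: silence is not an active
    choice. Unknown purpose names are ignored rather than trusted.
    """
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except Exception:
        return set()
    if "consent" not in jar:
        return set()
    raw = jar["consent"].value
    return {p for p in raw.split("+") if p in CONSENT_PURPOSES}


def permitted_purposes(headers: dict) -> set:
    """Purposes for which cookies may be set on this response."""
    allowed = {NECESSARY}
    if privacy_signal_present(headers):
        # A binding signal overrides any stored consent: do not consult it.
        return allowed
    cookie_header = next(
        (v for k, v in headers.items() if k.lower() == "cookie"), ""
    )
    return allowed | consented_purposes(cookie_header)


def build_response(headers: dict, body: str) -> dict:
    """Always serve the content (status 200); only the Set-Cookie list varies."""
    allowed = permitted_purposes(headers)
    set_cookie = [
        f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"
        for name, purpose, value in CANDIDATE_COOKIES
        if purpose in allowed
    ]
    return {"status": 200, "body": body, "set_cookie": set_cookie}


if __name__ == "__main__":
    # Constructed requests: a DNT browser that still carries an old consent
    # cookie, a user who opted into analytics only, and a first visit.
    for hdrs in (
        {"DNT": "1", "Cookie": "consent=analytics+advertising"},
        {"Cookie": "consent=analytics"},
        {},
    ):
        print(hdrs, "->", build_response(hdrs, "<html>page</html>")["set_cookie"])
```

The two design points worth noting are that the signal check comes before the consent cookie is even read, which is what “binding on, and enforceable against, any other party” implies, and that `build_response` has no branch that returns anything other than the requested body, which is the operational form of “shall not be mandatory to access the service”.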

16) A national Do Not Call register is proposed for opting out of unsolicited voice-to-voice marketing calls (see Amendment 111).

17) End-to-end encryption is proposed as a default security measure for ensuring the confidentiality of communications. Additionally, strong wording is included to prevent Member States from introducing measures amounting to backdoors. Under the title of “integrity of the communications and information about security risks”, Article 17 is amended to include a newly introduced paragraph that states: “The providers of electronic communications services shall ensure that there is sufficient protection in place against unauthorised access or alterations to the electronic communications data, and that the confidentiality and safety of the transmission are also guaranteed by the nature of the means of transmission used or by state-of-the-art end-to-end encryption of the electronic communications data. Furthermore, when encryption of electronic communications data is used, decryption, reverse engineering or monitoring of such communications shall be prohibited. Member States shall not impose any obligations on electronic communications service providers that would result in the weakening of the security and encryption of their networks and services” (my highlight) (see Amendment 116).

18) The possibility of class actions for infringement of the ePrivacy Regulation is introduced. End-users would have “the right to mandate a not-for-profit body, organisation or association” to lodge complaints or to seek judicial remedies on their behalf (see Amendments 125 and 126).

19) Infringement of the obligations covered by Article 8 (cookies, wi-fi tracking) would be sanctioned with the first tier of fines (the highest ones, up to EUR 20 million or 4% of global annual turnover), which is not the case in the Commission’s proposal (see Amendment 131).

As a bonus, here’s the 20th highlight:

20) Echoing the debate over data analytics using psychographic measurements to influence elections, the report amends an important recital (Recital 20) to refer to the fact that information on terminal equipment may reveal “very sensitive data”, including “details of the behaviour, psychological features, emotional condition and political and social preferences of an individual“. Among other reasons, this justifies the principle that any interference with the user’s terminal equipment should be allowed only with the user’s consent and for specific and transparent purposes (see Amendment 20; also, watch this video from last week’s Digital Assembly in Malta, where at around minute 6 the Rapporteur talks about this and points out that “without privacy there will be no democracy”).

Read more:

Other analyses of the LIBE draft report: HERE and HERE.

Overview of the ePrivacy initial proposal by the Commission: HERE.
