The EDPB welcomes the agreed negotiation mandate adopted by the Council on the protection of privacy and confidentiality in the use of electronic communication services (‘the Council’s position’), as a positive step towards a new ePrivacy Regulation. It is of utmost importance that the EU general data protection framework is rapidly complemented with harmonised rules for electronic communications.
The text shows that the EDPB has concerns regarding the processing and retention of electronic communication data for the purposes of law enforcement and safeguarding national security, and does not support the Council’s position to exclude this from the scope of the ePrivacy Regulation.
On confidentiality, the EDPB thinks that confidentiality of communications is a fundamental right protected under Article 7 of the Charter, already implemented by the ePrivacy Directive. This right to confidentiality must be applied to every electronic communication, regardless of the means by which it is sent, at rest and in transit, from the sender to the receiver, and must also protect the integrity of every user’s terminal equipment.
The EDPB is also concerned that some exceptions (in particular Article 6(1)(c), Article 6b(1)(e), Article 6b(1)(f), Article 6c) introduced by the Council seem to allow for very broad types of processing, and recalls the need to narrow down those exceptions to specific and clearly defined purposes. In any case, those specific purposes should be explicitly listed in order to ensure legal certainty and the highest possible degree of protection.
It also thinks that the provisions on consent under the GDPR apply in the context of the ePrivacy rules. Therefore, the EDPB considers that the necessity to obtain genuine, freely given consent should prevent service providers from using unfair practices such as “take it or leave it” solutions, which make access to services and functionalities conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user.
On metadata processing, the EDPB stresses that the derogation for audience measurement should be limited to low-level analytics necessary for the analysis of the performance of the service requested by the user, should be solely limited to providing statistics to the service operator, and must be put in place by the operator or their processors. Therefore, this processing operation cannot give rise, by itself or in combination with other tracking solutions, to any singling-out or any profiling of users by the provider or other data controllers.
On consent and cookie fatigue, the EU data protection board considers that the ePrivacy Regulation should improve the current situation by giving back control to the users and addressing “consent fatigue”. Article 4a should go further and oblige browsers and operating systems to put in place a user-friendly and effective mechanism allowing controllers to obtain consent, in order to create a level playing field between all actors. The scope of the Regulation should also explicitly include browser and operating system providers.