The applicability of the ePrivacy Directive to new tracking technologies from a practical point of view: the European Data Protection Committee speaks out
Faced with the high speed of technological progress that we are currently experiencing, there is a danger that the law will be left behind and, with it, the possibility of new situations that are not regulated.
This occurs, among others, in the field of electronic communications and in relation to the protection of users against how others can use their information using electronic devices, on which today's society depends.
In recent years, tracking technologies (cookies, pixels, among others) through web pages and apps have become something to talk about, being the most relevant regulatory standard in the European Union, known as ePrivacy Policy. This rule imposes the obligation that the installation or access to tracking technologies be preceded by sufficient information to users, as well as the obligation to, in most cases, obtain the consent of the interested parties.
The emergence of more and more technologies whose function is to obtain information from devices for different purposes, has led the European Data Protection Committee (CEPD) to the publication of a Guide to interpreting Article 5.3 of the Directive (the one who imposes these obligations) so that there are no doubts as to their application to technologies that have been appearing in recent times when advances are being made at great speed.
The methodology used by the CEPD in the guidelines for the exhaustive interpretation of the above-mentioned article is to break down the terms used to interpret them.
Article 5.3 applies when”the use of electronic communication networks is allowed for the purpose of storing information or obtaining access to information stored on the terminal equipment of a subscriber or user”.
“Information”
The key to the interpretation of this term is to bear in mind that the concept of “personal data” is not being used but is going further, with a much broader term that does not require that the person to whom the information refers to make that subject identifiable, either directly or indirectly.
In what cases can this be relevant? In cases where the installation is done on the computer that does not contain personal information of a specific person and that, even so, falls under the Scope of the analyzed article.
In other words, the installation of technologies on a device falls under the scope of application of this article regardless of whether that terminal contains personal information or not.
“Terminal equipment of a subscriber or user”
The protection provided by Article 5.3 of the Directive is not only carried out in relation to the confidentiality of the information contained, but is also intended to safeguard the “integrity of the terminal equipment itself”.
Protection is granted:
- Regardless of whether the parts that make up the equipment make up a hardware structure.
- Regardless of the ownership or joint use of the equipment, that is, the fact that the same computer or terminal is used by different users, as well as the fact that the same communication involves different teams.
As a case excluded from the application of the article, the CEPD identifies equipment that is not an end point of a communication and only transmits information without making any modification of that information, since in this context they will not be considered terminal equipment.
“Electronic communication networks”
According to the CEPD, an electronic communication network is any network system that allows the transmission of electronic signals between its nodes, regardless of the equipment and protocols used.
That is, regardless of whether the infrastructure used is public or private, and regardless of the way in which it is managed. Nor does it make any difference how many computers or devices are connected to the network at the same time.
“Gaining Access”
In the words of the CEPD, “Whenever the accessing entity wishes to obtain the information stored in the terminal equipment and actively adopts measures for that purpose, Article 5.3 may be applied. In general, this involves the accessing entity proactively sending specific instructions to the terminal equipment in order to receive back the desired information. ”
The CEPD draws attention to the fact that accessing and storing are not equivalent or cumulative. In addition, both acts do not have to be carried out by the same person or entity.
“Information Storage” and “Stored Information”
The article analyzed will be applicable when it comes to both the storage of information, or access to the stored information.
With regard to the first, information storage is understood as the placement of information on a physical electronic storage medium that forms part of a user's terminal equipment. Normally, giving instructions to the software of the terminal equipment to generate specific information, such as the storage of cookies in a browser.
With regard to the second, article 5.3 will apply when information stored by the user, or by a hardware manufacturer, or any other entity is accessed; whether it results from the receivers integrated into the terminal; or is produced through the processes and programs executed on the terminal equipment.
After this analysis of Article 5.3 of the ePrivacy Directive, the CEPD analyzes, by way of example and not limitative, some use cases in which it applies the interpretation determined throughout the guidelines.
Specifically, it analyzes and explains the reason for the application of the studied article in the following cases:
- Tracking through pixels embedded in web pages
- Local tracking through APIs
- Tracking based on IP address only
- Tracking through IoT
- Tracking using unique identifiers
In short, this is the measure that, for the time being, the CEPD has adopted so that Article 5.3 continues to apply to emerging tracking technologies, trying to prevent it from becoming outdated in the face of their rapid progress.
This is, without a doubt, a feasible solution at the present time, but one that should not make us forget the need for the law itself to be constantly changing to avoid its outdated nature, which creates a situation of legal insecurity.
Sara Hervías Costa, Senior Privacy Counsel, Legal Army