On Wednesday, November 15, 2023, the European Data Protection Board (“EDPB”) announced new draft guidance titled “Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive” (the “Guidelines”), which the EDPB says “aims to clarify which technical operations, in particular new and emerging tracking techniques, are covered by the Directive, and to provide greater legal certainty to data controllers and individuals.”
As background, Article 5(3) of the ePrivacy Directive (“ePD”) says that “Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent” or “as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.” The Guidelines clarify that Article 5(3) applies to many advertising and analytics technologies and connected devices, including connected cars and other “Internet of Things” (“IoT”) devices. Where Article 5(3) applies, a company may not store information on, or read information already stored on, a user’s terminal equipment without affirmative consent unless the strictly-necessary exemption applies, and this holds even where the information is not personal data.
In the Guidelines, the EDPB recognizes that “[w]hile the applicability of Article 5(3) of the ePrivacy Directive is well established and implemented for some tracking technologies such as cookies, there is a need to remove ambiguities related to the application of the said provision to emerging tracking tools.”
Criteria for Article 5(3) applicability
The Guidelines explain that Article 5(3) will apply if four elements are met. Specifically, it applies if the operations carried out (1) relate to “information,” (2) involve “terminal equipment,” (3) are made in the context of the “provision of publicly available electronic communications services in public communications networks,” and (4) constitute the “gaining of access” or “storage.”
1. The operations relate to “information”
The EDPB clarifies that “information” includes both personal data and non-personal data, citing the intent of the ePD and European Court of Justice precedent on the issue. It also clarifies that a third party still requires consent when accessing information on “terminal equipment,” regardless of who stored the data or how it was stored.
2. The operations involve “terminal equipment”
To understand the definition of “terminal equipment,” the EDPB states that the Guidelines build on the definition of “terminal equipment” provided in Directive 2008/63/EC (Directive on Competition in the Markets in Telecommunications Terminal Equipment). That definition states that terminal equipment is “equipment directly or indirectly connected to the interface of a public telecommunications network to send, process or receive information; in either case (direct or indirect), the connection may be made by wire, optical fibre or electromagnetically; a connection is indirect if equipment is placed between the terminal equipment and the interface of the network.” According to the Guidelines, “terminal equipment” is technology that allows for “correspondence” and “the legitimate interest of the legal persons to be carried out.” Note that the Guidelines do not provide a specific definition of “the legitimate interests” they refer to, but they state that “terminal equipment” can be the combination of several individual components. Examples include “smartphones, laptops, connected cars or connected TVs, [and] smart glasses.” The Guidelines also explain what terminal equipment is not: a device is not terminal equipment under Article 5(3) where it is not an endpoint, acts solely as a communication relay, and does not modify any information.
3. The operations are made in the context of providing “publicly available electronic communications services in public communications networks”
Significantly, the definition of “publicly available electronic communications services in public communications networks” is broad. The EDPB states that an electronic communications network is “any network system that allows transmission of electronic signals between its nodes, regardless of the equipment and protocols used.” The definition even covers ad-hoc networks, which the Guidelines describe as networks allowing terminal equipment to dynamically join or leave a mesh of other terminal equipment. Helpfully, the Guidelines clarify that the exact equipment and protocols used, the number of pieces of terminal equipment present at a given time, and how the network is deployed or managed do not influence whether a technology is an “electronic communications network.” However, the network must be “public,” which still includes networks that are limited to a subset of the public (e.g., because of a subscription or other eligibility requirements).
4. The operations constitute a “gaining of access” or “storage”
The final element for Article 5(3) applicability is whether a processing operation involves either or both “gaining access” to or “storing” information. In addition to activities like recalling cookies from a device to a server, the Guidelines clarify that an entity gains access to information when (1) the “entity distributes software on the terminal . . . that will then proactively call an API . . . endpoint over the network,” or (2) JavaScript code “instructs [a user’s] browser . . . to send asynchronous requests with the targeted content.” Article 5(3) applies because the entity “instructs the terminal equipment to send the information.” In addition, Article 5(3) may still apply even where one entity instructs a terminal to send data and a separate entity receives the information. This suggests that a company may not be able to avoid the application of Article 5(3) by using vendors to write the code that transmits information back to the company.
According to the Guidelines, “storage” occurs when an entity “plac[es] information on a physical electronic storage medium local to the terminal equipment,” typically by sending instructions to software on the terminal equipment to generate the “stored” information. These are the only requirements. Other details, such as the length of time the stored information persists, are inconsequential. The storage mechanism is also inconsequential. Storage may occur on “hard disc drives (HDD), solid state drives (SSD), flash drives, . . . random-access memory (RAM), . . . magnetic tape, or central processing unit (CPU) cache,” and “[t]he storage medium may be connected internally (e.g., through a SATA connection), externally (e.g., through a USB connection), or through a network protocol (e.g., a network-attached-storage device).” In practice this means that even transient in-memory state written by a script, not only a cookie or a file, counts as storage under the Guidelines.
Examples
Helpfully, the Guidelines provide a list of non-exhaustive examples of the applicability of Article 5(3), including examples of pixel and URL tracking, local processing, tracking based on IP only, IoT transmissions, and the use of unique identifiers:
· An e-commerce website engages in affiliate marketing using tracked links on the e-commerce website’s domain as well as a tracking pixel to detect whether its marketing emails have been opened by the recipient. The e-commerce website sends out a marketing email with a tracking pixel, constituting an instruction to the user’s terminal equipment to respond with a specified identifier. Another user accesses the e-commerce website via an affiliate marketing link and on a public communications network, engaging a caching mechanism on the user’s device. Both the tracked link and the tracking pixel are regulated by Article 5(3).
· An entity relies on local processing instructed by software installed on the user’s computer. The local processing produces information and makes it available via a client-side API to desired third parties. Code in the client-side API makes the produced information available to recipients by sending it over a network to a server. The client-side API is regulated by Article 5(3).
· An entity’s advertising relies solely on a user’s IP address to track their browsing online across domains. Gaining access to the IP address will trigger Article 5(3), but only where the IP address originates from the user’s terminal equipment (rather than, for example, being assigned by intermediate network equipment).
· An entity’s IoT product has a direct connection to a public communication network through the use of a cellular SIM card. The product is designed to locally cache information until a network is available, at which point it sends the dynamically stored data to a remote server. In this case, the IoT product is a terminal, and because it passes information to a remote server, it is regulated by Article 5(3).
· An entity’s IoT product does not have a direct connection to a public communication network, and instead is designed to relay information to the user’s smartphone through Bluetooth. The transmission from the IoT product to the device may fall outside of Article 5(3), but would be in scope when the smartphone or other relay device begins delivering the information to the server.
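The “gaining access” and “storage” operations described in the fourth criterion and in the pixel-tracking and client-side examples above can be inventoried mechanically. The following is an added example written for this page, not code from the EDPB, the Guidelines or the article: a heuristic, regex-based scanner that takes an HTML email or page and lists which operations would place information on the user’s terminal (storage) and which instruct the terminal to send information over the network (access), together with the hostnames that would receive it. All sample markup and hostnames are constructed for the example, and the pattern lists are illustrative, not exhaustive.

```javascript
// Added example (not from the EDPB Guidelines or the article): a heuristic
// static scanner that inventories, in a constructed HTML email or page, the
// operations the Guidelines describe as "storage" (placing information on the
// terminal) and "gaining access" (instructing the terminal to send
// information). It is regex-based on purpose and illustrates the distinction;
// it is not a parser to rely on for compliance decisions.

// Calls that place information on the user's terminal equipment ("storage").
const STORAGE_PATTERNS = [
  { re: /\blocalStorage\.setItem\s*\(/, mechanism: 'localStorage.setItem' },
  { re: /\bsessionStorage\.setItem\s*\(/, mechanism: 'sessionStorage.setItem' },
  { re: /\bdocument\.cookie\s*=/, mechanism: 'document.cookie assignment' },
  { re: /\bindexedDB\.open\s*\(/, mechanism: 'indexedDB.open' },
];

// Calls that instruct the browser to send information over the network
// ("gaining access", per the asynchronous-request example in the Guidelines).
const ACCESS_PATTERNS = [
  { re: /\bfetch\s*\(/, mechanism: 'fetch' },
  { re: /\bnavigator\.sendBeacon\s*\(/, mechanism: 'navigator.sendBeacon' },
  { re: /\bnew\s+XMLHttpRequest\s*\(/, mechanism: 'XMLHttpRequest' },
  { re: /\bnew\s+Image\s*\(/, mechanism: 'Image() request' },
];

// Hostnames of absolute http(s) URL literals in a script body: the entities
// that would receive what the terminal is instructed to send. The Guidelines
// treat the instructing entity and the receiving entity separately, so the
// recipient is recorded even when it differs from the page's own domain.
function recipientHosts(script) {
  const hosts = new Set();
  for (const m of script.matchAll(/["'](https?:\/\/[^"'\s]+)["']/g)) {
    try { hosts.add(new URL(m[1]).hostname); } catch { /* not a valid URL */ }
  }
  return [...hosts];
}

// <img> tags that carry a per-recipient query parameter or are 1x1: the
// "respond with a specified identifier" instruction from the email example.
function findTrackingPixels(html) {
  const findings = [];
  for (const m of html.matchAll(/<img\b[^>]*>/gi)) {
    const tag = m[0];
    const src = (tag.match(/\bsrc\s*=\s*["']([^"']+)["']/i) || [])[1];
    if (!src) continue;
    let url;
    try { url = new URL(src); } catch { continue; } // relative src: skip
    const dim = (attr) =>
      (tag.match(new RegExp(`\\b${attr}\\s*=\\s*["']?(\\d+)`, 'i')) || [])[1];
    const oneByOne = dim('width') === '1' && dim('height') === '1';
    const params = [...url.searchParams.keys()];
    if (oneByOne || params.length > 0) {
      findings.push({ kind: 'access', mechanism: 'tracking pixel',
                      host: url.hostname, params, oneByOne });
    }
  }
  return findings;
}

// Inline <script> bodies: storage calls and network-sending calls.
function findScriptOperations(html) {
  const findings = [];
  for (const m of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    const body = m[1];
    const hosts = recipientHosts(body);
    for (const p of STORAGE_PATTERNS) {
      if (p.re.test(body)) findings.push({ kind: 'storage', mechanism: p.mechanism, hosts: [] });
    }
    for (const p of ACCESS_PATTERNS) {
      if (p.re.test(body)) findings.push({ kind: 'access', mechanism: p.mechanism, hosts });
    }
  }
  return findings;
}

// Inventory of Art. 5(3)-relevant operations in a document, grouped by kind.
function scan(html) {
  const all = [...findTrackingPixels(html), ...findScriptOperations(html)];
  return {
    storage: all.filter((f) => f.kind === 'storage'),
    access: all.filter((f) => f.kind === 'access'),
  };
}

// Constructed sample inputs (hostnames are made up for this example):
// a marketing email with an open-tracking pixel and an ordinary banner image,
// and a page that stores an identifier locally, then beacons it to a third party.
const SAMPLE_EMAIL = `
<html><body>
  <p>Our spring sale starts today.</p>
  <a href="https://shop.example.test/sale?aff=partner42">Shop now</a>
  <img src="https://track.example.test/open.gif?rid=7f3a9c" width="1" height="1" alt="">
  <img src="https://shop.example.test/images/banner.png" width="600" height="200" alt="Sale">
</body></html>`;

const SAMPLE_PAGE = `
<html><body>
<script>
  let uid = localStorage.getItem('uid');
  if (!uid) { uid = crypto.randomUUID(); localStorage.setItem('uid', uid); }
  navigator.sendBeacon('https://collect.example.test/hit', JSON.stringify({ uid, p: location.pathname }));
</script>
</body></html>`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(scan(SAMPLE_EMAIL), null, 2));
  console.log(JSON.stringify(scan(SAMPLE_PAGE), null, 2));
}
```

On the sample email the scanner reports one access operation (the 1x1 pixel at track.example.test carrying the `rid` parameter) and ignores the banner image; on the sample page it reports one storage operation (`localStorage.setItem`) and one access operation (`sendBeacon` to collect.example.test). The tracked affiliate link in the email is deliberately not classified here: the Guidelines bring it into scope through the caching it triggers on the user’s device when followed, which a static scan of the email cannot observe.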
The Guidelines are open for public comment, and will remain open until December 28, 2023.
Cameron Cantrell is an Associate at Hintze Law with expertise in AI privacy and ethics, data security breach law, and biometric and surveillance technologies.
Hintze Law PLLC is a Chambers-ranked, boutique privacy firm that provides counseling exclusively on global data protection. Its attorneys and privacy analysts support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy and data security.