Will all tracking need consent in future?
The purpose of Article 8 of the draft ePrivacy Regulation as it stands today is to protect users’ terminal equipment, i.e. their smartphones, computers and other devices, and is aimed at website and app operators.
Not all data processing related to the use of terminal equipment will require consent. The latest draft of the ePrivacy Regulation permits the use of session cookies that are technically necessary and of audience measuring tools without the consent of users (Article 8(1)(c) and (d)).
Under the current proposal from the Croatian Council presidency, it should also be possible in future for legitimate interests of the service provider to justify data processing in the context of using terminal equipment, provided that the interests or rights and freedoms of the user are not overriding. The interests of the users shall override if (i) the user is a child, (ii) the service provider processes, stores or collects data on the user's terminal equipment to analyse the characteristics of the user or build an individual profile, or (iii) the processing, storage or collection of data by the service provider includes special categories of personal data as set out in Article 9(1) of the GDPR (Article 8(1)(g)).
The Croatian presidency's draft would thus still require the user's consent to tracking for advertising purposes, regardless of whether this tracking is performed using the provider’s own cookies or third-party cookies.
Article 10 of the early first draft of the ePrivacy Regulation imposes obligations on providers of software enabling electronic communication, i.e. providers of Internet browsers in particular. In accordance with the principle of privacy by design, the user should be able to prevent third parties from storing information on the user’s terminal equipment or from processing such information, e.g. via their browser settings (Article 10(1) of the first draft). This provision therefore applies in particular to third-party cookies.
The current Council presidency, like previous presidencies, recently voted for the deletion of Article 10 in its entirety. It thus remains to be seen whether this obligation on software providers is eventually adopted or not.
How must consent be implemented?
With regard to the implementation of consent, the ePrivacy Regulation largely refers to the provisions of the GDPR, thereby imposing strict conditions. Consent must be given voluntarily, for a specific purpose, with knowledge of the facts and unambiguously; it must also be as easy to revoke consent as it was to grant it (see also Working Paper 259 Rev. 01 of the Article 29 Data Protection Working Group).
Having said that, two simplifications are being discussed in relation to the provisions in the current draft of the ePrivacy Regulation on the protection of information stored on terminal equipment. Firstly, users should also be able to express their consent, as far as technically feasible, via software settings in browsers and similar software. Nonetheless, this is not intended to water down GDPR requirements with regard to consent. Secondly, if the controller is not in a position to identify the person concerned, he should be allowed to demonstrate consent by means of technical logging data.
What applies during the transitional period?
With regard to the transitional period of currently 24 months from the date of entry into force until the ePrivacy Regulation comes into effect (Article 29(2)), there has been some support for the GDPR, the Federal Data Protection Act (BDSG) and the Telemedia Act (TMG) continuing to apply in parallel. Although Article 95 of the GDPR expressly governs the relationship with the existing Directive on Privacy and Electronic Communications (2002/58/EC) and leaves its provisions unaffected, interaction of the legislation nonetheless gives rise to considerable legal uncertainty. As a result, different views have been expressed regarding the legality of website tracking, for example, ranging from a need for consent to the view that it is only necessary to provide an objection option (section 15(3), TMG).
With regard to the legal situation in Germany, there is disagreement as to whether the provisions of the Telemedia Act (sections 11 ff., TMG) relating to online tracking constitute an implementation of the Directive on Privacy and Electronic Communications and therefore continue to apply alongside the GDPR, or whether the GDPR is solely applicable since 25 May 2018.
The Conference of Independent Data Protection Authorities of the German Federal Government and the Federal States published opinions on this matter in April 2018 and in March 2019. Their view is that the provisions of sections 11 ff. of the TMG ceased to be applicable when the GDPR came into effect. This means that compliance of online tracking must be judged solely in terms of the GDPR. With regard to tracking mechanisms, in particular for advertising purposes, the authorities currently take the view that they require the consent of data subjects as set out in the GDPR (Article 6(1)(a), Article 7, GDPR).
Since the ECJ ruling of 1 October 2019 (Planet49 – Case C-673/17) in particular, it would be difficult to argue otherwise and support the applicability of sections 11 ff. of the TMG. The ECJ has now also ruled that agreement in the sense of active consent by the user is required for the setting of cookies that are not technically necessary for use, i.e. in particular with regard to cookies used for advertising purposes. Pre-ticked boxes or similar methods are not sufficient, according to the court. The ECJ has thus rejected the view that providing an objection option is all that is needed in the case of cookies for advertising purposes (section 15(3) TMG).
What about offline tracking?
The ePrivacy Regulation also aims to restrict offline tracking, which to date has not been explicitly regulated. This includes the use of data sent from devices such as smartphones for network connectivity purposes. Such data is required by radio standards like WLAN and Bluetooth in order for devices to establish and maintain connections with each other.
These signals can also be used to (re-)identify devices and thus indirectly also their users, and to locate and track them within the range of a network. Recital 25 of the Regulation states that this information could also be used for more intrusive purposes than statistical counting, such as re-identification of a device (and thus probably of its owner) or to send personalised messages to end-users.
The Commission’s draft ePrivacy Regulation provided for a ban on collecting such data except exclusively for the purpose of establishing a connection; alternatively, a notice could be displayed in accordance with Article 13 of the GDPR and the data subject could be informed as to how to stop or minimise the collection.
Parliament’s proposal and the Council’s current draft, on the other hand, provide for the user’s consent in addition to information on data collection. Alternatively, however, they allow data to be collected which is processed solely for statistical purposes and which is anonymised or deleted once its purpose has been fulfilled. To this end, users must be given an objection option which must not impair the functioning of the terminal equipment. It is unclear whether this requirement is technically feasible.
Ban on cookie walls on websites?
One of the most controversial issues within the upcoming trilogue procedure on the ePrivacy Regulation will be a possible ban on tracking walls, also known as cookie walls.
The drafts of the Commission and the Council from early 2017 did not contain any specific provisions on tracking walls/cookie walls. The European Parliament’s draft of 26 October 2017 differs in this respect: in Article 8(1)(1)(b) and recital 22, it called for an explicit ban on this practice for the first time.
The Council has so far not fully adopted the European Parliament’s proposal. The draft produced by the Finnish presidency of the Council dated 26 July 2019 sought to strike a balance in recital 20 between the interests of website operators on the one hand and the interests of users on the other (as did the previous draft of February 2019). Accordingly, it would generally be permissible to make access to free website content conditional on users’ consent to the use of tracking cookies. This would apply in particular if the user has the choice of two comparable offerings and one of them does not require consent to tracking. Different rules would apply if the user has no choice but to consent to the use of tracking cookies when accessing certain services for which there are no alternatives. Services provided by public authorities were cited as an example.
According to observers of the Brussels scene, the German government is advocating that cookie walls should be explicitly allowed. Consumer protection agencies criticise this move as circumventing the ban on performance of a contract being made conditional on consent to unnecessary data processing, as stipulated in Article 7(4) of the GDPR.
The draft published by the Croatian Council presidency on 21 February 2020 departs from the Finnish proposals and, in recital 20, no longer provides for privileged treatment of tracking or cookie walls.
The differing views held by the German government, the Commission and the Council on the one hand and the European Parliament on the other with regard to cookie walls highlight the different interests currently competing for influence in Brussels. It remains to be seen whether publishers and digital companies or consumer organisations and data protectors will ultimately prevail in the matter of cookie walls.