Will all tracking need consent in future?
Article 8 of the draft ePrivacy Regulation of 10 February 2021, as it stands today, is intended to protect users’ terminal equipment, i.e. their smartphones, computers and other devices, and is aimed at website and app operators.
Not all data processing related to the use of terminal equipment will require consent. The latest draft of the ePrivacy Regulation permits the use of session cookies that are technically necessary and of audience measuring tools without the consent of users (Article 8(1)(a), (c) and (d)).
Under the current proposal by the EU Council of Ministers, it should also be possible in future to justify data processing in the context of using terminal equipment by determining a purpose compatibility between the purpose of the original collection of data and the purpose of the intended further processing. When balancing the interests in this respect the following, among other things, must be taken into account in accordance with Article 8(1)(g):
- (i) whether, and if so which, connections there are between the original collection of the data and the intended further processing,
- (ii) the context in which the data were originally collected, especially the relationship between end user and provider,
- (iii) the modalities of collecting and further processing, especially whether special categories of personal data pursuant to Article 9(1) GDPR are being disclosed,
- (iv) the consequences of the further processing for the end user and
- (v) the use of possible security mechanisms, especially encryption or pseudonymisation.
What is more, such further processing is only possible if it is ensured, in accordance with Article 8(1)(h), that:
- (i) the information will be erased or anonymised immediately after the purpose has been achieved,
- (ii) only pseudonymised information is further processed and
- (iii) the information is not used to analyse the characteristics of a user or to build an individual profile of a user.
The draft of the EU Council of Ministers would thus still require the user's consent to tracking for advertising purposes, regardless of whether this tracking is performed using the provider’s own cookies or third-party cookies.
Article 10 of the early first draft of the ePrivacy Regulation imposes obligations on providers of software enabling electronic communication, i.e. providers of Internet browsers in particular. In accordance with the principle of privacy by design, the intention is for the user to be able to prevent third parties from storing information on the user’s terminal equipment or from processing such information, via, e.g. their browser settings (Article 10(1) of the first draft). Such a provision would therefore apply in particular to third-party cookies.
The Portuguese Council presidency, like previous presidencies, recently voted for the deletion of Article 10 in its entirety. Instead, however, recital 20a suggests enabling what is referred to as "whitelisting". Software providers are encouraged to make it easy for users to create and modify whitelists in their browsers at any time and to withdraw their consent. However, the user's consent, given directly at the request of the service used, is intended to always take precedence over such software settings and be taken into account accordingly.
How must consent be implemented?
With regard to the implementation of consent, the ePrivacy Regulation largely refers to the provisions of the GDPR, thereby imposing strict conditions. Consent must be given voluntarily, for a specific purpose, with knowledge of the facts and unambiguously; it must also be as easy to revoke consent as it was to grant it (see also Working Paper 259 of the Article 29 Data Protection Working Group Rev. 01).
Having said that, two simplifications are being discussed in relation to the provisions in the (current) draft of the ePrivacy Regulation on the protection of information stored on terminal equipment. Firstly, users should also be able to express their consent, as far as technically feasible, via software settings in browsers and similar software. Nonetheless, this is not intended to water down GDPR requirements with regard to consent. Secondly, if the controller is not in a position to identify the person concerned, he should be allowed to demonstrate consent by means of technical logging data.
What applies during the transitional period?
With regard to the transitional period of currently 24 months from the date of entry into force until the ePrivacy Regulation comes into effect (Article 29(2)), there has been some support for the GDPR, the Federal Data Protection Act (BDSG) and the Telemedia Act (TMG) continuing to apply in parallel. Although Article 95 of the GDPR expressly governs the relationship with the existing Directive on Privacy and Electronic Communications (2002/58/EC) and leaves its provisions unaffected, interaction of the legislation nonetheless gives rise to considerable legal uncertainty. As a result, different views have been expressed regarding the legality of website tracking, for example, ranging from a need for consent to the view that it is only necessary to provide an objection option (section 15(3), TMG).
With regard to the legal situation in Germany, there was disagreement as to whether the provisions of the Telemedia Act (sections 11 ff. TMG) relating to online tracking constitute an implementation of the Directive on Privacy and Electronic Communications and therefore continue to apply alongside the GDPR, or whether the GDPR is solely applicable since 25 May 2018.
The Conference of Independent Data Protection Authorities of the German Federal Government and the Federal States published opinions on this matter in April 2018 and in March 2019. Their view is that the provisions of sections 11 ff. of the TMG ceased to be applicable when the GDPR came into effect. This means that compliance of online tracking must be judged solely in terms of the GDPR. With regard to tracking mechanisms, in particular for advertising purposes, the authorities take the view that they require the consent of data subjects as set out in Article 6(1)(a), Article 7 GDPR.
Since the ECJ ruling of 1 October 2019 (Planet49 – Case C 673/17) in particular, it would be difficult to argue otherwise and support the applicability of sections 11 ff. of the TMG. The ECJ has now also ruled that agreement in the sense of active consent by the user is required for the setting of cookies that are not technically necessary for use, i.e. in particular with regard to cookies used for advertising purposes. Pre-ticked boxes or similar methods are not sufficient, according to the court. The ECJ has thus rejected the view that providing an objection option is all that is needed in the case of cookies for advertising purposes (section 15(3) TMG). In its ruling of 28 May 2020 (Cookie-Einwilligung II – I ZR 7/16) the German Federal Court of Justice, which had referred this question in these proceedings to the ECJ for a preliminary ruling, followed the case law of the ECJ and ruled that section 15(3) TMG must be construed in conformity with the Directive in such a way that active consent is required, whereas a box checked as default is not sufficient.
What about offline tracking?
The ePrivacy Regulation also aims to restrict offline tracking, which to date has not been explicitly regulated. This includes the use of data sent from devices such as smartphones for network connectivity purposes. Such data is required by radio standards like WLAN and Bluetooth in order for devices to establish and maintain connections with each other.
These signals can also be used to (re-)identify devices and thus indirectly also their users, and to locate and track them within the range of a network. Recital 25 of the ePrivacy Regulation states that this information could also be used for more intrusive purposes than statistical counting, such as re-identification of a device (and thus probably of its owner) or to send personalised messages to end-users.
The Commission’s draft ePrivacy Regulation provided for a ban on collecting such data except exclusively for the purpose of establishing a connection; alternatively, a notice could be displayed in accordance with Article 13 of the GDPR and the data subject could be informed as to how to stop or minimise the collection.
Parliament’s proposal and the Council’s current draft, on the other hand, provide for the user’s consent in addition to information on data collection. Alternatively, however, they allow data to be collected which is processed solely for statistical purposes and which is anonymised or deleted once its purpose has been fulfilled. To this end, users must be given an objection option which must not impair the functioning of the terminal equipment. It is unclear whether this requirement is technically feasible.
Ban on cookie walls on websites?
One of the most controversial issues within the upcoming trilogue procedure on the ePrivacy Regulation will be a possible ban on tracking walls, also known as cookie walls.
The drafts of the Commission and the Council of Ministers from early 2017 did not contain any specific provisions on tracking walls/cookie walls. The European Parliament’s draft of 26 October 2017 differs in this respect: in Article 8(1)(1)(b) and recital 22, it called for an explicit ban on this practice for the first time.
The Council of Ministers has so far not fully adopted the European Parliament’s proposal. The draft produced by the Finnish presidency of the Council dated 26 July 2019 sought to strike a balance in recital 20 between the interests of website operators on the one hand and the interests of users on the other (as did the previous draft of February 2019). Accordingly, it would generally be permissible to make access to free website content conditional on users’ consent to the use of tracking cookies. This would apply in particular if the user has the choice of two comparable offerings and one of them does not require consent to tracking. Different rules would apply if the user has no choice but to consent to the use of tracking cookies when accessing certain services for which there are no alternatives. Services provided by public authorities were cited as an example.
According to observers of the Brussels scene, the German government is advocating that cookie walls should be explicitly allowed. Consumer protection agencies criticise this move as circumventing the ban on performance of a contract being made conditional on consent to unnecessary data processing, as stipulated in Article 7(4) of the GDPR.
The draft published by the Croatian Council presidency on 21 February 2020 departed from the Finnish proposals and, in recital 20, no longer provided for privileged treatment of tracking or cookie walls.
The differing views held by the German government, the Commission and the Council of Ministers on the one hand and the European Parliament on the other with regard to cookie walls highlight the different interests currently competing for influence in Brussels. It remains to be seen whether publishers and digital companies or consumer organisations and data protectors will ultimately prevail in the matter of cookie walls.