Article 29 Working Party Opinion on the Proposed ePrivacy Regulation

April 6, 2017

The Article 29 Working Party has published its comments on
the proposal for a new ePrivacy Regulation. Its Opinion can be downloaded here. The Opinion
welcomes inter alia the following:

  • the choice of a regulation as the regulatory instrument – thus ensuring
    that rules are uniform across the entire EU, providing clarity for
    supervisory authorities and organisations alike and ensuring consistency
    with the GDPR
  • the decision to make the authority responsible for monitoring compliance
    with the GDPR also responsible for the enforcement of ePrivacy rules
  • the draft’s principled approach, using broad prohibitions and narrow
    exceptions, and the targeted application of the concept of consent
  • the expansion of the scope of the Proposed Regulation to include
    Over-The-Top (OTT) providers
  • the application of the Proposed Regulation to content and associated
    metadata and its recognition that metadata may reveal very sensitive data.

However, the Working Party also raises four points of grave
concern, relating to:

  • the tracking of the location of terminal equipment
  • the conditions under which the analysis of content and metadata is allowed
  • tracking walls
  • the default settings of terminal equipment and software.

In these respects, the Opinion suggests that the Proposed
Regulation would lower the level of protection enjoyed under the GDPR and
suggests how to remedy this.

With regard to WiFi-tracking, depending on the circumstances
and purposes of the data collection, such tracking under the GDPR is likely
either to be subject to consent, or may only be performed if the personal data
collected is anonymised. In the latter case, the following four conditions have
to be complied with: the purpose of the data collection from terminal equipment
is restricted to mere statistical counting, the tracking is limited in time and
space to the extent strictly necessary for this purpose, the data will be deleted
or anonymised immediately afterwards, and there are effective opt-out
possibilities. The European Commission is invited to promote a technical
standard for mobile devices to automatically signal an objection against such
tracking.

With regard to the analysis of content and metadata, the
starting point should be that it is prohibited to process communications data
without the consent of all end-users (senders and recipients). To allow
providers to provide services explicitly requested by the user, such as
search and indexing functionality, or text-to-speech services, there should be
a domestic exception for the processing of content and metadata for the purely
personal purposes of the user him or herself.

With regard to consent for tracking, the Working Party calls
for an explicit prohibition on tracking walls, that is, take it or leave it
choices that force users to consent to tracking if they want to have access to
the service.

The Working Party recommends that terminal equipment and software must by
default offer privacy protective settings, and offer clear options to users
to confirm or change these default
settings during installation. The settings must be easily accessible during
use. Users must be enabled to signal specific consent through their browser
settings. Privacy preferences should not be limited to interference by third
parties or be limited to cookies. The Working Party strongly recommends making
adherence to the Do Not Track standard mandatory.

The Working Party has also expressed concern about other
issues, including direct marketing, and seeks clarification on a number of
points.