Paul Voigt, Axel von dem Bussche: The EU ePrivacy Regulation – Preliminary Guidance and Commentary

Article 6b ePrivacy Regulation [previous Art. 6(2)] – Permitted processing of electronic communications metadata

1. Without prejudice to Article 6 (1), providers of electronic communications networks and services shall be permitted to process electronic communications metadata only if:

(a) it is necessary for the purposes of network management or network optimisation, or to meet technical quality of service requirements pursuant to Directive (EU) 2018/1972 or Regulation (EU) 2015/2120; or

(b) it is necessary for the performance of an electronic communications service contract to which the end-user is party, or if necessary for billing, calculating interconnection payments, detecting or stopping fraudulent, or abusive use of, or subscription to, electronic communications services; or

(c) the end-user concerned has given consent to the processing of communications metadata for one or more specified purposes; or

(d) it is necessary in order to protect the vital interest of a natural person; or

(e) in relation to metadata that constitute location data, it is necessary for scientific or historical research purposes or statistical purposes, provided that:

i. such data is pseudonymised;

ii. the processing could not be carried out by processing information that is made anonymous, and the location data is erased or made anonymous when it is no longer needed to fulfil the purpose; and

iii. the location data is not used to determine the nature or characteristics of an end-user or to build a profile of an end-user.

(f) in relation to metadata other than location data, it is necessary for scientific or historical research purposes or statistical purposes, provided that such processing is in accordance with Union or Member State law and subject to appropriate safeguards, including encryption and pseudonymisation, to protect fundamental rights and the interest of the end-users and is in accordance with paragraph 6 of Article 21 and paragraphs 1, 2 and 4 of Article 89 of Regulation (EU) 2016/679.

2a. Data processed under point e and f of paragraph 1 of this article may also be used for the development, production and dissemination of official national and European statistics to the extent necessary for this purpose and in accordance, respectively, with national or Union law.

2. Without prejudice to Article 6 (3), electronic communications metadata processed pursuant to paragraph 1 (e) shall not be shared by the provider with any third party unless it has been made anonymous.

Art. 6b ePrivacy Regulation

(17) The processing of electronic communications metadata can be useful for businesses, consumers and society as a whole. Vis-à-vis Directive 2002/58/EC, this Regulation broadens the possibilities for providers of electronic communications services to process electronic communications metadata. However, end-users attach great importance to the confidentiality of their communications, including their online activities, and they also want to control the use of electronic communications metadata for purposes other than conveying the communication. Therefore, providers of electronic communications networks and services should be permitted to process electronic communications metadata after having obtained the end-users’ consent. In addition, those providers should be permitted to process an end-user’s electronic communications metadata where it is necessary for the provision of an electronic communications service based on a contract with that end-user and for billing related to that contract. Examples of commercial usages of electronic communications metadata by providers of electronic communications services may include the provision of heat maps; a graphical representation of data using colours to indicate the presence of individuals. To display the traffic movements in certain directions during a certain period of time, an identifier is necessary to link the positions of individuals at certain time intervals. This identifier would be missing if anonymous data were to be used and such movement could not be displayed. Such usage of electronic communications metadata could, for example, benefit public authorities and public transport operators to define where to develop new infrastructure, based on the usage of and pressure on the existing structure. 
Where a type of processing of electronic communications metadata, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, a data protection impact assessment and, as the case may be, a consultation of the supervisory authority should take place prior to the processing, in accordance with Articles 35 and 36 of Regulation (EU) 2016/679.

 

(17a) The processing of electronic communications metadata should also be regarded to be permitted where it is necessary in order to protect an interest which is essential for the life of the end-users who are natural persons or that of another natural person. Processing of electronic communications metadata for the protection of vital interests of the end-user may include for instance processing necessary for humanitarian purposes, including for monitoring epidemics and their spread or in humanitarian emergencies, in particular natural and man-made disasters. Processing of electronic communications metadata of an end-user for the protection of the vital interest of an end-user who is a natural person should in principle take place only where the processing cannot be manifestly based on another legal basis and where the protection of such interests cannot be ensured without that processing.

 

(17b) Processing of electronic communication metadata for scientific research or statistical purposes could also be considered to be permitted processing. This type of processing should be subject to safeguards to ensure privacy of the end-users by employing appropriate security measures such as encryption and pseudonymisation. In addition, end-users who are natural persons should be given the right to object. Processing for statistical counting and scientific purposes should only result in aggregated data, and not be used in support of measures or decisions regarding any particular natural person. In particular, such data should not be used to determine the nature or characteristics of an end-user, to build an individual profile or to draw conclusions concerning an end-user private life. Such usage of electronic communications metadata could, for example, benefit public authorities and public transport operators to define where to develop new infrastructure, based on the usage of and pressure on the existing structure. Such usage should also include processing that is necessary for the development, production and dissemination of official national or European statistics in accordance with national or Union law, to the extent necessary for this purpose.

 

(18) End-users may consent to the processing of their metadata to receive specific services such as protection services against fraudulent activities (by analysing usage data, location and customer account in real time). In the digital economy, services are often supplied against counter-performance other than money, for instance by end-users being exposed to advertisements. For the purposes of this Regulation, consent of an end-user, regardless of whether the latter is a natural or a legal person, should have the same meaning and be subject to the same conditions as the data subject’s consent under Regulation (EU) 2016/679. Basic broadband internet access and voice communications services are to be considered as essential services for individuals to be able to communicate and participate to the benefits of the digital economy. Consent for processing electronic communications data from internet or voice communication usage will not be valid if the data subject end-user has no genuine and free choice or is unable to refuse or withdraw consent without detriment.

 

(19) Third parties are legal or natural person that do not provide an electronic communications service to the end-user concerned. However, sometimes the same legal or natural person can also provide different kind of services to the same end-user, for example information society service such as cloud storage. With respect to the provision of this other service, the same legal person is normally deemed to be a third party. If the other service is necessary for the provision of the electronic communication service, such as automatic storage of the messages in the cloud by web-based email, the provider of such a service normally is not deemed to be a third party.

Electronic communications metadata is defined in Art. 4 Sec. 3 lit. c) ePrivacy Regulation (Art. 4 No. III.1.b). Electronic communications metadata can be summarized as data that needs to be processed in order to enable the transmission, distribution and exchange of electronic communications content or the transmission of corresponding signals. Unlike electronic communications content, electronic communications metadata refers to the communications process, i.e. the process of content transmission itself, and captures all basic information accompanying this process, e.g. time, duration, communication ports and location data.

The information covered by the notion of electronic communications metadata is classified as less sensitive in comparison to electronic communications content by the ePrivacy Regulation. Interference with this kind of electronic communications data is generally deemed to be less privacy-intrusive. This assessment results from a comparison of the legal bases of Art. 6a and Art. 6b, which demonstrates that a greater variety of possibilities exists for justifying the processing of electronic communications metadata. Furthermore, the option of further compatible processing within Art. 6c ePrivacy Regulation applies to electronic communications metadata only. Finally, the Recitals concerning the processing of electronic communications content explicitly emphasise the significance of this category of data (see Art. 6a No. I. et seqq.).[1] However, subject to specific preconditions, the processing of electronic communications metadata may also be particularly risk-prone with regard to the rights and interests of the protected end-users. In contrast to electronic communications content, the degree of risk associated with the processing of electronic communications metadata often does not result from the nature of the data itself, but arises from the type of processing, Recital 17. This refers to the nature, scope, context and purposes of the processing and is of particular relevance if new technologies are used within the processing, which might indicate high risks.[2] In such cases, it may even become necessary to conduct a data protection impact assessment in terms of Art. 35 GDPR (Recital 17) although it is explicitly and mandatorily foreseen only for the processing of electronic communications content according to Art. 6a Sec. 1 lit. b) under the ePrivacy Regulation.[3]

Art. 6b Sec. 1 ePrivacy Regulation provides for six permissions for the processing of electronic communications metadata for different purposes, which can be assigned to different groups based on the affected interests.[4] Art. 6b Sec. 1 lit. a) ePrivacy Regulation, for example, mainly serves the interests of the providers of electronic communications services and networks relying on the processing permission (Art. 6b No. I.1. et seqq.). These have to meet certain quality requirements due to legal obligations and have a major interest in optimising their services. Compliance with such quality requirements serves end-user interests only indirectly. The permission of Art. 6b Sec. 1 lit. d) ePrivacy Regulation serves the interests of third parties, while Art. 6b Sec. 1 lit. e) and lit. f) are assigned to public interests.

[1] Recital 2, 16a.

[2] Recital 17.

[3] Art. 6a Sec. 2 ePrivacy Regulation.

[4] This differs from the limited permissions for processing of electronic communications content enshrined in Art. 6a Sec. 1 ePrivacy Regulation, which strongly rely on the interests and discretion of the concerned end-users.

Art. 6b Sec. 1 lit. a) ePrivacy Regulation sets out very specific purposes for the processing of electronic communications data, all of which primarily serve the interests of the providers of electronic communications services or networks and from which the end-users concerned benefit only indirectly, if at all.

  1. Network management or optimisation

Art. 6b Sec. 1 lit. a) ePrivacy Regulation provides for the permission to process electronic communications data in order to manage and optimise networks, for which there is no counterpart in Art. 6 GDPR. However, the purposes to promote network management and optimisation correspond to cases of application in Art. 6 Sec. 1 lit. f) GDPR. Under the GDPR, optimisation and management of services such as individualisation of services or improvement of the usability are generally considered ‘legitimate interests’ of the data controllers subject to the GDPR and covered by Art. 6 Sec. 1 lit. f).[2] Whether a legal basis corresponding to Art. 6 Sec. 1 lit. f) GDPR should be introduced in the ePrivacy Regulation, which allows providers of electronic communications services to process electronic communications data on the basis of legitimate interests, was one of the main points of contention in the legislative process and the approach changed repeatedly in the various proposals of the Council Presidencies.[3] Art. 6 Sec. 1 lit. f) GDPR is a very general and vague clause.[4] This was a major factor of opposition to the introduction of such a provision in the ePrivacy Regulation.[5] The final version of the ePrivacy Regulation adopted by the Council does not include a processing permission based on ‘legitimate interest’ of electronic communications service and network providers.

By including the processing purposes of network management and optimisation, the legislator has now opted for the middle ground between the inclusion of ‘legitimate interests’ as a statutory permission for processing of electronic communications metadata on the one hand, and the complete rejection of such permission on the other. Although the broad notion of ‘legitimate interests’ per se has not been included as a legal basis for processing, at least two of its cases of application are explicitly recognized. That follows in particular from the proposal submitted by the Croatian Council Presidency in March 2020: It included ‘legitimate interests’ as an autonomous legal basis in Art. 6b Sec. 1 lit. e), while the related Recital 17b defined network management and optimisation as specific cases of application of such legitimate interests.[6] Thus, these purposes are generally classified as specific cases of legitimate interests of providers not only in the context of the GDPR, but also in the context of the ePrivacy Regulation. By including only these two specific use cases as permission for the processing of electronic communications metadata in the adopted Council version of Art. 6b Sec. 1 lit. a) ePrivacy Regulation, the legislator creates an important legal basis for electronic communications service and network providers, while remaining sufficiently specific to minimise legal uncertainty and the risk of abuse that would accompany a broader formulation.[7] However, with the deletion of the general permission regarding legitimate interests, all passages in the Recitals of the ePrivacy Regulation that referred to network management and optimisation as use cases of legitimate interest have also been deleted, despite these specific purposes being retained. Recital 17b of the Croatian proposal, for example, specified that network management or optimisation refer to processes for the development and management of the scalability and capacities of a network, i.e. the core of its functionality.[8] Despite a somewhat misguided removal of these Recitals in the legislative process, this interpretation still ought to be valid in the context of Art. 6b Sec. 1 lit. a) ePrivacy Regulation.

On the other hand, the provision now chosen by the legislator under Art. 6b Sec. 1 lit. a) ePrivacy Regulation rejects the possibility of weighing the interests in favour of the end-user. This is because the ePrivacy Regulation does not provide for the weighing of interests as the framework of Art. 6 Sec. 1 lit. f) GDPR requires. Rather, the general restrictions applicable to the statutory permissions for processing of electronic communications data apply, in particular necessity and purpose limitation (Art. 6 No. III. et seqq.).

  2. Technical quality of service requirements

According to Art. 6b Sec. 1 lit. a) ePrivacy Regulation, service providers are allowed to process electronic communications metadata if this is necessary to meet the ‘mandatory quality of service requirements’ set out by the EECC or Regulation (EU) 2015/2120. Neither of these referenced laws sets out mandatory quality of service requirements itself. Instead, they grant the power to define specific requirements to the Member States of the EU, subject to certain conditions:

– In order to obtain the authorization for the provision of electronic communications networks or services and the rights of use for radio spectrum (i.e. the use of specific radio frequencies) and numbering resources (e.g. telephone numbers), the Member States of the EU may impose quality of service requirements; Art. 13 Sec. 1 EECC Directive in conjunction with Annex I D.1[9] and Art. 55 Sec. 2 lit. b.

– For broadband internet access services and voice communications services (so-called ‘universal services’), minimum quality of service requirements need to be defined by the EU Member States according to Art. 84 EECC Directive.[10]

– National regulatory authorities may impose minimum quality of service requirements in order to ensure the provision of non-discriminatory internet access under Art. 5 Sec. 1 Regulation (EU) 2015/2120.

Consequently, there is no uniform European standard for the required minimum quality of a service or for the requirements applicable to meet such a standard. Where an EU Member State determines and imposes special quality of service requirements on the providers of electronic communications services or networks, the providers might be permitted to process electronic communications metadata in order to comply with and achieve the mandatory standard. In other Member States, where no such statutory quality standards exist, the permission of Art. 6b Sec. 1 lit. a) ePrivacy Regulation will not be available to providers of electronic communications services and networks. This may result in different assessments of the lawfulness of processing of electronic communications metadata in the Member States, despite the immediate and direct effect of the ePrivacy Regulation and the legislative intention to create a level playing field.

Simply speaking, the technical quality of service requirements which might be invoked in the context of the permission of Art. 6b Sec. 1 lit. a) ePrivacy Regulation refer to the proper functioning of such services.[11] The requirements considered necessary in order to achieve a certain technical quality standard of a service ought to enable the simplest possible and most accessible operation of the respective service, especially in terms of its reliability and availability. This understanding corresponds to the proximity of this purpose to the optimisation of networks and services enshrined in the same statutory permission (Art. 6b No. I.1.a) et seqq. above). Compliance with technical quality of service standards is assigned to the sphere of interest of the providers.[12]

[2] Konferenz der unabhängigen Datenschutzaufsichtsbehörden des Bundes und der Länder, Orientierungshilfe der Aufsichtsbehörden für Anbieter von Telemedien, March 2019, p. 12.

[3] While it was introduced in the proposal of the Croatian Presidency from 21 February 2020 (see Council of the European Union, Doc. No. 5979/20, p. 20) it was removed in the proposal of the German Presidency from 4 November 2020 (see Council of the European Union, Doc. No. 9931/10, p. 2-3).

[4] Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 103.

[5] EDPB, Statement of the EDPB on the revision of the ePrivacy Regulation and its impact on the protection of individuals with regard to the privacy and confidentiality of their communications from 28 May 2018, p. 1.

[6] Council of the European Union, Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) from 6 March 2020, Doc. No. 6543/20, p. 24.

[7] Cf. recital 47 GDPR from which the need for interpretation and balancing with regard to the applicable legitimate interests becomes apparent; Albers/Veit, in: Wolff/Brink, BeckOK-Datenschutzrecht (2020), Art. 6 para. 48.

[8] Council of the European Union, Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) from 6 March 2020, Doc. No. 6543/20, p. 26 et seq.

[9] See Rec. 74 EECC Directive.

[10] See Rec. 237 EECC Directive.

[11] Cf. Rec. 114 EECC Directive.

[12] See recital 17b of the Croatian Proposal, Council of the European Union, Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) from 6 March 2020, Doc. No. 6543/20, p. 27.

Providers of electronic communications services and networks may process electronic communications metadata if this is necessary for the performance of an electronic communications service contract with the end-user who is concerned by the relevant metadata. The purpose ‘performance of an electronic communications service contract’ is explicitly not limited to the provision of the agreed main service, but ought to encompass all activities associated with the performance of a contract that could require the processing of metadata.[13] Art. 6b Sec. 1 lit. a) ePrivacy Regulation lists billing, calculating interconnection payments but also detecting and countering fraudulent or abusive use of the contractually agreed electronic communications services, which are all considered necessary activities associated with the performance of a contract.[14]

The ePR Commission Proposal 2017 worded its permission corresponding to Art. 6b Sec. 1 lit. b) more narrowly. It enumerated the aforementioned activities relating to the performance of a contract (billing, calculation of payments, fraud detection), but did not envisage a more general umbrella term to which other purposes related to the performance of a contract could be assigned. The more general wording ‘performance of a contract’ was supplemented in the later course of legislation, mainly in order to adapt the wording to the GDPR.[15] However, this results not only in a harmonisation of terminology but also in an expansion of the scope of application: In principle, various purposes not explicitly listed in Art. 6b Sec. 1 lit. b) ePrivacy Regulation but related to the performance of an electronic communications service contract can eventually be covered under the notion of ‘performance of a contract’. Art. 6b Sec. 1 lit. b) ePrivacy Regulation is, thus, clearly not limited to the enumerated purposes of billing, calculating or fraud and abuse detection.[16] The supplementation of ‘performance of a contract’ generates a similar effect as the replacement of ‘achieve a transmission’ by ‘provide an electronic communications service’ as permissible processing purpose in Art. 6 Sec. 1 lit. a) ePrivacy Regulation.[17] The introduction of a general term created room for the application of the permission to various purposes related to the performance of the contract, which do not necessarily have to be explicitly defined and limited in the ePrivacy Regulation (see Art. 6 No. II.2.).

The end-user concerned by the processing of their/its metadata must be a party to the contract for the performance of which the processing takes place. This requirement is an addition that was introduced during the further legislative process and was not envisaged by the initial ePR Commission Proposal 2017. Arguably, it was also introduced to align the wording to the GDPR.[18] The requirement that the contract must be a contract in which the end-user itself is involved to render a processing permissible should be relatively self-explanatory and arguably has a primarily declaratory function. Generally, this requirement is implied by the requirement of necessity and purpose limitation of any intended processing, which will hardly be met in situations where the affected end-user is not a party to the relevant contract in relation to which the processing is supposed to take place. Moreover, the rationale of this permission is that processing for the purpose of performance of the contract is based on an autonomous decision of the end-user concerned, and thus might be considered permissible.[19]

The strong alignment of the permission with the corresponding Art. 6 Sec. 1 lit. b) GDPR suggests that both permissions ought to be applied and interpreted in a similar way. However, there are decisive differences regarding the interpretation of the term ‘contract’ in the regulations. In the context of Art. 6 Sec. 1 lit. b) GDPR, it is disputed what kind of legal relationships ought to be covered by this term. It is notable that this is not the case, at least not to the same extent, within Art. 6b Sec. 1 lit. b) ePrivacy Regulation. Rather, the permission is limited to electronic communications service contracts, i.e. a specific type of contract. Furthermore, unlike the GDPR and despite the fact that the wording was adapted, the provision does not refer to pre-contractual relationships, which are thus not covered. Both observations suggest a rather restrictive interpretation of the term ‘electronic communications service contract’ under the ePrivacy Regulation. Accordingly, Art. 6b Sec. 1 lit. b) ePrivacy Regulation does not cover processing activities carried out for the purpose of the conclusion of the contract itself. Art. 6 Sec. 1 lit. b) GDPR, on the other hand, explicitly encompasses preparatory pre-contractual measures as permissible processing purposes.

Hence, in order for the permission as per Art. 6b Sec. 1 lit. b) ePrivacy Regulation to apply, an existing contract for the provision of electronic communication services is required. This contract must have been validly concluded under the law of the relevant Member State.[20] If this prerequisite is met, all activities that may become necessary in the context of the performance of the contract may qualify as permissible processing purposes, including the termination of the contract.[21]

Beyond this, the specific activities associated with the performance of a contract listed in the ePrivacy Regulation, i.e. billing, calculating interconnection payments, detecting or stopping fraudulent, or abusive use of, or subscription to electronic communications services are not further specified in the law. In particular, ‘detecting or stopping of fraudulent and abusive use’ leaves room for interpretation. It is noteworthy that this particular purpose is not included in the parallel provision of Art. 6 Sec. 1 lit. b) GDPR, i.e. is not classified as necessary for the performance of a contract. Rather, such purposes are likely to be located in Art. 6 Sec. 1 lit. f) GDPR, within the legitimate interests of the controller. Thus, the GDPR and the ePrivacy Regulation are based on different understandings of what is necessary for the performance of a contract. In this regard, the standard of the ePrivacy Regulation is broader than that of the GDPR. In principle, this processing purpose can refer to fraudulent and abusive use by third parties interfering with the contractually determined electronic communications services, e.g. through spam or so-called botnets, as well as to fraudulent and abusive use by the end-users. In the latter case, the detection and stopping of such use is primarily in the interest of the electronic communications service provider and even contradicts the interests of the abusive end-user.[22] However, the distribution of interests in the various permissible processing purposes determined in Art. 6b Sec. 1 ePrivacy Regulation is heterogeneous and not exclusively assigned to the sphere of the end-user as in Art. 6a Sec. 1 ePrivacy Regulation. There is, thus, room for processing purposes related to provider interests such as under Art. 6b Sec. 1 lit. b) ePrivacy Regulation. Additionally, the identification of permissible processing purposes for the performance of a contract in Art. 6b Sec. 1 lit. b) ePrivacy Regulation strongly depends on the processes that an end-user can and must reasonably expect when entering an electronic communications service contract.[23] It is reasonable to expect electronic communications service providers to make efforts to prevent misuse of their services by the end-user. However, a reasonable standard should be applied to what constitutes fraudulent or abusive use of a service by an end-user. Any use that is within the contractual limits, even if exploited to the maximum and excessively exceeding the average use, should nevertheless not be classified as abusive.[24] Moreover, it will have to be clarified to what extent the notion of ‘detection’ also encompasses preventive measures, or whether it only applies in the case of specific indications for abusive use. In this respect, the precise circumstances and details of the individual contract will be decisive.

The requirement of necessity applies to Art. 6b Sec. 1 lit. b) ePrivacy Regulation, as is the case for all provisions permitting processing of electronic communications data (see Art. 6 No. II.1. et seqq.). Whether processing of electronic communications metadata is to be regarded necessary for the performance of a contract will depend strongly on the underlying rationale of the relevant contract, i.e. its substance and fundamental objective.[25] In accordance with the general requirement of necessity, it does not suffice that processing is helpful or advantageous for billing, calculating interconnection payments or detecting and stopping fraudulent or abusive use. Rather, the intended processing must be indispensable to meet the envisaged purpose, i.e. it would be impossible for the respective electronic communications service or network provider to bill, calculate interconnection payments or to detect and stop fraudulent or abusive use without the intended processing. It must be the least invasive measure towards end-users, but at the same time still fulfil the intended purpose. In other words, if the service provider could fulfil the purposes by means of an alternative measure, with the same efficiency but a lower impact for the confidentiality of communications, the intended processing of electronic communications metadata would be unnecessary and therefore unlawful. Thus, a case-by-case assessment, while taking into account the realistic alternative options available to providers, is required. As a general rule, the mere inclusion of a contractual clause regarding the intended processing does not generate the required objective necessity for processing.[26] A contractual clause that unilaterally determines the necessity of a certain processing or which makes processing a condition for a service does not establish genuine necessity, which in principle may exist independently of a corresponding provision in the contract.

[13] For the provision of the agreed electronic communications service itself, providers of electronic communications networks or services may be able to rely on the general permission of Art. 6 Sec. 1 lit. a) ePrivacy Regulation if all requirements are met, see Art. 6 No. II.2. et seqq.

[14] Council of the European Union, Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) from 5 January 2021, Doc. No. 5008/21, para. 34.

[15] Council of the European Union, Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) from 5 January 2021, Doc. No. 5008/21, para. 34 and 32.

[16] The EDPB had explicitly opposed such an extension or rather abstraction of the permission for processing for the performance of a contract, see Statement of the EDPB on the revision of the ePrivacy Regulation and its impact on the protection of individuals with regard to the privacy and confidentiality of their communications from 28 May 2018, p. 1 et seq.

[17] Council of the European Union, Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) from 5 January 2021, Doc. No. 5008/21, para. 32, 34.

[18] See Art. 6 Sec. 1 lit. b) GDPR.

[19] Albers/Veit, in: Wolff/Brink, BeckOK-Datenschutzrecht (2021), Art. 6 para. 30.

[20] The same applies within the parallel provision of Art. 6 Sec. 1 lit. b) GDPR, see EDPB, Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects from 8 October 2019, p. 9; Albers/Veit, in: Wolff/Brink, BeckOK-Datenschutzrecht (2021), Art. 6 para. 31.

[21] Cf. Albers/Veit, in: Wolff/Brink, BeckOK-Datenschutzrecht (2021), Art. 6 para. 31.

[22] Cf. recital 47 GDPR, which assigns fraud detection and prevention to the sphere of interest of the controllers obliged under the GDPR.

[23] Cf. EDPB, Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects from 8 October 2019, p. 10 with regard to the parallel provision of the GDPR.

[24] Engeler/Felber, ZD 2017, 251, 254.

[25] See in the context of the provision of Art. 6 Sec. 1 lit. b) GDPR, EDPB, Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects from 8 October 2019, p. 9; with regard to the comparability of both provisions see above at para. 12.

[26] EDPB, Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects from 8 October 2019, p. 9.

End-users may consent to the processing of their electronic communications metadata. Such consent must meet all requirements of validity as set out in Art. 4a ePrivacy Regulation, which in turn relates strongly to the validity requirements of the GDPR (Art. 4a No. IV.). The permission of Art. 6b Sec. 1 lit. c) ePrivacy Regulation does not set out any further special, metadata-related requirements with regard to end-user consent. The relevant Recital 18 emphasises the requirement of voluntariness of consent and the possibility for end-users to make a genuinely free choice, which is particularly relevant in connection with the provision of essential services (Art. 4a No. IV. 2.b)cc) and services provided for non-monetary counter-performance (Art. 4a para. 37).

Where processing of electronic communications data is necessary for the protection of vital interests of a natural person, which according to Recital 17a refers to both the end-users and other persons, it might be permitted on the basis of Art. 6b Sec. 1 lit. d) ePrivacy Regulation. The GDPR provides for a corresponding legal basis for the processing of personal data in Art. 6 Sec. 1 lit. d). Although the processing purposes may also relate to the vital interests of the end-users concerned, provided they are natural persons, the legal basis of Art. 6b Sec. 1 lit. d) ePrivacy Regulation serves public interests, similarly to the parallel provision of the GDPR.[27]

Recital 17a provides examples of specific processing purposes that may arise from the overriding purpose of protecting the vital interest of natural persons. These are humanitarian purposes, in particular the monitoring of epidemics and their spread as well as humanitarian disasters, whether manmade or of natural origin. The interests must be essential for the end-users who are natural persons or other natural persons. The permission is therefore an exception that will only apply in extreme situations.

Furthermore, the legal basis of Art. 6b Sec. 1 lit. d) ePrivacy Regulation is, like its parallel provision in the GDPR, subordinate to other permissions according to Recital 17a.[28] This means that it only applies if the intended processing cannot be justified under any other permission provided for in the ePrivacy Regulation and where the protection of the specified interests cannot be met without such processing.

[27] Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 107 et seq.

[28] See respectively recital 46 GDPR.

The statutory permissions of Art. 6b Sec. 1 lit. e) and lit. f) ePrivacy Regulation allow for processing of electronic communications data for scientific, historical or statistical – i.e. public interest – purposes. The provisions differentiate between the processing of electronic communications metadata that are location data in Art. 6b Sec. 1 lit. e) (Art. 6b No. I.5.a) and other metadata in Art. 6b Sec. 1 lit. f) (such as time and duration of a communication, Art. 6b No. I.5.b). For the processing of location data, the ePrivacy Regulation itself provides for more detailed requirements, while for the processing of other electronic communications metadata reference is made to provisions of Member State law or other regulations of Union law, thus, outside the scope of the ePrivacy Regulation.

The GDPR also envisages scientific, historical research and statistical purposes as permissible purposes for the processing of personal data. This results from Art. 89 GDPR and its corresponding Recitals 156 et seqq. However, the GDPR does not provide for an explicit legal basis comparable to Art. 6b Sec. 1 lit. e) and f) of the ePrivacy Regulation. In particular, Art. 89 GDPR itself is not a legal basis for processing, but rather provides further details on the design of and requirements for processing operations intended for the respective purposes, provided that a permission of the GDPR applies. The lawfulness of such processing is determined in accordance with the general legal bases of Art. 6 GDPR or, in the case of special categories of data such as health data, Art. 9 GDPR.[29] Similarly, the ePR Commission Proposal 2017 did not provide for an explicit legal basis for processing of electronic communications data for these purposes of public interest. It was introduced in the later course of the legislative process. Due to the inclusion of the relatively detailed permissions in Art. 6b Sec. 1 lit. e) and lit. f), which also autonomously determine the preconditions and limits of lawful data processing, a clarifying provision such as Art. 89 GDPR is not necessary within the ePrivacy Regulation.

Recital 17b highlights that such processing of electronic communications data can be particularly useful for public authorities and public transport operators, as it can provide insight into where additional infrastructure can be developed based on usage and pressure on the existing infrastructure. However, there are no specific definitions provided within the ePrivacy Regulation with regard to which specific purposes are considered scientific, statistical or relevant for historical research. These purposes have in common that they are regarded as useful to society as a whole, although occasionally they may also serve the particular interests of providers, especially with regard to statistical purposes. Recourse can be made to the specifications of the GDPR, which contain comprehensive explanations in Recitals 156 et seqq. Based on these clarifications, the notion of scientific purposes is to be interpreted broadly and relates primarily, but not exclusively, to research in the health sector.[30] Additionally, in the context of processing for purposes of scientific research, Art. 167 TFEU must be taken into account, which establishes the creation of a European area of research as an objective of the EU and, thus, suggests a rather broad scope for this processing permission as well. As regards processing for historical research purposes, the GDPR highlights research in the field of genealogy.[31] Statistical purposes are defined as any operation of collection and processing of personal data necessary for statistical surveys or for the production of statistical results, which in turn may serve various other and not further limited purposes, including scientific research.[32] Statistical purposes often require an abstract or global collection and examination of data, which takes place over a longer period of time and on a large scale and therefore excludes any processing relating to a specific person or a concrete contractual relationship.

Recital 17b sets out various general requirements for processing operations based on Art. 6b Sec. 1 lit. e) and lit. f) ePrivacy Regulation, many of which overlap with the requirements of Art. 89 GDPR.[33] The legislator intended to harmonise Recital 17b of the ePrivacy Regulation with Art. 89 GDPR.[34] According to Recital 17b, processing operations carried out for scientific, historical research or statistical purposes should result exclusively in aggregated data. Aggregated data describes different individual data sets which are combined into a group in a way that only a group value and no longer an individual data set is accessible. This may or may not lead to anonymisation of the electronic communications metadata. Furthermore, data resulting from such processing operations shall not be used to make decisions or take measures in relation to a specific individual, neither to identify certain characteristics or create a profile of an end-user, nor to draw conclusions regarding the private life of end-users.[35]

Recital 17b highlights the necessity to introduce safeguards for the processing of electronic communications metadata for the aforementioned purposes, one of which is the pseudonymisation of metadata, which is also explicitly mentioned as a legal prerequisite for lawful processing within the framework of Art. 6b Sec. 1 lit. e) ePrivacy Regulation (para. 28 below).[36] The right to object by end-users affected by the processing of electronic communications metadata for scientific, historical research or statistical purposes is highlighted among the safeguards indicated in Recital 17b. To grant a right to object will usually require information and education of the end-user about the data processing, purposes, its duration and scope.

a) Electronic communications metadata that constitutes location data, Art. 6b Sec. 1 lit. e)

The permission of Art. 6b Sec. 1 lit. e) ePrivacy Regulation for the processing of electronic communications metadata applies only to metadata that constitutes location data. Location data is defined in Art. 4 Sec. 3 lit. j) ePrivacy Regulation as ‘data processed by means of an electronic communications network or service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service’ (for more details see Art. 4 No. III.8. et seqq.). Consequently, the location of an end-user, the place of residence or, in the case of a legal entity as an end-user, the location from which it operates and coordinates business activities may be inferred from such data (provided the terminal equipment is used by the end-user for the respective communication). The location of an end-user may constitute particularly sensitive information, the disclosure of which may be highly privacy-intrusive for the end-users. Based on the separation of Art. 6b Sec. 1 lit. f) and e) into two separate legal bases, information regarding the location is regarded as more sensitive than information derived from other electronic communications metadata, e.g. relating to the duration of a communication process.

For the processing of such electronic communications metadata, Art. 6b Sec. 1 lit. e) ePrivacy Regulation sets out three explicit legal requirements for lawfulness:

(i) the location data to be processed must be pseudonymised;

(ii) the intended scientific, historical research or statistical purposes pursued with the processing could not be achieved with the processing of location data made anonymous; and

(iii) the location data will not be used to determine the nature or characteristics of an end-user or to create a profile of end-users.

According to the wording of Art. 6b Sec. 1 lit. e), the aforementioned requirements are not to be understood as an indicative list but rather as mandatory legal requirements. Consequently, pseudonymisation according to point (i) is not only one of several possible safeguards the provider of electronic communications services or networks is required to introduce as under Art. 89 Sec. 1 GDPR. Rather, if location data was not pseudonymised prior to processing, it cannot be lawfully processed on the basis of Art. 6b Sec. 1 lit. e) ePrivacy Regulation at all. Pseudonymisation refers to a process by which data with a direct personal reference, i.e. allowing the identification of a natural or legal person, is changed in a way that the identity cannot be directly inferred from the data record, but only with help of additional information or other reasonable means of identification (see also Art. 6 No. III.2. et seq.).

The requirement in Art. 6b Sec. 1 lit. e) (ii) that the intended purposes must not allow for processing of location data that has been made anonymous has a declaratory effect only.[37] The same requirement is set out in Art. 6 Sec. 2 ePrivacy Regulation, which also applies in the context of Art. 6b Sec. 1. The obligation set out in Art. 6b Sec. 1 lit. e) (ii) ePrivacy Regulation, which requires electronic communications service and network providers to erase or anonymise processed location data as soon as the processing purposes have been fulfilled or allow for erasure or anonymisation, is also declaratory, which follows from Art. 6 Sec. 2 ePrivacy Regulation (Art. 6 No. III.2. et seq.).

Finally, Art. 6b Sec. 1 lit. e) (iii) ePrivacy Regulation stipulates that the data processing shall not serve to draw conclusions about the characteristics and nature of the end-user or to create profiles of them. In many cases, such use of data would be incompatible with the permissible scientific, historical research and statistical purposes, or with the necessity to achieve these purposes. The general requirement of necessity must be observed in addition to the specifically emphasised requirements of Art. 6b Sec. 1 lit. e) ePrivacy Regulation. By virtue of the explicit enumeration in Art. 6b Sec. 1 lit. e) ePrivacy Regulation, a number of the measures which are addressed in the associated Recitals 17a and 17b are elevated to statutory requirements for the security of processing.

With regard to the publishing and sharing of location data processed in accordance with Art. 6b Sec. 1 lit. e) ePrivacy Regulation with third parties, Art. 6 Sec. 3 ePrivacy Regulation contains a specific declaration (Art. 6 No. IV.).

b) Electronic communications metadata other than location data, Art. 6b Sec. 1 lit. f)

For the same purposes as under Art. 6b Sec. 1 lit. e) ePrivacy Regulation, any other information falling within the category of electronic communications metadata that is not location data may also be processed pursuant to Art. 6b Sec. 1 lit. f) ePrivacy Regulation. For these cases, the ePrivacy Regulation does not provide any detailed requirements, apart from the explanations in Recitals 17a and 17b. Rather, reference is made to the applicable Member State law, Union law and the parallel provision of Art. 89 GDPR.[38] While the latter is not a legal basis, it does contain specifics on the lawfulness of such processing (see Art. 6b No. I.5.a) above). Art. 6b Sec. 1 lit. f) ePrivacy Regulation makes an explicit reference to the safeguards of encryption and pseudonymisation. Both measures are also listed indicatively as safeguards in Art. 89 GDPR and, additionally, are envisaged as necessary technical or organisational measures in order to ensure processing security in terms of Art. 32 Sec. 1 lit. a) GDPR (see Art. 6b No. I.5.a) above with regard to pseudonymisation). The ePrivacy Regulation refers to encryption as an appropriate safeguard in order to ensure secure data processing and to reduce the risks for end-users in various contexts.[39] Encryption means the conversion of data into a code and serves to make data unintelligible to unauthorised persons.[40]

How the referenced ‘additional safeguards’ provided for in Art. 89 GDPR (and transferable to the purposes of the ePrivacy Regulation) are supposed to be designed – apart from encryption and pseudonymisation measures – is unclear and in need of interpretation. So far, the EDPB has left this question open, albeit expressly confronting this issue and recognising the need for specifications in this regard.[41] However, a high standard for the technical and organisational measures is required in order to guarantee the security and confidentiality of the processing process. Additionally, providers of electronic communications services and networks might consider close and concrete exchange with the concerned end-users prior to the intended processing. The communication with and information of end-users appears particularly reasonable in light of Recital 17b ePrivacy Regulation, which refers to the necessity of a right to object for end-users (Art. 6b No. I.5.). Similar considerations are made by the EDPB, which states that in certain circumstances, even if the processing for scientific, historical research or statistical purposes is carried out on a legal basis other than consent, the standards applied to informed consent could nevertheless become necessary as additional safeguards due to ‘ethical’ considerations.[42] As a general rule, complete and comprehensive information of end-users about any processing of their electronic communications data will reduce the risk to their fundamental rights and interests associated with these processes and, thus, is a conceivable safeguard. If end-users are aware of what is happening with their data, they can protect themselves against any unwanted interference and make self-determined decisions.

[29] See EDPB, Document on response to the request from the European Commission for clarifications on the consistent application of the GDPR, focusing on health research from 2 February 2021, p. 4; Eichler, in: Wolff/Brink, BeckOK-Datenschutzrecht (2021), Art. 89 para. 1.

[30] Recital 159 GDPR.

[31] Recital 160 GDPR.

[32] Recital 162 GDPR.

[33] Recital 17b does not distinguish between processing of location data and other metadata and therefore applies in principle with regard to both legal bases.

[34] Council of the European Union, Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) from 5 January 2021, Doc. No. 5008/21, para. 34.

[35] Recital 17b; cf. recital 162 GDPR with regard to results of processing for statistical purposes.

[36] Pseudonymisation is also a safeguard explicitly foreseen by Art. 89 Sec. 1 GDPR.

[37] The primacy of processing anonymised data where the intended purposes of processing allow for it is also envisaged in the parallel provision of Art. 89 Sec. 1 Sent. 2 GDPR.

[38] Such relevant Union or Member State law might be, depending on the intended processing and purposes, the Directive 2001/20/EC of the European Parliament and of the Council of 4 April 2001 on the approximation of the laws, regulations and administrative provisions of the Member States relating to the implementation of good clinical practice in the conduct of clinical trials on medicinal products for human use (‘Clinical Trials Directive’) as well as Regulation (EU) No 536/2014 of the European Parliament and of the Council of 16 April 2014 on clinical trials on medicinal products for human use, and repealing Directive 2001/20/EC (once it comes into application), or, on national level, the German Federal Statistics Act (‘Bundesstatistikgesetz’) referring to official national statistics, see below at Art. 6b No. II.

[39] Art. 6c Sec. 1 lit. e), Art. 8 Sec. 1 lit. g) (v), recital 17b.

[40] See Art. 34 Sec. 3 lit. a) GDPR.

[41] EDPB, Document on response to the request from the European Commission for clarifications on the consistent application of the GDPR, focusing on health research from 2 February 2021, p. 12.

[42] EDPB, Document on response to the request from the European Commission for clarifications on the consistent application of the GDPR, focusing on health research from 2 February 2021, p. 4.

Art. 6b Sec. 2a builds on the legal bases of Art. 6b Sec. 1 lit. e) and lit. f) ePrivacy Regulation and extends the scope of application of these two permissions to processing for the purpose of developing, producing and disseminating official national or European statistics, subject to the requirement of necessity and compliance with applicable Member State and Union law. Such official national or European statistics can, by their very nature, only be developed and produced by official statistical institutions or authorities who are in charge of producing such statistics. This limits the addressees of this provision. The GDPR also addresses this case of application in Recital 163 and refers to specific applicable Union law in this context, namely Art. 338 Sec. 2 TFEU and Regulation (EC) No. 223/2009. Official national and European statistics are subject to the principle of statistical confidentiality. According to Eurostat, the statistical authority of the EU, statistical confidentiality means that ‘data on individual persons (or business entities) may be used only for statistical purposes and that rules and measures shall be applied to prevent the disclosure of information concerning an individual person or business entity’.[43] Further details on the lawfulness of data processing for official statistical purposes and the requirements for respective processes are set out by Regulation (EC) No. 223/2009 which, as a part of applicable Union law, ought to be taken into account according to Art. 6b Sec. 2a ePrivacy Regulation. It also contains definitions of various terms used in the ePrivacy Regulation within this context, such as ‘statistics’, ‘dissemination’, ‘production’ and further relevant definitions.[44]

[43] Eurostat, Statistical Confidentiality and Personal Data Protection, available at https://ec.europa.eu/eurostat/web/microdata/statistical-confidentiality-and-personal-data-protection (last access: 7 July 2021).

[44] See Art. 3 Regulation (EC) No 223/2009 of the European Parliament and of the Council of 11 March 2009 on European statistics and repealing Regulation (EC, Euratom) No 1101/2008 of the European Parliament and of the Council on the transmission of data subject to statistical confidentiality to the Statistical Office of the European Communities, Council Regulation (EC) No 322/97 on Community Statistics, and Council Decision 89/382/EEC, Euratom establishing a Committee on the Statistical Programmes of the European Communities

Art. 6b Sec. 2 ePrivacy Regulation provides for a prohibition on the dissemination of location data to the effect that this data must not be shared with third parties beyond the scope of data processing relationships in accordance with Art. 6 Sec. 3 ePrivacy Regulation and the conditions set out therein, unless this data has previously been made anonymous.[45] Art. 6 Sec. 3, to which reference is made, in turn refers to Art. 28 GDPR and only allows for data processing relationships with third parties under the applicable conditions (Art. 6 No. IV. et seqq.). It is noteworthy that the prohibition to share data under Art. 6b Sec. 2 ePrivacy Regulation explicitly refers to location data only, but not to other electronic communications metadata processed for the same purposes, as it relates to Art. 6b Sec. 1 lit. e) ePrivacy Regulation exclusively. This, again, underlines the particular sensitivity of location data within the types of electronic communications metadata. However, the sharing of other electronic communications metadata that have not been anonymised will also be permissible only in the rarest of cases outside the scope of Art. 6 Sec. 3 ePrivacy Regulation in conjunction with Art. 28 GDPR.

[45] A definition of ‘third parties’ is provided in recital 19 ePrivacy Regulation, see Art. 6 para. 37 et seqq.
