Paul Voigt, Axel von dem Bussche: the EU ePrivacy Regulation – Preliminary Guidance and Commentary 

Article 7 ePrivacy Regulation – Storage and erasure of electronic communications data

1. The provider of the electronic communications service shall erase electronic communications content or make that data anonymous when it is no longer necessary for the purpose of processing in accordance to article 6 (1) and 6a (1).

2. Without prejudice to points (b), (c) and (d) of Article 6 (1), points (c), (d), (e), (f), point (g) of Article 6b, Article 6c and points (b) to (g) of Article 8 (1) the provider of the electronic communications service shall erase electronic communications metadata or make that data anonymous when it is no longer needed for the purpose of providing an electronic communication service.

3. Where the processing of electronic communications metadata takes place for the purpose of billing in accordance with point (b) of Article 6b (1), the relevant metadata may be kept until the end of the period during which a bill may lawfully be challenged, or a payment may be pursued in accordance with national law.

4. Union or Member state law may provide that the electronic communications metadata is retained, including under any retention measure that respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society, in order to safeguard the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the safeguarding against and the prevention of threats to public security, for a limited period. The duration of the retention may be extended if threats to public security of the Union or of a Member State persists.

Art. 7 ePrivacy Regulation

Art. 7 ePrivacy Regulation constitutes an implementation of the principle of purpose limitation, which is primarily a basic principle of data processing as set out in Art. 5 Sec. 1 lit. b) GDPR, but indirectly also applies to the ePrivacy Regulation (e.g. by reference to general provisions of the GDPR as part of the requirements for valid consent and the reference to purpose limitation in recital 20a ePrivacy Regulation).

Art. 7 Sec. 1 ePrivacy Regulation sets out an erasure obligation for providers of electronic communications services or – probably also – networks[1], which applies only to electronic communications content processed in accordance with the two explicitly listed legal bases, Art. 6 Sec. 1 or Art. 6a Sec. 1 ePrivacy Regulation. If the retention of electronic communications content is no longer necessary for the purposes of processing envisaged in the referenced legal bases, providers of electronic communications services and networks are obliged to erase or anonymise such data.

The regulatory content of Art. 7 Sec. 1 of the ePrivacy Regulation is reminiscent of Art. 6 Sec. 2 of the ePrivacy Regulation, which in effect also imposes an obligation to erase or anonymise electronic communications content (as well as electronic communications metadata) that is no longer required for the purposes of processing (No. I.3.).[2] Art. 6 Sec. 2 ePrivacy Regulation provides for a general processing limitation and anonymisation requirement for electronic communications content. The provision is applicable beyond the scope of Art. 6 ePrivacy Regulation and covers processing operations on the basis of Art. 6a, 6b and 6c ePrivacy Regulation as well. Therefore, there is a certain overlap between Art. 7 Sec. 1 ePrivacy Regulation and Art. 6 Sec. 2 ePrivacy Regulation.

[1] Art. 7 Sec. 1 ePrivacy Regulation addresses only providers of electronic communication services and, thus, not network providers. However, it is to be assumed that this constitutes an editorial mistake. Comparable inconsistencies in the terminology can also be found in other parts of the ePrivacy Regulation, see e.g. Art. 6 No. II. at footnote 4, see also Art. 4 No. I.2.a).

[2] Similar provisions stipulating a requirement to erase or anonymise electronic communications data can be found in other parts of the ePrivacy Regulation, such as Art. 6c Sec. 2 lit. a) in connection with the further processing of electronic communications metadata for compatible purposes, in Art. 6b Sec. 1 lit. e) ePrivacy Regulation for the processing of electronic communications metadata that are location data for statistical, historical research or scientific purposes as well as Art. 8 Sec. 1 lit. h), Sec. 2 lit. c) for the processing of information collected by terminal equipment. This reflects the fact that erasure and anonymisation of electronic communications data under the ePrivacy Regulation are considered important measures to protect the interests of the end-user, as inter alia reflected in recitals 15a and 25, albeit in a more specific context.

In the context of Art. 7 Sec. 1 ePrivacy Regulation, deletion and anonymisation of electronic communications content are equivalent instruments to ensure compliance with Art. 7 Sec. 1. The wording of Art. 7 Sec. 1 ePrivacy Regulation does not distinguish between the two instruments. Accordingly, electronic communications service providers could either delete or anonymise relevant electronic communications content to comply with their obligation under Art. 7 Sec. 1 ePrivacy Regulation. Electronic communications content that has been anonymised could, in principle, be stored indefinitely – i.e. regardless of time and purpose of processing. There is no longer a need for a purpose of processing in accordance with Art. 6 Sec. 1.

Art. 6 Sec. 1 ePrivacy Regulation provides for four general legal bases for the processing of electronic communications data. These apply, unless one of the more specific provisions of Art. 6a – Art. 6c ePrivacy Regulation applies. For detailed explanations of the individual cases of application of Art. 6 Sec. 1 lit. a) – lit. d), please refer to Art. 6 No. II.

Art. 6a Sec. 1 ePrivacy Regulation sets out two special permissions that relate exclusively to the processing of electronic communications content. These are the provision of an electronic communications service to an end-user who has requested this service and consented to the processing of the respective content (Art. 6a Sec. 1 lit. a)) as well as consent declared by all end-users concerned (Art. 6a Sec. 1 lit. b)). For details on the processing operations and the electronic communications data concerned, please refer to the explanations on Art. 6a (see Art. 6a No. II.1. for processing according to lit. a) and Art. 6a No. II.1.c) for processing according to lit. b)).

Art. 7 Sec. 2 ePrivacy Regulation imposes the obligation to erase or anonymise electronic communications metadata that is no longer needed for the provision of such electronic communications service. Art. 7 Sec. 2 of the ePrivacy Regulation (i) only applies to electronic communications metadata, and (ii) only determines the obligation to delete and anonymise data after the fulfilment of one specific purpose, the provision of an electronic communications service.

Generally, the point in time when electronic communications metadata is no longer needed for the specific purpose of the provision of an electronic communications service and, therefore, the relevant point in time for the obligation to erase or anonymise such data pursuant to Art. 7 Sec. 2, can be determined easily. The point in time at which data needs to be erased in relation to the legal bases referenced in Art. 7 Sec. 2 ePrivacy Regulation – namely Art. 6 Sec. 1 lit. b) – d), Art. 6b Sec. 1 lit. c) – f), Art. 6c and Art. 8 Sec. 1 lit. b) – g) ePrivacy Regulation – is, however, less certain.

For instance, Art. 6 Sec. 1 lit. b) ePrivacy Regulation permits the processing of electronic communications metadata for the purposes of maintaining and restoring the security of electronic communications data and services. To a certain extent, this will also require preventive data processing without a specific reason and, thus, retention for a period that may be difficult to determine (see Art. 6 No. II.3.). The same applies to Art. 6 Sec. 1 lit. c) ePrivacy Regulation, which refers to maintaining and restoring the security of end-user terminal equipment. Furthermore, these data security-related purposes significantly serve the interests of the end-users and the protection of confidentiality of their electronic communications, which arguably justifies a later point in time of erasure/anonymisation.

Furthermore, Art. 7 Sec. 2 ePrivacy Regulation shall apply without prejudice to such storage of electronic communications metadata which is processed in order to comply with a legal obligation of the electronic communications service or network providers under Member State or Union law, pursuant to Art. 6 Sec. 1 lit. d) ePrivacy Regulation. This is somewhat comparable to Art. 17 Sec. 3 lit. b) GDPR which also exempts from the obligation to erase in Art. 17 Sec. 1 GDPR data processing that is necessary for compliance with a legal obligation of Union or Member State law.

Furthermore, Art. 7 Sec. 2 applies without prejudice to the processing of location data for scientific, historical research and statistical purposes pursuant to Art. 6b Sec. 1 lit. e) ePrivacy Regulation. These purposes are predominantly in the public interest and, under certain conditions, similarly exempted from the obligation to erase personal data pursuant to Art. 17 Sec. 3 lit. d) GDPR. However, such processing is subject to special conditions and safeguards under the ePrivacy Regulation (Art. 6b No. I.5.).

Finally, Art. 7 Sec. 2 ePrivacy Regulation applies without prejudice to the entire provision of Art. 6c ePrivacy Regulation. This is coherent, as Art. 6c ePrivacy Regulation is somewhat of an exception to the principle of purpose limitation, while Art. 7 aims at ensuring purpose limitation (see No. I. above). The fulfilment of the initial purposes of data collection will not give rise to an obligation of erasure and anonymisation for electronic communications services or network providers if a new and compatible purpose within the terms of Art. 6c Sec. 1 ePrivacy Regulation applies. However, electronic communications metadata processed in accordance with Art. 6c ePrivacy Regulation will have to be erased by the electronic communications service or network provider as soon as the newly introduced compatible processing purposes allow for this. This results from the general provision of Art. 6 Sec. 2 of the ePrivacy Regulation, which is also applicable to Art. 6c.

Unlike the two preceding paragraphs, Art. 7 Sec. 3 ePrivacy Regulation is not designed as an obligation to erase but rather as a retention limitation, which implies an obligation on the part of the electronic communications service and network provider to erase electronic communications metadata processed for billing purposes in accordance with Art. 6b Sec. 1 lit. b) ePrivacy Regulation as soon as it is no longer needed. Art. 7 Sec. 3 ePrivacy Regulation sets out that the point in time at which the respective data must be erased is not reached with the completion of the billing process. Rather, electronic communications service and network providers may continue to retain such data for as long as an invoice can be legally challenged or a payment can be pursued in accordance with national laws. Providers should not be put in a disadvantageous position where they cannot properly enforce their justified payment and legal claims in the absence of necessary data, solely due to the fact that an obligation to erase data under ePrivacy or data protection law has been complied with. Retention of data for these purposes is in the legitimate interest of the provider and is reasonably foreseeable for end-users. In particular, it is intended to prevent end-users from deliberately and in a legally abusive way seeking the erasure of data concerning them in order to frustrate the enforcement of legal claims by contract partners.[3] According to the wording of Art. 7 Sec. 3 of the ePrivacy Regulation, the specific duration for which electronic communications metadata may be retained for the aforementioned purposes will be determined by the statutory limitation periods for legal challenges and appeals provided for in national law. Consequently, the exact duration will depend on the applicable Member State law.

[3] Cf. Worms, in: Wolff/Brink, BeckOK-Datenschutzrecht, Art. 17 para. 87.

Art. 7 Sec. 4 ePrivacy Regulation constitutes a specific opening clause that allows Member States and the Union legislator to enact laws that deviate from Art. 7 Sec. 2 and Sec. 3 of the ePrivacy Regulation. These laws may provide for the possibility of data retention beyond the time of necessary erasure specified in Art. 7 Sec. 2 and Sec. 3. The provisions referenced by the opening clause do not concern the obligation to erase pursuant to Art. 7 Sec. 1 ePrivacy Regulation, as Art. 7 Sec. 4 is explicitly limited to electronic communications metadata. While Art. 7 Sec. 4 of the ePrivacy Regulation only applies to Art. 7 Sec. 2 and Sec. 3, the provision of Art. 11 ePrivacy Regulation contains a general opening clause that, theoretically, applies to all obligations and requirements for the lawfulness of processing of electronic communications data specified in Chapter II of the ePrivacy Regulation and has been modelled in accordance with the principles of Art. 23 GDPR (see Art. 11). Interestingly, the purposes pursued by the provisions envisaged under Art. 7 Sec. 4 ePrivacy Regulation are more limited than those of the more general clause of Art. 11 Sec. 1 ePrivacy Regulation. The latter refers, inter alia, to Art. 23 Sec. 1 lit. e) GDPR and, thus, to ‘general public interests of the Union or of a Member State’. According to recital 26 of the ePrivacy Regulation, a general public interest is, for example, an important economic or financial interest.

Art. 7 Sec. 4 ePrivacy Regulation (in this context see also Art. 6 No. II.5.) takes into account CJEU case law on legislative measures of Member States which included obligations regarding preventive, general and indiscriminate retention of electronic communications data.[4] According to the CJEU, preventive and untargeted data retention is not compatible with Art. 7, 8, 11 and 52 of the CFR.[5] This is reflected in Art. 7 Sec. 4 ePrivacy Regulation. Member State and Union laws may allow for the retention of electronic communications metadata to ensure the prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties as well as the protection against and prevention of threats to public security if they respect the essence of fundamental rights and freedoms and represent a proportionate measure in a democratic society. Furthermore, the envisaged data retention periods should also be limited in time. The ePrivacy Regulation, thus, issues restrictions with regard to the design of laws covered by this opening clause.

[4] CJEU, joined cases C-511/18, C-512/18, C-520/18 from 27 November 2020 as well as case C-623/17 from 6 October 2020.

[5] See CJEU, joined cases C-511/18, C-512/18, C-520/18 from 27 November 2020, para. 113 et seqq., 137, 141; CJEU, C-623/17 from 6 October 2020, para. 81 et seq.
