Paul Voigt, Axel von dem Bussche: the EU ePrivacy Regulation – Preliminary Guidance and Commentary
Menü
Paul Voigt, Axel von dem Bussche: the EU ePrivacy Regulation – Preliminary Guidance and Commentary
1. The European Data Protection Board, established under Article 68 of Regulation (EU) 2016/679, shall have the task to contribute to the consistent application of Chapters I and II and III of this Regulation.
2. To that end, the Board shall have the following tasks:
(a) advise the Commission on any proposed amendment of this Regulation;
(b) examine, on its own initiative, on request of a supervisory authority designated in accordance with Article 18 (0) or on request of the Commission, any question covering the application of this Regulation in relation to Chapters I, II and III and issue guidelines, recommendations and best practices in order to encourage consistent application of this Regulation;
(c)
(d) issue guidelines, recommendations and best practices in order to facilitate cooperation, including exchange of information, between supervisory authorities referred to in paragraph 0 of Article 18 and/or the supervisory authority responsible for monitoring the application of Regulation (EU) 2016/679;
(da) issue guidelines, recommendations and best practices in accordance with point (b) of this paragraph to assess for different types of electronic communications services the moment in time of receipt of electronic communications content;
(db) issue guidelines, recommendations and best practices in accordance with point (b) of this paragraph on the provision of consent in the context of Articles 6 to 6b and 8 of this Regulation by end-users who are legal persons and or in an employment relationship;
(e) provide the Commission with an opinion on the icons referred to in paragraph 3 of Article 8;
(f)
(g)
(h) promote the exchange of knowledge and documentation on legislation on protection of electronic communications of end-users and of the integrity of their terminal equipment as laid down in Chapter II and practice relevant supervisory authorities world wide;
3. Where the Commission requests advice from the Board, it may indicate a time limit, taking into account the urgency of the matter.
4. The Board shall forward its opinions, guidelines, recommendations, and best practices to the Commission and make them public.
5. The Board shall consult the supervisory authorities referred to in Article 18 (0) before any of the tasks referred to in paragraph 2.
6. The Board shall, where appropriate, consult interested parties and give them the opportunity to comment within a reasonable period. The Board shall, without prejudice to Article 76 of Regulation (EU) 2016/679, make the result of the consultation procedures publicly available.
The European Data Protection Board (‘EDPB’), established under Art. 68 GDPR, replaces the prior installed Art.-29-Working Party, which had already been assigned with the task to coordinate the application of national data protection regulations. In comparison, the EDPB, however, has significantly more extensive powers, as it is not only entitled to issue opinions, but can also adopt binding decisions (as for instance with regard to the consistency mechanism, pursuant to Art. 63 et seqq. GDPR).[1] Its purpose is to promote cooperation between supervisory authorities and, in the Commission´s words, to “create a common data protection culture [between them] to ensure that the rules of the Regulation are interpreted consistently”.[2] In front of this background, Art. 19 ePrivacy Regulation does not install a comparable independent body, but includes the EDPB into its regulatory framework. In order to safeguard a cooperative and consistent application, the legislative approach here is to use the existing infrastructure and expertise of the EDPB, while not artificially splitting up the closely related matters. This approach appears to be sensible not least in view of the plurality of supervisory authorities, which is facilitated under Art. 18 Sec. 0 of the ePrivacy Regulation, to the extent that it could possibly serve as a role model. In any case, the centralization of enforcement powers within the framework of an existing authority is preferable to a plurality and decentralization.[3]
With regard to its organization, Arts. 68 to 76 GDPR apply. Consequently, the EDPB is set up as an independent legal entity, which comprises of the leading members of the Member State´s supervisory authorities. It is, therefore, more or less a virtual authority with no physical building and staff in comparison to other EU authorities. Nevertheless, it has supervisory functions by its own and counsels the commission on the application of both GDPR and ePrivacy Regulation. A main task represents the issuance of guidelines, recommendations and best practices, which aim at a consistent approach to legal enforcement. As regards details on the background and history, as well as the individual tasks pursuant to the GDPR, reference is made to the respective literature.[4]
[1] Dix, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 68 Rec. 1.
[2] European Commission, Stronger protection, new opportunities – Commission guidance on the direct application of the General Data Protection Regulation as of 25 May 2018, p. 10.
[3] Cf. in this regard Art. 18 No. II.1.b).
[4] See, for instance, Voigt/v. d. Bussche, The EU General Data Protection Regulation (GDPR), p. 197; Schöndorf-Haubold, in: Sydow, Europäische Datenschutzgrundverordnung (2018), Art. 68 et seqq.
The ePrivacy Regulation incorporates the EDPB´s tasks subsequent to provisions on supervisory authorities under Art. 18 ePrivacy Regulation. Thus, it follows the systematic order of the GDPR, which is to implement the two related areas in a unified context. The EDPB is assigned with the general purpose to contribute to a consistent application of Chapters I to III of the ePrivacy Regulation. For its fulfillment, the board receives specific tasks, which are enlisted exhaustively under Art. 19 Sec. 2 lits. a to e and Secs. 3 – 6 ePrivacy Regulation. Together with Art. 20 ePrivacy Regulation, which underlines the cooperative purpose of European authorities, it, thus, forms the second regulatory area of Chapter IV on the establishment of independent supervisory authorities and the enforcement of this Regulation.
The catalogue pursuant to Art. 19 Secs. 1 – 6 ePrivacy Regulation divides into a general purpose and associated individual tasks. Sec. 1 has, furthermore, the character of a general clause, which – unlike Art. 70 Sec. 1 GDPR – is finally concretized pursuant to Secs. 2 – 6. This is particularly evident from the lack of corresponding opening phrases, such as the word “in particular”. Moreover, while the Commission’s original draft still provided for a complete reference to the tasks under Art. 70 GDPR, this was replaced in the course of the Council´s proposal in favor of a concretization of the tasks following the specific needs of the ePrivacy Regulation.[5] Thus, the tasks under Art. 70 GDPR do not apply either in direct or analogous form under Art. 19 ePrivacy Regulation. For instance, this concerns the review of the application of practical guidelines, recommendations and best practices pursuant to Art. 70 Sec. 1 lit. l GDPR or the issuance of such regarding the set-up of administrative fines (Art. 70 Sec. 1 lit. k GDPR). Conversely, many unapplicable tasks, specific to the area of data protection were removed. This pertains, particularly, to the comprehensive catalogue on the issuance of guidelines, recommendations and best practices, e.g. on data breaches, data transfers or the exchange of information between controllers or processors.
Art. 19 Sec. 1 ePrivacy Regulation clarifies that the EDPB is not alone in charge of ensuring consistent application of Chapters I to III but rather contributes to that end. The main role rather play the Member States´ supervisory authorities themselves. These are granted a respective cooperation framework pursuant to Arts. 18 Sec. 1b, 2; 20 ePrivacy Regulation, which serves as the primary means in guaranteeing a uniform application. Subsequently, the board is not mandated to adopt final decisions (as it is in view of e.g. Art. 65 Sec. 1 GDPR), but rather to provide guidelines, best practices and recommendations (see Sec. 2 lit. b – db). In addition, it performs advisory functions in response to requests from the Commission and the supervisory authorities (see Secs. 1 lit. a, 3 and 5).
[5] Cf., for instance, Art. 19 Sec. 2 lit. da ePrivacy Regulation on electronic communications, lit. db Var. 3 on cookie-consent or lit. e on icons under Art. 8 Sec. 3 ePrivacy Regulation.
Unlike under Art. 70 Sec. 1 lit. b GDPR, according to which the EDPB has a comprehensive supervisory task in view of “any issue related to the protection of personal data in the Union”, the scope of tasks under Art. 19 Sec. 2 lit. a ePrivacy Regulation is narrowed. Accordingly, the EDPB advises the Commission solely with regard to proposed amendments to the Regulation. This has significance particularly in the course of monitoring and evaluation of the effects of the Regulation, which, pursuant to Art. 28 S. 3 ePrivacy Regulation shall lead to a proposal for the Regulation´s amendment or repeal. Only Art. 19 Sec. 2 lit. b ePrivacy Regulation contains a further-reaching review obligation, according to which the Commission´s questions on the application must be examined by the EDPB and answered by way of guidelines, recommendations and best practices.
Somewhat contradictory, in this sense, appears the unrestricted wording of Art. 19 Sec. 3 ePrivacy Regulation, according to which the Commission shall specify a time limit, when requesting ‘advice’. Thus, Sec. 3 must be understood as to specifying Sec. 2 lit. a alone and not opening up a general advisory obligation.
While the issuance of guidelines, recommendations and best practices is a regular initiative of the EDPB, Art. 19 Sec. 2 lit. b ePrivacy Regulation also grants an initiative right to the supervisory authorities and the Commission. Accordingly, a request from the aforementioned institutions necessarily leads to the issuance of a publication, the extent of which, however, may vary in view of the issue´s significance and complexity. What is more, the scope of possible requests is conceivably broad, as such refers to “any question covering the application of this Regulation in relation to Chapters I, II and III”. While, indeed, this primarily pertains to the application of the Regulation, also necessary preliminary questions are included, meaning that principally any topic in relation to the ePrivacy Regulation may be subject to the request. Finally, in line with the EDPB´s purpose, laid out under Art. 19 Sec. 1 ePrivacy Regulation, Sec. 2 lit. b states that publications need to encourage a consistent application of this Regulation.
Issuing guidelines, recommendations and best practices represents the EDPB´s principle and most important task within the context of the ePrivacy Regulation.[6] This is underlined by the comparatively large scope of various subject areas, which the legislator expects the EDPB to publish on. Namely they include:
A precise delimitation of the three instruments is difficult to make and also low in yield, as it is rather to be considered as a specification of one and the same publication-format. Guidelines, recommendations and best practices do not have a directly binding effect, but merely provide a framework for orientation.[8] Nevertheless, a considerable steering effect can be assumed, since such orientation (on purpose) retroacts on the application and interpretation by national supervisory authorities and practitioners. All in all, this approach is unique in administrative law, as it involves the creation of an executive-supporting authority, which does itself not issue any measures with external effect.[9] The allocation of quasi-legislative powers must, moreover, accept the reproach of a lack of democratic legitimacy.[10]
Finally, when issuing a publication, the EDPB must forward the results to the Commission and make them public (Art. 19 Sec. 4 ePrivacy Regulation). On the one hand, this provides a reconnection to the higher-level executive body of the Commission, and on the other hand, it fulfills the essential function of a publication, which is to achieve the greatest possible steering effect.
[6] Schiedermair, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 70 Rec. 6 speaks of the „central part of the EDPB´s work”, Körffer, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 70 Rec. 6 of its “core task”.
[8] Nguyen, in: Gola, Datenschutz-Grundverordnung (2018), Art. 70 Rec. 8.
[9] This, of course, pertains to the ePrivacy Regulation alone. In view of the GDPR, such powers are given, as, for instance, the performance of accreditation and specification of respective requirements pursuant to Art. 70 Sec. 1 lits. o and p GPDR.
[10] Nguyen, ibid.; from a historical point of view, however, this even represents a mitigation compared to the GDPR´s original draft, which had provided the Commission with a genuine power to adopt implemention acts, cf. Dix, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 70 Rec. 3.
According to Art. 19 Sec. 2 lit. e ePrivacy Regulation, the EDPB shall provide the Commission with an opinion on the icons referred to in Art. 8 Sec. 3 ePrivacy Regulation.[11] Background of the regulation is Art. 8 Sec. 2 ePrivacy Regulation, according to which the collection of information emitted by end-users´ devices is generally prohibited, except for cases pursuant to Art. 8 Sec. 2 lit. b and c of the ePrivacy Regulation. These presume that the end-user has given their consent or the collection is necessary for the purpose of statistical surveys. Art. 8 Sec. 2a ePrivacy Regulation, subsequently, stipulates that a respective operation requires a clear and prominent notice that shall be displayed within the area of collection. It must inform the end-user about the modalities, purposes, responsible persons and the measures, which can be applied in order to stop or minimize the operation. Art. 8 Sec. 3 ePrivacy Regulation, finally, allows for the use of standardized icons to “give a meaningful overview of the collection in an easily visible, intelligible and clearly legible manner”. While, according to Art. 8 Sec. 4 ePrivacy Regulation, the Commission is empowered to adopt delegated acts about the information presented by such icons and the procedures for providing them, now, Art. 19 Sec. 2 lit. e ePrivacy Regulation orders the EDPB to issue its opinion on that matter. This aims to utilize the board´s specific expertise in matters of data and privacy protection.
[11] See Art. 8 No. II.2.c).
In line with its purpose to contribute to a consistent application of the ePrivacy Regulation, the EDPB shall promote the exchange of knowledge and documentation concerning the legislation on privacy matters, as well as the applied practice of relevant supervisory authorities worldwide. Art. 19 Sec. 2 lit. h ePrivacy Regulation specifies that this particularly pertains to the protection of electronic communications of end-users (see Arts. 5 to 7 ePrivacy Regulation) and the integrity of their terminal equipment (see Art. 8 ePrivacy Regulation), which at the same time represent the Regulation´s core matter. In this sense, the function of the EDPB as of a communication platform is underlined[12], which is intended to establish the best possible application of privacy protection by means of a continuous exchange of information among the European supervisory authorities, as well as the collection of expertise and knowledge from third countries. In the sense of an external monitoring and evaluation body, the EDPB, thus, complements the cooperation between European supervisory authorities. This is, moreover, achieved by a corresponding legal framework under Arts. 18 Secs. 1b and 2; 20 ePrivacy Regulation.
With regard to collection of respective information, the EDPB may resort to various initiatives, which are already in place both on a Union and a worldwide level. Such include, for instance, the International Conference of Data Protection and Privacy Commissioners (ICDPPC)[13], the so-called Spring Conference of the Member States´ data protection authorities and the Council of Europe[14], the Global Privacy Enforcement Network (GPEN)[15] and the International Working Group on Data Protection in Technology (IWGDPT), also known as the ‘Berlin Group’[16].[17]
[12] Schiedermair, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 70 Rec. 10.
[13] See https://privacyconference2018.org, last retrieved 17 May 2022.
[14] See https://edps.europa.eu/data-protection/our-work/edps-worldwide_de, last retrieved 17 May 2022.
[15] See www.privacyenforcement.net, last retrieved 17 May 2022.
[16] See https://www.datenschutz-berlin.de/datenschutz/zusammenarbeit-und-gremien, last retrieved 17 May 2022.
[17] Compilation by Nguyen, in: Gola, Datenschutz-Grundverordnung (2018), Art. 70 Rec. 3.
Prior to performing any of the tasks referred to in Art. 19 Sec. 2 ePrivacy Regulation, the EDPB shall consult the supervisory authorities installed pursuant to Art. 18 Sec. 0 ePrivacy Regulation. This ensures a proper reconnection to the experience of authorities and, thus, serves to prevent devious or impractical recommendations by the board. The prior consultation of authorities corresponds a subsequent consultation of “interested parties” under Art. 19 Sec. 6 ePrivacy Regulation. Such may include, for instance, data protection experts from science and practice, as well as associations concerned with data protection issues.[18]
Consultation under Art. 19 Sec. 6 ePrivacy Regulation is an occasion-related task, which only arises insofar as it appears appropriate in the individual case. Then, however, parties must be given the opportunity to comment on the performance of the task within a “reasonable period” of time. In contrast to Art. 19 Sec. 5 ePrivacy Regulation, the EDPB can organize such consultation by way of a general call for comments, i.e. it does not need to address each party individually. Results of the consultation shall be made publicly available, as far as no specific confidentiality interests pursuant to Art. 76 GDPR prevail. This is particularly the case if company and business secrets are disclosed in the course of consultations.[19]
[18] Schiedermair, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 70 Rec. 13.
[19] Nguyen, in: Gola, Datenschutz-Grundverordnung (2018), Art. 70 Rec. 11.