Article 4 ePrivacy Regulation – Definitions

The close relationship between the ePrivacy Regulation and the GDPR has already been illustrated above (Art. 1 No. I.2.). According to Art. 1 Sec. 3 ePrivacy Regulation, it is a regulatory objective of the ePrivacy Regulation to complement and expand on the existing regulations of the GDPR and thus to create a coherent regulatory landscape. Since the scope of application of the ePrivacy Regulation and the GDPR overlap, it is essential that a uniform understanding of obligations exists within both laws. The ePrivacy Regulation does justice to this by setting out a general reference to the definitions of the GDPR in Art. 4 Sec. 1 lit. a).

The reference in Art. 4 Sec. 1 lit. a) ePrivacy Regulation is a general clause. It is not limited to particular terms or specified in more detail but instead intends to adapt all definitions introduced in the context of the GDPR, unless the ePrivacy Regulation explicitly provides otherwise. However, this reference concerns mainly Art. 4 GDPR, which provides definitions for the most relevant terms used within the GDPR. For many of the definitions in Art. 4, the GDPR also provides Recitals that may serve to determine terms of the ePrivacy Regulation.

a)  Modified definition of ‘processing’, Art. 4 Sec. 2a

Although closely related to each other, the objectives of the GDPR and the ePrivacy Regulation are not identical. Therefore, some of the referenced provisions of the GDPR can only be applied mutatis mutandis within the ePrivacy Regulation in order to fully comply with the regulatory purpose of the latter.^[1] For this reason, some criticism was raised during the legislative process regarding the ePrivacy Regulation’s extensive use of references to the GDPR.^[2]

The most apparent contradiction resulted from the reference to the definition of the term ‘processing’ in Art. 4 No. 2 GDPR. Processing in Art. 4 No. 2 GDPR is defined as ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’.

Thus, in accordance with the scope of application and protective purpose of the GDPR, its definition of processing is limited to personal data only. A literal application of the definition, thus, would lead to the conclusion that non-personal data cannot be the subject of ‘processing’ in the sense of the ePrivacy Regulation. However, the ePrivacy Regulation generally does not distinguish between personal and non-personal data, as long as it is communications-related.^[3] This contradiction, which still existed in the Commission’s Proposal of 2017, was remedied in the text of the ePrivacy Regulation that was eventually adopted by the Council. Art. 4 Sec. 2a of the ePrivacy Regulation now explicitly clarifies that the definition of processing from Art. 4 No. 2 GDPR is to be adopted with the modification that non-personal data can also be the subject of processing in the context of the ePrivacy Regulation.

b)  Definition of ‘consent’ within the ePrivacy Regulation

Consent is a core legal basis under the ePrivacy Regulation as well as under the GDPR,^[4] and the starting point for many cases of application of both legal instruments.^[5] However, the ePrivacy Regulation does not introduce its own autonomous definition for consent. Instead, the definition of Art. 4 No. 11 GDPR applies.

According to the referenced Art. 4 No. 11 GDPR ’consent’ means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of data relating to him or her’.

However, this definition must be modified in the context of its application to the ePrivacy Regulation. It applies only mutatis mutandis, as do all provisions of the GDPR relating to consent that are applied in the context of the ePrivacy Regulation.^[6]

The necessity to modify the definition of consent results from the fact that consent under the GDPR is specifically tailored to natural persons, so-called data subjects.^[7] In the context of the ePrivacy Regulation, however, the definition of consent must also fit legal persons due to its broadened scope of protection according to Art. 1 Sec. 1a ePrivacy Regulation. Therefore, within the framework of the ePrivacy Regulation, the reference to ‘data subject’ in Art. 4 No. 11 GDPR must be replaced by the term ‘end-user’, which also covers legal persons.^[8] With regard to the requirements for valid consent, such as transparency and voluntariness, an adjustment must also take place to the extent that these are to be realised by the legal person.^[9]

c)  Supervisory authority

The ePrivacy Regulation provides for enforcement of its rules primarily by supervisory authorities in Chapter IV, particularly Art. 18. The ePrivacy Regulation does not provide an autonomous definition of the term ‘supervisory authority’. However, the reference to the GDPR in Art. 4 Sec. 1 lit. a) ePrivacy Regulation applies and, additionally, Art. 18 Sec. 0 (sic!) ePrivacy Regulation requires that supervisory authorities that monitor the ePrivacy Regulation shall meet the same requirements as supervisory authorities under the GDPR. Art. 18 Sec. 1 ePrivacy Regulation even provides for the opportunity to instruct the same supervisory authorities that are responsible for the monitoring of the GDPR with the monitoring of the application of Art. 12 – Art. 16 GDPR (Art. 18 para. Xx).

The GDPR defines supervisory authorities in Art. 4 No. 21 as ‘an independent public authority which is established by a Member State pursuant to Art. 51’ GDPR. According to the referenced Art. 51 GDPR, ‘each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union’.

It follows from these definitions, that each Member State shall have its own national supervisory authority. It is also possible to have multiple supervisory authorities in a single Member State according to Art. 18 Sec. 1b ePrivacy Regulation. This is the case, for example, with the supervisory authorities of the GDPR in Germany.^[10]

In the context of the GDPR, it can be observed that the matters affected by the regulation often have a cross-border character, so that several supervisory authorities could be concerned.^[11] This is also likely to be the case in situations that fall within the scope of the ePrivacy Regulation. The regulation was created precisely for the purpose of regulating and enabling the transnational flow of electronic communications data (Art. 1 No. I.1.b). In cases where several supervisory authorities are concerned, the competent supervisory authority must be determined. In absence of explicit provisions within the ePrivacy Regulation, this determination will be made on the basis of the provisions of the GDPR referenced (see Art. 18).

According to Art. 18 Sec. 1ab ePrivacy Regulation, supervisory authorities are granted investigative and corrective powers, including the power to impose fines (Art. 23) in cases of non-compliance with the ePrivacy Regulation. This corresponds to the powers of the supervisory authorities under the GDPR, which are specified in more detail in Art. 58 (for the powers of supervisory authorities under the ePrivacy Regulation see Art. 18).

d)  Representative

According to Art. 4 No. 17 GDPR, the term ‘representative’ shall mean ‘a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Art. 27 [GDPR], represents the controller or processor with regard to their respective obligations under this Regulation’. The role of a representative is also included in the ePrivacy Regulation in Art. 3 Sec. 2 (Art. 3 No. II.).

Providers of electronic communications services (Art. 3 No. II.2.) or electronic communications networks (Art. 3 No. II.2.), who provide their services to end-users located in the EU but who are not established in the EU, are subject to the obligation to appoint such a representative established in the EU. This representative essentially acts as a contact point for supervisory authorities and end-users (Art. 3 No. II.). This obligation is also subject to a fine as per Art. 23 Sec. 2 lit. e) ePrivacy Regulation.

The definition of a representative in Art. 4 Sec. 17 GDPR as referenced in Art. 4 Sec. 1 lit. a) ePrivacy Regulation thus applies on the premise that the representative is to be appointed in accordance with the provisions of Art. 3 Sec. 2 – Sec. 5 ePrivacy Regulation and does not represent the controller or processor, but the actors who provide services as per Art. 3 Sec. 1 ePrivacy Regulation.

e)  Data protection impact assessment

The ePrivacy Regulation requires a ‘data protection impact assessment’ in certain cases. According to Art. 6a Sec. 2 ePrivacy Regulation, an impact assessment is always required prior to the processing of electronic communications content on the basis of Art. 6a Sec. 1 lit. b). In some circumstances it might also be necessary to conduct such an assessment prior to the processing of electronic communications metadata, if this is likely to result in high risks to the rights and freedoms of natural persons (Recital 17). However, the notion of data protection impact assessment is neither defined nor further specified in the ePrivacy Regulation.

The concept of data protection impact assessments was first introduced by the GDPR. If a type of data processing, particularly the use of new technologies, is likely to result in a high risk to the rights and freedoms of individuals, taking into account the nature, scope, context and purpose of the processing, the controller^[12] shall assess the impact of the planned processing activities on the protection of personal data according to Art. 35 Sec. 1 GDPR.^[13] The same applies if an  ongoing processing operation is modified in such a way that it risks potential changes (e.g. change of purposes, change of the processed data itself).[14]

A data protection impact assessment consists of an estimation of the impacts of the intended future processing activities with the aim of identifying high risks to the rights and interests of the data subjects and compliance with legal requirements.^[15] The minimum requirements that need to be included in a data protection impact assessment are set out inArt. 35 Sec. 7 GDPR. The requirements are a systematic description of the planned processing operations and purposes; an assessment of the necessity and proportionality of the planned processing in relation to the purposes, and an assessment of the risks to the rights and freedoms of the concerned parties and the intended measures to address the risks.^[16] There are no further criteria for the scope of a data protection impact assessment, leaving the legal requirements for the concrete procedure very vague.^[17]

Processing of electronic communications content is considered a particularly risk-prone activity under the Privacy Regulation.^[18] In this context, Recital 16a of the ePrivacy Regulation establishes a rebuttable presumption that the processing of such content data will result in  high risks to the rights and freedoms of natural persons. When processing electronic communications content, the service provider should consult, if necessary, the supervisory authority pursuant to Art. 36 Sec. 1 ePrivacy Regulation. The presumption does not apply if the processing is carried out in the context of a service requested by the end-user and the end-user has consented. Further, this presumption does not apply to the processing of electronic communications content based on Art. 6a Sec. 1 lit. a) ePrivacy Regulation. Such processing is also not subject to the requirement to carry out a data protection impact assessment. This flows from Art. 6a Sec. 2 ePrivacy Regulation, which only refers to the permission of Art. 6a Sec. 1 lit. b). However, it will arguably be regularly necessary to perform such data protection impact assessment in the context of Art. 6a Sec. 1 lit. a)  in order to meet the requirements set out by the permission with regard to the protection of the rights and interest of the concerned end-users (Art. 6a para. 20 et seqq.).

Processing of electronic communications metadata can also constitute a high risk activity that requires a data protection impact assessment. This is not derived from the provisions of the ePrivacy Regulation, but can be found in Recital 17. Recital 17 sets out the same indicators for the requirement of a data protection impact assessment as the GDPR. These are the use of new technologies, nature, scope, context and purposes of processing. Based on the criteria established by the GDPR, strong indicators for a particularly risk-prone activity will be the processing of a large amount of metadata or the effect on a large number of end-users.^[19]

[1] Such a corresponding application is expressly provided for in Art. 4a Sec. 1 ePrivacy Regulation concerning the provisions of the GDPR on consent.

[2] Cf. European Parliament, LIBE report A8-0324/2017, 20 October 2017, amendments 52 et seq.; see also Schmitz, ZRP 2017, 172, 173.

[3] In this context, see the comments on ‘electronic communications data’, Art. 4 para. 96 et seqq.

[4] Art. 6 Sec. 1 lit. a) GDPR, see Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) – A Practical Guide (2017), p. 93 et seqq.

[5] Cf. Art. 6a Sec. 1 lit. b); Art. 6b Sec. 1 lit. c), Art. 8 Sec. 1 lit. b) ePrivacy Regulation.

[6] Recital 3; the restriction that definitions are to be applied mutatis mutandis only applied to the definition of consent in the ePR Commission Proposal 2017, but is now extended to all relevant provisions. This is also stipulated in Art. 4a Sec. 1 ePrivacy regulation, see commentary regarding Art. 4a No. I.

[7] Cf. Art. 4a Sec. 1 ePrivacy Regulation.

[8] See details regarding the definition of ‘end-user’ at Art. 4 No. I.2.e).

[9] On the specific requirements for a valid declaration of consent in general and its transferability to declarations of consent of legal persons, see Art. 4a.

[10] In Germany, the multiplicity of supervisory authorities is due to the federal system, see Voigt/von dem Bussche, The EU General Data Protection Regulation, p. 189 (2017).

[11] Voigt/von dem Bussche, The EU General Data Protection Regulation, p. 189 (2017).

[12] The processor shall assist the controller in ensuring compliance with this obligation according to recital 95 GDPR.

[13] Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR), p. 47 (2017).

[14] Art. 35 Sec. 11 GDPR; Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR), p. 47 (2017).

[15] Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 47.

[16] Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 47.

[17] Von dem Bussche in: Plath, BDSG/DSGVO, Art. 35 (2016), para. 17; Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 49.

[18] Recital 16a.

[19] Cf. Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR), p. 48 (2017).

Unlike the reference to the GDPR in Art. 4 Sec. 1 lit. a) ePrivacy Regulation, the definitions adopted from the EECC are explicitly specified in Art. 4 Sec. 1 lit. b) ePrivacy Regulation. Consequently, the terms contained in the EECC relevant to the application of the ePrivacy Regulation are easier to identify.

a)  Electronic communications network, Art. 2 no. 1 EECC

The term ‘electronic communications network’ refers to ‘transmission systems, whether or not based on a permanent infrastructure or centralised administration capacity, and, where applicable, switching or routing equipment and other resources including network elements which are not active, which permit the conveyance of signals by wire, radio, optical or other electromagnetic means, including satellite networks, fixed (circuit- and packet-switched, including internet) and mobile networks, electricity cable systems, to the extent that they are used for the purpose of transmitting signals, networks used for radio and television broadcasting, and cable television networks, irrespective of the type of information conveyed’.

This definition is to be understood in a broad manner and corresponds to the principle of technology neutrality.^[20] Recital 12 EECC clarifies that the regulations of the EECC cover the use of radio frequency of all types of electronic communications networks, in particular emerging technologies and autonomous systems of wirelessly interconnected radio devices, which can function independently of a central network operator. Furthermore, Recital 13 draws attention to the fact that requirements for communication networks are constantly growing who in turn are continuously evolving. The technology neutral design of the Regulation aims to encompass such developments and cover ‘function creeps’ as well.^[21]

b)  Electronic communications service, Art. 2 no. 4 EECC

According to Art. 2 no. 4 EECC, the term ‘electronic communications service’ refers to services provided via electronic communications networks, usually for remuneration. This includes in particular:

– Internet access services (Art. 2 no. 4 lit. (a) EECC);

– Interpersonal communications services (Art. 2 no. 4 lit. (b) EECC); and

– Services consisting wholly or mainly of the conveyance of signals such as transmission services used for the provision of machine-to-machine services or for broadcasting (Art. 2 no. 4 lit. (c) EECC).

Other examples for electronic communications services are phone services (analogue voice telephones and voice-over-IP), text message services, email services (text messages and webmail) and fax services. Regarding end-users’ rights and freedoms, it makes no difference whether providers convey signals by themselves or merely enable the communication.^[22] Therefore, the definition of electronic communications services does not follow a technological, but a functional approach as follows from Recital 15 EECC.^[23]

According to Recital 16 EECC, the requirement of provision for remuneration does not necessarily require payment in money. Rather, the definition also includes electronic communications services provided in exchange for other goods and services which are perceived by the market participants as a monetary value or economic benefit. These are, in particular, user data (personal data within the meaning of the GDPR as well as other information) that is provided directly, indirectly, actively or passively, in exchange for access to a communication service.^[24] All cases in which the service provider monetises user data are included.

In addition, it is also considered a remuneration if the end-user is exposed to advertisement in return for access to a service for the broadcasting of which the service provider is then paid by a third party. This relatively broad understanding of ‘remuneration’ in Union law is in accordance with the jurisprudence of the CJEU on the concept of remuneration in the context of the freedom of services in Art. 57 TFEU.^[25]

aa)  Internet access services

The term ‘internet access services’ is not defined in the EECC, but in Art. 2 No. 2 Regulation (EU) 2015/2120 to which Art. 2 no. 4 lit. (a) of the EECC refers. According to this chain of legal references, the term ‘internet access services’ refers to publicly available electronic communications services, which provide access to the internet and thereby connect to virtually all end points of the internet, irrespective of the network technology and terminal equipment used. This includes a multitude of services and connection types, such as services providing internet access over DSL, fibre, cable modem, satellite connection or Wi-Fi hotspots.

bb)  Interpersonal communications service

Art. 4 Sec. 1 lit. b) ePrivacy Regulation contains an autonomous reference to Art. 2 no. 5 EECC regarding the definition of the term ‘interpersonal communications service’, although this definition is already provided by the reference to electronic communications services, as a sub-category of the latter. For more details on the definition of interpersonal communications services in the meaning of Art. 2 no. 5 EECC see Art. 4 No. I.2.b).

cc)  Services consisting wholly or mainly in the conveyance of signals

The third type of services that, according to the referenced provision of Art. 2 no. 4 EECC, qualify as electronic communications services are services consisting wholly or mainly in the conveyance of signals. Examples are transmission services used for the provision of machine-to-machine services or for broadcasting.

Generally, a conveyance of signals takes place when the content of the conveyance, broken down into data packets, is fed into an electronic communications network where it is conveyed to the receiving party.^[26] As mentioned above, services that predominantly consist of this type of technical process qualify as electronic communications service pursuant to Art. 4 Sec. 1 lit. b ePrivacy Regulation, Art. 2 No. 4 and Recital 15 of the EECC.

Whether or not a provider’s service consists in the conveyance of signals is determined on the basis of the degree of responsibility that the provider bears for the conveyance of the signal.^[27] This is decided on a  case-by-case basis. The CJEU found such responsibility in a case where a remunerated online calling service was  performed on the basis of the online service provider’s own legally binding contracts with providers of the relevant Public Switched Telephone Network (‘PSTN’) and internet providers, that exercised the conveyance of the signal.^[28] The exercise of the conveyance of the signal by third parties was of no relevance to the court. The remuneration by the end-users and the own contractual obligations significantly implied its responsibility towards the users.

In contrast, the court denied responsibility in the case of a web-based e-mail service provider where there was no additional indicator for such responsibility of the provider, apart from the general communication element of its service. The court concluded that it was mainly the responsibility of the internet access providers and the operators of the various networks among the open internet to convey the signals necessary for the functioning of any web-based e-mail service.^[29] According to the court, the responsibility of the supplier of web-based e-mail services required an additional element in connection to the responsibility vis-à-vis the users that held an e-mail account with the supplier. The mere participation in a conveyance service that was mainly performed by other parties did not suffice.

However, with the entering into force of the EECC, the responsibility for the conveyance of signals should no longer be a matter of concern. According to Recital 15 EECC, the end-user’s perspective is decisive. From the perspective of an end-user, it is irrelevant whether a provider conveys signals themselves or whether the communication is delivered via an intermediary internet access service. Therefore, only functional rather than technical considerations are decisive. The definition of electronic communications services introduced by the EECC influences the ePrivacy Directive and the corresponding Member States’ implementing laws (Art. 2 No. II.1.f). The ePrivacy Regulation stays in line with this trend when referencing the EECC.

The scrapping of the technical conveyance of signals as a decisive criterion for electronic communications services is the reason why OTT services are included in the new definition of the EECC (Art. 2 No. II.1.f), Art. 1 No. II.1.). OTT services usually do not convey signals themselves but rely on the conveyance of signals by others and are delivered over the network infrastructure of others.^[30] This circumstance had previously led to a lack of clarity about their status as electronic communications services, which resulted in a lack of clarity in law.

The CJEU judgment above, which rejected the responsibility of web-based e-mail service providers for the conveyance of signals, also concluded that ‘pure’ OTT services with no other special characteristics do not constitute electronic communications services falling under any of the applicable European legal frameworks.^[31] This finding revealed a major regulatory gap in the context of privacy protection, since end-users increasingly replace traditional telecommunications services, such as voice telephony, text messages (SMS) and electronic mail conveyance services with OTT services.^[32] Therefore, it has been one major aim of the ePrivacy Regulation to finally include those services in the European electronic communications regulatory framework and thereby keep pace with recent technical developments and practical demands.^[33]

With regard to the privacy interests of end-users, it makes no difference whether providers convey signals themselves or whether the communication is delivered via an internet access service.^[34] Therefore, OTT must be considered a functionally equivalent service and necessarily falls within the scope of the ePrivacy Regulation. This is because the Regulation aims to ensure an equal level of data protection, regardless of the way the signals are conveyed.^[35] It is impossible to achieve the regulatory objective to create high standards of protection of privacy and confidentiality of communications without regulatory recognition of OTT services.

Examples for OTT services that are also interpersonal communications services are instant messengers like WhatsApp, Telegram, Signal and iMessage, Voice-over-IP services like Skype, Viber, FaceTime and e-mail services such as Gmail, Outlook.com, Yahoo, web.de and GMX.

Although signals may be conveyed between machines as well, they do not constitute interpersonal communication.^[36] Since the ePrivacy Regulation aims to ensure the protection of the rights to privacy and confidentiality of communications, those special conveyances must also be covered by the protection, Recital 12 ePrivacy Regulation. As a result of the development of the markets and of the communications services as well as the technical means of providing the communications data, the conveyance of signals only depends on the conveyance via electronic communications services.

Example (1): Company T builds and deploys smart meters. These devices measure the electricity consumption in a residential unit and transmit the data collected to a central server for billing purposes. While no human is involved in the communication, it is an electronic communications service as signals are conveyed. Another example is the communication process between self-driving cars to warn about vicinity to objects or other risks.

dd)  Exception: services including content control

Services that provide content or exercise editorial control over content do not constitute electronic communications services within the EECC, according to Art. 2 No. 4. This exception refers to various web services such as news sites or online shops where content is determined unilaterally by the web service provider. Therefore, such services do not fall within the scope of the ePrivacy Regulation, an exception that is also made by  reference in Art. 4 Sec. 1 lit. b) ePrivacy Regulation. According to Recital 7 EECC, audiovisual policy and content is regulated separately, by means of autonomous legislation. This is because it involves regulatory objectives and purposes, such as freedom of expression, media pluralism, the protection of minors, that are different to the objectives of protection of privacy and confidentiality that are pursued with regards to communications.^[37]

The exception for content and editorial control is not without difficulties, especially with regard to the only recently included OTT services. OTT services frequently use algorithmic means and filters to supervise and control content, so-called ‘editorial control’.^[38] However, the use of such algorithmic means may well pose privacy risks that cannot necessarily be addressed adequately within the framework of the regulation of audiovisual media services alone, but rather constitute a matter of concern for the ePrivacy Regulation.^[39] Thus, it seems questionable to which extent the exception of editorial control in privacy-related cases will be applied. Unfortunately, the ePrivacy Regulation does not provide any more detailed provisions on this.

c)  Interpersonal communications services, Art. 4 Sec. 1 lit. b)

The term ‘interpersonal communications services’ is defined in Art. 2 no. 5 EECC. The term refers to a sub-category of the notion ‘electronic communications service’ referred to above, but is listed separately in Art. 4 Sec. 1 lit. b) ePrivacy Regulation within the references to the EECC. According to the definition in Art. 2 no. 5 EECC, it includes all services that enable a direct interpersonal and interactive exchange of information between a finite number of persons,^[40] whereby the initiating or participating persons are the recipients. Recital 17 EECC lists examples for this type of services,such as traditional voice calls between two individuals or all types of emails, messaging services, or group chats.

Communications involving legal persons can also constitute interpersonal communications services within the definition. This is when natural persons act on behalf of those legal persons or are involved at least at one side of the communication.^[41] This is in accordance with the regulatory purpose of the ePrivacy Regulation, which requires that legal persons not be excluded rationae personae from the scope of the definition of interpersonal communications services, Art. 1 Sec. 1a.

Furthermore, Art. 2 no. 5 EECC explicitly refers once again to the necessity of remuneration for the relevant service. However, this is only of a declaratory nature. Interpersonal communications services as a sub-category of electronic communications services already have to be provided for remuneration according to the definition pursuant to Art. 2 no. 4 EECC.^[42]

aa)  Communication ‘merely as a minor ancillary feature’ to another service

The referenced definition in Art. 2 no. 5 EECC excludes services that enable interpersonal or interactive communication as a merely minor ancillary feature which is intrinsically linked to another main service. Whether a communication feature is ‘purely ancillary’ or ‘insignificant’ in terms of this definition is interpreted rather narrowly and determined from the perspective of end-users.^[43]

However, although the ePrivacy Regulation references this definition of the EECC, the reference does not cover the exception mentioned above. According to Art. 4 Sec. 2 ePrivacy Regulation, such interpersonal communication services are included in the protection of the confidentiality of communications even if ‘merely a minor ancillary feature’.^[44] Thus, contrary to the referenced EECC definition, interpersonal communications services that only fulfil a subordinate function within another service are explicitly within the scope of the ePrivacy Regulation. In other words, in the context of Art. 4 Sec. 1 lit. b), Sec. 2 ePrivacy Regulation, communication capabilities are not the decisive aspect of a product for its categorisation as interpersonal communications service. Instead, communication capabilities as a side feature is sufficient under the ePrivacy Regulation.^[45]

Examples for such ancillary interpersonal communications services are chat functionalities in computer games, support chats in online shops or the personal messaging tools in services like Facebook, Instagram, Twitter, Snapchat, TikTok or web forums.

Thus, social networks providing personal message or chat functionalities as part of their services will qualify as interpersonal communications services regardless of their technical design and capabilities. The question that remains is how to deal with social networks that do not offer traditional messaging functions, but provide possibilities for the users to share information and content only.^[46] This assessment might vary depending on the specific set-up of each network. Thereby, the end users’ expectations of confidentiality should be decisive, i.e. whether the user can define the group of recipients or whether the user even knows, with whom the exchange takes place.^[47] For example, messages exchanged over timelines of social networks that are visible only for a finite number of contacts may well fall under the scope of interpersonal communications services.^[48]

On the other hand, the Council of the European Union proposed an amendment to the Recitals in the sense that customer care chats and in-game communications open to all players of a game should not be considered interpersonal communications services, because of the end-user’s usually diminished expectations in the  confidentiality of such services.^[49]

bb)  Interactivity

A service is ‘interactive’ when it allows the recipient of the information to respond.^[50] The service must allow for communications between a certain number of individuals determined by the sender.^[51] If those requirements are not met, the ePrivacy Regulation does not apply due to lack of an interpersonal communications service.^[52]

Examples of interpersonal communications services are: Voice calls between two individuals; all types of emails; messaging services and group chats. ^[53]

In contrast, examples that are generally not considered interpersonal communications services are: services enabling linear broadcasting, video on demand, websites, social networks, blogs, or exchange of information between machines. A web forum is not an interpersonal communications service per se as it does not facilitate communication between a defined and finite group of recipients, but to the general public. The same applies to websites that feature a comments section. ^[54]

d)  Number-based and number-independent interpersonal communications services, Art. 4 Sec. 1 lit. b)

Art. 4 Sec. 1 lit. b) ePrivacy Regulation refers to ‘number-based interpersonal communications services’ and ‘number-independent interpersonal communications services’ as terms to be determined on the basis of the definitions referenced in the EECC. As has been pointed out above, the general term of interpersonal communications services constitutes a sub-category of electronic communications services and is defined in Art. 2 no. 5 EECC.^[55] This category of interpersonal communications services is further specified by means of the additional factors ‘number-based’ or ‘number-independent’ as set out in Art. 2 no. 6 and Art. 2 no. 7 EECC.

According to the referenced definition in Art. 2 no. 6 EECC, a service is considered number-based, if it ‘connects with publicly assigned numbering resources, namely, a number or numbers in national or international numbering plans, or which enables communication with a number or numbers in national or international numbering plans’. Recital 18 EECC further restricts this definition to the effect that the assignment of any arbitrary number as an identifier is insufficient. Instead, the end-user numbers must be assigned to the relevant services in order to ensure end-to-end connectivity or enable end-users to reach persons to whom such numbers have been assigned. Providers of such services are subject to additional obligations, as these services participate in and benefit from publicly assured interoperable ecosystems and, thus, are a subject of public interest.^[56] Such additional obligations for providers of these special services are inter alia set out in Arts. 12, 13 and Art. 14 ePrivacy Regulation.

A service is defined as number-independent, when it ‘does not connect with publicly assigned numbering resources, namely, a number or numbers in national or international numbering plans, or which does not enable communication with a number or numbers in national or international numbering plans’, according to the referenced definition set out in Art. 2 no. 7 EECC. As number-independent interpersonal communications services do not participate in the publicly assured interoperable ecosystem, providers of such services are not subject to specific regulatory obligations, unless public interest requires otherwise.^[57]

e)  End-User, Art. 4 Sec. 1 lit. b)

Art. 4 Sec. 1 lit. b) ePrivacy Regulation refers to the definition of the term ‘end-user’ in Art. 2 no. 14 EECC. The term end-user is a frequently recurring notion within the ePrivacy Regulation and is highly relevant to its application, as the end-user is the central subject of protection in the Regulation.

According to Art. 2 no. 14 EECC, ‘end-user’ shall mean ‘a user not providing public electronic communications networks or publicly available electronic communications services’. A ‘user’, in turn, is an ‘individual or legal person using or requesting a publicly available electronic communications service’ (Art. 2 no. 13 EECC Directive). Thus, in accordance with the subject matter of the ePrivacy Regulation as defined in its Art. 1 Sec. 1a, legal person in the sense of non-human entities, such as corporations, can be considered end-users.^[58]

aa)  Distinction between end-users and providers

The primary focus of the definition in Art. 2 no. 14 EECC are regulatory questions regarding the provision of telecommunications networks and services. In that context, a subject is either an ‘end-user’ or ‘a provider’ and therefore the difference between both terms is relatively clear. However, in ePrivacy-scenarios, the identification of end-users may be more difficult.

In the context of the ePrivacy Regulation, there might be entities that provide public communications networks or publicly available electronic communications services and thus cannot be considered end-users in that regard. They may, however, engage in different parallel activities, either for internal purposes or in other fields of business, which might classify them as end-users.

Example: X is a freelance software developer and provides a messaging app for smart devices that relies on a server infrastructure provided by himself. X is, thus, not an end-user regarding actions in connection with his business of providing a messaging app. However, he uses his messaging app as a user as well. In that regard, he is not acting as a provider of communications services.

Therefore, the distinction between an end-user and a non-end-user requires a focus on the respective activities. Despite not qualifying as an end-user when providing public communication networks or publicly available electronic communication services, it is still possible to qualify as an end-user, should one use or request the usage of publicly available electronic communications. In this case, protection under Art. 5 ePrivacy Regulation and its further provisions is granted after all.

bb)  End-Users in machine-to-machine communications

The wording of the referenced definition of end-users in Art. 2 no. 14, no. 13 EECC does not allow for an interpretation that includes machines, which results in machine-to-machine communications falling outside the scope of protection of the ePrivacy Regulation.^[59] However, according to Recital 12 ePrivacy Regulation, transmission of machine-to-machine communication is included if it is carried out via publicly available electronic communications networks or services.^[60] In order to fall within the ePrivacy Regulation, said communication must be attributed to an individual or a legal person, who is then considered the respective end-user. According to Recital 12, providers of machine-to-machine communications typically operate at the application level, above electronic communications services. Providers of such services and their costumers are therefore considered end-users, and not providers, of these services and benefit from the protection of confidentiality of their communications data.^[61]

Examples: T is a teenager who uses a messenger service via his/her mobile phone’s cellular connection. P is a professional carpenter who uses a PC for office work that is connected to the internet via cable modem. Corporation L has deployed several servers in a datacentre that provides computational capacity for L’s internal needs only; the servers are connected to the internet via the data centre’s routers and several fibre optic connections. When communicating with other parties, T, P and L are end-users.

Corporation M is a provider of telecommunication networks and owns several fibre-optic backbones. Individual X is a freelance software developer and provides a messaging app for smart devices that relies on a server infrastructure provided by herself. M and X are not end-users in the described capacity.

f)  Definition of ‘call’, Art. 4 Sec. 1 lit. b)

The last definition of the EECC referenced by Art. 4 Sec. 1 lit. b) ePrivacy Regulation is the definition of the term ‘call’, which is set out in Art. 2 no. 31 EECC. According to Art. 2 no. 31 EECC, ‘call’ means ‘a connection established by means of a publicly available interpersonal communications service allowing two-way voice communication’. Some of the obligations specified in the ePrivacy Regulation specifically refer to providers enabling calls as part of their service, which are usually also providers of number-based interpersonal communications services. These obligations are found in Arts. 12, 13 and Art. 14 ePrivacy Regulation, and refer to the conditions and requirements regarding calling line identification, as well as to handling of nuisance calls.^[62]

[20] Cf. recital 13 et. seq. EECC.

[21] Cf. recital 13, 14 EECC.

[22] Recital 15 EECC.

[23] Cf. below at Art. 4 No. I.2.cc) regarding the relevance of conveyance of signals within the functional approach to electronic communications services.

[24] Recital 16 EECC.

[25] Judgment of the CJEU of 26 April 1988, C-352/85, at para. 16; Judgement of the CJEU from 11 September 2014, C-291/13, at para. 27 et seq.; Judgement of the CJEU from 15 September 2016, C-484/14, at para. 41 et seq.; Cf. recital 16 EECC.

[26] CJEU, judgement from 13 June 2019 – C-193/18, para. 34.

[27] CJEU, judgement from 30 April 2014 – C-475/12, para. 43; CJEU, judgement from 5 June 2019 – C-142/18, para. 29.

[28] CJEU, judgement from 5 June 2019 – C-142/18, para. 33.

[29] CJEU, judgement from 13 June 2019 – C-193/18, para. 32 et seq., particularly at 36.

[30] BEREC, Report on OTT services, BoR (16) 35, p. 14.

[31] Cf. CJEU, judgement from 13 June 2019 – C-193/18, para. 38.

[32] Directorate-General for Internal Policies, An Assessment of the Commission’s Proposal on Privacy and Electronic Communications, May 2017, p. 36.

[33] ePR Commission, Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), 2017/003, Explanatory Memorandum, p. 1.

[34] Cf. recital 15 EECC.

[35] Cf. EDPB, statement from 25 May 2018 on the revision of the ePrivacy Regulation and its impact on the protection of individuals with regard to the privacy and confidentiality of their communications, at p. 2.

[36] Cf. recital 17 sent. 5 EECC.

[37] This regulatory matter is covered by the Directive (EU) 2018/1808 of the European Parliament and of the Council of 14 November 2018 amending Directive 2010/13/EU on the coordination of certain provisions laid down by law, regulation or administrative action in Member States concerning the provision of audiovisual media services (Audiovisual Media Services Directive) in view of changing market realities and is partly subject to the Proposal for a Regulation of the European Parliament and of the Council on a Single Market For Digital Services (Digital Services Act) and amending Directive 2000/31/EC from 15 December 2020, Doc. No. 2020/0361 (COD).

[38] Directorate-General for Internal Policies, An Assessment of the Commission’s Proposal on Privacy and Electronic Communications, May 2017, p. 38 et seq.

[39] Ibid.

[40] A finite number shall mean a not potentially unlimited number of natural persons, which is determined by the sender of the communication, according to recital 17 EECC.

[41] Recital 17 EECC.

[42] See Art. 4 No. I.2.b) above regarding the remuneration for electronic communications services.

[43] Recital 17 EECC.

[44] See also recital 11a ePrivacy Regulation.

[45] Woger, PinG 2018, 80, 82.

[46] The social network Instagram, for example, did not contain a messaging function when it was initially launched in 2010. Users could only share content, which could then be commented on by other users – generally publicly visible. Only in December 2013 the feature ‘instagram direct’ was introduced, allowing direct and private messaging between users. Additionally, this feature was only available at the mobile app until 2020, when it was introduced in the web app as well. See ‘Introducing Instagram Direct Message’, 12 December 2013, https://about.instagram.com/blog/announcements/introducing-instagram-direct-message (last access: 25 March 2021); Ashley Carmen, ‘Instagram starts bringing DMs to the web, 14 January 2020, https://www.theverge.com/2020/1/14/21063269/instagram-web-dm-test-launch-browser-access-messages-facebook (last access: 25 March 2021).

[47] Cf. Council of the European Union, ST 11001/19, p. 10.

[48] Directorate-General for Internal Policies, An Assessment of the Commission’s Proposal on Privacy and Electronic Communications, p. 39 et seq.

[49 Council of the European Union, ST 11001/19, p. 10.

[50] Recital 17 EECC.

[51] Recital 17 EECC.

[52] Recital 17 EECC Directive.

[53] Cf. recital 17 EECC Directive.

[54] Cf. recital 17 EECC Directive.

[55] See para. 46 et seqq.

[56] Cf. recital 18 EECC.

[57] Recital 18 EECC.

[58] Cf. Art. 1 No. I.1.a).

[59] Directorate-General for Internal Policies, An Assessment of the Commission’s Proposal on Privacy and Electronic Communications, May 2017, p. 42.

[60] Regarding the requirement of public availability, see Art. 4 No. III.1.a), Art. 2 No. III.4.; Similarly to the regime of the ePrivacy Directive see EDPB, statement from 25 May 2018 on the revision of the ePrivacy Regulation and its impact on the protection of individuals with regard to the privacy and confidentiality of their communications, p. 2.

[61 Recital 12.

[62] See commentaries regarding Art. 12, Art. 13 and Art. 14 respectively.

According to Art. 4 Sec. 1 lit. c) ePrivacy Regulation, the term ‘terminal equipment’ shall be defined as in Art. 1 Sec. 1 Directive 2008/63/EC. The latter defines terminal equipment as ‘equipment directly or indirectly connected to the interface of a public telecommunications network to send, process or receive information; in either case (direct or indirect), the connection may be made by wire, optical fibre or electromagnetically; a connection is indirect if equipment is placed between the terminal and the interface of the network’ (Art. 1 Sec. 1 lit. a) Directive 2008/63/EC); or ‘satellite earth station equipment’ (Art. 1 Sec. 1 lit. b) Directive 2008/63/EC).^[63]

The definition of terminal equipment is of major relevance with regard to Art. 8 ePrivacy Regulation. The latter intends to secure the integrity of terminal equipment by means of a prohibition of interference.^[64] The main case of application for this provision is likely to be the application of cookies, which repeatedly has been the subject of legal disputes in the ePrivacy context in recent years.^[65]

It follows from the referenced definition of terminal equipment in Art. 1 Sec. 1 lit. a) Directive 2008/63/EC that, generally, any device that is directly or indirectly connected to the interface of a public telecommunications network to send, process or receive information can be considered terminal equipment in terms of the ePrivacy Regulation. This encompasses, for instance, routers, modems, desktop and portable computers, tablets, smartphones or other smart devices like smart TVs or smart speakers. The two relevant factors for such devices to qualify as terminal equipment are (i) the existence of a public telecommunications network and (ii) a connection therewith.

a)  Public telecommunications network

The term ‘public telecommunications network’ is not defined in EU law, neither in Directive 2008/63/EC nor the ePrivacy Regulation. Consequently, the meaning must be determined autonomously.

Albeit not referring to public telecommunications networks, the ePrivacy Regulation references the definitions of the resembling terms ‘electronic communications network’ and ‘public electronic communications network’ set out in Art. 2 no. 1, no. 8 EECC. According to these definitions, an ‘electronic communications network’ is a transmission system which permits the conveyance of signals by wire, radio, optical or other electromagnetical means, irrespective of the type of information conveyed.^[66] The definition includes all networks regardless of whether they are permanent or provisional, centralized or decentralized and encompasses all necessary equipment of such networks, including active as well as non-active components, switching or routing equipment and other resources. Such an electronic communications network is ‘public’ when used wholly or mainly for the provision of publicly available electronic communications services (for the requirement of public availability within the ePrivacy Regulation see Art. 2 No. III.4.^[67]

However, the referenced definition of terminal equipment in Art. 1 Sec. 1 Directive 2008/63/EC uses the formulation public telecommunications network and, thus, differs from the notions of the EECC referring to electronic communications. Both terms also differ in content. According to the understanding of the European legislator, which is reflected in the Framework Directive, telecommunications services are a special type of signal transmission and a subcategory of the generic term electronic communications services, which includes telecommunications as well as other means of transmission, for example, broadcasting, which is to be distinguished from telecommunications.^[68] Thus, electronic communications services constitutes the more general and broadly understood generic term and is consequently the more appropriate choice of terminology in the context of the technology-neutral ePrivacy Regulation. The same arguably applies to the relationship between public electronic communications network and public telecommunications network. Consequently, the terminology based on telecommunications is generally interpreted more restrictively than electronic communications services and networks as defined in the EECC and adapted by the ePrivacy Regulation.

However, to refer unconditionally to such rather restrictively formulated definition in Art. 1 Sec. 1 Directive 2008/63/EC does not fit into the overall concept of the ePrivacy Regulation, which is intended to establish technology-neutrality and adaptation of the law to the present state of the art. Generally, the term ‘telecommunication’ is no longer used within the ePrivacy Regulation. It was most likely not the intention of the legislator to introduce such a meaning for the definition of ‘terminal equipment’ in the ePrivacy Regulation, that is restricted to equipment connected to telecommunications networks, while consistently referring to electronic communications networks and services as the relevant case of application of the regulation.^[69] Furthermore, Recital 13 states that terminal equipment connected to a closed (non-public) network also falls under the scope of the ePrivacy Regulation if this network, in turn, is connected to a public electronic communications network. Thus, in connection with public availability and in contrast to of Art. 1 Sec. 1 Directive 2008/63/EC, it is not a decisive factor whether terminal equipment is connected to a telecommunications network. Rather, in the context of the ePrivacy Regulation, terminal equipment must be connected to a public electronic communications network, contrary to the referenced definition in Directive 2008/63/EC which refers to public telecommunications networks. Therefore, it may be referred to the definition of ‘public electronic communications network’ as defined in the EECC and illustrated above (para. 74), in order to determine whether an end-user’s device is connected to a network that meets the requirements of the ePrivacy Regulation and thus qualifies as terminal equipment. In consequence, the reference in Art. 4 Sec. 1 lit. c) ePrivacy Regulation to the definition of terminal equipment in Directive 2008/63/EC applies only mutatis mutandis.

Further examples for a ‘public telecommunications networks’ are classic telephone networks consisting of copper cable and the respective active infrastructure; networks operated by Internet access providers over copper cable or fibreglass; satellite networks; cellular networks, e.g. 4G/LTE, or Wi-Fi networks, whether public or available for-pay, e.g. in a hotel.

b)  Connection

There must be a connection between the public telecommunications network and the end-user’s device in order for the latter to qualify as terminal equipment. It is of no importance for the applicability of the ePrivacy Regulation, whether the connection of the device to the telecommunications network is made on a physical level or not, since the referenced definition in Art. 1 Sec. 1 Directive 2008/63/EC encompasses all practical relevant connection types.

aa)  Indirect network connections

Devices connected indirectly to a public telecommunications network are equally considered ‘terminal equipment’ according to Art. 1 Sec. 1 Directive 2008/63/EC. Following this provision, ‘a connection is indirect if equipment is placed between the terminal and the interface of the network’.

Example: A mobile phone using its cellular connection to communicate with a cell tower is directly connected to a public telecommunications network; the same applies to a landline phone that is directly plugged into the socket provided by the network operator. A tablet computer that uses its Wi-Fi adaptor to connect to a mobile phone which is connected to the Internet by cellular connection (‘tethering’) is indirectly connected as mentioned above.

In the context of Directive 2008/63/EC, the term ‘indirectly’ has been interpreted in a way that includes only passive intermediary equipment between the end-user’s device and the network.^[70] Such strict interpretation, however, cannot be upheld within the ePrivacy Regulation, as it would exclude a wide number of cases of application in which devices are connected to a network via other active devices, i.e. devices with own amplifying effect, control function or energy intake.^[71] In the context of the referenced Directive 2008/63/EC, an exclusion of active devices may be appropriate, as it concerns matters of competition law and pursues different legislative purposes. In the context of the ePrivacy Regulation, however, such application would be detrimental to its regulatory purposes to ensure high standards of protection of privacy and the confidentiality of communications for a broad spectrum of technologies and cases of application. This illustrates the problems that come with the  approach of the ePrivacy Regulation to ‘copy-and-paste’ existing definitions from other European legal instruments without adapting them to the ePrivacy context.

Therefore, in the context of the ePrivacy Regulation, the term ‘indirectly’ has to be interpreted in a wider sense, allowing to include active intermediary equipment. It would counteract the ePrivacy Regulation’s approach, which seeks to provide effective and comprehensive protection of information on end-user’s devices, to exclude these cases from the scope of Art. 8 ePrivacy Regulation.

bb)  Connection to wireless adapters

Interpreted in a narrow sense, a device that is only equipped with a wireless adaptor (e.g. Wi-Fi or Bluetooth), but not connected to a network cannot be considered as terminal equipment, since a device merely in the process to connect is not yet connected. However, the relevant provisions regarding the protection of terminal equipment in Art. 8 ePrivacy Regulation include limitations of third-party interception of data that is emitted by terminal equipment when trying to connect to other devices or networks in Art. 8 Sec. 2.^[72] If devices ‘not yet connected’ were not considered ‘terminal equipment’, there would be no reasonable field of application left for the aforementioned Art. 8 Sec. 2 ePrivacy Regulation (cf. Art. 8). Therefore, in the context of the ePrivacy Regulation, for a wireless device to be regarded as ‘connected to the interface of a public telecommunications network’ and therefore qualify as ‘terminal equipment’, it is sufficient if the respective device is only in the process of connection to a network.

Example: A Wi-Fi-enabled device does not have to be connected to a Wireless LAN to be in the material scope of the ePrivacy Regulation. It is sufficient when its wireless adaptor is enabled.

cc)  Outbound connections at private networks

Since the definition of terminal equipment in Art. 1 Sec. 1 Directive 2008/63/EC only refers to devices connected to public networks, the ePrivacy Regulation does generally not apply to devices which are connected to private networks, i.e. networks with a closed group of users. Such private networks are, for example, corporate networks where access is limited to members of the corporation.^[73] However, many private networks nowadays also contain some kind of gateway to other public networks, especially the internet. For example, many company networks have a gateway that allows their employees access to the internet. The same applies to all Wi-Fi networks in private homes.

In cases of a device also being able to make connections to public electronic communications networks while connected to a private network, this device is exposed to the same kind of privacy threats as it would be if it were connected directly to such a network. Therefore, while the ePrivacy Regulation does not apply to the internal functioning of private networks, its regulatory purpose requires it to apply to outbound connections. Recital 13 correspondingly provides for such an interpretation of the term terminal equipment, thus deviating from the originally referenced definition in Art. 1 Sec. 1 Directive 2008/63/EC and setting out that ‘the provisions of this Regulation regarding the protection of end-users’ terminal equipment information also apply in the case of terminal equipment connected to a closed group network such as a home (fixed or wireless) network which in turn is connected to a public electronic communications network’.^[74]

Example: Company A operates a computer network in its office. It also employs a security software that periodically accesses all computers in the network as well as the ongoing network traffic for security issues. None of these activities are subject to the ePrivacy Regulation, because they take place inside a private network only. However, the network also provides a gateway to the Internet. When one of the computers creates a connection to an external web server and that web server tries to access information on said computer, the ePrivacy Regulation applies.

[63] ‘Satellite earth station equipment’ is defined in Art. 1 Sec. 2 of Directive 91/163/EEC as ‘equipment which is capable of being used either for transmission only, or for transmission and reception (transmitreceive), or for reception only (receive-only), of radio-communication signals by means of satellites or other space-based systems, but excluding purpose-built satellite earth station equipment intended for use as part of the public telecommunications network of a Member State’. In the context of the ePrivacy Regulation, in particular the more detailed specification of the notion of terminal equipment, the term ‘satellite earth station equipment’ does not occur and does not play any further role for the application of the regulation. Consequently, it will also be neglected within the framework of this commentary.

[64] See the commentary on Art. 8.

[65] See Art. 8.

[66] See Art. 2 no. 1 of the EECC.

[67] Art. 2 no. 8 EECC.

[68] See Art. 2 lit. c) Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive); see also the definition at https://eur-lex.europa.eu/summary/glossary/electronic_communications_services.html (last access:  7 April 2021).

[69] Cf. recital 12, 13; the ePrivacy Regulation does not contain any explicit reference to public telecommunications networks.

[70] Lünenbürger/Stamm, in: Scheurle/Mayen, Telekommunikationsgesetz, § 3 TKG (2018), para. 71 with reference to Bundesrat parliamentary paper 365/15, p. 7 and thereby to the Note of the European Commission’s ‘Telecommunication Conformity Assessment and Market Surveillance Committee’ on ‘Application of the R&TTE Directive to indirectly connected equipment and to equipment with LAN Ports’ of 01 February 2012, Ref. Ares(2015)1711191 – 22/04/2015.

[71] Lünenbürger/Stamm, in: Scheurle/Mayen, Telekommunikationsgesetz, § 3 TKG (2018), para. 71.

[72] See Art. 8.

[73] Recital 13.

[74] The ePR Commission Proposal 2017 did not yet contain such a clarification with regard to private networks.

As the final definition referenced from another act of European law, Art. 4 Sec. 1 lit. d) ePrivacy Regulation refers to ‘information society services’ as defined in Art. 1 Sec. 1 lit. b) Directive (EU) 2015/1535.^[75] These are any services ‘normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.’

a) Legal definitions of Art. 1 Sec. 1 lit. b) and Annex I Directive (EU) 2015/1535

Additionally, some of the elements of this definition are specified in Art. 1 Sec. 1 lit. b) Directive (EU) 2015/1535:

i. ‘at a distance’, describes that the parties are not simultaneously present while the service is provided;

ii.‘by electronic means’, means that the service is sent initially and received at its destination by means of electronic equipment for the processing (including digital compression) and storage of data, and entirely transmitted, conveyed and received by wire, by radio, by optical means or by other electromagnetic means;

iii. ‘at the individual request of a recipient of services’ means that the service is provided through the transmission of data on individual request.

Examples for such information society services are online search engines, social networks or online sales platforms. For the purpose of determining whether a service constitutes an information society service within the meaning of this definition, Annex I to Directive (EU) 2015/1535 may be referred to in addition. It provides an indicative list of services that are not included in the definition of information society services  and therefore provides the basis for a negative delimitation.^[76]

According to Annex I Directive (EU) 2015/1535, a service is not provided at distance in the case of consultation of an electronic catalogue in a shop with the customer on site, or a plane ticket reservation made by means of network computers but in the physical presence of the customer at the travel agency. Furthermore, a service is not provided by electronic means if it contains material content even though it is provided via electronic devices, or if distribution of the service takes place offline, or if the service is not provided via electronic processing/inventory systems.^[77] In the ePrivacy context, the latter exception is particularly relevant. Based on Annex I No. 2, it mainly covers voice telephony services. However, arguably, only classic telephony and fax services that operate via Public Switched Telephone Networks (‘PSTN’; particularly the landline network and mobile phone network) are covered by this exception. Voice telephony services provided via the internet, meanwhile, fulfil the criterion of electronic processing and are thus likely to constitute information society services.

Generally, there is a large potential of overlap between the definitions of ‘information society services’ and the definition of ‘electronic communications services’. Recital 10 EECC sets out that electronic communications services as defined by the EECC may constitute information society services in terms of Art. 1 Sec. 1 lit. b) Directive EU 2015/1535 as well. Both laws are generally applicable in parallel. There is thus a partially overlapping regulation by the Union legislator.^[78]

b) Service provided for remuneration

Neither Art. 1 Sec. 1 lit. b) of the Directive (EU) 2015/1535 nor its Annexes contain a more detailed explanation or definition of the requirement of remuneration included in the definition of information society services. However, Union law in general applies a broad understanding of the term ‘remuneration’, which does not require a monetary payment; the provision of the service in an otherwise commercial context is sufficient.^[79] This broad understanding of the term applies in the context of the definition of electronic communication services^[80] and is transferable to information society services, as has been confirmed by the CJEU.^[81]

[75] In principle, the reference is superfluous at this point, as the general reference to all definitions of the GDPR in Art. 4 Sec. 1 lit. a) ePrivacy Regulation already indirectly refers to the definition of Art. 1 Sec. 1 lit. b) Directive (EU) 2015/1535 referenced via Art. 4 No. 25 GDPR (Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services).

[76] Art. 1 Sec. 1 lit. b) Directive (EU) 2015/1535.

[77] Directive (EU) 2015/1535, Annex I Indicative list of services not covered by the second subparagraph of point (b) of Article 1(1), at no. 2.

[78] Cf. Buchner/Kühling, DS-GVO, Art. 4 para. 5a (2020).

[79] See Art. 4 No. I.2.b) above.

[80] Recital 16 EECC.

[81] Judgement of the CJEU from 15 September 2016, C-484/14, at para. 41 et seq.