Paul Voigt, Axel von dem Bussche: the EU ePrivacy Regulation – Preliminary Guidance and Commentary 

Article 5 ePrivacy Regulation – Confidentiality of electronic communications data

Electronic communications data shall be confidential. Any interference with electronic communications data, including listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance and processing of electronic communications data, by anyone other than the end-users concerned, shall be prohibited, except when permitted by this Regulation.

Corresponding Recitals:

(1) Article 7 of the Charter of Fundamental Rights of the European Union (“the Charter”) protects the fundamental right of everyone to the respect for his or her private and family life, home and communications. Respect for the confidentiality of one’s communications is an essential dimension of this right, applying both to natural and legal persons. Confidentiality of electronic communications ensures that information exchanged between parties and the external elements of such communication, including when the information has been sent, from where, to whom, is not to be revealed to anyone other than to the parties involved in a communication. The principle of confidentiality should apply to current and future means of communication, including calls, internet access, instant messaging applications, e-mail, internet phone calls and personal messaging provided through social media.

(15) Electronic communications data should be treated as confidential. This means that any interference of electronic communications data, whether directly by human intervention or through the intermediation of automated processing by machines, without the consent of the communicating parties should be prohibited. Interception of electronic communications data may occur, for example, when someone other than the communicating parties, listens to calls, reads, scans or stores the content of electronic communications, or the associated metadata for purposes other than the exchange of communications. Interception also occurs when third parties monitor websites visited, timing of the visits, interaction with others, etc., without the consent of the end-user concerned. As technology evolves, the technical ways to engage in interception have also increased. Such ways may range from the installation of equipment that gathers data from terminal equipment over targeted areas, such as the so-called IMSI (International Mobile Subscriber Identity) catchers, to programs and techniques that, for example, surreptitiously monitor browsing habits for the purpose of creating end-user profiles. Other examples of interception include capturing payload data or content data from unencrypted wireless networks and routers, including browsing habits without the end-users’ consent.

 

(15a) The prohibition of interception of electronic communications content under this Regulation should apply until receipt of the content of the electronic communication by the intended addressee, i.e. during the end-to-end exchange of electronic communications content between end-users. Receipt implies that the end-user gains control over, and has the possibility to interact with, the individual electronic communications content, for example by recording, storing, printing or otherwise processing such data, including for security purposes. The exact moment of the receipt of electronic communications content may depend on the type of electronic communications service that is provided. For instance, depending on the technology used, a voice call may be completed as soon as either of the end-users ends the call. For electronic mail or instant messaging, depending on the technology used, the moment of receipt may be as soon as the addressee has collected the message, typically from the server of the electronic communications service provider. Upon receipt, electronic communications content and related metadata should be erased or made anonymous in such a manner that no natural or legal person is identifiable, by the provider of the electronic communications service except when processing is permitted under this Regulation. After electronic communications content has been received by the intended end-user or end-users, it may be recorded or stored by those end-users. End-users are free to mandate a third party to record or store such data on their behalf.

 

(16) The prohibition of processing, including storage of communications is not intended to prohibit any automatic, intermediate and transient processing, including storage of this information insofar as this takes place for the sole purpose of carrying out the transmission in the electronic communications network. Processing of electronic communications data by providers of electronic communications services and networks should only be permitted in accordance with this Regulation. It should not prohibit the processing of electronic communications data without consent of the end-user to ensure the security, including the availability, authenticity, integrity or confidentiality, of the electronic communications services, including for example checking security threats such as the presence of malware or viruses, or the identification of phishing. Security measures are essential to prevent personal data breaches in electronic communications. Spam electronic messages may also affect the availability of the respective services and could potentially impact the performance of networks and services, which justifies the processing of electronic communications data to mitigate this risk. Such security measures, including anti-spam measures, should be proportionate and should be performed in the least intrusive manner. Providers of electronic communications services are encouraged to offer end-users the possibility to check electronic messages deemed as spam in order to ascertain whether they were indeed spam.

 

As a general rule, the interference with electronic communications data is prohibited to protect the fundamental rights and freedoms of natural and legal persons in the provision and use of electronic communications services, Art. 5 Sent. 2 ePrivacy Regulation.[1] However, for certain addressees and provided specific legal preconditions are met, exceptions to this general prohibition may apply pursuant to Arts. 6 et seqq. (Art. 6 para. 1 et seqq.). The ePrivacy Regulation thereby corresponds to the GDPR, which, for personal data, also encompasses a general prohibition of processing but provides for legal permissions subject to certain conditions.[2] The predecessor of the ePrivacy Regulation, the ePrivacy Directive, followed a similar approach.[3] Any exceptions and legal permissions relating to the general prohibition of Art. 5 ePrivacy Regulation are to be regarded as narrow, specific and purpose-oriented, which requires a restrictive approach with respect to their application.[4]

The prohibition enshrined in Art. 5 Sent. 2 ePrivacy Regulation covers all means of electronic communications, regardless of the specific type of service that is being used.[5] As highlighted by Art. 5 Sent. 1 ePrivacy Regulation, this is to protect the confidentiality of communications in general.

Examples of services that are covered by Article 5:[6] calls, internet access, instant messaging applications, e-mail, internet phone calls and personal messaging provided through social media.

[1] Art. 5 Sent. 2 and Rec. 15 ePrivacy Regulation; see below, Sect. 4.1(a).

[2] Cf. Art. 6 Sec. 1 Sent. 1 of the GDPR; Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR), p. 87 (2017).

[3] EDPB, statement from 25 May 2018 on the revision of the ePrivacy Regulation and its impact on the protection of individuals with regard to the privacy and confidentiality of their communications, p. 2.

[4] EDPB, statement 03/2021 on the ePrivacy Regulation, 9 March 2021, p. 2.

[5] Rec. 1 ePrivacy Regulation.

[6] Rec. 1 ePrivacy Regulation.

Art. 5 Sent. 1 specifies the object of protection as the confidentiality of electronic communications.[7] The confidentiality of electronic communications is part of the general right to confidentiality of communications, which in turn constitutes a component of the broader right to respect for private life and communications, commonly referred to as the right to privacy as defined in Art. 7 CFR and Art. 8 ECHR (Art. 1 No. I.1.).

The right to confidentiality of communications is considered the modern equivalent to traditional postal secrecy and requires that no other parties than those involved in a communication process gain access to information concerning the communication, which includes its content, but also accruing metadata, i.e. the time of communication and the location of the communicating parties (Art. 1 No. I.1.).[8] Since it does not necessarily require a personal reference or impairment of private life as such, the right to confidentiality of communications constitutes an autonomous and separately protected interest, which is generally also applicable to legal persons. Legal persons, too, may have a legitimate interest in ensuring that information on certain communication processes does not leave the intended circle of participants (Art. 1 No. I.1.a). Thus, it was necessary to include legal persons in the scope of protection of the ePrivacy Regulation (Art. 1 Sec. 1a) in order to meet the regulatory objective of confidentiality of communications.

Ensuring the right to confidentiality of communications constitutes an essential precondition in order to guarantee other fundamental rights and freedoms, such as the freedom of expression and information, as well as the right to personal data protection, freedom of thought and religion (Art. 1 No. I.1.).[9] The application of the ePrivacy Regulation should reflect this emphasis and significance of the protected interest. This applies in particular to the interpretation of the prohibition in Art. 5 Sent. 2 ePrivacy Regulation and its exceptions and permissions.

[7] This is also already generally determined by Art. 1 of the ePrivacy Regulation.

[8] EDPB, Statement of the EDPB on the revision of the ePrivacy Regulation and its impact on the protection of individuals with regard to the privacy and confidentiality of their communications from 25 May 2018, p. 1; cf. Recital 1.

[9] ePR Commission Proposal 2017, Explanatory Memorandum, at 3.6.

While Art. 2 Sec. 1 ePrivacy Regulation defines the material scope of application of the ePrivacy Regulation in a very broad manner, its Art. 2 Sec. 2 stipulates exceptions that further restrict and, thus, specify the material scope of application of the ePrivacy Regulation. The provision lists four cases explicitly exempted from the application of the ePrivacy Regulation, namely

- activities outside of the scope of Union law, and in any event measures, processing activities and operations concerning national security and defence, regardless of who is carrying out those activities, whether it is a public authority or a private operator acting at the request of a public authority (Art. 2 Sec. 2 lit. a ePrivacy Regulation),

- activities of Member States regarding the common foreign and security policy of the EU pursuant to Chapter 2 Title V TEU[10] (Art. 2 Sec. 2 lit. b ePrivacy Regulation),

- issues concerning electronic communications services that are not publicly available (Art. 2 Sec. 2 lit. c ePrivacy Regulation), i.e. when the services are offered to closed groups of end-users only,

- activities for the purpose of criminal prosecution, execution of criminal penalties and safeguarding of public security carried out by competent authorities (Art. 2 Sec. 2 lit. d ePrivacy Regulation) and

- electronic communications data processed after receipt by the end-user (Art. 2 Sec. 2 lit. e ePrivacy Regulation).

[10] See Art. 77 ff. TFEU.

The provision provides an indicative list of the various forms of prohibited means of interference, which are: listening, tapping, storing, monitoring and scanning, as well as other kinds of interception, surveillance and processing of electronic communications data, by anyone other than the end-users concerned. Recital 15 contains further explanations and specifications as to which measures shall fall under the prohibition.

The terminology of interception might imply a limitation to electronic communications content; however, Recital 15 explicitly clarifies that interception might also take place in relation to electronic communications metadata. Therefore, storage of information regarding the time and duration of a call, for instance, might be qualified as an unlawful form of interception of electronic communications in terms of Art. 5 Sent. 2 ePrivacy Regulation. Further examples of interception include capturing payload data or content data from unencrypted wireless networks and routers as well as browsing habits without the end-users’ consent, Recital 15.

The prohibition in Art. 5 ePrivacy Regulation is aligned with the general technology-neutral approach of the ePrivacy Regulation. With regard to the forms of interception, Recital 15 states that these are subject to constant and rapid change as well as technological progress. The ever-increasing possibilities and measures by which interference with electronic communications data can take place are intended to be addressed by the generic provisions within the framework of the ePrivacy Regulation. Therefore, the examples of interception and interference set out in Art. 5 as well as in the Recitals of the ePrivacy Regulation are to be interpreted and applied in accordance with such a broad and technology-neutral understanding and, in particular, are not to be regarded as conclusive. In the context of the required technology neutrality, Recital 15 emphasises the use of evolving technologies and methods to collect and analyse data on the terminal equipment of end-users in order to draw conclusions about their browsing habits and digital behaviour for the purpose of creating corresponding end-user profiles (Art. 8).[11] Such measures may also constitute means of interception of electronic communications data and therefore fall within the scope of the prohibition of Art. 5 as well as Art. 8 ePrivacy Regulation.

[11] Recital 15.

In addition to the permissions within the end-user’s autonomous control, such as consent and request of services (see Art. 6), there are also exceptions to the prohibition of interference that can apply independently of the end-user.

When processing, including storage of electronic communications data and intermediate and transient processing, takes place solely for purposes of carrying out a transmission within an electronic communications network, it may be exempt from the general prohibition of interference under Art. 5 Sent. 2 ePrivacy Regulation.[12] This also applies if the interference or processing in question is intended to ensure the security, availability, authenticity, integrity, or confidentiality of the requested electronic communications services (e.g. identification and remediation of security threats such as viruses or malware; Art. 6 para. 17 et seqq.). The end-user’s explicit consent to the processing is not required in such cases (Art. 6 Sec. 1 lit. b) and lit. c) ePrivacy Regulation).[13] The rationale behind this is that service and network providers ought to take appropriate precautionary measures in order to prevent and mitigate external data protection breaches and, thus, serve the protection of rights and interests of their end-users.[14]

This exception regarding the security of electronic communications services refers in particular to the interception and filtration of spam messages, for example, by providers of e-mail web services, which may affect not only the security but also the availability of such services. However, such preventive measures should always be proportionate and the least intrusive means to pursue such goals, which is clarified explicitly with regard to spam messages but generally applies to all other conceivable precautionary security measures, Recital 16. In the specific context of spam messaging, end-users should be given the possibility to manually access the contents of such intercepted messages, for example by temporarily storing them in a separate spam folder linked with the end-user’s inbox.[15]

Finally, Member States are permitted, under certain conditions, to restrict the scope of application of Art. 5 ePrivacy Regulation for purposes of public interest by legislative means. This is provided for in Art. 11 ePrivacy Regulation and, in particular, refers to measures of public safety as well as the investigation and prosecution of criminal offences (Art. 11).[16]

[12] Recital 16.

[13] Recital 16.

[14] Recital 16.

[15] Recital 16.

[16] Recital 26; in a first statement of the EDPB concerning the position of the Council of the European Union on the ePrivacy Regulation, the EDPB notes that the envisaged possibilities of Member States to restrict the scope of the provisions of the ePrivacy Regulation, especially with regard to data retention, appear to contradict data protection standards as well as jurisprudence of the CJEU. See EDPB, statement 03/2021 on the ePrivacy Regulation, 9 March 2021, p. 2, see Art. 11; see also statement of the German Federal Commissioner for Data Protection and Freedom of Information from 10 February 2021, who raises similar concerns, especially with regard to precautionary data retention. Available at https://www.bfdi.bund.de/DE/Infothek/Pressemitteilungen/2021/03_Ratsposition-ePrivacy-VO.html .

During the legislative process, the question was raised of how to align the confidentiality of communications with the right of the involved parties to handle their own communications data as they please, which supposedly was not sufficiently regulated in the initial ePR Commission Proposal 2017.[17] In consequence, the material scope envisaged by Art. 2 ePrivacy Regulation has been limited, so that it does not extend to processing of electronic communications data after receipt by the designated end-users, Art. 2 para. 2 lit. e) ePrivacy Regulation (Art. 2 No. III.5.).[18]

As regards electronic communications content (which is subject to particularly strict protection under the ePrivacy Regulation, Art. 6a para. 1 et seqq.), it is highlighted in Recital 15a that the general prohibition of interception of Art. 5 Sent. 2 ePrivacy Regulation applies only until receipt of the electronic communications content.[19] However, the same will apply to interception of electronic communications metadata due to the limitation of scope of application of the ePrivacy Regulation enshrined in Art. 2 Sec. 1 lit. e) and Recital 8aa. It follows from these two provisions that the ePrivacy Regulation is generally limited in its applicability to the period during which the communication process lasts. Consequently, Recital 15a serves only declaratory purposes with regard to electronic communications content and does not imply a different application between the two types of electronic communications data. Thus, after receipt, i.e. when the communications process has terminated, the parties to a communication process generally enjoy freedom of disposal regarding their electronic communications data, including the possibility to share this data with third parties for processing purposes on their behalf (Art. 2 No. III.5.).

In particular, end-users are intended to be provided with the possibility to share electronic communications data with third party service providers to be able to use certain services. Recital 8aa of the ePrivacy Regulation provides an indicative example for the sharing of electronic communications data by end-users with providers of security technologies and services in order to ensure network and information security, including the prevention, monitoring and termination of fraud, or facilitating efficient delivery of website content. The end-user has a legitimate interest in the use of such services, which has to be addressed appropriately. Additionally, end-users may have a reasonable and legitimate interest to permanently store electronic communications content or electronic communications metadata. This is part of the receipt of electronic communications data, which grants end-users the right to control and to dispose of such data.[20] It is, thus, only legitimate and necessary to enable end-users to make use of third party services for such purposes and, in turn, to allow third parties to provide such services lawfully.[21]

In order to determine when the prohibition of Art. 5 of the ePrivacy Regulation applies and when it ceases to have effect, it is necessary to determine the exact moment of receipt. This moment depends on the means of communication, Recital 15a. This will influence the time of completion of a communication process. An abstract definition is therefore impossible. Rather, decisions will have to be made on a case-by-case basis. Nevertheless, to facilitate legal certainty and a harmonised application of the law among Member States, Art. 19 Sec. 2 lit. da) ePrivacy Regulation provides that the EDPB should provide general guidance with regard to the determination of receipt (Art. 19).

According to Art. 5 Sent. 2 ePrivacy Regulation, the prohibition of interference with electronic communications data applies to ‘anyone other than the end-users concerned’. Since the only parties entitled to access the content of the communication are the end-users participating in the communication, any party outside the communication process shall not interfere with it. The participating parties in a communication process are defined as the sender and intended addressee of the communication. The prohibition of Art. 5 Sent. 2 ePrivacy Regulation is limited ratione personae to third parties only.[22] Consequently, it appears unnecessary to limit the application of Art. 5 Sent. 2 ePrivacy Regulation to the period before receipt. Since the prohibition is directed at third parties only and not at the recipient and sender, the latter are always and generally excluded from it. In other words, Art. 5 Sent. 2 never applies to these parties, regardless of the point in time and whether receipt has already taken place. Therefore, it would not have been necessary to exempt the participating parties to a communication process from the prohibition of Art. 5 Sent. 2 ePrivacy Regulation after receipt. On the other hand, as regards third party service or network providers – with whom end-users are intended to have the possibility to share data – Art. 5 Sent. 2 ePrivacy Regulation applies irrespective of the time of receipt. Whether the prohibition of processing applies to these parties depends solely on the codified permissions of Art. 6 et seqq. ePrivacy Regulation. Consequently, these providers are not affected by the limitation of Art. 5 ePrivacy Regulation until receipt. As a consequence, in light of this limitation, the supposed temporal restriction of Art. 5 ePrivacy Regulation has only a declaratory character.

[17] Council of the European Union, ST 12336/18 from 20 September 2018, p. 2.

[18] Council of the European Union, ST 14491/18 from 23 November 2018, p. 4.

[19] While the wording of recital 15a is limited to ‘interception’, the restriction on application until receipt must apply equally to all forms of interference in terms of Art. 5 ePrivacy Regulation. The imprecise wording of the recital is arguably due to an editorial mistake.

[20] Cf. recital 15a.

[21] Cf. recital 15a.

[22] Cf. recital 15.
