Paul Voigt, Axel von dem Bussche: The EU ePrivacy Regulation – Preliminary Guidance and Commentary

Article 6 ePrivacy Regulation – Permitted processing of electronic communications data

Art. 6 ePrivacy Regulation

1. Providers of electronic communications networks and services shall be permitted to process electronic communications data only if:

(a) it is necessary to provide an electronic communication service; or

(b) it is necessary to maintain or restore the security of electronic communications networks and services, or detect technical faults, errors, security risks or attacks on electronic communications networks and services;

(c) it is necessary to detect or prevent security risks or attacks on end-users’ terminal equipment;

(d) it is necessary for compliance with a legal obligation to which the provider is subject laid down by Union or Member State law, which respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the safeguarding against and the prevention of threats to public security.

2. Electronic communications data shall only be permitted to be processed for the duration necessary for the specified purpose or purposes according to Articles 6 to 6c and if the specified purpose or purposes cannot be fulfilled by processing information that is made anonymous.

3. A third party acting on behalf of a provider of electronic communications network or services may be permitted to process electronic communications data in accordance with Articles 6 to 6c provided that the conditions laid down in Article 28 of Regulation (EU) 2016/679 are met.

(15a) The prohibition of interception of electronic communications content under this Regulation should apply until receipt of the content of the electronic communication by the intended addressee, i.e. during the end-to-end exchange of electronic communications content between end-users. Receipt implies that the end-user gains control over, and has the possibility to interact with, the individual electronic communications content, for example by recording, storing, printing or otherwise processing such data, including for security purposes. The exact moment of the receipt of electronic communications content may depend on the type of electronic communications service that is provided. For instance, depending on the technology used, a voice call may be completed as soon as either of the end-users ends the call. For electronic mail or instant messaging, depending on the technology used, the moment of receipt may be as soon as the addressee has collected the message, typically from the server of the electronic communications service provider. Upon receipt, electronic communications content and related metadata should be erased or made anonymous in such a manner that no natural or legal person is identifiable, by the provider of the electronic communications service, except when processing is permitted under this Regulation. After electronic communications content has been received by the intended end-user or end-users, it may be recorded or stored by those end-users. End-users are free to mandate a third party to record or store such data on their behalf.

(16) The prohibition of processing, including storage, of communications is not intended to prohibit any automatic, intermediate and transient processing, including storage, of this information insofar as this takes place for the sole purpose of carrying out the transmission in the electronic communications network. Processing of electronic communications data by providers of electronic communications services and networks should only be permitted in accordance with this Regulation. It should not prohibit the processing of electronic communications data without consent of the end-user to ensure the security, including the availability, authenticity, integrity or confidentiality, of the electronic communications services, including for example checking security threats such as the presence of malware or viruses, or the identification of phishing. Security measures are essential to prevent personal data breaches in electronic communications. Spam electronic messages may also affect the availability of the respective services and could potentially impact the performance of networks and services, which justifies the processing of electronic communications data to mitigate this risk. Such security measures, including anti-spam measures, should be proportionate and should be performed in the least intrusive manner. Providers of electronic communications services are encouraged to offer end-users the possibility to check electronic messages deemed as spam in order to ascertain whether they were indeed spam.

(16a) The protection of the content of electronic communications pertains to the essence of the fundamental right to respect for private and family life, home and communications protected under Article 7 of the Charter. Any interference with the content of electronic communications should be allowed only under very clearly defined conditions, for specific purposes and be subject to adequate safeguards against abuse. This Regulation provides for the possibility of providers of electronic communications services to process electronic communications content in transit, with the informed consent of all the end-users concerned. For example, providers may offer services that entail the scanning of emails to remove certain pre-defined material. Given the sensitivity of the content of communications, this Regulation sets forth a presumption that the processing of such content data will result in high risks to the rights and freedoms of natural persons. When processing such type of content, the provider of the electronic communications service should consult the supervisory authority if necessary pursuant to Article 36 (1) of Regulation (EU) 2016/679. Such consultation should be in accordance with Article 36 (2) and (3) of Regulation (EU) 2016/679. The presumption does not encompass the processing of content to provide a service requested by the end-user where the end-user has consented to such processing and it is carried out for the purposes and duration strictly necessary and proportionate for such service.

(16b) Services that facilitate end-users' everyday life, such as index functionality, personal assistants, translation services and services that enable more inclusion for persons with disabilities, such as text-to-speech services, are emerging. Processing of electronic communications content might also be necessary for some functionalities normally used in services for individual use, such as searching and organising the messages in email or messaging applications. Therefore, as regards the processing of electronic communications content for services requested by the end-user for their own individual use, consent should only be required from the end-user requesting the service, taking into account that the processing should not adversely affect the fundamental rights and interests of another end-user concerned. Processing of electronic communications data should be allowed with the prior consent of the end-user concerned and to the extent necessary for the provision of the requested functionalities.

(16c) Providers of electronic communications services may, for example, obtain the consent of the end-user for the processing of electronic communications data, at the time of the conclusion of the contract, and any moment in time thereafter. In some cases, the legal person having subscribed to the electronic communications service may allow a natural person, such as an employee, to make use of the service in accordance with Regulation 2016/679.

(17) The processing of electronic communications metadata can be useful for businesses, consumers and society as a whole. Vis-à-vis Directive 2002/58/EC, this Regulation broadens the possibilities for providers of electronic communications services to process electronic communications metadata. However, end-users attach great importance to the confidentiality of their communications, including their online activities, and they also want to control the use of electronic communications metadata for purposes other than conveying the communication. Therefore, providers of electronic communications networks and services should be permitted to process electronic communications metadata after having obtained the end-users' consent. In addition, those providers should be permitted to process an end-user's electronic communications metadata where it is necessary for the provision of an electronic communications service based on a contract with that end-user and for billing related to that contract. Examples of commercial usages of electronic communications metadata by providers of electronic communications services may include the provision of heat maps, i.e. a graphical representation of data using colours to indicate the presence of individuals. To display the traffic movements in certain directions during a certain period of time, an identifier is necessary to link the positions of individuals at certain time intervals. This identifier would be missing if anonymous data were to be used and such movement could not be displayed. Such usage of electronic communications metadata could, for example, benefit public authorities and public transport operators to define where to develop new infrastructure, based on the usage of and pressure on the existing structure.
Where a type of processing of electronic communications metadata, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, a data protection impact assessment and, as the case may be, a consultation of the supervisory authority should take place prior to the processing, in accordance with Articles 35 and 36 of Regulation (EU) 2016/679.

(19) Third parties are legal or natural persons that do not provide an electronic communications service to the end-user concerned. However, sometimes the same legal or natural person can also provide different kinds of services to the same end-user, for example an information society service such as cloud storage. With respect to the provision of this other service, the same legal person is normally deemed to be a third party. If the other service is necessary for the provision of the electronic communications service, such as automatic storage of the messages in the cloud by web-based email, the provider of such a service is normally not deemed to be a third party.

Art. 6 to Art. 6c ePrivacy Regulation provide for permissions for the processing of electronic communications data that exempt certain processing operations from the general prohibition of Art. 5. The four legal bases for lawful processing of electronic communications data that these provisions set out are subdivided as follows:

– General legal bases in Art. 6 Sec. 1 ePrivacy Regulation, which can apply irrespective of the type of electronic communications data concerned;

– Specific legal bases that may be applicable (in parallel to Art. 6) to the processing of electronic communications content as per Art. 6a Sec. 1 ePrivacy Regulation;

– Specific legal bases that may be applicable (in parallel to Art. 6) to the processing of electronic communications metadata as per Art. 6b Sec. 1 ePrivacy Regulation;

– A legal basis that applies exclusively to compatible further processing of electronic communication metadata, i.e. that differentiates both in terms of the type of data concerned and the affected processing operation, as per Art. 6c.

In contrast, the ePR Commission Proposal 2017 provided for a single article as legal basis, which covered all the aforementioned elements and distinguished only in its subsections, which set out different requirements for electronic communications content and metadata.[1] Only the legal basis for further compatible processing now enshrined in Art. 6c ePrivacy Regulation was not initially provided for in the ePR Commission Proposal 2017. However, a corresponding legal basis had already been proposed as an additional subparagraph to Art. 6 in previous Council proposals.[2] The division of the legal basis into four articles has, thus, not created a completely new catalogue of permissions, but instead reorganised the already existing possibilities and partly described them in greater detail. It is noteworthy that the ePrivacy Regulation in its current version does not contain a provision on the processing of electronic communications data for the prevention of criminal offences relating to child pornography, as was proposed during the legislative process (intended as Art. 6d).[3] This issue is now intended to be dealt with in a separate legislative instrument. In July 2021 the European Parliament adopted a resolution approving a temporary derogation from the ePrivacy Directive in order to allow data processing for such preventive purposes.[4]

The structure of the permissions for the processing of electronic communications data reveals a relationship of specificity: while Art. 6 Sec. 1 ePrivacy Regulation contains a general statutory permission for processing, Art. 6a – Art. 6c only apply in very specific cases. Art. 6a – Art. 6c are lex specialis in relation to Art. 6 ePrivacy Regulation and, thus, take precedence in cases where both provisions could apply.[5] Where one of the cases set out in Art. 6a – Art. 6c is applicable, the specific permissions apply and any special requirements for lawful processing must be met. Only if none of the cases provided for is relevant may recourse be had to Art. 6 Sec. 1 ePrivacy Regulation. The general character of Art. 6 ePrivacy Regulation also follows from Art. 6 Sec. 2 and Sec. 3 ePrivacy Regulation. These provisions contain general requirements on the proportionality of processing activities (Art. 6 No. III.) and the engagement of third parties (para. 37 et seqq.), which also apply in the cases of Art. 6a – Art. 6c ePrivacy Regulation.

[1] See ePR Commission Proposal 2017, Art. 6.

[2] Council of the European Union, Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) from 10 July 2018, Doc. No. 10975/18, Art. 6 Sec. 2a.

[3] See the Croatian Proposal, Council of the European Union, Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), Doc. No. 5979/20 from 21 February 2020, p. 26.

[4] European Parliament, Use of technologies for the processing of data for the purpose of combating online child sexual abuse (temporary derogation from Directive 2002/58/EC) Doc. No. P9_TA(2021)0319 from 6 July 2021.

[5] This follows from the common legal principle lex specialis derogat legi generali, see also Art. 1 No. I.2.b).

Regardless of the type of electronic communications data involved, Art. 6 Sec. 1 ePrivacy Regulation permits the processing of electronic communications data by providers of electronic communications services and electronic communications networks[6] if this is necessary for the provision of an electronic communications service (Art. 6 No. II.2.), for maintaining or restoring the security of electronic communications services and networks (Art. 6 No. II.3.) or the terminal equipment of end-users (Art. 6 No. II.4.), or if an applicable legal obligation under Union law or the law of a Member State requires processing of electronic communications data (Art. 6 No. II.5.).

[6] The wording in Art. 6 of the ePR Commission Proposal 2017 suggested a distinction between the addressees of its permission for processing of electronic communications data. While the permission formulated in Art. 6 Sec. 1 ePR Commission Proposal 2017 addressed both providers of electronic communications services and networks, the special legal bases in Art. 6 Sec. 2 and Sec. 3 of the ePR Commission Proposal 2017 for the processing of electronic communications metadata and content were, based on the wording, directed solely at providers of electronic communications services. However, this supposed differentiation was due to an editorial mistake and was subsequently corrected. All of the permissions contained in Art. 6 to 6c of the ePrivacy Regulation apply equally to providers of electronic communications services and networks, cf. Steinrötter, in: Specht/Mantz, Handbuch Europäisches und deutsches Datenschutzrecht, § 5 para. 33.

The permissions set out in Art. 6 Sec. 1 ePrivacy Regulation are determined by the purpose of the intended processing and limited by the standard of 'necessity'. However, the ePrivacy Regulation does not explain when a processing operation is to be classified as necessary in order to achieve the specified purposes. Generally, different interpretations are possible. On the one hand, under a broader standard, useful and beneficial processing operations that are helpful to achieve the purpose could be considered necessary. Alternatively, a strict standard could be applied and 'necessary' could be read as equivalent to 'indispensable'. Under the latter reading, only processing that is vital to achieve a purpose specified in Art. 6 Sec. 1 ePrivacy Regulation will be regarded as lawful and permissible.

While Art. 5 Sec. 3 ePrivacy Directive used the term ‘strictly necessary’, Art. 6 Sec. 1 ePrivacy Regulation only uses the weaker formulation ‘necessary’ in relation to the specified cases. Generally, such change of wording could imply that the new provision intends to set lower requirements for processing. However, Recital 17 ePrivacy Regulation indicates that the term ‘necessary’ in Art. 6 Sec. 1 ePrivacy Regulation is meant to implement a strict standard on its own.

Similarly to Art. 6 ePrivacy Regulation, the general legal basis for processing in Art. 6 GDPR relies on necessity. Within the GDPR, it does not suffice for the intended processing to be helpful for the envisaged purpose in order to be lawful.[7] Rather, processing is considered necessary only if the purpose could not otherwise be fulfilled at all.[8] Necessity in this sense, as applied under the GDPR, is an objective standard that requires an assessment of whether the processing in question constitutes the least intrusive measure compared to other options. Such an interpretation of 'necessary' is in line with a strong protection of the rights and interests of the end-users concerned and is therefore also reasonably applicable under the ePrivacy Regulation. When determining necessary measures, a distinction can be made in particular regarding the necessary extent (Art. 6 No. II.1.a) and the necessary duration (Art. 6 No. II.1.b) of the processing.

However, specificities of the ePrivacy context must be taken into account. In the scope of application of the ePrivacy Regulation, existing technical specifications and industry standards for transmission processes and devices of end-users might predetermine what is necessary in order to provide a service, achieve a transmission or ensure security of a network.[9] Therefore, a case-by-case assessment is often required in order to determine whether a certain technical protocol must be used or if more privacy-friendly alternatives are available.

a) Necessity with regard to the extent of processing

Whether processing is necessary to achieve a purpose specified in Art. 6 Sec. 1 ePrivacy Regulation depends primarily on the scope and extent of the intended processing. Thus, only those specific electronic communications data may be processed that are actually necessary to fulfil the envisaged purpose. Arguably, this will often exclude electronic communications content from the legal bases of Art. 6 Sec. 1 ePrivacy Regulation. For example, processing of the content of an electronic communication will only be necessary in rare cases and at a particularly small scale in order to provide an electronic communications service (Art. 6 Sec. 1 lit. a), see Art. 6 No. II.2.) or to maintain the security of an electronic communications network (Art. 6 Sec. 1 lit. b), see Art. 6 No. II.3.). Whether the processing of communications content is actually necessary for a specific purpose defined in Art. 6 Sec. 1, or whether the processing of metadata alone would be sufficient, is assessed against strict standards. The processing of communications content is generally considered the more risk-prone and intrusive measure under the ePrivacy Regulation (Art. 6a No. I.). Thus, although Art. 6 ePrivacy Regulation does not inherently distinguish between processing of content and metadata, the aforementioned assessment must be reflected in the definition of the notion of necessity.

Where Art. 6 is applied to the processing of electronic communications metadata, a differentiated assessment of necessity is required depending on the specific metadata in question. For example, if the processing of location data is considered necessary to achieve a purpose of Art. 6 Sec. 1 ePrivacy Regulation, this will not automatically permit the processing of other electronic communications metadata, such as the time and duration of the electronic communication process.

Examples of processing that is necessary to provide an electronic communications service and achieve a transmission: automatic, intermediate and transient storage, duplication, partition, merging etc. of communications data for technical reasons in hardware on the route of transmission, e.g. in buffers for the purpose of packet transmission, as a necessity of the chosen technical method of transportation.[10]

b) Necessity with regard to the duration of processing

The requirement of necessity also limits lawful processing of electronic communications data in its duration. A processing operation that was originally necessary to achieve a specific purpose can subsequently cease to be necessary after a certain period of time has passed. Generally, the latest relevant point in time will be the moment when the respective purpose of the processing is accomplished, i.e. an electronic communications service has been provided or a security threat to an electronic communications network has been detected and averted. Any subsequent processing activities cannot be justified on the basis of Art. 6 Sec. 1 ePrivacy Regulation, and providers have to delete any electronic communications data by then, unless another specific permission applies, Art. 7 ePrivacy Regulation. However, even if such a permission exists, further processing of the data might be subject to the GDPR where personal data is concerned.

[7] Albers/Veit, in: Wolff/Brink, BeckOK Datenschutzrecht, Art. 6 (2020), para. 17.

[8] Albers/Veit, in: Wolff/Brink, BeckOK Datenschutzrecht, Art. 6 (2020), para. 17; This is assumed for the GDPR in particular in the context of necessity for the performance of a contract, Art. 6 Sec. 1 lit. b) GDPR, EDPS, Assessing the Necessity of Measures that limit the fundamental right to the protection of personal data: A Toolkit, p. 6, EDPB, Opinion 2/2019 on the interplay between the ePrivacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data protection authorities from 8 October 2018, p. 7.

[9] Cf. Engeler, PinG 2018, 141, 144 f.

[10] Recital 16.

The processing of electronic communications data is allowed if it is necessary for the provision of an electronic communications service based on a contract with the end-user.[11] The provision of the electronic communications service and thus indirectly also the intended data processing must, thus, be part of the performance of a contract entered into by the end-user. The purpose of the processing of electronic communications data permitted under Art. 6 Sec. 1 lit. a) ePrivacy Regulation therefore corresponds to that of Art. 6 Sec. 1 lit. b) GDPR.

However, the legal basis of Art. 6 Sec. 1 lit. a) ePrivacy Regulation, which does not differentiate between the types of data involved, should be interpreted rather restrictively and as closely as possible to the wording of the legal permission, so as not to undermine the required level of protection for electronic communications data. Consequently, only the processing necessary for the provision of the contractual service agreed upon, i.e. transmission of a signal, is covered by Art. 6 Sec. 1 lit. a) ePrivacy Regulation. The legal permission does not apply to other activities related to the performance of the contract, such as billing. The latter is explicitly mentioned in Recital 17 as being covered by the permission to process electronic communications data, but arguably with reference to the more specific legal basis of Art. 6b Sec. 1 lit. b) ePrivacy Regulation, which is limited to the processing of metadata. Therefore, the comparison with the general legal basis of Art. 6 Sec. 1 lit. b) GDPR only applies to a limited extent, as the latter refers to a wider range of diverse acts taking place in the context of the performance of a contract and might render such processing lawful.[12]

In comparison to the corresponding provision envisaged in the ePR Commission Proposal 2017, the legal permission of Art. 6 Sec. 1 lit. a) ePrivacy Regulation is relatively broad. Art. 6 Sec. 1 lit. a) of the ePR Commission Proposal 2017 allowed for the processing of electronic communications data in order to achieve the transmission of the communication. The transmission of a communication is, depending on the contractual agreement, only a part of the provision of the whole requested electronic communications service and therefore offers a smaller scope of justification for processing of electronic communications data.[13] Depending on how an electronic communications service is designed, it need not be limited to the transmission of content between the communicating parties. Rather, it can include, for example, the subsequent storage or provision of communications. In turn, the 'transmission' as envisaged by the ePR Commission Proposal 2017 is generally achieved and terminated as soon as the recipient has retrieved the communication. Art. 6 Sec. 1 lit. a) ePrivacy Regulation, thus, covers a broader range of justifiable services compared to the ePR Commission Proposal 2017. This was precisely the aim of the Council of the European Union, which intended to include all processing activities that may be required in the provision of electronic communications services.[14]

Consequently, the ePrivacy Regulation is now more permissive in this context than originally envisaged. This development was necessary given the intended technology-neutrality of the ePrivacy Regulation as well as its objective of promoting the offer and further development of electronic communications services, Recital 17 (in this regard see Art. 1 No. I.1.b). Too narrow a design of this legal permission could restrict the possibilities for development of electronic communications services and the emergence of new offers of such services. On the one hand, this would not be in the interest of the providers and, on the other hand, not necessarily in the interest of the protected end-users either.[15]

[11] Recital 17.

[12] Cf. Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 102; EDPB, Statement of the EDPB on the revision of the ePrivacy Regulation and its impact on the protection of individuals with regard to the privacy and confidentiality of their communications from 25 May 2018, p. 1 et seq.

[13] With regard to the various electronic communications services that may be considered, see Art. 4 No. I.2.b)bb).

[14] Council of the European Union, Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) from 5 January 2021, Doc. No. 5008/21, para. 32.

[15] See recital 17.

Where it is necessary to maintain or restore the security of electronic communications networks and services or to detect technical faults and errors, security risks or attacks on electronic communications networks and services, providers may process electronic communications data pursuant to Art. 6 Sec. 1 lit. b) ePrivacy Regulation. The envisaged maintenance of security also includes the guarantee of availability, authenticity, integrity or confidentiality of electronic communications and services, which are also covered by Art. 6 Sec. 1 lit. b) ePrivacy Regulation.[16] Thus, these purposes may also allow providers to process electronic communications data.

In the context of Art. 6 Sec. 1 lit. b) ePrivacy Regulation, the question arises as to whether all measures for the security of electronic communications services and networks should be covered by this legal basis or whether providers should only be able to invoke this justification if there is actually an imminent security risk, which would preclude preventive measures not founded on a particular suspicion. The legal permission in Art. 6 Sec. 1 lit. b) ePrivacy Regulation is subject to the general requirement of necessity, especially with regard to time and scope of the permitted processing (see above Art. 6 No. II.1.), which in itself does not exclude preventive measures if these are covered by the purpose in the first place. It is not expressly defined whether the provision is intended to allow for responsive processing only, i.e. in cases where the provider already has indication on security issues, or whether it also covers pre-emptive screening of electronic communications data.

As regards the legal situation in the EU Member States, comparable provisions are in place that the ePrivacy Regulation will supersede and which can serve as a benchmark for interpretation. An example is § 12 Sec. 1 of the German Telecommunications-Telemedia Data Protection Act (TTDSG). In connection with this provision, the German Federal Court of Justice (BGH) decided that security-related processing is also permitted as a precautionary measure, without a specific fault or error being present. The court further considered it proportionate for a provider to retain IP addresses for security reasons for a period of seven days.[17] It is unlikely that the European legislator intended to weaken this standard of network security, as doing so would itself pose a risk to the rights and interests of end-users and run counter to the objective of the ePrivacy Regulation. Furthermore, the wording 'to maintain or restore' in Art. 6 Sec. 1 lit. b) ePrivacy Regulation allows for an interpretation under which pre-emptive security measures are included. 'Maintenance' implies that security measures undertaken irrespective of a particular security threat, but necessary to ensure that the required level of security is consistently guaranteed, fall within the provision. This understanding is supported by the inclusion of availability, authenticity, integrity and confidentiality among the justifiable security purposes, as well as by the emphasis in Recital 16 on security measures for the prevention of personal data breaches. Furthermore, examples of permissible measures are listed, such as measures for the identification of malware, viruses and phishing.[18] Such identification measures have a preventive character and may require pre-emptive screening in order to be effective. They may thus serve as an indication of the legislative intent to cover necessary preventive measures.
Additionally, the restriction of legal bases for the processing of electronic communications data is intended to protect end-user rights and interests. This purpose would be turned on its head if applying the restriction resulted in reduced protection against security threats. It can therefore be assumed that Art. 6 Sec. 1 lit. b) ePrivacy Regulation also covers pre-emptive screening of communications data for security and technical reasons.

In addition to the preventive processing of electronic communications data that will be necessary on a continuous or regular basis in order to maintain the general security of the electronic communications services and networks, the legal permission of Art. 6 Sec. 1 lit. b) ePrivacy Regulation also refers to processing of electronic communications data for security purposes on an ad hoc basis. This may apply, for example, in response to an incident that has occurred suddenly and poses an acute threat to the security of the services. In such cases, data processing beyond the scope of what is required on a daily basis may become necessary to restore security. The requirement of necessity enshrined in Art. 6 Sec. 1 lit. b) ePrivacy Regulation will be of particular relevance in these cases. Even in such exceptional situations, permitted processing of electronic communications data will be limited to what is genuinely necessary and must be terminated at the moment when the security threat has been averted. Service and network providers will, thus, have to perform a balancing act in order to find a measure that leads to the quickest possible averting of security risks, since ‘not doing enough’ can in itself result in a violation of end-user rights and interests and, thus, a breach of provider obligations. On the other hand, they have to find the least intrusive measure that does not unnecessarily harm the respective rights and interests while averting further damage.

Examples: A group of individuals attacks the network of provider P. Several components break down. To identify the attackers and terminate the attack, P needs to capture and analyse the network traffic, including electronic communications data.

Network provider P notices that its network is working slowly. It figures out that there has to be a faulty component that is dropping packets. To identify the faulty component, it needs to capture and analyse the network traffic, including electronic communications data.

In both cases, P will be allowed to process electronic communications data under Art. 6 Sec. 1 lit. b) ePrivacy Regulation.

Due to the requirement of necessity, processing of electronic communications data which is merely useful or advantageous for the security of a network or electronic communications service will not be covered by Art. 6 Sec. 1 lit. b) ePrivacy Regulation. The processing is necessary if it would be impossible to ensure the security or continuity of the network or service without it. It must be the least invasive means towards end-users of maintaining security. In other words: if the security and continuity of the network could be guaranteed in another way, achieving the same level of security with the same efficiency but with a lesser interference with the confidentiality of communications, the respective processing would be unnecessary and therefore beyond the scope of the permission. Thus, the specific measure selected ought to be assessed on a case-by-case basis, taking into account all possible alternatives available to providers. This also means that new technical developments and possibilities must be continuously taken into account and evaluated by network and service providers.

[16] Recital 16.

[17] BGH, judgement of 13 January 2011, III ZR 146/10, MMR 2011, 341; BGH, judgement of 3 July 2014, III ZR 391/13, ZD 2014, 461.

[18] Recital 17.

The protection of end-user terminal equipment is regarded as equally important for the protection of the confidentiality of communications as the protection of electronic communications data (Art. 8).[19] On the one hand, this requires restrictions on lawful access to terminal equipment through the prohibitions and limitations envisaged by Art. 8 Sec. 1 ePrivacy Regulation (see Art. 8). On the other hand, providers must be enabled to guarantee the security and integrity of terminal equipment when their electronic communications services or networks interfere with it. Therefore, the permission in Art. 8 Sec. 1 lit. c) ePrivacy Regulation, which was not initially envisaged by the ePR Commission Proposal 2017, supplements the legal basis of Art. 6 Sec. 1 lit. b) ePrivacy Regulation to a certain extent. It determines that lawful deviation from the general prohibition of processing of electronic communications data is possible not only for security purposes of networks and services, but also of end-user terminal equipment.

Article 6 Sec. 1 lit. c) of the ePrivacy Regulation also provides for a preventive element, as it explicitly includes measures for the prevention and detection of mere security risks as well as attacks on end-user terminal equipment. Due to the substantial proximity of both provisions and the similarity of wording, the considerations made in the context of Art. 6 Sec. 1 lit. b) are in principle transferable (Art. 6 No. II.3.).

[19] Cf. recital 20.

Pursuant to Art. 6 Sec. 1 lit. d) ePrivacy Regulation, electronic communications data may be lawfully processed in exception to the general prohibition of Art. 5 if such processing is necessary to comply with a legal obligation under Union or Member State law to which the providers of electronic communications networks and services are subject. This legal basis for the lawful processing of electronic communications data was introduced by the Council of the European Union and had not been provided for in the ePR Commission Proposal 2017. The supplementation was justified with the necessary alignment of the ePrivacy Regulation with the GDPR.[20] The latter provides for a corresponding legal basis for the processing of personal data in Art. 6 Sec. 1 lit. c) GDPR.[21] Both provisions can be understood as a kind of ‘bridge’ or ‘gateway’, as they do not in themselves constitute a sufficient legal basis for processing, but establish the legality of such processing only in combination with other Union law or Member State law.[22] The extension of the lawful processing possibilities through Art. 6 Sec. 1 lit. d) ePrivacy Regulation was met with criticism despite its proximity to the already existing parallel legal basis of the GDPR. The EDPB expressed concerns regarding its scope and emphasised the need to take into account the case law of the CJEU in this context.[23] The CJEU issued decisions on legislative measures of Member States which provided legal bases for the preventive, general and indiscriminate retention of electronic communications data.[24] According to the CJEU, such preventive and untargeted data retention is not compatible with Articles 7, 8, 11 and 52 of the CFR.[25] The EDPB concludes from these findings that Member State laws that are to be invoked in the context of Art. 6 Sec. 1 lit. d) ePrivacy Regulation may not provide for this kind of non-targeted data retention.[26] The ePrivacy Regulation provides for restrictive substantive requirements that must be fulfilled in order to justify the processing of electronic communications data.[27] Art. 6 Sec. 1 lit. d) ePrivacy Regulation provides that the legal obligations covered by the permission must be in conformity with fundamental rights and freedoms. Generally, this sufficiently covers the EDPB’s concerns with regard to inadmissible and unlawful data retention obligations. Furthermore, Art. 6 Sec. 1 lit. d) ePrivacy Regulation specifies that the legal obligations invoked must constitute necessary and proportionate measures in a democratic society in order to redress criminal offences, enforce criminal penalties or prevent threats to public security. Thus, the scope of this legal basis is considerably limited. This is in addition to the general restrictions flowing from the requirement of necessity, which generally leaves room for an application in line with the jurisprudence of the CJEU. Member States will have to ensure that legal obligations meet these requirements when they require electronic communications service and network providers to process electronic communications data.

[20] Council of the European Union, Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) from 5 December 2017, Doc. No. 15333/17, p. 3.

[21] Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 107.

[22] Albers/Veit in: Wolff/Brink, BeckOK Datenschutzrecht (2020), Art. 6 para. 35.

[23] EDPB, Statement 03/2021 on the ePrivacy Regulation from 9 March 2021, p. 1 et seq.

[24] CJEU, joined cases C-511/18, C-512/18, C-520/18 from 27 November 2020 as well as case C-623/17 from 6 October 2020.

[25] See CJEU, joined cases C-511/18, C-512/18, C-520/18 from 27 November 2020, para. 113 et seqq., 137, 141; CJEU, C-623/17 from 6 October 2020, para. 81 et seq.

[26] EDPB, Statement 03/2021 on the ePrivacy Regulation from 9 March 2021, p. 1 et seq.

[27] See Art. 6 Sec. 2, 3 GDPR; cf. Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 108.

If one of the purposes set out in Art. 6 Sec. 1 ePrivacy Regulation is applicable, providers of electronic communications services and networks may in principle process electronic communications data, provided such processing is necessary (Art. 6 No. II.1). This is further limited by the provision of Art. 6 Sec. 2 ePrivacy Regulation. These restrictions also apply to processing operations based on the legal bases of Art. 6a – Art. 6c ePrivacy Regulation.

Art. 6 Sec. 2 ePrivacy Regulation limits the duration of permitted processing of electronic communications data by reference to the purposes of processing. Generally, processing of electronic communications data on the basis of Art. 6 – Art. 6c ePrivacy Regulation is only permissible until the relevant purposes have been fulfilled. However, the requirement of necessity applicable throughout the legal bases of Art. 6 Sec. 1 ePrivacy Regulation already enshrines a limitation on the duration of permissible processing and, thus, implicitly regulates the temporal limits of such processing. Art. 6 Sec. 2 ePrivacy Regulation therefore has a primarily declaratory effect with regard to the duration of processing.

The specific added value of the provision of Art. 6 Sec. 2 ePrivacy Regulation, however, consists in the clarification that lawful processing of electronic communications data may not always be continued until the purposes listed in Art. 6 Sec. 1 lit. a) – d) (or in Art. 6a – Art. 6c) have been achieved. It may also become necessary to terminate the processing at an earlier point in time. It follows from Art. 6 Sec. 2 that if the intended purposes can be achieved by processing anonymous information (Art. 6 No. III.2.) after a certain point in time, the processing of non-anonymous electronic communications data must be discontinued. Both the achievement of a purpose and the availability or suitability of anonymous information for achieving the purpose can thus constitute events that terminate the ‘necessary duration’ of lawful processing of non-anonymised electronic communications data.

The retention of electronic communications data is a type of processing which requires permission by a legal basis (Art. 4 No. I.1.a). Time limits on the lawfulness of processing therefore always include an obligation to erase data. The data must be deleted at the latest once the purpose of the lawful processing of electronic communications data has been achieved. This is generally the only way to terminate processing as required by Art. 6 Sec. 2 ePrivacy Regulation. In order to meet this obligation, a regular assessment of whether data needs to be deleted ought to take place. In many cases, the implementation of a standardized erasure concept will be necessary in practice.[27]
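The following erasure routine is an added example and not part of the commentary. It shows how a standardized erasure concept can tie each stored record to its specified purpose and erase it at the earlier of two events: the purpose being reported as achieved, or a per-purpose retention bound expiring. Records without a specified purpose are erased immediately, since no legal basis covers them. The purposes, record identifiers, current time and the 3-day bound are constructed; the 7-day bound for security data mirrors the retention period the commentary cites from the BGH case law and is used here only as an illustrative policy value.

```python
"""Erasure concept for electronic communications data (added example).

Each record carries the purpose it is processed for. A policy table gives an
upper retention bound per purpose, and a record is erased as soon as EITHER
its purpose has been achieved OR the bound has expired, whichever comes first.
All values below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed policy: purpose -> maximum retention. The 7-day value mirrors the
# period the commentary cites; the 3-day value is an assumption.
RETENTION_POLICY = {
    "security_monitoring": timedelta(days=7),
    "fault_detection": timedelta(days=3),
}

# Constructed "current time" used by the demo below.
NOW = datetime(2024, 5, 10, 12, 0)


@dataclass
class Record:
    record_id: str
    purpose: str
    created_at: datetime
    purpose_achieved: bool = False  # set by the operator once the aim is met


@dataclass
class ErasureResult:
    kept: List[str] = field(default_factory=list)
    erased: List[Tuple[str, str]] = field(default_factory=list)  # (id, reason)


def must_erase(rec: Record, now: datetime) -> Optional[str]:
    """Return the reason a record must be erased, or None if it may be kept.

    Order matters: a missing purpose means there is no legal basis at all;
    an achieved purpose ends the 'necessary duration' even before the bound;
    the bound is the latest point at which erasure must happen.
    """
    if rec.purpose not in RETENTION_POLICY:
        return "no specified purpose in policy"
    if rec.purpose_achieved:
        return "purpose achieved"
    if now - rec.created_at >= RETENTION_POLICY[rec.purpose]:
        return "retention limit reached"
    return None


def run_erasure(records: List[Record], now: datetime) -> ErasureResult:
    """One run of the regular erasure assessment: split records into those
    that may still be kept and those that must be erased, with the reason
    recorded so the decision is auditable."""
    result = ErasureResult()
    for rec in records:
        reason = must_erase(rec, now)
        if reason:
            result.erased.append((rec.record_id, reason))
        else:
            result.kept.append(rec.record_id)
    return result


def sample_records() -> List[Record]:
    """Constructed sample set covering each decision branch."""
    return [
        Record("sec-001", "security_monitoring", NOW - timedelta(days=2)),
        Record("sec-002", "security_monitoring", NOW - timedelta(days=9)),
        Record("fault-001", "fault_detection", NOW - timedelta(days=1),
               purpose_achieved=True),
        Record("misc-001", "unspecified", NOW - timedelta(hours=1)),
    ]


def demo() -> ErasureResult:
    return run_erasure(sample_records(), NOW)


if __name__ == "__main__":
    res = demo()
    print("kept:", res.kept)
    for record_id, reason in res.erased:
        print(f"erase {record_id}: {reason}")
```

The run returns the decision and its reason for every record, which is what a regular erasure assessment needs to document; in a real deployment the policy table would be maintained alongside the record of processing activities rather than hard-coded.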

[27] See with regard to the corresponding requirements of the GDPR Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 92; Conrad in: Auer-Reinsdorff/Conrad, Handbuch IT- und Datenschutzrecht (2019), § 34 para. 615 et seqq.

If a purpose of processing can also be achieved by processing information which is made anonymous, the processing of electronic communication data is not permitted, even if one of the legal bases provided for in Art. 6 – Art. 6c ePrivacy Regulation is principally applicable. According to Art. 6 Sec. 2 ePrivacy Regulation, providers of electronic communications services and networks shall prefer anonymous data in their processing activities if the purposes pursued allow for such precedence. The EDPB goes even further and calls for anonymisation to be explicitly highlighted as a ‘core guarantee’ of protection of electronic communications data, which should be systematically favoured by the addressees of the ePrivacy Regulation.[28]

Information which is made anonymous, according to Recital 15a, refers to information by which no natural or legal person is identifiable. This is comparable to the GDPR, with the difference that identifiability must also be precluded in relation to legal persons in order for electronic communications data to be anonymous and to meet the protective purpose of the ePrivacy Regulation (Art. 1 Sec. 1a ePrivacy Regulation; see Art. 1 No. I.1.a).[29] Identifiability, which precludes anonymity, means under the requirements of the GDPR that the information in question allows conclusions to be drawn about the identity of natural or legal persons, even if this requires the use of additional information or other reasonable means of identification.[30] If the identity of the end-user cannot be determined directly from the information in question, but only in connection with other reasonable means, the information is not made anonymous but merely pseudonymised, which would not meet the standard of Art. 6 Sec. 2 ePrivacy Regulation.[31]

Whether or not the possible means of identification are reasonable depends on the circumstances of each individual case. Particularly relevant are the time, costs and effort required for identification as well as the technological means and developments available at the time of processing.[32] The additional information required in order to identify an end-user need not necessarily be in the possession of the electronic communications service or network provider, but it ought to be easily accessible, e.g. within an information service.[33]

Identifiability also exists if the information does not directly reveal the identity of a natural or legal person. Certain ‘identifiers’ which allow the identity to be inferred are sufficient. Such identifiers allow data to be assigned to one or more characteristics that are the expression of physical, economic, social or other identity, e.g. a name, identification numbers (insurance, tax, ID), location data or online identifiers such as IP addresses.[34] This can subsequently lead to the indirect identification of a natural or legal person.

Electronic communications data that allowed for the identification of end-users can be anonymized later on by means of two categories of techniques:

– Randomisation and

– Generalisation.[35]

Within these categories there are various techniques of anonymization. Which technique is the most effective and legally secure in a particular case will depend on the processing purposes, the type of data, the relevant providers and many other individual factors.[36] In any case, it should not be underestimated that a risk of re-identification is inherent in all anonymization processes and techniques and cannot be excluded with complete certainty.[37] Anonymization of electronic communications data is therefore not necessarily a guarantee of compliance with the ePrivacy Regulation.
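As an added example (not from the commentary or the Art. 29 WP opinion it cites), the following code applies the two technique families named above to constructed connection metadata, contrasts them with keyed-hash pseudonymisation, and quantifies the residual re-identification risk the text warns about with a simple k-anonymity check. All addresses, timestamps and keys are constructed samples; the /24 and /48 prefix lengths, the hour granularity and the noise spread are assumptions chosen for illustration.

```python
"""Anonymisation of constructed connection metadata (added example).

Generalisation: coarsen a value so several records share it (network prefix
instead of host address, hour instead of second).
Randomisation: perturb a value so it no longer matches an exact record elsewhere.
Pseudonymisation (for contrast): a keyed hash keeps records linkable and is
reversible for the key holder, so it is not anonymous information.
"""
import hashlib
import hmac
import ipaddress
import random
from collections import Counter
from datetime import datetime
from typing import List, Tuple

# Constructed sample: (source address, timestamp, bytes transferred)
SAMPLE_RECORDS: List[Tuple[str, str, int]] = [
    ("203.0.113.17", "2024-05-01T10:03:11", 5120),
    ("203.0.113.42", "2024-05-01T10:17:45", 4096),
    ("203.0.113.99", "2024-05-01T10:49:02", 7300),
    ("198.51.100.8", "2024-05-01T10:21:09", 900),
    ("2001:db8::1", "2024-05-01T11:05:00", 12000),
]


def generalise_ip(ip: str) -> str:
    """Generalisation: keep only the network part (/24 for IPv4, /48 for IPv6,
    both assumed granularities). The host bits are discarded, not encrypted,
    so they cannot be recovered from the output."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def generalise_time(ts: str) -> str:
    """Generalisation: reduce an ISO timestamp to the hour."""
    return datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H:00")


def randomise_bytes(n: int, rng: random.Random, spread: int = 500) -> int:
    """Randomisation: add bounded noise to a byte count (never below zero)."""
    return max(0, n + rng.randint(-spread, spread))


def pseudonymise_ip(ip: str, key: bytes) -> str:
    """HMAC-SHA256 token. Same address and key -> same token, so records stay
    linkable and the key holder can re-identify: pseudonymisation, not
    anonymisation in the sense of Art. 6 Sec. 2."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def anonymise(records, seed: int = 0) -> List[Tuple[str, str, int]]:
    """Apply generalisation to the quasi-identifiers and randomisation to the
    measurement; the seed only makes the demo reproducible."""
    rng = random.Random(seed)
    return [(generalise_ip(ip), generalise_time(ts), randomise_bytes(b, rng))
            for ip, ts, b in records]


def k_anonymity(anon_records) -> int:
    """Smallest number of records sharing one (network, hour) tuple.
    k == 1 means some record is unique and can be singled out."""
    groups = Counter((net, hour) for net, hour, _ in anon_records)
    return min(groups.values())


def singled_out(anon_records, k: int = 2) -> List[Tuple[str, str]]:
    """(network, hour) tuples that occur fewer than k times."""
    groups = Counter((net, hour) for net, hour, _ in anon_records)
    return sorted(q for q, n in groups.items() if n < k)


if __name__ == "__main__":
    anon = anonymise(SAMPLE_RECORDS)
    for row in anon:
        print(row)
    print("k-anonymity:", k_anonymity(anon))
    print("singled out:", singled_out(anon))
```

In the sample set, two generalised records remain unique within their hour, so k equals 1: generalisation alone did not remove the possibility of singling them out, which is the re-identification risk the text describes, and the provider would have to coarsen further or suppress those records before treating the output as anonymous. The HMAC token, by contrast, is stable per address and reversible for whoever holds the key, so it belongs to the pseudonymisation provisions in footnote 31 rather than to Art. 6 Sec. 2.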

[28] EDPB, Statement 03/2021 on the ePrivacy Regulation from 9 March 2021, p. 2.

[29] In contrast, under the GDPR data could also be considered anonymous if it allows conclusions to be drawn about a legal entity, but not about natural persons.

[30] Recital 26 GDPR.

[31] Cf. recital 26 GDPR; however, the pseudonymisation of electronic communications data becomes relevant in other parts of the ePrivacy Regulation, namely in Art. 6b Sec. 1 lit. e), Art. 6c Sec. 2 lit. b), Art. 8 Sec. 1 lit. h) ePrivacy Regulation.

[32] Recital 26 GDPR; Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 13.

[33] Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 12.

[34] Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 11.

[35] Art. 29 WP, WP 216 Opinion 05/2014 on Anonymisation Techniques from 10 April 2014, p. 12; Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 13.

[36] For practical advice on anonymisation see Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 13; Art. 29 WP, WP 216 Opinion 05/2014 on Anonymisation Techniques from 10 April 2014, p. 23 et seqq.

[37] Art. 29 WP, WP 216 Opinion 05/2014 on Anonymisation Techniques from 10 April 2014, p. 23 et seqq.

Art. 6 Sec. 3 ePrivacy Regulation extends the personal scope of the legal bases of Art. 6 – Art. 6c to third parties who perform processing activities on behalf of the originally addressed providers of electronic communications services or networks. Third parties are defined as ‘natural or legal persons that do not provide an electronic communications service to the end-user concerned’, Recital 19. A provider of electronic communications services will also be qualified as a third party processor if the end-user accesses another electronic communications service from that provider, but not the service related to the particular processing operation at hand. In other words, whether the end-users maintain a direct contractual relationship with the party for the provision of other services (as main provider) is irrelevant for whether that party qualifies as a third party within Art. 6 Sec. 3 ePrivacy Regulation. What matters for qualification as a third party within Art. 6 Sec. 3 ePrivacy Regulation is therefore not so much the relationship between the end-user and the third party processor, but the relationship between the third party processor and the particular electronic communications service or network.

The extension of the legal bases for processing of the ePrivacy Regulation to third parties is subject to the premise that the requirements of Art. 28 GDPR are met. Thus, a data processing relationship in terms of the GDPR must exist between the third party and the provider of electronic communications services or networks on whose behalf the processing that is to be justified takes place.

As a first requirement, Art. 28 Sec. 1 GDPR restricts the choice of third party processors. Applied to the ePrivacy Regulation, it requires providers of electronic communications services or networks to choose processors ‘providing sufficient guarantees to implement appropriate technical and organisational measures’ in such a manner that the processing will meet the requirements of the ePrivacy Regulation and ensure the protection of the rights of the affected end-users.[38] The providers of electronic communications services and networks are, thus, not free in their choice of the processors to whom they want to entrust the electronic communications data of their end-users. Rather, they are required to assess the sufficiency of the guarantees provided by the processors and, according to the EDPB, ought to be able to prove that all elements provided for the protection of data have been taken into serious consideration when assessing the chosen processors.[39] In order to assess the sufficiency of these guarantees, the providers ought to consider elements such as the expert knowledge, reliability and resources of the third party processors.[40]

After diligent selection of a processor, it is necessary to conclude a data processing agreement by which the service or network providers effectively commit their third party processors to meet the conditions and obligations for lawful processing, in order to meet the requirements of Art. 28 GDPR.[41] Such a data processing agreement must be in writing, which includes electronic form, and must be legally binding on the processor.[42] With regard to its content, the agreement must define the subject matter, the duration, nature and purpose of processing, the type of electronic communications data to be processed and the obligations and rights of the providers as well as of the processors.[43]

According to Art. 28 Sec. 6 GDPR, the data processing agreement may be based on standard contractual clauses, which may be approved either by the European Commission (Art. 28 Sec. 7 GDPR) or by a supervisory authority in accordance with Art. 63 GDPR (Art. 28 Sec. 8 GDPR).[44] The European Commission adopted such standard contractual clauses for controllers and processors under the GDPR in June 2021.[45] These standard contractual clauses are directly applicable only within the framework of the GDPR, and thus do not have immediate effect on electronic communications service or network providers under Art. 6 Sec. 3 ePrivacy Regulation.[46] However, the standard contractual clauses define the required content of data processing agreements according to Art. 28 Sec. 3 and Sec. 4 GDPR, which must also be taken into account under Art. 6 Sec. 3 ePrivacy Regulation. They can therefore at least serve as a reference point for electronic communications service or network providers who want to use a third party to process electronic communications data according to Art. 6 Sec. 3 ePrivacy Regulation.

The obligations and limitations of action of third party processors as defined in the agreement arise predominantly from Art. 28 Sec. 3 GDPR. Of particular importance are the right of the providers to issue instructions and the strict commitment of third party processors to follow any such instructions, Art. 28 Sec. 3 lit. a) GDPR. It should be made clear that the processing does not take place autonomously or on the processors’ own initiative, but solely on the basis of documented instructions from the provider, i.e. the processor is obliged to document the instructions it receives.[47] It is mandatory for lawful processing by third parties that the actually responsible electronic communications service or network providers retain the power to determine the purposes and means of the intended processing.[48] An exception to this strict obligation to comply with the instructions of the provider may apply if the processor is obliged to process data on the basis of a regulation under the law of a Member State.[49] Furthermore, third party processors shall be obliged to assist the providers in their compliance with the relevant regulations on the protection of electronic communications data, see Art. 28 Sec. 3 lit. f) GDPR. In this context, providers must also be granted all relevant information regarding the compliance of processors with their obligations and, if necessary, be given the opportunity to conduct audits.[50] Additionally, third party processors must be obliged to implement technical and organisational measures pursuant to Art. 32 GDPR to protect electronic communications data, such as encryption, pseudonymisation and access restrictions.[51]

Third party processors may be allowed to designate a sub-processor upon prior written authorisation of the providers.[52] Art. 28 Sec. 2, Sec. 4 GDPR sets out special provisions in this regard. Whether and to what extent the processor may engage other third parties is at the sole discretion of the provider, who may issue a general authorisation for this purpose or require that a corresponding request be submitted to the provider for a case-by-case decision. Which route is taken must be specified in the agreement.[53] In the case of a general authorisation, the processor must inform the provider of any changes concerning the sub-processors involved and must respect any objections by the provider to such changes.[54] If a sub-processor is involved, a contract ought to be concluded between the sub-processor and the initial processor that subjects the sub-processor to the same obligations and restrictions as the initial processor itself owes vis-à-vis the providers.[55]

Breaches of obligations by third party processors who have been commissioned to process electronic communication data in accordance with Art. 6 Sec. 3 ePrivacy Regulation will be sanctioned by the supervisory authorities – as is also the case under the GDPR.[56] Based on Art. 23 Sec. 1, Sec. 3 ePrivacy Regulation, fines of up to EUR 20 000 000 or 4% of a company’s worldwide annual turnover could be imposed for such violations (see Art. 23 para. Xx).

[38] Cf. Art. 28 Sec. 1 GDPR.

[39] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR from 2 September 2020, para. 92.

[40] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR from 2 September 2020, para. 95.

[41] Cf. Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 81.

[42] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR from 2 September 2020, para. 99 et seq.

[43] Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 81.

[44] Spoerr, in: Wolff/Brink, BeckOK Datenschutzrecht (2021), Art. 28 para. 95.

[45] European Commission, Implementing Decision (EU) 2021/915 of 4 June 2021 on standard contractual clauses between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council.

[46] Such direct application would probably require a supplementary decision by the European Commission clarifying the application to the ePrivacy Regulation.

[47] Cf. Art. 28 Sec. 3 lit. a) GDPR; Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 81 et seq.

[48] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR from 2 September 2020, para. 113 et seqq.

[49] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR from 2 September 2020, para. 118.

[50] Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 82.

[51] Cf. Art. 28 Sec. 3 lit. c) GDPR.

[52] See Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 84.

[53] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR from 2 September 2020, para. 126.

[54] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR from 2 September 2020, para. 125.

[55] Art. 28 Sec. 4 GDPR; Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 83.

[56] See Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 83.
