Paul Voigt, Axel von dem Bussche: the EU ePrivacy Regulation – Preliminary Guidance and Commentary
Menü
Paul Voigt, Axel von dem Bussche: the EU ePrivacy Regulation – Preliminary Guidance and Commentary
1. Without prejudice to Article (6) 1, providers of the electronic communications networks and services shall be permitted to process electronic communications content only:
(a) for the purpose of the provision of a service requested by an end-user for purely individual use if the requesting end-user has given consent and where such requested processing does not adversely affect fundamental rights and interests of another person concerned; or
(b) if all end-users concerned have given their consent to the processing of their electronic communications content for one or more specified purposes.
2. Prior to the processing in accordance with point (b) of paragraph 1 the provider shall carry out a data protection impact assessment of the impact of the envisaged processing operations on the protection of electronic communications data and consult the supervisory authority if necessary pursuant to Article 36 (1) of Regulation (EU) 2016/679. Article 36 (2) and (3) of Regulation (EU) 2016/679 shall apply to the consultation of the supervisory authority.
(2) The content of electronic communications may reveal highly sensitive information about the natural persons involved in the communication, from personal experiences and emotions to medical conditions, sexual preferences and political views, the disclosure of which could result in personal and social harm, economic loss or embarrassment. Similarly, metadata derived from electronic communications may also reveal very sensitive and personal information. These metadata includes the numbers called, the websites visited, geographical location, the time, date and duration when an individual made a call etc., allowing precise conclusions to be drawn regarding the private lives of the persons involved in the electronic communication, such as their social relationships, their habits and activities of everyday life, their interests, tastes etc.
(15a) The prohibition of interception of electronic communications content under this Regulation should apply until receipt of the content of the electronic communication by the intended addressee, i.e. during the end-to-end exchange of electronic communications content between end-users. Receipt implies that the end-user gains control over, and has the possibility to interact with, the individual electronic communications content, for example by recording, storing, printing or otherwise processing such data, including for security purposes. The exact moment of the receipt of electronic communications content may depend on the type of electronic communications service that is provided. For instance, depending on the technology used, a voice call may be completed as soon as either of the end-users ends the call. For electronic mail or instant messaging, depending on the technology used, the moment of receipt may be as soon as the addressee has collected the message, typically from the server of the electronic communications service provider. Upon receipt, electronic communications content and related metadata should be erased or made anonymous in such a manner that no natural or legal person is identifiable, by the provider of the electronic communications service except when processing is permitted under this Regulation. After electronic communications content has been received by the intended end-user or end-users, it may be recorded or stored by those end-users. End-users are free to mandate a third party to record or store such data on their behalf.
(16a) The protection of the content of electronic communications pertains to the essence of the fundamental right to respect for private and family life, home and communications protected under Article 7 of the Charter. Any interference with the content of electronic communications should be allowed only under very clear defined conditions, for specific purposes and be subject to adequate safeguards against abuse. This Regulation provides for the possibility of providers of electronic communications services to process electronic communications content in transit, with the informed consent of all the end-users concerned. For example, providers may offer services that entail the scanning of emails to remove certain pre-defined material. Given the sensitivity of the content of communications, this Regulation sets forth a presumption that the processing of such content data will result in high risks to the rights and freedoms of natural persons. When processing such type of content, the provider of the electronic communications service should consult the supervisory authority if necessary pursuant to Article 36 (1) of Regulation (EU) 2016/679. Such consultation should be in accordance with Article 36 (2) and (3) of Regulation (EU) 2016/679. The presumption does not encompass the processing of content to provide a service requested by the end-user where the end-user has consented to such processing and it is carried out for the purposes and duration strictly necessary and proportionate for such service.
(16b) Services that facilitate end-users everyday life such as index functionality, personal assistant, translation services and services that enable more inclusion for persons with disabilities such as text-to-speech services are emerging. Processing of electronic communication content might be necessary also for some functionalities used normally in services for individual use, such as searching and organising the messages in email or messaging applications. Therefore, as regards the processing of electronic communications content for services requested by the end-user for their own individual use, consent should only be requested required from the end-user requesting the service taking into account that the processing should not adversely affect fundamental rights and interest of another end-user concerned. Processing of electronic communications data should be allowed with the prior consent of the end-user concerned and to the extent necessary for the provision of the requested functionalities.
The ePrivacy Regulation sets specific priorities regarding the protection of confidentiality of electronic communications content. Recital 2, for instance, emphasises the particular sensitivity of information that could be disclosed when interfering with electronic communications content. As regards natural persons, electronic communications content might disclose highly personal information relating to sexual orientation, health condition or political views.[1] According to the rationale of the ePrivacy Regulation, the protection of the confidentiality of electronic communications content pertains to the essence of the fundamental right to respect for private and family life, home and communications protected under Art. 7 CFR (see Art. 4 No. III.1.a).[2] Therefore, Recital 16a provides that any interference with electronic communications content is presumed to be a high-risk activity with regard to the rights and freedoms of natural persons (however, this presumption does not apply unconditionally, see Art. 6 No. III.).[3]
Although Recital 16a explicitly refers to natural persons and not all end-users and, thus, excludes legal persons, a similar scope of protection applies to legal persons, as these are equally protected under the ePrivacy Regulation, Art. 1 Sec. 1a ePrivacy Regulation (Art. 1 No. I.1.a). Moreover, the special sensitivity of electronic communications content of legal persons is explicitly recognised. It is not limited to the involvement of natural persons. In relation to legal persons, such sensitive content may, for example, contain information of economic value and secrets, which are essential for the operation of the business, Recital 3.
The prioritization of the protection of electronic communications content in comparison with the protection of electronic communications metadata is obvious: While Art. 6a ePrivacy Regulation only provides for two rather narrow permissions for the processing of electronic communications content, both of which are strongly linked to the initiation of the processing by the concerned end-users themselves (Art. 6a No. II.), Art. 6b provides for a greater number of permissions regarding the processing of electronic communications metadata, including for purposes which are predominantly in the interest of the providers (Art. 6b Sec. 1 lit. b), purposes of network management and optimisation). Furthermore, Art. 6a Sec. 2 ePrivacy Regulation stipulates that a data protection impact assessment in terms of the GDPR must be carried out when processing electronic communication content pursuant to Art. 6a Sec. 1 lit. b). In contrast, there is no equivalent provision in the legal basis of Art. 6b ePrivacy Regulation for the processing of electronic communications metadata. Additionally, unlike for electronic communications metadata, Art. 6c ePrivacy Regulation does not provide for the possibility of further processing for compatible purposes for electronic communications content without end-user consent (Art. 6c.).
[1] Recital 2; as regards the assessment of sensitivity of the information concerned, electronic communications content thus corresponds analogously to the valuation of the special categories of personal data in Art. 9 GDPR.
[2] Recital 16a.
[3] In this context see also Art. 4 No. III.1.a).
Art. 6a Sec. 1 ePrivacy Regulation provides for two permissions for the processing of electronic communications content, which may apply independently of the general legal basis of Art. 6 ePrivacy Regulation. Both permissions rely strongly on the initiation and consent by the affected end-users, thus implying that the disposition of electronic communications content is strictly and solely at the discretion of the end-users themselves. Nevertheless, both permissions differ from each other. Art. 6a Sec. 1 lit. a) ePrivacy Regulation restricts its permissible processing purposes, but does not necessarily require consent of all affected end-users. Rather, consent of the requesting end-user will suffice, provided that protection of fundamental rights and freedoms of non-consenting parties is guaranteed (Art. 6a No. II.1.b). Art. 6a Sec. 1 lit. b), on the other hand, requires consent of all affected end-users for the processing of electronic communications content, but is generally open as regards permissible processing purposes (Art. 6a No. II.2.).
Electronic communications content may be processed by providers of electronic communications networks and services on the basis of Article 6a Sec. 1 lit. a) ePrivacy Regulation if this processing serves the provision of a service that has been requested by the affected end-user. Additionally, the end-user requesting the service must have effectively consented to the processing of electronic communications content (for a definition of consent and the requirements for its effectiveness see Art. 4a No. I.). Art. 6a Sec. 1 lit. a) ePrivacy Regulation requires the consent of only one of the communicating parties, provided that the other requirements of the permission are met. Thus, if two end-users are involved in a communications process and potentially affected by the exchanged content, processing can take place lawfully even if only one of them has effectively consented to it. Consent must meet the requirements set out in Art. 4a ePrivacy Regulation.
a) Another person concerned
The notion ‘another person concerned’ in Art. 6a Sec. 1 lit. a) ePrivacy Regulation, whose rights and interests are to be taken into account before processing electronic communications content is somewhat unclear. Due to the broad wording, it is conceivable here that not only communication partners, but also third parties who have not participated in the communication process but are nevertheless affected by its content are covered. Such interpretation is supported by the fact that the permission avoids the usual terminology of the ePrivacy Regulation, which normally refers to ‘end-users’ or the ‘parties involved in a communication’.[4] Furthermore, it is conceivable that the interests of a third party uninvolved in the communications process are adversely affected by exchanged communications content, e.g. because private information of a person is disclosed and this person is also identified in the course of the communication.
Although the wording of the permission allows for such a broad interpretation, such interpretation would severely restrict the processing possibilities of providers and the possibilities of further service development and optimisation. Such restriction of the business operations of the latter would contradict one of the regulatory objectives of the ePrivacy Regulation (Art. 1 No. I.1.b). It is also questionable how providers are supposed to check and guarantee the protection of fundamental rights and interests of such uninvolved parties who might not be easily accessible to them in practice. The protection of third parties uninvolved in a communication process arguably also exceeds the protective scope of Art. 5 ePrivacy Regulation, which explicitly seeks to ensure the protection of electronic communications data relating to the communicating end-users. Recital 2, which emphasises the special need for protection of electronic communications content, refers only to the persons involved in the communication process and, thus, limits the personal scope of protection. Finally, Recital 16b, which refers to the permission of Art. 6a Sec. 1 lit. a) ePrivacy Regulation, deviates from the wording of the latter and is limited to the fundamental rights and interest of the end-user concerned. By definition, end-users are parties who use an electronic communications service, which implies application only to the communicating parties. Although the divergent wording of a Recital cannot be decisive for the application of a statutory provision, it will have a relevant effect on its interpretation. Thus, ‘another person concerned’ pursuant to Art. 6a Sec. 1 lit. a) ePrivacy Regulation refers to other parties involved in a communication process, but not to third parties.
b) Protection of fundamental rights and freedoms
Art. 6a Sec. 1 lit. a) ePrivacy Regulation refers to the necessary protection of fundamental rights and interests of persons other than the requesting end-users. The question arises as to which specific rights and interests are to be covered by this provision. In particular, it seems reasonable to assume that only privacy-related interests of these persons, as determined in Art. 7 CFR and relating to the confidentiality of communications should be included. These are the rights and interests that the ePrivacy Regulation primarily intends to protect (Art. 1 No. I.1.). However, this regulatory focus does not necessarily imply a general limitation of the protective functions of the ePrivacy Regulation. Rather, the protection of the confidentiality of electronic communications content has an impact on the effective exercise and enjoyment of various other fundamental rights (Art. 1 No. I.1.). The protection of the confidentiality of electronic communication content, therefore, inherently serves and implies the protection of other fundamental rights and freedoms and should therefore not be applied entirely separately from them.
In general, Art. 6a Sec. 1 lit. a) ePrivacy Regulation arguably ought to be interpreted restrictively and narrowly, i.e. in the sense of the broadest possible protection of affected end-users. This is because the ePrivacy Regulation is based on the premise that electronic communications content may only be processed with the consent of all end-users concerned.[5] This concept is partially undermined within the permission of Art. 6a Sec. 1 ePrivacy Regulation. This, thus, not only represents an exception to the general prohibition of Art. 5 but also to the general commitment to consent. Due to this exceptional character, the permission must be applied with restraint and with the best possible respect for the end-user interests in order to retain necessary and adequate safeguards. Accordingly, all fundamental rights should be covered by the requirement of Art. 6a Sec. 1 lit. a) ePrivacy Regulation to provide for adequate protection and, thus, assessed by electronic communications service and network providers who are relying on this provision. This includes rights and interests that do not necessarily appear to be privacy-related, such as freedom of religion or expression.
Art. 6a Sec. 1 lit. a) ePrivacy Regulation does not clarify how the providers of electronic communications networks and services that are addressed by the permission are supposed to ensure that such fundamental rights and interests are not adversely affected by the intended processing of electronic communications content.
One way to avoid a violation of fundamental rights and interests might be to inform the non-consenting parties about the intended processing and thereby give them the opportunity to object to it. However, this does not seem feasible. Informing all end-users will often involve an effort equivalent to obtaining consent. Based on Recital 19, the processing of electronic communications content should be facilitated in order to enable the effective use of certain services, which is why only the user requesting this service has to give consent. Also, in comparison to Art. 6 Sec. 1 lit. b) ePrivacy Regulation, the participation of other end-users is not necessarily required under the conditions of Art. 6 Sec. 1 lit. a) ePrivacy Regulation in order to render the permission applicable. It must therefore be possible for providers of electronic communications networks and services to process communication content on the basis of Art. 6a Sec. 1 lit. a) ePrivacy Regulation without being required to interact with all parties involved in the communication.
It will arguably not be possible to determine with certainty whether or not fundamental rights and interests of non-consenting parties involved in a communication process will be infringed and to guarantee that such infringements are avoided. However, there are measures that providers of electronic communications services and networks seeking to rely on the permission of Art. 6a Sec. 1 lit. a) ePrivacy Regulation can take in order to reduce the processing risks and mitigate harm. The need to introduce adequate safeguards is addressed in Recital 16a. First, it is advisable to introduce particularly strict deletion concepts with regard to electronic communications content (see Art. 6 No. III.1.). Recital 16b underlines that the processing of electronic communications content under the conditions of Art. 6 Sec. 1 lit. a) ePrivacy Regulation may be carried out strictly and exclusively to the extent necessary for the requested service. In many cases, this will mean that the processed communications content will have to be deleted immediately after the provision of the requested service and will not be retainable beyond that (e.g. in the case of translation assistants, no retention beyond or after translation).[6]
Additionally, the implementation of highly sophisticated technical and organisational measures following the example of Art. 32 GDPR will be necessary to meet the requirement of sufficient protection of fundamental rights and freedoms within Art. 6a Sec. 1 lit. a) ePrivacy Regulation and in order to ensure a level of security that is appropriate to the high risk associated with the processing of electronic communications content.[7] Another conceivable measure, also based on the model of the GDPR, might be the appointment of a data protection officer who is responsible for the risk assessment and management of any concerns and requests of affected end-users in connection with processing of electronic communications content. Finally, even in the context of Art. 6a Sec. 1 lit. a) ePrivacy Regulation, the performance of a data protection impact assessment might be reasonable in order to evaluate the risks posed by the intended processing for the rights and interests of non-consenting persons.
The data protection impact assessment as a necessary protection measure for the processing of electronic communications content is expressly provided for in Art. 6a Sec. 2 ePrivacy Regulation, but only for processing on the basis of Art. 6a Sec. 1 lit. b) and, thus, not for Art. 6a Sec. 1 lit. a) ePrivacy Regulation (Art. 6a No. III.). While this measure is not explicitly provided for as a necessary precondition, Art. 6a Sec. 2 ePrivacy Regulation does not exclude a data protection impact assessment in the context of Art. 6a Sec. 1 lit. b). Generally, a data protection impact assessment might be considered suitable for the classification of risks as required for non-consenting end-users in the context of Art. 6a Sec. 1 lit. a), as it is precisely a preventive measure designated to prevent the occurrence of violations of individual rights. Part of the minimum requirements for a data protection impact assessment as set out in Art. 35 Sec. 7 GDPR – as applicable in the context of the ePrivacy Regulation (Art. 6a No. III.) – is the assessment of the impact to the rights and freedoms of the data subjects, i.e. end-users respectively as within the scope of the ePrivacy Regulation (Art. 4 No. I.2.e).[8] Depending on the specifics of the individual case, it may therefore be advisable to carry out such a data protection impact assessment in connection with the permission of Art. 6a Sec. 1 lit. a) as well (see in this regard at Art. 6 No. II.4.).
c) Services requested by the consenting end-user
Art. 6a Sec. 1 lit. a) ePrivacy Regulation does not specify what kind of service must be concerned by the request of the consenting end-user in order for the permission to apply. In particular, the wording is not limited to electronic communications services as defined in Art. 4 Sec. 1 lit. b) ePrivacy Regulation. It is therefore conceivable that the permission of Art. 6 Sec. 1 lit. a) ePrivacy Regulation applies even if other services are requested from providers of electronic communications services or networks.[9] Recital 16b refers to services facilitating end-users’ everyday life such as a personal assistant, translation services and services enabling the inclusion of persons with disabilities. The ‘services’ referred to in Art. 6a Sec. 1 lit. a) ePrivacy Regulation are therefore expressly not limited to electronic communications services.
Art. 6a Sec. 1 lit. a) requires that the requested service must be provided for purely individual use of the end-user only. This excludes services that are used commercially, industrially or on a large scale by the end-users, and exceed the average individual use in everyday life. In most cases, this restriction is likely to exclude legal persons as requesting end-users in terms of Art. 6a Sec. 1 lit. a) ePrivacy Regulation.
[4] Cf. recital 1, Art. 6a Sec. 1 lit. b) ePrivacy Regulation.
[5] Recital 16a.
[6] Cf. Kiparski in: Specht/Mantz, Handbuch Europäisches und Deutsches Datenschutzrecht (2019), § 18 para. 72.
[7] This is also explicitly provided for in Art. 8 Sec. 2b) for data collections from end-user terminal equipment that are considered particularly risk-prone, Art. 8.
[8] Cf. Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 49.
[9] Cf. Kiparski in: Specht/Mantz, Handbuch Europäisches und Deutsches Datenschutzrecht (2019), § 18 para. 72.
On the basis of Art. 6a Sec. 1 lit. b) ePrivacy Regulation, providers of electronic communications services or networks may process electronic communications content regardless of the underlying purpose if the processing purposes are clearly predetermined and all end-users concerned have consented to the processing. Thus, in contrast to Art. 6a Sec. 1 lit. a) ePrivacy Regulation, consent must be obtained from all end-users and not only of the end-user initiating the processing. However, there is freedom to determine the purposes of processing. These purposes only need to be specified and defined prior to the beginning of the processing activities.
All parties to a communication process are regarded as end-users. Consequently, providers relying on the permission of Art. 6a Sec. 1 lit. b) ePrivacy Regulation are required to obtain the consent of all communicating parties.[10] Such consent must meet all general validity requirements and, in particular, must be informed, voluntary and withdrawable at any time (Art. 4a No. VIII.).[11] The relevant purposes of the processing must be defined before the start of the processing activity in question. In order to meet the validity requirements of consent and, in particular, sufficient information, it will be necessary to determine the processing purposes when consent is obtained, at the latest, as the processing purposes must be covered by the information to be provided to the end-users prior to obtaining their consent (Art. 4a IV.4.). These purposes must not be subsequently changed – this would require obtaining new consent from all end-users involved in the communications process. Other than for the processing of electronic communications metadata in Art. 6c, the ePrivacy Regulation does not provide for a possibility to process electronic communications content for further compatible purposes.[12]
Recital 16a suggests that the processing of communications content in cases of Art. 6a Sec. 1 lit. b) is limited to content in transit, i.e. may not continue beyond the communication process. As an example for processing of electronic communications content in transit, Recital 16a refers to services that entail the scanning of emails to remove certain pre-defined material.[13] It is questionable whether this implication can genuinely be interpreted as a mandatory restriction. Such interpretation would limit the scope of application of the permission of Art. 6a Sec. 1 lit. b) ePrivacy Regulation significantly.
[10] Recital 16a.
[11] Recital 16a.
[12] Here, again, a similarity between the means of protection of electronic communications content in the ePrivacy Regulation and the protection of special categories of personal data pursuant to Art. 9 GDPR can be observed. The latter categories of personal data are also to be excluded from the possibility of further processing pursuant to Art. 6 Sec. 4 lit. c) GDPR.
[13] Recital 16a.
Art. 6a Sec. 2 ePrivacy Regulation provides for a mandatory data protection impact assessment if electronic communications content is processed on the basis of Art. 6a Sec. 1 lit. b) ePrivacy Regulation. The ePrivacy Regulation does not define the term data protection impact assessment itself, but refers to the terms of the GDPR via Art. 4 Sec. 1 lit. a) ePrivacy Regulation. The GDPR introduces and specifies the notion of data protection impact assessment in Art. 35.[14] In essence, however, the data protection impact assessment as envisaged by Art. 35 GDPR is a preventive measure, the purpose of which is to evaluate the factual and legal situation in relation to the intended processing activities in order to prevent data protection non-compliance (see Art. 4 No. I.1.e).
Art. 6 Sec. 2 ePrivacy Regulation provides for the mandatory performance of a data protection impact assessment only in the cases of Art. 6a Sec. 1 lit. b) ePrivacy Regulation. The requirement of the data protection impact assessment applies to the processing of electronic communications content based on Art. 6a Sec. 1 lit. b), regardless of the actual risk potential of the intended processing operation, pursuant to Art. 6 Sec. 2 ePrivacy Regulation. The necessity for such a mandatory protective measure in connection with this legal basis may result from the circumstance that Art. 6a Sec. 1 lit. b) requires the consent of all end-users concerned, but does not provide for a restriction with respect to the permissible purposes. This means that, in principle, with the consent of all end-users concerned, the content of electronic communications can be lawfully processed for all potential purposes, even if not necessarily in the interest of the end-users. The only restriction related to the purposes of processing is that these purposes must be pre-defined by the parties (see Art. 6a No. II.2.). This is in contrast to Art. 6a Sec. 1 lit. a) ePrivacy Regulation. Here, it is not enough that consent is given, but the processing is also strictly restricted to the purpose of providing a service requested by the consenting end-user and may only be carried out to the extent necessary for this purpose. Arguably, the exception of Art. 6a Sec. 1 lit. a) ePrivacy Regulation from the obligation to perform a data protection impact assessment in Art. 6a Sec. 2 is based on the legislator’s assessment that such processing operations restricted to a specific and legally envisaged purpose are less risk-prone or less worthy of protection compared to the permission of Art. 6a Sec. 1 lit. b) ePrivacy Regulation. Furthermore, in cases of Art. 6a Sec. 1 lit. a) ePrivacy Regulation, a somewhat dual legitimisation by the end-user is perceived for the envisaged processing of electronic communications content. The end-user must both, consent and explicitly request the service for which the processing is intended in order for the permission of Art. 6a Sec. 1 lit. a) to apply (Art. 6a No. II.1.). This justifies the assumption that in these cases, a proportionally higher level of protection is already provided for in comparison to merely collecting consent under Art. 6a Sec. 1 lit. b) ePrivacy Regulation.
On the other hand, it should be noted that such supposedly dual legitimisation and the strict purpose limitation provided for in Art. 6a Sec. 1 lit. a) ePrivacy Regulation primarily have a protective effect in relation to the (one) consenting end-user only. The other parties to the communication process that are equally affected by the permission but do not consent to processing of their electronic communications content do not contribute to the justification according to Art. 6a Sec. 1 lit. a) ePrivacy Regulation. Against this background, the privileged treatment of the permission set out in Art. 6a Sec. 2 ePrivacy Regulation of the exception from the mandatory data protection impact assessment appears less appropriate. Furthermore, the requirement of Art. 6 Sec. 1 lit. a) ePrivacy Regulation to exclude risks to fundamental rights and freedoms of the other parties involved in the communication can be met precisely by means of a data protection impact assessment. A data protection impact assessment in terms of Art. 35 GDPR shall identify the risks posed by processing operations, which is a necessary step in order to determine the required prevention and mitigation measures. It is therefore intended to prevent infringements from occurring in the first place, as also required by Art. 6a Sec. 1 lit. a) ePrivacy Regulation.
Art. 35 Sec. 1 GDPR sets out that a data protection impact assessment will always be necessary if an envisaged processing activity is likely to result in high risks to the rights and freedoms of natural persons.[15] In the context of the ePrivacy Regulation, this should also refer to end-users. Recital 16a provides for a presumption of high risks for processing of electronic communications content, but explicitly exempting processing based on Art. 6a Sec. 1 lit. a). Accordingly, the differentiation on the statutory obligation to conduct a data protection impact assessment in Art. 6a Sec. 2 ePrivacy Regulation is consistent. But under certain circumstances, it may nevertheless be advisable for providers of electronic communications services and networks to consider conducting a data protection impact assessment in individual cases when relying on Art. 6a Sec. 1 lit. a) ePrivacy Regulation. In some cases, this may be the most appropriate way to identify and analyse risks for other persons affected by the communication and the intended processing and, thus, necessary to meet the requirements of Art. 6a Sec. 1 lit. a) ePrivacy Regulation for the protection of non-consenting end-users. The absence of a presumption of high-risks in processing on the basis of Art. 6a Sec. 1 lit. b) as per Recital 16a does not automatically deem all processing operations based on this permission less risk-prone. Providers of electronic communications services and networks will be well advised to decide whether a data protection impact assessment ought to be conducted depending on whether a high risk to fundamental rights and freedoms actually exists in the individual case at hand and not to rely on the inapplicability of Art. 6 Sec. 2 exclusively. This is also supported by the reference to Art. 35 GDPR in Recital 17, which states that even the processing of electronic communications metadata may require a data protection impact assessment in case it generates high risks for end-users. It may therefore be advisable in practice to consider carrying out a data protection impact assessment in the context of Art. 6a Sec. 1 lit. a) ePrivacy Regulation, especially when it comes to determining risks to the interests and rights of third parties (see also Art. 6a No. II.1.b).
According to Art. 6a Sec. 2 ePrivacy Regulation, providers relying on the permission of Art. 6a Sec. 1 lit. b) ePrivacy Regulation for the processing of electronic communications content are required to consult the supervisory authority, if necessary. The necessity of consultation results from Art. 36 Sec. 1 GDPR.[16] Accordingly, providers of electronic communications services and networks are required to consult the supervisory authorities if the previously performed data protection impact assessment has shown that there would be a high risk to the rights and interests of the end-users concerned due to the intended processing and no measures are in place to mitigate this risk, Art. 36 Sec. 1 GDPR. By way of Art. 6a Sec. 2 ePrivacy Regulation, the Council has liberalised the initial ePR Commission Proposal 2017. In the corresponding provision of Art. 6 Sec. 3 ePR Commission Proposal 2017 it was envisaged that providers of electronic communications networks and services must always mandatorily consult the supervisory authority when processing of electronic communications content on the basis of end-user consent, regardless of whether there was a necessity in terms of Art. 36 Sec. 1 GDPR.
If the performance of a data protection impact assessment results in the need for consultation of the supervisory authority, Art. 36 Sec. 2 and Sec. 3 GDPR apply to the consultation process, Art. 6a Sec. 2 Sent. 2 ePrivacy Regulation.
Art. 36 Sec. 2 GDPR grants the supervisory authority a period of eight weeks, extendable up to fourteen weeks, to respond and comment upon supposed infringements of the ePrivacy Regulation by the envisaged processing activities and to exercise its supervisory powers in accordance with Art. 58 GDPR. In the context of the ePrivacy Regulation, this will apply mutatis mutandis to the exercise of the powers of supervisory authorities under Art. 18, 23 ePrivacy Regulation (Art. 18) . Therefore, service and network providers have to plan their processing activities with a timeframe allowing for prior consultation of the supervisory authorities. However, should the consulted supervisory authority remain silent, mere expiration of the aforementioned period does not guarantee providers the lawfulness of their intended processing.[17] Rather, the supervisory authority is free to use all its powers against the intended processing operation, even if it was the authority’s inactivity which led to the expiration of the limitation period in spite of attempts of consultation.[18] Art. 36 Sec. 2 GDPR does not contain an enforceable right to request positive reaction by the supervisory authority. However, the controller may have the option to bring an administrative action for failure to act against the supervisory authority.[19]
Art. 36 Sec. 3 GDPR defines the information that is to be provided to the consulted supervisory authority by the providers of electronic communications services or networks. Such information includes:
– where applicable, the respective responsibilities of the providers and third party processors in cases of Art. 6 Sec. 3 ePrivacy Regulation (which also applies to the permissions set out in Art. 6a Sec. 1; Art. 6 No. IV.);
– the purposes and means of the intended processing;
– the measures and safeguards provided to protect the rights and freedoms of end-users;
– where applicable, the contact details of the data protection officer (Art. 6a No. II.1.b);
– details regarding the conducted data protection impact assessment;
– any other information requested by the consulted supervisory authority.
[14] For a definition of the term, please refer to the comments on Art. 4 No. I.1.e).
[15] This also applies in the context of the ePrivacy Regulation and is not per se limited to processing of electronic communications content. Recital 17 indicates that a data protection impact assessment should also be carried out for the processing of electronic communications metadata if these are particularly risk-prone.
[16] As explicitly stipulated by Art. 6a Sec. 2 ePrivacy Regulation.
[17] Baumgartner, in: Ehmann/Selmayr, DSGVO (2018), Art. 36 para. 14.
[18] Baumgartner, in: Ehmann/Selmayr, DSGVO (2018), Art. 36 para. 14.
[19] Jaspers/Reif in: Schwartmann/Jaspers/Thüsing/Kugelmann, DS-GVO/BDSG (2018), Art. 36, para. 42.