Paul Voigt, Axel von dem Bussche: the EU ePrivacy Regulation – Preliminary Guidance and Commentary
Menü
Paul Voigt, Axel von dem Bussche: the EU ePrivacy Regulation – Preliminary Guidance and Commentary
1. Where the processing for a purpose other than that for which the electronic communications metadata have been collected under paragraph 1 of Articles 6 and 6b is not based on the end-user’s consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 11, the provider of electronic communications networks and services shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the electronic communications metadata are initially collected, take into account, inter alia:
(a) any link between the purposes for which the electronic communications metadata have been collected and the purposes of the intended further processing;
(b) the context in which the electronic communications metadata have been collected, in particular regarding the relationship between end-users concerned and the provider;
(c) the nature of the electronic communications metadata as well as the modalities of the intended further processing, in particular where such data or the intended further processing could reveal categories of data, pursuant to Articles 9 or 10 of Regulation (EU) 2016/679;
(d) the possible consequences of the intended further processing for end-users;
(e) the existence of appropriate safeguards, such as encryption and pseudonymisation.
2. Such processing, if considered compatible, may only take place, provided that:
(a) the processing could not be carried out by processing information that is made anonymous, and electronic communications metadata is erased or made anonymous as soon as it is no longer needed to fulfil the purpose, and
(b) the processing is limited to electronic communications metadata that is pseudonymised, and
(c) the electronic communications metadata is not used to determine the nature or characteristics of an end-user or to build a profile of an end-user, which produces legal effects concerning him or her or similarly significantly affects him or her.
3. For the purposes of paragraph 1 of this Article, the providers of electronic communications networks and services shall not, without prejudice to Article 6 (3), share such data with any third parties, unless it is made anonymous.
(17aa) Further processing for purposes other than for which the metadata where initially collected may take place without the consent of the end-users concerned, provided that such processing is compatible with the purpose for which the metadata are initially collected, certain additional conditions and safeguards set out by this Regulation are complied with, including the requirement to genuinely anonymise the result before sharing the analysis with third parties. As end-users attach great value to the confidentiality of their communications, including their physical movements, such data cannot be used to determine the nature or characteristics on an end-user or to build a profile of an end-user, in order to, for example, avoid that the data is used for segmentation purposes, to monitor the behaviour of a specific end-user or to draw conclusions concerning the private life of an end-user. For the same reason, the end-user must be provided with information about these processing activities taking place and given the right to object to such processing.
With regard to electronic communications metadata, Art. 6c ePrivacy Regulation allows providers of electronic communications services and networks to process such data for purposes not foreseen when the data was initially collected, provided certain conditions are met. Above all, the envisaged purposes of further processing must be compatible with the initial purposes for which the data was collected. In order to determine whether compatibility of purposes is fulfilled, an assessment ought to take place for which Art. 6c Sec. 1 ePrivacy Regulation defines a non-exhaustive list of factors to be considered.[1] When assessing compatibility it becomes relevant whether the intended further processing and its consequences are covered by the reasonable expectations of affected end-users. Based on predictability and foreseeability, ‘obviously compatible’ and ‘obviously incompatible’ processing purposes and scenarios are distinguished.[2]
The criteria for assessing compatibility of purposes defined in Art. 6c Sec. 1 ePrivacy Regulation correspond to those stipulated in the parallel provision of the GDPR for further processing of personal data in Art. 6 Sec. 4 lit. a) – lit. e) GDPR. Due to the proximity of both provisions, many of the considerations regarding Art. 6 Sec. 4 GDPR can be applied to Art. 6c Sec. 1 ePrivacy Regulation. However, such application must take into account that the protective purpose of the ePrivacy Regulation, to preserve the confidentiality of electronic communications data and protect end-users, differs from that of the GDPR (Art. 1 No. I.2.).
The concept of further compatible processing had already been envisaged by the Data Protection Directive in its Art. 6 Sec. 1 lit. b). ‘Further processing’ refers to any processing other than the initial collection of data, whether its purposes have been initially specified or not.[3] The Art. 29 WP concretised the factors to be taken into account for a compatibility test in connection with Art. 6 Sec. 1 lit. b) of the Data Protection Directive, which were then largely incorporated into Art. 6 Sec. 4 GDPR and now accordingly within Art. 6c Sec. 1 ePrivacy Regulation.[4]
The first step in carrying out a compatibility assessment is to identify the purposes, which ought to be compared. One common use case for a change in purpose of the processing is the anonymisation of data, which plays a role in both the GDPR and the ePrivacy Regulation as a protective mechanism and is a key tool for providers of electronic communications services and networks in order to gain more flexibility in planned processing operations.[5] In this regard it is crucial to note that anonymisation constitutes a processing operation by itself, which, if not covered by the purpose of collection, must also meet the requirements under Art. 6c ePrivacy Regulation (and, in the case of GDPR applicability, of Art. 6 Sec. 4 GDPR, as well). Thus, the process of anonymization must be considered in front of its own individual purposes, which, in general, will not be the purpose of anonymization alone (i.e. dissolving a person´s identifiability), but rather a particular subsequent use of the anonymised data. Such subsequent uses (e.g. processing within big data applications), represent the ones, which are relevant to the assessment of compatibility with the initial purposes.[6]
These uses, as a second step, must be compared to the catalogue of criteria under Art. 6c Sec. 1 lits. a to e ePrivacy Regulation. Subsequent criteria must be taken into account, when assessing the compatibility of further processing with the purposes pursued at the first stage. Here, it is questionable, if Art. 6c Sec. 1 ePrivacy Regulation represents an individual legal basis for further processing in itself, or if it actually relies on (additional) justification according to Art. 6b Sec. 1 ePrivacy Regulation. One might argue, Art. 6b Sec. 1 ePrivacy Regulation, which at a first glance applies primarily to the initial collection of data only, would be required as a basis for further processing, as well, meaning that every individual act of processing was in need of separate justification. Subsequently, Art. 6c ePrivacy Regulation only represented an addition to the prerequisites under Art. 6b Sec. 1 ePrivacy Regulation and thus served as a means of further restriction on processing. While being a question of rather technical nature, practical effects are significant, since additional requirements of justification narrow down the applicability of the norm and the practical leeway for further processing.
Reason for such an interpretation of Art. 6c Sec. 1 ePrivacy Regulation was provided by voices in literature, which, by then with regard to the related provision in Art. 6 Sec. 4 GDPR, referred to the wording and possible dysfunctionalities of the provision.[7] Subsequently, on the one hand, the term “compatible” corresponded to the provision in Art. 5 Sec. 1 lit. b GDPR, thus representing a mere interpretation of the general principle of purpose limitation.[8] As such, it could not at the same time elaborate justification requirements under Art. 6 Sec. 1 GDPR. On the other hand, it was considered a contradiction of values to privilege further processing of data solely on the grounds it had already been collected, while any further kind of (initial) processing needed to be justified. According to this opinion, intolerable modes of processing could have been enacted under the rather indifferent consideration criteria of Art. 6 Sec. 4 GDPR, only because they qualified “compatible” to the initial purposes. Much lighter forms of interferences, to the contrary, would have been excluded. Thus, it was feared, controllers could feel an incentive to collect data for admissible purposes in the first place and use them for their actual purposes in the second place. That, due to this interpretation, however, contradicted Art. 8 Sec. 2 CFR, requiring a legal basis for (every) processing of personal data.
In the light of both Art. 6 Sec. 4 GDPR and Art. 6c ePrivacys´ explicit wording, its systematic layout, and practical orientation, this finding, however, cannot stand. To the contrary it is correct that already under the GDPR, Art. 6 Sec. 4 did not only specify the principles of processing according to Art. 5 Sec. 1 lit. b alone, but also represented an individual legal basis for further processing in itself. Conversely, as Recital 50 GDPR clarified, “no legal basis separate from that which allowed the collection of the personal data [was] required”. Withal, this finding already followed from the explicit stipulation of Art. 5 Sec. 1 lit. b GDPR, stating that data should not be “further processed in a manner that is incompatible with [the initial] purposes”. E contrario, processing in a compatible manner would be admissible.
Admittedly, such compatible manners would have been specified within Art. 6 Sec. 4 GDPR. However, this specification was not located in Art. 5 GDPR, as would be expected from such specification, but rather in Art. 6 GDPR, thus expressing its systematic layout as an original reason for “lawful processing” (and not a mere “principle relating to processing”). This implementation of a separate provision under Art. 6 Sec. 4 GDPR or, even clearer, Art. 6c ePrivacy Regulation would have been dispensable, if further processing was not privileged per se, but if it required additional justification. The legislator could have simply implemented this requirement into the relevant provisions directly[9], instead of effortfully creating separate clauses. For instance, it could have stated that “any act of processing, initial or subsequent, shall be permitted only, if…”[10]or at least: “in addition to the requirements pursuant to Art. 6b Sec. 1 GDPR, the provider shall take into account the following aspects”[11]. Instead, it chose both to refrain from making such a statement[12] and to separate the provision in the course of an individual Article. This clearly points out to an independent systematic layout of both Art. 6 Sec. 4 GDPR and Art. 6c Sec. ePrivacy Regulation and their consequent legal nature as original justifications for further processing.
Finally, this interpretation compels, when taking into account the general aim incorporated to the provision of both separate clauses, which has been to privilege further processing in the course of an individual legal bases and of clear legal requirements. Any different understanding would contradict this layout. Since the latter emerges from the apprehension of a too wide scope of application, it is moreover hardly comprehensible in light of the fact that these bases are provided for in a very strict and specific way, even exceeding the comparatively broad stipulations within Art. 6 Sec. 1 GDPR and Art. 6b ePrivacy Regulation: On the one hand, the comprehensive set of criteria in Art. 6b ePrivacy Regulation applies to communications metadata only, i.e. particularly not to communications content or other sorts of communications data.[13] On the other hand, further processing requires additional safeguards under Art. 6c Sec. 2 ePrivacy Regulation in order to guarantee pseudonymisation and a limited intensity of interference with fundamental rights and interests. This layout applies precisely to restrict the scope of application and therefore disqualifies concerns about an inappropriate overuse. Altogether, the catalogue of Art. 6 Sec. 1 lits. a to e ePrivacy Regulation represent independent legal bases for further processing and must as such be taken into account in every case of application.
[1] The wording of Art. 6c Sec. 1 ePrivacy Regulation explicitly states that, inter alia, the factors listed in the provision are to be taken into account, which implies the applicability of further factors that are not explicitly listed; cf. Albers/Veit, in: Wolff/Brink, BeckOK-Datenschutzrecht (2020), Art. 6 DSGVO para. 69.
[2] Cf. Art. 29 Data Protection Working Party, WP 203, Opinion 03/2013 on purpose limitation from 2 April 2013, p. 22 et seq.
[3] Art. 29 Data Protection Working Party, WP 203, Opinion 03/2013 on purpose limitation from 2 April 2013, p. 21.
[4] Art. 29 Data Protection Working Party, WP 203, Opinion 03/2013 on purpose limitation from 2 April 2013, p. 3, 23 et seqq.
[5] Art. 6 Sec. 2, Art. 6b Sec. 1 lit. e, Sec. 2.
[6] See with regard to Art. 6 Sec. 4 GDPR, German Federal Commissioner for Data Protection and Freedom of Information (BfDI), Position paper on anonymisation under the GDPR with special focus on the telecommunications industry from 20 June 2020, p. 6 et seq.
[7] Cf. Buchner/Petri, in: Kühling/Buchner, DS-GVO/BDSG (2020), Art. 6 para. 181 et seqq; Albers/Veit, in: Wolff/Brink, BeckOK-Datenschutzrecht (2020), Art. 6 DSGVO para. 69.
[8] Buchner/Petri, ibid.; Albers/Veit, ibid.
[9] Art. 6 Sec. 1 GDPR or Art. 6b Sec. 1 ePrivacy Regulation respectively.
[10] In case of Art. 6 Sec. 1 GDPR and Art. 6b ePrivacy.
[11] In case of Art. 6c ePrivacy Regulation.
[12] Even in light of an ongoing debate under Art. 6 Sec. 4 GDPR.
[13] For more details, see Art. 4 No. III.1. et seqq.
The first criterion that might weigh in favour of compatibility of purposes is a link between the original and further processing purposes, Art. 6c Sec. 1 lit. a) ePrivacy Regulation. In order to determine whether there is such a sufficient link, the context of processing as well as the way in which a certain purpose is commonly understood by relevant stakeholders in the particular situation ought to be taken into account.[14]
A relatively broad interpretation of this prerequisite results from the wording of Art. 6c Sec. 1 lit. a) ePrivacy Regulation, according to which ‘any’ link shall be sufficient. Still, with regard to the parallel provision of Art. 6 Sec. 4 GDPR, it is argued that ”compatibility” should be applied rather restrictively, as otherwise there would be a risk of an excessive weakening of the principle of purpose limitation, which is a core value of data protection law.[15] However, this reasoning is not necessarily transferable to the interpretation of Art. 6c Sec. 1 of the ePrivacy Regulation. The ePrivacy Regulation does not regulate the principle of purpose limitation in a manner comparable to the GDPR. Rather, purpose limitation applies only indirectly in the ePrivacy context, for example when the ePrivacy Regulation refers to the GDPR with regard to the requirements for effective consent and the determination of processing purposes becomes relevant in this regard (Art. 4a No. IV.).[16]
As a rule of thumb, a link in terms of Art. 6c Sec. 1 lit. c) ePrivacy Regulation is most apparent if the intended further processing constitutes the ‘logical next step’ after the initial collection of electronic communications metadata and, thus, could have been foreseen by the end-users concerned.[17]
[14] Art. 29 Data Protection Working Party, WP 203, Opinion 03/2013 on purpose limitation from 2 April 2013, p. 23.
[15] Buchner/Petri, in: Kühling/Buchner, DS-GVO/BDSG (2020), Art. 6 para. 186.
[16] The principle of purpose limitation is also referred to in recital 20aa with regard to compatible further processing of data collected from end-user terminal equipment, Art. 8 No. I.3.h).
[17] Cf. Art. 29 Data Protection Working Party, WP 203, Opinion 03/2013 on purpose limitation from 2 April 2013, p. 23; Buchner/Petri, in: Kühling/Buchner, DS-GVO/BDSG (2020), Art. 6 para. 187.
The ”context of the collection” refers to what a reasonable person in the situation of the end-user would expect the respective electronic communications metadata to be used for in the specific context of the situation at hand.[18] A factor deserving special consideration within the context of data collection is the nature of the relationship between the parties, i.e. what the usual and customary expected practice in the given contractual, commercial or other relationship would be.[19] In this respect, the relationship between the parties might have a negative impact on a compatibility assessment in two ways: while a long-standing special relationship of trust may arguably preclude unanticipated further processing, a superficial relationship without any trust between the parties, in turn, may also not justify further processing.[20]
It is a recurring relevant factor within the compatibility test of Art. 6c Sec. 1 ePrivacy Regulation (as well as within Art. 6 Sec. 4 GDPR) that it needs to be assessed whether the intended further processing falls within the scope of what can and must be reasonably expected in a specific situation.[21] If further processing can reasonably be expected, it can be assumed that the legitimisation of the initial data collection also implicitly legitimises the intended further processing.[22] However, where the electronic communications service or network provider suggests that electronic communications metadata will be handled with outstanding confidentiality and for specified purposes only, further processing will most likely be regarded incompatible as the expectations of the end-users concerned are pulled in the opposite direction. As a general rule, the more specific and restrictive the context of data processing, the more limited the expectations of affected end-users will be, and there will be less room for compatible further processing.[23]
[18] Cf. Art. 29 Data Protection Working Party, WP 203, Opinion 03/2013 on purpose limitation from 2 April 2013, p. 24.
[19] Ibid.
[20] Frenzel, in: Paal/Pauly, DSGVO/BDSG (2021), Art. 6 para. 49.
[21] Cf. Recital 50 GDPR; Art. 29 Data Protection Working Party, WP 203, Opinion 03/2013 on purpose limitation from 2 April 2013, p. 22 et seqq.
[22] Buchner/Petri, in: Kühling/Buchner, DS-GVO/BDSG (2020), Art. 6 para. 187.
[23] Art. 29 Data Protection Working Party, WP 203, Opinion 03/2013 on purpose limitation from 2 April 2013, p. 25.
Art. 6c Sec. 1 lit. c) primarily refers to factors that might have a negative impact on the compatibility test when fulfilled. The first circumstance that according to Art. 6c Sec. 1 lit. c) ePrivacy Regulation would have a negative impact in the context of a compatibility test is the involvement of special categories of data in the sense of Art. 9, Art. 10 GDPR in the intended further processing. The reference to the provisions of the GDPR is explicit. If the further processing of electronic communication data would lead to such information being revealed, there is only little room for compatibility. However, the question arises as to what extent special categories of data of natural persons particularly highlighted in Art. 9 and Art. 10 GDPR, might generate a protective effect in relation to legal persons as well in order to comply with the subject matter of the ePrivacy Regulation as set out in Art. 1 Sec. 1a.
The referenced Art. 9 Sec. 1 GDPR defines ‘personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation’ as special categories of data. In accordance with the GDPR’s protective purpose, which is limited to the protection of natural persons, the categories of data requiring special protection under Art. 9 Sec. 1 GDPR are limited by definition to personal data only. In the context of application in the ePrivacy context a modification towards electronic communications data and the protection of end-users which might be both, natural as well as legal persons, is necessary. The same applies to Art. 10 GDPR which stipulates special protection for personal data relating to criminal convictions and offences.
Not all of the categories of data listed in Art. 9 Sec. 1 as well as Art. 10 GDPR will be equally relevant for end-users who are legal persons. Apart from commercial criminal law, which is developed to varying degrees in the Member States, the data on criminal convictions according to Art. 10 GDPR will also be less relevant in connection with legal persons. Certain categories, such as political opinion according to Art. 9 Sec. 1 GDPR, however, as well as religious and philosophical beliefs and indirectly also any proximity to certain trade unions may be relevant in relation to legal persons as well, for example in case of religious associations or an association belonging to a certain political party.
All categories of data listed in Art. 9 Sec. 1 and Art. 10 GDPR are likely to become relevant in the context of Art. 6c Sec. 1 lit. c) ePrivacy Regulation with regard to legal persons, if respective information on natural persons acting on behalf of the legal person would be revealed by processing the electronic communications metadata of legal persons.
The categories of data listed in Art. 9 and Art. 10 GDPR ought to be regarded as a guideline rather than an exhaustive list within the reference of Art. 6c Sec. 1 lit. c) ePrivacy Regulation. There could be information beyond explicitly mentioned data categories that are equally sensitive and worthy of protection and would therefore also have a negative effect in the context of a compatibility test, such as trade secrets or information about a legal person’s business operations of monetary value (in this regard see Art. 1 No. I.1.a)). This is implied by the wording of Art. 6 Sec. 1 lit. c) ePrivacy Regulation (‘in particular’). However, the nature and sensitivity of such data should be comparable to the categories listed in Art. 9 Sec. 1 GDPR. In sum, the more sensitive the data concerned, the narrower the scope for permitted compatible further processing.[24]
In addition to particularly sensitive categories of data, the modalities of the intended processing operation must be taken into account within Art. 6c Sec. 1 lit. c) ePrivacy Regulation, as well. While modalities had not yet been an explicit factor within Art. 6 Sec. 4 GDPR (lit. c only referred to the nature of the data), the impact assessment under Art. 6 Sec. 4 lit. d) GDPR nevertheless entailed the type and scope of processing. Consequently, modalities of processing would refer to the fact, if for example, data was processed by a different controller in another context or with unknown consequences, a public disclosure of data or other forms of accessibility to a larger number of persons would occur, whether large amounts of personal data would be processed or combined with other data (e.g. in case of profiling, for commercial, law enforcement or other purposes) and particularly if such operations were not foreseeable at the time of collection.[25] With regard to the result of the assessment that meant, and respectively means in the context of Art. 6c ePrivacy Regulation, that the less intensive the intended data processing is, the more it favours compatibility of additional purposes.[26]
[24] Art. 29 Data Protection Working Party, WP 203, Opinion 03/2013 on purpose limitation from 2 April 2013, p. 25.
[25] Accordingly, the manner of data processing was also mentioned within the framework of the criteria established for a compatibility test by the Art. 29 Data Protection Working Party, WP 203, Opinion 03/2013 on purpose limitation from 2 April 2013, p. 26, which served as a basis for the provision of Art. 6 Sec. 4 GDPR.
[26] Ibid.
The consequences that further processing may have for end-users, both negative and positive, must also be taken into account in the compatibility test.[27] Such consequences can entail situations where the intended further processing will result in decisions of third parties affecting the end-users, where individuals are to be excluded from certain situations and/or discriminated on the basis of the processing results, as well as potential negative emotional consequences for end-users that may arise from a loss of control over their own data, such as fear or distress.[28] The latter will obviously only become relevant in cases where the affected end-users are natural persons. Withal, it is to assume that consequences will affect the individual harder, the less he or she expects them. Therefore, the Art. 29 WP considers a decisive factor, to which extent such consequences are foreseeable.[29] This criteria reflects on the central role of an end-user, when using communicative tools and is therefore an adequate means to balance out his or her interests with the ones of the controlling parties. Dogmatically, it can be linked to the term of “possible” consequences. ‘Possibility’, as a criteria of attributability, entails the individual´s assessment on certain effects to his or her actions. This entails, whether effects lie beyond reasonable life experience, i.e. are generally considered “impossible”, or need to be included into its general risk. Foreseeable effects, consequently, are attributable, unforeseeable ones are not.
[27] Art. 29 Data Protection Working Party, WP 203, Opinion 03/2013 on purpose limitation from 2 April 2013, p. 25.
[28] Art. 29 Data Protection Working Party, ibid.
[29] See above Sec. I.3.; Art. 29 Data Protection Working Party, ibid.
Finally, the compatibility of further processing will depend on whether the electronic communications service or network provider intending to process the electronic communications metadata for compatible purposes has implemented sufficient safeguards in order to protect the interests of affected end-users. Art. 6c Sec. 1 lit. e) names psedonymisation and encryption as explicit examples of such safeguards. These safeguards are mentioned repeatedly within the ePrivacy Regulation as relevant instruments for the protection of end-user interests, for example as regards the lawfulness of the processing of location data for scientific, historical or research purposes (Art. 6b No. I.5.). For a definition of pseudonymisation and encryption, reference is made to Art. 6b No. I.5.a). The decisive factor in assessing any safeguards is, in particular, whether the level of protection provided during the initial processing is maintained during further processing as well.[30]
Further examples of ‘additional safeguards’ which that could support compatibility of further processing are technical or organisational measures that could ensure functional separation,[31] such as anonymisation (Art. 6 No. III.2.) and aggregation (Art. 6b No. I.5.) of data, as well as any measures taken for the benefit of end-users, such as additional information, increased transparency and explicit references to or facilitation of their possibility to object.[32]
[30] Buchner/Petri, in: Kühling/Buchner, DS-GVO/BDSG (2020), Art. 6 para. 191.
[31] According to the Art. 29 WP, ‘functional separation’ means that the respective data cannot be used to take decisions or other actions with respect to individuals, see Art. 29 Data Protection Working Party, WP 203, Opinion 03/2013 on purpose limitation from 2 April 2013, p. 27.
[32] Recital 17aa; cf. Art. 29 Data Protection Working Party, WP 203, Opinion 03/2013 on purpose limitation from 2 April 2013, p. 26.
In addition to the required compatibility assessment regarding the purposes of collection and the subsequently determined processing purposes, Art. 6c Sec. 2 ePrivacy Regulation sets out further requirements for the lawfulness of further processing. These all concern proportionality considerations of the intended processing. All of the requirements set out in Art. 6c Sec. 2 lit. a) – c) are partly derived from other legal provisions of the ePrivacy Regulation or already enshrined in the compatibility test of Art. 6c Sec. 1 itself. Thus, the requirements stipulated by Art. 6c Sec. 2 ePrivacy Regulation arguably have a primarily declaratory and emphasising effect, leaving, however, less “wiggle room” than the compatibility assessment.
Further processing of electronic communications metadata may not take place, even if the compatibility assessment proves positive, if the intended purposes could be achieved equally with electronic communications metadata that have been anonymised, Art. 6c Sec. 2 lit. a) ePrivacy Regulation. In any case, the provision stipulates the necessity to make anonymous or delete electronic communications metadata in the course of further processing, either as soon as the purposes have been fulfilled, or can be fulfilled. This corresponds to Art. 6 Sec. 2 ePrivacy Regulation. The latter is explicitly applicable to processing operations pursuant to Art. 6c ePrivacy Regulation and stipulates both, the preference for anonymised electronic communications data in all processing operations and the obligation to erase such data as soon as the processing purposes no longer require further processing or storage (Art. 6 No. III.1.).
Furthermore, Art. 6c Sec. 1 lit. b) ePrivacy Regulation stipulates that it is mandatory to pseudonymise electronic communications metadata before it is further processed for compatible purposes. Pseudonymisation is a common safeguard within the ePrivacy Regulation, to which reference is made repeatedly (see No. I.5.). In this respect, there is somewhat of an overlap with Art. 6c Sec. 1 lit. e), which also refers to the necessity of pseudonymisation in the context of further processing. However, Art. 6c Sec. 2 lit. b) ePrivacy Regulation is more extensive, as here pseudonymisation is not one of several possible safeguards that would have an effect in favour of lawfulness, but rather, according to the wording, a mandatory legal requirement.
The last requirement stipulated in Art. 6c Sec. 2 ePrivacy Regulation takes up another criterion that already has to be considered in the context of the compatibility test. According to Art. 6c Sec. 2 lit. c) of the ePrivacy Regulation, further processing for compatible purposes should only be lawful if it does not lead to adverse consequences that would significantly affect the end-users concerned. This applies, in particular, to processing of electronic communications metadata for the purpose of profiling end-users or determining their nature and characteristics, on the basis of which decisions would be taken that could have legal consequences for end-users. This requirement is, thus, closely related to the assessment criterion of the compatibility test pursuant to Art. 6c Sec. 1 lit. d) ePrivacy Regulation, according to which the consequences for end-users resulting from further processing are to be taken into account when assessing purpose compatibility (see above No. I.4.). While the compatibility test only refers to the consequences in a very general sense and a balancing has to take place, i.e. adverse consequences do not necessarily have to lead to incompatibility (cf. No. I.4.), Art. 6c Sec. 2 lit. c) ePrivacy Regulation highlights certain particular consequences of processing that are prohibited in the context of lawful further processing.
Art. 6c Sec. 3 ePrivacy Regulation stipulates a prohibition to share electronic communications metadata, which has been further processed, with third parties, unless it has been made anonymous.[33] The provision refers to Art. 6 Sec. 3 ePrivacy Regulation, which permits processing by third parties on behalf of the provider, if the conditions laid down in both Art. 6 to 6c ePrivacy and Art. 28 GDPR are met. Art. 6c Sec. 3 ePrivacy Regulation thus corresponds to the provision of Art. 6b Sec. 2, which allows sharing of location data for scientific or historical research or statistical purposes.[34] Since reference is made “without prejudice to Art. 6 Sec. 3”, in these cases (for once) anonymization is not required.
Art. 28 GDPR is relevant with regard to its special requirements for processing by third parties on behalf of the service provider. Comments under Art. 6 No. III. apply here.
[33] Recital 17aa.
[34] For details cf. Art. 6b No. III.