Article 2 ePrivacy Regulation - Material Scope
Article 2 ePrivacy Regulation
1. This Regulation applies to:
(a) the processing of electronic communications content and of electronic communications metadata carried out in connection with the provision and the use of electronic communications services;
(b) end-users’ terminal equipment information.
(c) the offering of a publicly available directory of end-users of electronic communications services;
(d) the sending of direct marketing communications to end-users.
2. This Regulation does not apply to:
(a) activities which fall outside the scope of Union law, and in any event measures, processing activities and operations concerning national security and defence, regardless of who is carrying out those activities whether it is a public authority or a private operator acting at the request of a public authority;
(b) activities of the Member States which fall within the scope of Chapter 2 of Title V of the Treaty on European Union;
(c) electronic communications services which are not publicly available;
(d) activities, including data processing activities, of competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
(e) electronic communications data processed after receipt by the end-user concerned.
– Sect. 3 of Art. 2 has been removed from the adopted text of the ePrivacy Regulation –
4. This Regulation shall be without prejudice to the application of Directive 2000/31/EC9, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.
5. This Regulation shall be without prejudice to the provisions of Directive 2014/53/EU.
Corresponding Recitals
(7) The Member States should be allowed, within the limits of this Regulation, to maintain or introduce national provisions to further specify and clarify the application of the rules of this Regulation in order to ensure an effective application and interpretation of those rules. Therefore, the margin of discretion, which Member States have in this regard, should maintain a balance between the protection of private life and personal data and the free movement of electronic communications data.
(7a) This Regulation does not apply to the protection of fundamental rights and freedoms related to activities which fall outside the scope of Union law, and in any event measures, processing activities and operations concerning national security and defence, regardless of who is carrying out those operations, whether it is a public authority or a private operator acting at the request of a public authority.
(8) This Regulation should apply to providers of electronic communications services, and to providers of publicly available directories. This Regulation should also apply to natural and legal persons who use electronic communications services to send direct marketing commercial communications or make use of processing and storage capabilities of terminal equipment or collect information processed by or emitted by or stored in end-users’ terminal equipment.
(8aa) Some end-users, for example providers of payment services or payment systems, process as recipients their electronic communications data for different purposes or request a third party to process their electronic communications data on their behalf. It is also important that end-users, including legal entities, have the possibility to take the necessary measures to secure their services, networks, employees and customers from security threats or incidents. Information security services may play an important role in ensuring the security of end-users’ digital sphere. For example, an end-user as an information society service provider may process its electronic communications data, or may request a third party, such as a provider of security technologies and services, to process that end-user’s electronic communications data on its behalf, for purposes such as ensuring network and information security, including the prevention, monitoring and termination of fraud, unauthorised access and Distributed Denial of Service attacks, or facilitating efficient delivery of website content. Processing of their electronic communications data by the end-users concerned, or by a third party entrusted by the end-users concerned to process their electronic communications data after receipt on their behalf, is should not be covered by this Regulation. For the purpose of protecting the end-user’s terminal equipment processing upon receipt, including also just before receipt, by a third party entrusted should not be covered by this Regulation.
(8a) This Regulation does not apply to the electronic communications data of deceased persons. Member States may provide for rules regarding the processing of electronic communications data of deceased persons.
(10) Radio equipment and its software which is placed on the internal market in the Union, must comply with Directive 2014/53/EU of the European Parliament and of the Council6. This Regulation should not affect the applicability of any of the requirements of Directive 2014/53/EU nor the power of the Commission to adopt delegated acts pursuant to Directive 2014/53/EU requiring that specific categories or classes of radio equipment incorporate safeguards to ensure that personal data and privacy of end-users are protected.
(11) The services used for communications purposes, and the technical means of their delivery, have evolved considerably. End-users increasingly replace traditional voice telephony, text messages (SMS) and electronic mail conveyance services in favour of functionally equivalent online services such as Voice over IP, messaging services and web-based e-mail services. In order to ensure an effective and equal protection of end-users when using functionally equivalent services, this Regulation uses the definition of electronic communications services set forth in the Directive (EU) 2018/1972. That definition encompasses not only internet access services and services consisting wholly or partly in the conveyance of signals but also interpersonal communications services, which may or may not be number-based, such as for example, Voice over IP, messaging services and web-based e-mail services. The protection of confidentiality of communications is crucial also as regards interpersonal communications services that are ancillary to another service; therefore, such type of services also having a communication functionality should be covered by this Regulation.
(11a) The protection of confidentiality of communications is crucial also as regards interpersonal communications services that are ancillary to another service; therefore, the processing of electronic communications data in the context of the provision of such type of minor ancillary services should be covered by this Regulation.
(11aa) In all the circumstances where electronic communication is taking place between a finite, that is to say not potentially unlimited, number of end-users which is determined by the sender of the communications, e.g. any messaging application allowing two or more people to connect and communicate, such services constitute interpersonal communications services. Conversely, a communications channel does not constitute an interpersonal communications service when it does not enable direct interpersonal and interactive exchange of information via electronic communications networks between a finite number of persons, whereby the persons initiating or participating in the communication determine its recipient(s). This is for example the case when the entity providing the communications channel is at the same time a communicating party, such as a company that operates a communications channel for customer care that allows customers solely to communicate with the company in question. Also, where access to an electronic communications is available for anyone, e.g. communications in an electronic communications channel in online games which is open to all persons playing the game, such channel does not constitute an interpersonal communications feature. This reflects the end-users’ expectations regarding the confidentiality of a service.
(12) The use of machine-to-machine and Internet of Things services, that is to say services involving an automated transfer of data and information between devices or software-based applications with limited or no human interaction, is emerging. In order to ensure full protection of the rights to privacy and confidentiality of communications, and to promote a trusted and secure Internet of Things in the digital single market, this Regulation, in particular the requirements relating to the confidentiality of communications, should apply to the transmission of such services. The transmission of machine-to-machine or Internet of Things services regularly involves the conveyance of signals via an electronic communications network and, hence, constitutes an electronic communications service. This Regulation should apply to the provider of the transmission service if that transmission is carried out via a publicly available electronic communications service or network. Conversely, where the transmission of machine-to-machine or Internet of Things services is carried out via a private or closed network such as a closed factory network, this Regulation should not apply. Typically, providers of machine-to-machine or Internet of Things services operate at the application layer (on top of electronic communications services). These service providers and their customers who use IoT services are in this respect end-users, and not providers of the electronic communication service and therefore benefit from the protection of confidentiality of their electronic communications data. Specific safeguards could also be adopted under sectorial legislation, as for instance Directive 2014/53/EU.
(13) The development of fast and efficient wireless technologies has fostered the increasing availability for the public of internet access via wireless networks accessible by anyone in public and semi-private spaces such as ‘hotspots’ situated at different places within a city, department stores, shopping malls and hospitals. To the extent that those communications networks are provided to an undefined group of end-users, regardless if these networks are secured with passwords or not, the confidentiality of the communications transmitted through such networks should be protected. The fact that wireless electronic communications services may be ancillary to other services should not stand in the way of ensuring the protection of confidentiality of communications data and application of this Regulation. Therefore, this Regulation should apply to electronic communications data using publicly available electronic communications services and public electronic communications networks. In contrast, this Regulation should not apply to closed groups of end-users such as home (fixed or wireless) networks or corporate networks or networks to which the, access is limited to a pre-defined group of end-users, e.g. to family members or, members of a corporation. Similarly, this Regulation does not apply to data processed by services or networks used for purely internal communications purposes between public institutions, courts, court administrations, financial, social and employment administrations. As soon as electronic communications data is transferred from such a closed group network to a public electronic communications network, this Regulation applies to such data, including when it is M2M/IoT and personal/home assistant data. The provisions of this Regulation regarding the protection of end-users’ terminal equipment information also apply in the case of terminal equipment connected to a closed group network such as a home (fixed or wireless) network which in turn is connected to a public electronic communications network.
I. General scope of application
The general subject matter of the ePrivacy Regulation contained in its Art. 1 defines its regulatory purposes, but does not yet contain explicit specifications for determining and delimiting the legal scope of application of the law (except for Art. 1 Sec. 3, which delimits the scope of application in relation to the GDPR). While Art. 1 ePrivacy Regulation is more of a declaration of intent and useful in order to assess how to apply the law, the scope of application of the ePrivacy Regulation regarding when the law applies is mainly determined in its subsequent provisions, namely Arts. 2 and 3.
These stipulations contain rules on the material and territorial scope of the law and partially allow for conclusions regarding the personal scope of application of the regulation. Thus, in order to determine whether the provisions of the ePrivacy Regulation apply in a particular situation, three aspects have to be considered and distinguished:
– Material Scope
Firstly, it has to be ascertained whether the issue of that situation is covered by the material scope of the ePrivacy Regulation, i.e. whether there is a processing situation in the context of electronic communications as defined in Art. 2 Sec. 1 of the ePrivacy Regulation and no exceptions pursuant to Art. 2 Sec. 2 apply (Art. 2 No. III.).
– Territorial Scope
Secondly, it has to be assessed whether the issue at hand is covered by the territorial scope of application of the ePrivacy Regulation. The territorial scope of the ePrivacy Regulation is stipulated in its Art. 3.
– Personal Scope
Lastly, the regulatory targets and addressees have to be identified in order to assess whether the ePrivacy Regulation is applicable to a case at hand. Other than the material and territorial scope, the personal scope is not autonomously defined in any specific provision of the ePrivacy Regulation. Rather, the scope of addressees differs depending on the specific obligation or provision in question. Thus, where there is no explicit limitation, the provisions of the ePrivacy Regulation, principally, apply to all actors involved in a process falling within the material and territorial scope of application. Such provisions with generally unlimited personal scope are, for example Art. 5 and Art. 8 Sec. 1 ePrivacy Regulation. Applicability of other provisions, however, eventually depends on special characteristics of the norm addressees. For example, Art. 6 ePrivacy Regulation is only applicable to providers of electronic communications networks and services, while Art. 15 ePrivacy Regulation applies to providers of number-based interpersonal communications services.[1]
[1] Further concretization of the individual personal scope of application can be found in various other Articles of the ePrivacy Regulation, see e.g. Art. 5.IV., Art. 6 and Art. 15.
II. Material scope, Art. 2 Sec. 1 – In Which Cases Does the ePrivacy Regulation Apply?
The ePrivacy Regulation has a rather narrow material scope concerning the type and nature of protected data and relevant processing activities. It applies only to processing situations which are related to communications. In this regard, Art. 2 Sec. 1 ePrivacy Regulation defines a comprehensive list of use cases to be covered by the material scope, namely
1. ‘the processing of electronic communications content and of electronic communications metadata carried out in connection with the provision and the use of electronic communications services’ according to Art. 2 Sec. 1 lit.a);[2]
2. ‘end-users’ terminal equipment information’ according to Art. 2 Sec. 1 lit. b);[3]
3. ‘the offering of a publicly available directory of end-users of electronic communications services’ according to Art. 2 Sec. 1 lit. c);[4]
4. ‘the sending of direct marketing communications to end-users’pursuant to Art. 2 Sec. 1 lit. d).[5]
Additionally, there is another category of cases of application under the ePrivacy Regulation, which does not follow directly from Art. 2 Sec. 1. Namely, the control and management of communications received by end-users, in particular calls, in Art. 12 et seq. ePrivacy Regulation. For instance, providers are obliged to offer end-users the possibility to block unwanted calls according to Art. 14 ePrivacy Regulation.
The ePR Commission Proposal 2017 did not contain such a differentiated determination of the material scope of application of the ePrivacy Regulation in its Art. 2 Sec. 1. Rather, Art. 2 Sec. 1 merely contained a general clause that explicitly referred only to the processing of electronic communications data and the protection of information on the terminal equipment of the end-user.[6] The other cases of application resulted only from recital 8 of the ePR Commission Proposal 2017 as well as the corresponding substantive provisions in Art. 5 et seq. Arguably, this omission occurred due to an editorial oversight, however, making Art. 2 Sec. 1 ePR Commission Proposal 2017 appear incomplete. Accordingly, a correction was already suggested in early stages of the legislative process and finally agreed upon in the document adopted by the Council of the European Union.[7]
[2] The material provisions corresponding to this case of application can be found in Art. 5-7 ePrivacy Regulation.
[3] The main provision regarding the integrity of end-user terminal equipment is Art. 8 ePrivacy Regulation.
[4] See the corresponding provision of Art. 15 ePrivacy Regulation.
[5] The requirements for the use of electronic communications services for direct marketing purposes are stipulated in Art. 16 ePrivacy Regulation.
[6] See ePR Commission Proposal 2017, Art. 2 Sec. 1.
[7] Council of the European Union, Doc. No. 11001/19, pp. 44 f.; Council of the European Union, Doc. No. 9931/20, p. 55; as well as the European Parliament, LIBE report A8-0324/2017, 20 October 2017, amendments 40 et seq., which all propose to amend Art. 2 Sec. 1 ePrivacy Regulation in this regard.
1. Processing of electronic communications content and metadataArt. 2 Sec. 1 lit. a)
Art. 2 Sec. 1 lit. a) ePrivacy Regulation defines the processing of electronic communications content and electronic communications metadata in connection with the provision and use of electronic communications services as the first material case of application of the ePrivacy Regulation. Consequently, it must be determined what is meant by the terms electronic communications content and metadata, and when provision of electronic communications services exists. For this purpose, the definitions of Art. 4 ePrivacy Regulation should be referred to in the first place. Art. 4 Sec. 3 lit. a) – lit. c) contain the definitions of ‘electronic communications content’ and ‘metadata’, while ‘electronic communications services’ are defined by reference to the EECC definition only, Art. 4 Sec. 1 lit. b). For a detailed explanation of the aforementioned definitions, see Art. 4 No. I. et seq. However, the following shall provide an abstract illustration with a focus on the meaning for the material scope of application of the ePrivacy Regulation.
a) Electronic communications data: content and metadata
Art. 2 Sec. 1 lit. a) specifies that the relevant data categories falling within the scope of the ePrivacy Regulation are electronic communications content, i.e. the actual information content exchanged between the communication parties in text, sound or other form,[8] and electronic communications metadata, i.e. information relating to the communication process itself, such as the time, source and destination of the communication process.[9] Both categories are jointly summarised under the term ‘electronic communications data’, Art. 4 Sec. 3 lit. a) ePrivacy Regulation.[10]
Both categories of data presuppose that prior processing of data has taken place in the context of an electronic communications service, in order to qualify as electronic communications content or metadata. This results from the definitions of the terms in Art. 4 Sec. 3 lit. b) and lit. c) ePrivacy Regulation. Thus, in order to determine whether a processing situation is covered by the material scope of the ePrivacy Regulation or not, it is decisive whether the data in question can be associated to an electronic communication service (Art. 4 No. I.2.b).[11]
Art. 5 – Art. 7 ePrivacy Regulation constitute the relevant material provisions regarding matters falling under Art. 2 Sec. 1 lit. a). Art. 5 ePrivacy Regulation stipulates a general prohibition of interference with electronic communications data, unless the conditions for permission of Art. 6 – Art. 6c are met. While the ePR Commission Proposal 2017 contained a permission for both electronic communications content and electronic communications metadata in a single provision of Art. 6, the legal text adopted by the Council of the European Union additionally contains separate specific permissions for both sub-categories of electronic communications data in Art. 6a (content) and Art. 6b and 6c (metadata).
b) Electronic communications services
The term ‘electronic communications service’ is defined in Art. 4 Sec. 1 lit. b) by reference to the EECC and includes, in brief, services that are provided via an electronic communications network and are used for the transmission of information.[12] The term shall be interpreted in a broad sense and a technology-neutral way.[13] This will ensure that the material scope of application of the ePrivacy Regulation, while limited to communication issues, extends to a wide range of processing situations in connection with electronic communications, not limited to specific technical means of communications delivery or to services which serve the conveyance of signals.[14] Thus, the material scope of application includes in particular processing of electronic communications data in order to provide or use ‘internet access services’, ‘interpersonal communications services’ as well as ‘data protection services’.[15]
c) Exclusion of electronic communications networks?
Neither Art. 2 Sec. 1 nor Art. 3 Sec. 1 lit. a), which stipulate the material and territorial scope of applicability of the Regulation, explicitly refer to provision and use of electronic communications networks, but to electronic communications services only. It is undisputed that the ePrivacy Regulation generally applies to providers of both, electronic communications services and networks and differentiates between both terms, e.g. within the permissions of Art. 6 ePrivacy Regulation, which is why they may not be considered synonyms.[16] The recitals to the ePrivacy Regulation also clearly provide for its applicability to electronic communications networks, e.g. recitals 12 and 13 and differentiate between both terms as well.[17] Additionally, Art. 4 Sec. 1 lit. b) contains a separate definition and reference to both issues. The absence of the notion of electronic communication network in Art. 2 should therefore be considered an editorial mistake.
However, it follows from recital 12 of the ePrivacy Regulation, as well as from Art. 2 no. 4 EECC, that electronic communications services are necessarily provided via electronic communications networks. Thus, albeit not synonyms, there exists a somewhat interdependent relationship between both notions, which in principle also requires a largely equal or uniform legal treatment of electronic communications services and networks, unless there are obvious reasons to the contrary.
d) Personal scope – ‘provision of services’ and ‘providers’
The ePrivacy Regulation applies to, amongst others, the provision of the aforementioned electronic communications services to end-users. Neither the term ‘provision’, nor ‘provider’ are defined within the ePrivacy Regulation albeit constituting a precondition of its application. While the ePrivacy Regulation references to several definitions from the EECC, it does not refer to the related definition of an ‘operator’ in Art. 2 No. 29 EECC in order to define the term ‘provider’. Thus, the scope of norm addressees within the material scope of the ePrivacy Regulation is not explicitly limited. Instead, the ePrivacy Regulation focuses on the relevant action, namely the ‘provision’ as per Art. 2 Sec. 1 ePrivacy Regulation and on the service as such. Any engagement in making the relevant services available to end-users, unless expressly excluded from the material scope of application under Art. 2 Sec. 2, shall be considered a provision within the meaning of Art. 2 Sec. 1 ePrivacy Regulation, regardless of the nature of the actor providing the service.
However, in the context of individual provisions and obligations certain requirements limiting the scope of application to a specific group of addressees are introduced, e.g. Arts. 12-14, which only apply to providers of number-based interpersonal communications services. Technically, this is not a limitation of the scope of application rationae personae, but is rather linked to a certain type of service offered. A general restriction on the personal scope of the ePrivacy Regulation is not provided for within the law.[18]
e) Applicability to special categories of electronic communications services
The recitals associated with Art. 2 Sec. 1 ePrivacy Regulation mention particular situations in which the ePrivacy Regulation shall apply. These are namely the provision and use of online communication services which are functionally equivalent to traditional means of electronic communications (i.e. OTT services)[19] and machine-to-machine communications in connection with the Internet of Things.[20] Both are relatively new subjects of regulation that have only recently been addressed by the European legislator in a considerable degree of detail and therefore require special attention.
f) Functionally equivalent online services for communications
The broad definition of electronic communications services adopted from the EECC extends the material scope of the ePrivacy Regulation to processing of electronic communications data in relation with the provision or use of online communications services which are functionally equivalent to traditional means of communications such as traditional voice telephony, SMS text messages and electronic mail conveyance services.[21] Recital 11 explicitly takes up this particular extension of the material scope of application and mentions Voice over IP, messaging services and web-based e-mail services as indicative examples for this new type of communication technologies.[22] These functionally equivalent services are commonly referred to as OTT services.[23]
OTT services are services that, unlike ‘traditional’ telecommunications services, do not operate on their own communications networks. Instead, they go ‘over-the-top’ of it and use the network infrastructure of others, especially the internet infrastructure.[24]
Example: Company A has its own communications network (regardless of whether by ownership or by contractual power of disposal). A provides electronic communications services over this network, allowing its users to make phone calls to other users either on the same network or on other networks via exchange points. A is therefore a ‘traditional’ network and service provider in the aforementioned sense and was already subject to the ePrivacy Regulation’s predecessor’s rules.
Company B offers a messenger app for smartphones that allows its users to send text messages to other users of the same app only. While B does operate its own server infrastructure that is necessary for the functioning of the app, B does not own or control the network infrastructure that connects the individual users from their homes to B’s server. Instead, the users connect to the server over the open Internet – meaning the network infrastructure of others, e.g. their Internet access providers, public Wi-Fi hotspots or other network providers. Therefore, B is an OTT service provider and was not subject to most of the ePrivacy Regulation’s predecessor’s rules.
Even though OTT services are subject to a set of regulations due to the broadened definition of ‘electronic communications services’ by the EECC (Art. 1 para. 44), the regulation of OTT services remains a major concern of the ePrivacy Regulation, as it is indispensable in order to effectively protect confidentiality of communications.[25] In practice, OTT services are increasingly replacing the traditional means of communications such as usual telephone calls, faxes and yet even e-mail services.[26] Apart from their technical characteristics and differences from traditional communication technologies, these services serve the exchange of information between their users and, from the users’ point of view, are not likely to be perceived as less worthy of protection than traditional means of communication. Rather, they are functionally equivalent and as such require a generally equivalent standard of protection.
Establishing a comprehensive legal framework for the handling and use of OTT services also directly benefits the subject matters as defined in Art. 1 Sec. 1, Sec. 1a and Sec. 2 ePrivacy Regulation, because explicit data protection standards regarding the provision of OTT services are established (Art. 1 Sec. 1 and 1a), improving the privacy rights of users. Conditions for the lawful provision of such services within the European Internal Market are defined (Art. 1 Sec. 2) which provide legal certainty for market participants.
g) Machine-to-machine communications and internet of things
Another form of electronic communication services that requires special attention are ‘machine-to-machine communications’, referred to in recital 12. Machine-to-machine communications are exchanges of information taking place between devices or equipment autonomously and automatically, without direct human intervention. Such exchange of information regularly takes place via the internet or mobile networks and is based on the conveyance of signals, thus, covered by the definition of electronic communications services in terms of the ePrivacy Regulation.
Information exchanged autonomously between machines may concern content that affects the privacy of natural persons or confidential data of legal persons. Recital 12, however, addresses machine-to-machine communication irrespective of any privacy context and content of the communications. This unconditional inclusion of machine-to-machine communications underlines that confidentiality of communications and exchange of information within the meaning of the ePrivacy Regulation as such constitute an object of protection in their own and are not per se dependent on the involvement of natural or legal persons.[27]
[8] Art. 4 Sec. 3 lit. b), see Art. 4 No. III.1.
[9] Art. 4 Sec. 3 lit. c), see Art. 4 No. III.1.
[10] See Art. 4 No. III.1. for a more detailed evaluation on this term.
[11] The term ‚processing‘ is defined in the ePrivacy Regulation by means of reference to the GDPR in Art. 4 Sec. 1 lit. a, Sec. 2a ePrivacy Regulation. For details on the definition see Art. 4 No. I.1.
[12] Cf. Art. 2 Sec. 4 of the EECC.
[13] Recital 11; see Art. 1 No. II.1., Member States were already required to introduce a broad and technology-neutral definition of electronic communications services into their telecommunications laws by virtue of the EECC; for a detailed comment on the term ‘electronic communications service’ see Art. 4 No. I.2.b)
.[14] Recitals 8, 11.
[15] Art. 2 Sec. 3 of the EECC; see Art. 4 No. I.2.b) for details relating to definitions of this terms.
[17] See in particular Recital 13.
[18] Insofar as certain provisions of the ePrivacy Regulation are restricted to a specific group of addressees and, thus, limited in their personal scope of application, this will be addressed at the relevant section of the commentary on the respective articles.
[19] Recital 11 ePrivacy Regulation.
[20] Recital 12 ePrivacy Regulation.
[21] Cf. Recital 11 and see Art. 2 No. II.1.b).
[22] See Art. 4 No. I.2.b) et seqq. for more detailed information on the listed services.
[23] See ePR Commission Proposal 2017, Explanatory Memorandum at 1.1; cf. also Art. 1 No. II.
[25] See the ePR Commission Proposal 2017, Explanatory Memorandum, at 2.3.; for more details on this regulatory subject of the ePrivacy Regulation, see Art. 4 No. I.2.b).
[26] Cf. Recital 11.
[27] However, objections have been expressed regarding the necessity of protection for pure machine-to-machine communications, which do not affect any privacy rights. In this context a limitation of the scope of application was called for, see Art. 2 No. II.1.g) and Art. 4 No. I.2.e)bb).
2. Information Related to the terminal equipment of end-users, Art. 2 Sec. 1 lit. b)
Art. 2 Sec. 1 lit. a) ePrivacy Regulation defines the processing of electronic communications content and electronic communications metadata in connection with the provision and use of electronic communications services as the first material case of application of the ePrivacy Regulation. Consequently, it must be determined what is meant by the terms electronic communications content and metadata, and when provision of electronic communications services exists. For this purpose, the definitions of Art. 4 ePrivacy Regulation should be referred to in the first place. Art. 4 Sec. 3 lit. a) – lit. c) contain the definitions of ‘electronic communications content’ and ‘metadata’, while ‘electronic communications services’ are defined by reference to the EECC definition only, Art. 4 Sec. 1 lit. b). For a detailed explanation of the aforementioned definitions, see Art. 4 No. III.1. However, the following shall provide an abstract illustration with a focus on the meaning for the material scope of application of the ePrivacy Regulation.
a) Electronic communications data: content and metadata
Art. 2 Sec. 1 lit. a) specifies that the relevant data categories falling within the scope of the ePrivacy Regulation are electronic communications content, i.e. the actual information content exchanged between the communication parties in text, sound or other form,[28] and electronic communications metadata, i.e. information relating to the communication process itself, such as the time, source and destination of the communication process.[29] Both categories are jointly summarised under the term ‘electronic communications data’, Art. 4 Sec. 3 lit. a) ePrivacy Regulation.[30]
Both categories of data presuppose that prior processing of data has taken place in the context of an electronic communications service, in order to qualify as electronic communications content or metadata. This results from the definitions of the terms in Art. 4 Sec. 3 lit. b) and lit. c) ePrivacy Regulation. Thus, in order to determine whether a processing situation is covered by the material scope of the ePrivacy Regulation or not, it is decisive whether the data in question can be associated to an electronic communication service (Art. 4 No. I.2.b).[31]
Art. 5 – Art. 7 ePrivacy Regulation constitute the relevant material provisions regarding matters falling under Art. 2 Sec. 1 lit. a). Art. 5 ePrivacy Regulation stipulates a general prohibition of interference with electronic communications data, unless the conditions for permission of Art. 6 – Art. 6c are met. While the ePR Commission Proposal 2017 contained a permission for both electronic communications content and electronic communications metadata in a single provision of Art. 6, the legal text adopted by the Council of the European Union additionally contains separate specific permissions for both sub-categories of electronic communications data in Art. 6a (content) and Art. 6b and 6c (metadata).
b) Electronic communications services
The term ‘electronic communications service’ is defined in Art. 4 Sec. 1 lit. b) by reference to the EECC and includes, in brief, services that are provided via an electronic communications network and are used for the transmission of information.[32] The term shall be interpreted in a broad sense and a technology-neutral way.[33] This will ensure that the material scope of application of the ePrivacy Regulation, while limited to communication issues, extends to a wide range of processing situations in connection with electronic communications, not limited to specific technical means of communications delivery or to services which serve the conveyance of signals.[34] Thus, the material scope of application includes in particular processing of electronic communications data in order to provide or use ‘internet access services’, ‘interpersonal communications services’ as well as ‘data protection services’.[35]
c) Exclusion of electronic communications networks?
Neither Art. 2 Sec. 1 nor Art. 3 Sec. 1 lit. a), which stipulate the material and territorial scope of applicability of the Regulation, explicitly refer to provision and use of electronic communications networks, but to electronic communications services only. It is undisputed that the ePrivacy Regulation generally applies to providers of both, electronic communications services and networks and differentiates between both terms, e.g. within the permissions of Art. 6 ePrivacy Regulation, which is why they may not be considered synonyms.[36] The recitals to the ePrivacy Regulation also clearly provide for its applicability to electronic communications networks, e.g. recitals 12 and 13 and differentiate between both terms as well.[37] Additionally, Art. 4 Sec. 1 lit. b) contains a separate definition and reference to both issues. The absence of the notion of electronic communication network in Art. 2 should therefore be considered an editorial mistake.
However, it follows from recital 12 of the ePrivacy Regulation, as well as from Art. 2 no. 4 EECC, that electronic communications services are necessarily provided via electronic communications networks. Thus, albeit not synonyms, there exists a somewhat interdependent relationship between both notions, which in principle also requires a largely equal or uniform legal treatment of electronic communications services and networks, unless there are obvious reasons to the contrary.
d) Personal scope – ‘provision of services’ and ‘providers’
The ePrivacy Regulation applies to, amongst others, the provision of the aforementioned electronic communications services to end-users. Neither the term ‘provision’, nor ‘provider’ are defined within the ePrivacy Regulation albeit constituting a precondition of its application. While the ePrivacy Regulation references to several definitions from the EECC, it does not refer to the related definition of an ‘operator’ in Art. 2 No. 29 EECC in order to define the term ‘provider’. Thus, the scope of norm addressees within the material scope of the ePrivacy Regulation is not explicitly limited. Instead, the ePrivacy Regulation focuses on the relevant action, namely the ‘provision’ as per Art. 2 Sec. 1 ePrivacy Regulation and on the service as such. Any engagement in making the relevant services available to end-users, unless expressly excluded from the material scope of application under Art. 2 Sec. 2, shall be considered a provision within the meaning of Art. 2 Sec. 1 ePrivacy Regulation, regardless of the nature of the actor providing the service.
However, in the context of individual provisions and obligations certain requirements limiting the scope of application to a specific group of addressees are introduced, e.g. Arts. 12-14, which only apply to providers of number-based interpersonal communications services. Technically, this is not a limitation of the scope of application rationae personae, but is rather linked to a certain type of service offered. A general restriction on the personal scope of the ePrivacy Regulation is not provided for within the law.[38]
e) Applicability to special categories of electronic communications services
The recitals associated with Art. 2 Sec. 1 ePrivacy Regulation mention particular situations in which the ePrivacy Regulation shall apply. These are namely the provision and use of online communication services which are functionally equivalent to traditional means of electronic communications (i.e. OTT services)[39] and machine-to-machine communications in connection with the Internet of Things.[40] Both are relatively new subjects of regulation that have only recently been addressed by the European legislator in a considerable degree of detail and therefore require special attention.
f) Functionally equivalent online services for communications
The broad definition of electronic communications services adopted from the EECC extends the material scope of the ePrivacy Regulation to processing of electronic communications data in relation with the provision or use of online communications services which are functionally equivalent to traditional means of communications such as traditional voice telephony, SMS text messages and electronic mail conveyance services.[41] Recital 11 explicitly takes up this particular extension of the material scope of application and mentions Voice over IP, messaging services and web-based e-mail services as indicative examples for this new type of communication technologies.[42] These functionally equivalent services are commonly referred to as OTT services.[43]
OTT services are services that, unlike ‘traditional’ telecommunications services, do not operate on their own communications networks. Instead, they go ‘over-the-top’ of it and use the network infrastructure of others, especially the internet infrastructure.[44]
Example: Company A has its own communications network (regardless of whether by ownership or by contractual power of disposal). A provides electronic communications services over this network, allowing its users to make phone calls to other users either on the same network or on other networks via exchange points. A is therefore a ‘traditional’ network and service provider in the aforementioned sense and was already subject to the ePrivacy Regulation’s predecessor’s rules.
Company B offers a messenger app for smartphones that allows its users to send text messages to other users of the same app only. While B does operate its own server infrastructure that is necessary for the functioning of the app, B does not own or control the network infrastructure that connects the individual users from their homes to B’s server. Instead, the users connect to the server over the open Internet – meaning the network infrastructure of others, e.g. their Internet access providers, public Wi-Fi hotspots or other network providers. Therefore, B is an OTT service provider and was not subject to most of the ePrivacy Regulation’s predecessor’s rules.
Even though OTT services are subject to a set of regulations due to the broadened definition of ‘electronic communications services’ by the EECC (Art. 1 No. II.1.) , the regulation of OTT services remains a major concern of the ePrivacy Regulation, as it is indispensable in order to effectively protect confidentiality of communications.[45] In practice, OTT services are increasingly replacing the traditional means of communications such as usual telephone calls, faxes and yet even e-mail services.[46] Apart from their technical characteristics and differences from traditional communication technologies, these services serve the exchange of information between their users and, from the users’ point of view, are not likely to be perceived as less worthy of protection than traditional means of communication. Rather, they are functionally equivalent and as such require a generally equivalent standard of protection.
Establishing a comprehensive legal framework for the handling and use of OTT services also directly benefits the subject matters as defined in Art. 1 Sec. 1, Sec. 1a and Sec. 2 ePrivacy Regulation, because explicit data protection standards regarding the provision of OTT services are established (Art. 1 Sec. 1 and 1a), improving the privacy rights of users. Conditions for the lawful provision of such services within the European Internal Market are defined (Art. 1 Sec. 2) which provide legal certainty for market participants.
g) Machine-to-machine communications and internet of things
Another form of electronic communication services that requires special attention are ‘machine-to-machine communications’, referred to in recital 12. Machine-to-machine communications are exchanges of information taking place between devices or equipment autonomously and automatically, without direct human intervention. Such exchange of information regularly takes place via the internet or mobile networks and is based on the conveyance of signals, thus, covered by the definition of electronic communications services in terms of the ePrivacy Regulation.
Information exchanged autonomously between machines may concern content that affects the privacy of natural persons or confidential data of legal persons. Recital 12, however, addresses machine-to-machine communication irrespective of any privacy context and content of the communications. This unconditional inclusion of machine-to-machine communications underlines that confidentiality of communications and exchange of information within the meaning of the ePrivacy Regulation as such constitute an object of protection in their own and are not per se dependent on the involvement of natural or legal persons.[47]
[28] Art. 4 Sec. 3 lit. b), see Art. 4 No. III.1.a).
[29] Art. 4 Sec. 3 lit. c), see Art. 4 No. III.1.b).
[30] See Art. 4 No. III.1. for a more detailed evaluation on this term.
[31] The term ‚processing‘ is defined in the ePrivacy Regulation by means of reference to the GDPR in Art. 4 Sec. 1 lit. a, Sec. 2a ePrivacy Regulation. For details on the definition see Art. 4 No. I.1.a) and No. II.
[32] Cf. Art. 2 Sec. 4 of the EECC.
[33] Recital 11; see Art. 1 No. II., Member States were already required to introduce a broad and technology-neutral definition of electronic communications services into their telecommunications laws by virtue of the EECC; for a detailed comment on the term ‘electronic communications service’ see Art. 4 No. I.2.b).
[34] Recitals 8, 11.
[35] Art. 2 Sec. 3 of the EECC; see Art. 4 No. I.2.b)aa) and bb) for details relating to definitions of this terms.
[37] See in particular Recital 13.
[38] Insofar as certain provisions of the ePrivacy Regulation are restricted to a specific group of addressees and, thus, limited in their personal scope of application, this will be addressed at the relevant section of the commentary on the respective articles.
[39] Recital 11 ePrivacy Regulation.
[40] Recital 12 ePrivacy Regulation.
[41] Cf. Recital 11 and see Art. 2 No. II.1.b).
[42] See Art. 4 No. I.2.b) for more detailed information on the listed services.
[43] See ePR Commission Proposal 2017, Explanatory Memorandum at 1.1; cf. also Art. 1 No. II.
[44] For details see Art. 4 No. I.2.b)
[45] See the ePR Commission Proposal 2017, Explanatory Memorandum, at 2.3.; for more details on this regulatory subject of the ePrivacy Regulation, see Art. 4 No. I.2.b).
[46] Cf. Recital 11.
[47] However, objections have been expressed regarding the necessity of protection for pure machine-to-machine communications, which do not affect any privacy rights. In this context a limitation of the scope of application was called for, see Art. 2 No. II.1.g) and Art. 4 No. I.2.e)aa).
3. Offering of publicly available directories of end-users of electronic communications services, Art. 2 Sec. 1 lit. c)
As the third case of application, Art. 2 Sec. 1 lit. c) ePrivacy Regulation identifies the offer of publicly available directories of end-users of electronic communications services. The ePrivacy Regulation introduces its own definition in this regard. According to Art. 4 Sec. 3 lit. d ePrivacy Regulation, these are directories of end-users of number-based electronic communications services (Art. 4 No. I.2.d) that are available to the public or at least a section thereof. It does not matter whether the directories are maintained in written or electronic form. The decisive factor is that the purpose of the directories is primarily to identify the end-users listed in it.
If a directory fulfils these criteria, providers of number-based interpersonal communications services who wish to have the data of their end-users entered in such a directory must comply with the requirements of Art. 15 ePrivacy Regulation. In particular, the consent of the end-user concerned must be obtained prior to the inclusion in the directory – insofar as the end-users are natural persons[48] – unless a Member State determines by way of national law that an inclusion in a directory should generally be permissible subject to the objection of the end-user, Article 15 Sec. 1aa ePrivacy Regulation.[49]
Art. 2 Sec. 1 lit. c) of the ePrivacy Regulation suggests that providers of publicly available directories are directly bound by the ePrivacy Regulation. Recital 8 of the ePrivacy Regulation underlines this interpretation, as it explicitly states that the ePrivacy Regulation applies to providers of publicly available directories. The relevant provision of Art. 15, however, is not directed at this group of addressees, but rather addresses providers of number-based interpersonal communications services in the context of the use of publicly available directories.
Pursuant to Art. 15 Sec. 3aa ePrivacy Regulation, Member States can decide autonomously whether they want to create corresponding obligations for the providers of publicly available directories in addition to or instead of the obligations arising from the ePrivacy Regulation for providers of number-based interpersonal communications services. However, there are no obligations for providers of publicly available directories arising directly from the ePrivacy Regulation.[50]
[48] Consent of end-users who are legal persons is not required, however there is the possibility to object to certain entries, see Art. 15.
[49] See commentary on Art. 15 for details on the obligations with regard to publicly available directories.
[50] For further details see commentary regarding Art. 15.
4. Direct marketing communications towards end-users, Art. 2 Sec. 1 lit. d)
The last case of application stipulated within the material scope of Art. 2 Sec. 1 lit. d) ePrivacy Regulation is the sending of direct marketing communications to end-users. ‘Direct marketing communications’ are defined in Art. 4 Sec. 3 lit. f) ePrivacy Regulation as any form of advertising, whether written or oral, sent via publicly available electronic communications service directly to one or more specific end-users, including the placing of voice-to-voice calls and the use of automated calling and communications systems, with or without human interaction, and electronic messaging. This definition is supplemented by Art. 4 Sec. 3 lit. g) and lit. i), which define special forms of direct marketing communications via voice-to-voice calls (lit. g) and direct marketing calls (lit. i). Automated calling and communications systems that can also be used for direct marketing purposes according to Art. 2 Sec. 1 lit. d) are defined in Art. 4 Sec. 3 lit. h).[51]
Providers and advertisers who wish to use the aforementioned communication services and technologies for direct marketing purposes are subject to special provisions and obligations under Art. 16 ePrivacy Regulation.[52] Generally, this provision stipulates a prohibition of such advertising, subject to consent of the affected end-users and certain exceptions in which the consent requirement does not apply, such as in the case of Art. 16 Sec. 2 ePrivacy Regulation.[53]
According to recital 32, advertising on internet websites that is displayed to end-users on online advertising spaces does explicitly not fall under the notion of direct marketing communications within the meaning of Art. 2 Sec. 1 lit. d) ePrivacy Regulation and is also not covered by the provision of its Art. 16.[54] This also applies if this advertising is personalised and thus tailored to a specific end-user (so-called targeted advertising). This restriction of scope was not regulated as clearly in the ePR Commission Proposal 2017. Rather, the interpretation of Art. 16 of the ePR Commission Proposal 2017 in combination with its definition of direct marketing communications also allowed such advertising measures to be included in the scope of application if the criterion of ‘sending’ was interpreted in a sufficiently broad and technology-neutral way. The Art. 29 Working Group suggested to apply such a broad interpretation, which also covers directing and presenting of advertisements on websites, or rather even to explicitly clarify within the ePrivacy Regulation that such direct marketing measures are also covered by Art. 16.[55]
However, the Council draft only covers targeting on websites via Art. 8 ePrivacy Regulation, which applies to the process of behavioural tracking and evaluation, in particular by means of cookies.[56] The advertising itself is not regulated if it is not ‘directly communicated’ in the aforementioned limited sense.[57]
[51] See Art. 4 No. III.4. for further details on the definitions regarding direct marketing communications.
[52] According to recitals 8, the provisions of the ePrivacy Regulation apply to all natural and legal persons using electronic communications services in order to send direct marketing commercial communications.
[53] See the commentary on Art. 16 ePrivacy Regulation for further details on this provision.
[54] The same considerations apply to advertising in apps or games.
[55] Art. 29 WP, WP 247 (2017), p. 20 f.
[56] In this regard see Art. 8 No. I.2.a)bb)
[57] Thus, the legal situation existing under Art. 13 of the ePrivacy Directive is maintained, as the latter did not cover the mere broadcasting of advertisements on websites as direct marketing communication neither.
III. Exceptions to the material scope of application, Art. 2 Sec. 2
While Art. 2 Sec. 1 ePrivacy Regulation defines the material scope of application of the ePrivacy Regulation in a very broad manner, its Art. 2 Sec. 2 stipulates exceptions that further restrict and, thus, specify the material scope of application of the ePrivacy Regulation. The provision lists four cases explicitly exempted from the application of the ePrivacy Regulation, namely -activities outside of the scope of Union law, and in any event measures, processing activities and operations concerning national security and defence, regardless of who is carrying out those activities, whether it is a public authority or a private operator acting at the request of a public authority (Art. 2 Sec. 2 lit. a ePrivacy Regulation), -activities of Member States regarding the common foreign and security policy of the EU pursuant to Chapter 2 Title V TEU[58] (Art. 2 Sec. 2 lit. b ePrivacy Regulation), -issues concerning electronic communications services that are not publicly available, (Art. 2 Sec. 2 lit. c ePrivacy Regulation), i.e. when the services are offered to closed groups of end-users only, -activities for the purpose of criminal persecution, execution of criminal penalties and safeguarding of public security carried out by competent authorities (Art. 2 Sec. 2 lit. d ePrivacy Regulation) and – electronic communications data processed after receipt by the end-user (Art. 2 Sec. 2 lit. e ePrivacy Regulation).
[58] See Art. 77 ff. TFEU.
1. Outside the scope of European Union law, Art. 2 Sec. 2 lit. a)
The first exception to the material scope of the ePrivacy Regulation regards activities falling outside the scope of Union law, Art. 2 Sec. 2 lit. a) ePrivacy Regulation. This exception refers to matters that are outside the material scope of application of Union law only and not to its territorial scope, as the latter is regulated by Art. 3 ePrivacy Regulation.
The restriction of the scope of application of the ePrivacy Regulation to only such matters that fall into the general regulatory scope of Union law also follows from Art. 16 Sec. 2 TFEU, as this provision empowers the EU to enact privacy and data protection provisions only within this boundary.[59] Therefore, Art. 2 Sec. 2 lit. a) ePrivacy Regulation is mainly of declaratory nature with regard to Art. 16 Sec. 2 TFEU.
Generally, whether or not a particular situation is covered by the material scope of Union law within the meaning of Art. 2 Sec. 2 lit. a) ePrivacy Regulation is determined by the EU’s areas of competence as stipulated in the EU treaties, namely the TFEU and the TEU. However, Art. 2 Sec. 1 lit. a) itself contains further clarification as to what is regarded to fall outside the scope of Union law, stipulating that in any event measures, processing activities and operations concerning national security and defence regardless of whether a public authority or a private operator is acting, shall be covered by this exception.[60]
These national security exceptions constitute embodiments of the general clause of Art. 4 Sec. 2 TEU, which qualifies national security policies of Member States as primarily internal matters not covered by the competences of the EU. Thus, Art. 2 Sec. 2 lit. a) ePrivacy Regulation is a specification of Art. 16 Sec. 2 TFEU and Art. 4 Sec. 2 TEU with respect to the scope of application of the ePrivacy Regulation. Given the, generally, very broad regulatory mandate of the EU, national security and defence are likely to be the main application of the exception in Art. 2 Sec. 2 lit. a) ePrivacy Regulation.
Consequently, the ePrivacy Regulation does not concern the protection of privacy rights and electronic communications interfered with in the context of security-related matters.[61] This applies, in particular, to the processing of electronic communications data by national intelligence services of the Member States, but arguably not by institutions and Member State entities that do not have a security relevance, such as the committee of a regional parliament.[62]
[59] Art. 16 TFEU (in addition to Art. 114), in turn, is the statutory basis for the adoption of the ePrivacy Regulation, see Art. 1 para. 1; ePR Commission Proposal2017 Explanatory Memorandum at 2.1
[60] Art. 2 Sec. 2 lit. a) ePrivacy Regulation is the counterpart to Art. 2 Sec. 2 lit. a) GDPR. The latter also stipulates an exception to the material scope of the GDPR for activities falling outside the scope of Union law, identifying activities of Member States concerning their national security policy as to fall outside the relevant scope of Union law, see recital 16 of the GDPR.
[61] For a more detailed discussion of national security matters in the context of Union law, see Schill/Krenn in: Grabitz/Hilff/Nettesheim, Das Recht der Europäischen Union, Art. 4 para. 39 et seqq
[62] Cf. CJEU, C-272/19, judgement from 9 September 2020 at para. 66 et seq., cf. also Bäcker in BeckOK-Datenschutzrecht, Art. 2 GDPR para. 8 et seq., as well as Art. 29 WP, WP 247 (2014), p. 22 et seq.
2. Exception regarding the common foreign and security policy, Art. 2 Sec. 2 lit. b)
As a second exception to the material scope of application, Art. 2 Sec. 2 lit. b) of the ePrivacy Regulation identifies situations that fall within the scope of Chapter 2 Title V of the TEU. This exception concerns the common foreign and security policy of the EU and is closely related to the aforementioned national security exception (recital 16 of the GDPR references both cases of exception jointly).[63]
While national security policy in terms of Art. 2 Sec. 2 lit. a) ePrivacy Regulation is exempt, because it is indeed a regulatory issue falling outside the competence of the EU due to Art. 4 Sec. 2 TEU, the common foreign and security policy is, certainly, an area of Union law, as its very name indicates.[64] However, this area of regulation is, nevertheless, dealt with separately and differently from the other tasks of the EU in its treaties, arguably in an exceptional way. Member States have a special degree of sovereignty and discretion regarding these sensitive areas of policy, as Art. 24 Sec. 2 TEU provides for extraordinary rules on decision-making with regard to such regulatory issues and explicitly stipulates that there is no legislative competence of the EU in this regard. Therefore, ordinary legal acts of the EU cannot be considered to cover issues related to the common foreign and security policy without further ado.[65]
Thus, not only electronic communications issues regarding national security matters are exempt from the material scope of application of the ePrivacy Regulation, but also issues regarding the common security as well as foreign policy of the EU in terms of Art. 24 TEU.[66]
[63] With the first exception, the GDPR also contains an exception corresponding to the ePrivacy Regulation for situations in connection with the common foreign and security policy, Art. 2 Sec. 2 lit. b) GDPR.
[64] See Art. 24 Sec. 1 TEU.
[65] The ePrivacy Regulation itself does not contain any clarifying recital with respect to Art. 2 Sec. 2 lit. a). However, due to the proximity of the exception regulation of the ePrivacy Regulation and Art. 2 Sec. 2 lit. b) GDPR, in particular, the similar wording and purpose of both provisions, recital 16 can be referred to.
[66] For a more detailed illustration of the notion of common security and foreign policy in terms of Chapter 2 Title V TEU see Kaufmann-Bühler in: Grabitz/Hilff/Nettesheim, Das Recht der Europäischen Union, Art. 23 et seqq.
3. Not publicly available, Art. 2 Sec. 2 lit. c)
An electronic communications service must be publicly available in order to open up the scope of application of the ePrivacy Regulation, Art. 2 Sec. 2 lit. c). This requirement is not explicitly determined for electronic communications network. Recital 13 ePrivacy Regulation, in turn, refers to this feature only with regard to electronic communications networks. However, the conditions to determine public availability are of general validity and, thus, applicable to electronic communications services as well. Arguably, the omission of electronic communications networks in the context of the exception in Art. 2 Sec. 2 lit. c) is due to an editorial mistake.[67] Therefore, the requirement of public availability applies to both, electronic communications services and networks as a prerequisite for the application of the ePrivacy Regulation.
Recital 13 defines ‘public availability’ as the provision to an undefined group of end-users, in distinction to closed groups of potential users, such as in the case of company-internal networks (Intranets), where the use is strictly limited to the employees or members of the respective company. The latter fall outside the material scope of the ePrivacy Regulation, even if they are related to electronic communications.
Example: A corporate network which is accessible only to employees for professional purposes does not constitute a ‘publicly available’ electronic communications service.[68]
Modification: The above corporation also operates a professional chat system as an electronic communications service that is only available to its own employees for work purposes via said network. It is offered to a closed group of end-users only and not publicly available. However, if the communication runs over a public communications network, such as the internet, the ePrivacy Regulation may still be applicable, since the protective purpose of the ePrivacy Regulation is to protect the confidentiality of communications transmitted over public communications networks.
[67] See also Art. 2 No. III.3. on this issue.
[68] EDPB, Opinion 5/2019 from 12 March 2019, p. 10.
4. Processing for law enforcement purposes, Art. 2 Sec. 2 lit. d)
Art. 2 Sec. 2 lit. d) refers to activities of competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. The ePrivacy Regulation does not contain definitions or an explanatory recital on this particular exception, however, reference to the GDPR reveals an almost identically worded exception in its Art. 2 Sec. 2 lit. d).
a) Transferability of the reference to Directive (EU) 2016/680 from the GDPR
The GDPR in its recital 19 explains the reason behind the exception, namely that there is a European law specifically created for the protection of personal data in the case of processing by public authorities for the purpose of law enforcement, criminal persecution or the protection of public security, which supersedes the GDPR. The referenced legal act is Directive (EU) 2016/680 of the European Parliament and of the Council.[69] Thus, according to recital 19 GDPR, Directive (EU) 2016/680 constitutes a superior lex specialis[70] as far as data processing for law enforcement measures by competent authorities is concerned. This reasoning might also be transferable to the ePrivacy Regulation due to the proximity of the wording of both provisions, with the consequence that all use cases covered by Directive (EU) 2016/680 are falling under the exception of Art. 2 Sec. 2 lit. d) ePrivacy Regulation.
However, the reasoning behind the exception in the GDPR, which is based on the lex specialis relation with Directive (EU) 2016/680, is not necessarily transferable to the ePrivacy Regulation. The ePrivacy Regulation does not merely serve the protection of personal data and therefore, it cannot be assumed that the regulatory purposes of the ePrivacy Regulation are already sufficiently covered by Directive (EU) 2016/680, as the latter does at least not explicitly address ePrivacy issues as defined in Arts. 1 and 2 Sec. 1 ePrivacy Regulation. Those latter may have a broader scope or a different direction of protection compared to the protection of personal data alone (Art. 1 No. I.1.). Thus, the material scope of the referenced Directive (EU) 2016/680 and the material scope of the ePrivacy Regulation are not fully congruent and there is no lex specialis relation between both laws. In the case of the GDPR, on the other hand, the object of protection coincides with that of the Directive (EU) 2016/680 (protection of personal data, albeit in specific situations), which is why a reference is possible ‘without further ado’ to the more specific directive.
Therefore, the exception stipulated in Art. 2 Sec. 2 lit. d) ePrivacy Regulation must be interpreted and applied autonomously for this regulation and is not suitable for a blanket reference to the parallel provision in Art. 2 Sec. 2 lit. d) GDPR and its recital 19.
b) Authorities and measures covered by Art. 2 Sec. 2 lit. d)
In order to apply the exception stipulated in Art. 2 Sec. 2 lit, d) ePrivacy Regulation, there is a need to clarify what is meant by the term ‘competent authorities’ and the enumerated privileged tasks of such authorities ought to fall outside the scope of the regulation, which can be jointly summarised as law enforcement measures. The legal terms contained in Art. 2 Sec. 2 lit. d) are subject to interpretation and, at least for purposes of definition, Directive (EU) 2016/680 can be referred to, even if its scope is limited to the protection of personal data.
Art. 3 Sec. 7 Directive (EU) 2016/680 defines the term ‘competent authority’ referred to in Art. 2 Sec. 2 lit. d) ePrivacy Regulation as ‘any public authority competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; or any other body or entity entrusted by Member State law to exercise public authority and public powers for the aforesaid purposes’. It affects, in particular, Member State prosecutors, investigative authorities such as the police, other law-enforcement authorities and courts.[71] This definition can be applied to the ePrivacy Regulation, as it does not refer to any specific, personal data-related purposes of Directive 2016/680, which could conflict with the ePrivacy Regulation. Furthermore, it is to be assumed that the legislator has intended to choose a uniform legal terminology when introducing the term of ‘competent authorities’ in the ePrivacy Regulation.
In addition to determining the competent authorities covered by the exception, Art. 2 Sec. 2 lit. d) ePrivacy Regulation also enumerates the particular administrative activities that are to be excluded from its scope of application. These are ‘data processing activities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security’. In large parts, these relevant activities will have to be specified by means of the applicable criminal and ordinance law of Member States. However, the recitals to Directive (EU) 2016/680 offer general guidance in this regard. Recital 12 stipulates that investigative measures exercised in mere suspicion of a criminal offence[72] as well as coercive measures by the police, e.g. in case of protests and riots, both constitute relevant activities under the Directive. Thus, these measures are at least exempt from the scope of application of the GDPR[73] and are also likely to be covered by the exception of Art. 2 Sec. 2 lit. d) ePrivacy Regulation, if a uniform understanding of law enforcement measures is applied.
In conclusion, it follows for the exception of Art. 2 Sec. 2 lit. d) ePrivacy Regulation that, although a general recourse to the parallel exception of the GDPR is not possible, all matters covered by the Directive (EU) 2016/680 generally still fall outside the material scope of application of the ePrivacy Regulation as well.
[69] Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
[70] According to the legal principle of lex specialis derogat legi generali, a more specific law supersedes a rather general law, where both laws are, theoretically, applicable and provide for conflicting application.
[71] Such application of the provision is implied by recital 20 of the GDPR, relating to the GDPR counterpart-provision of Art. 2 Sec. 2 lit. d).
[72] According to recital 13 of Directive (EU) 2016/680, the notion ‘criminal offence’ is to be based on an autonomous concept of Union law, which is to be determined by the CJEU. The definition of criminal offence under Union law, however, refers to conduct that constitutes an infringement of the legal system of the concerned member state, cf. CJEU, judgement from 5 June 2012 C-489/10, at para. 37. Consequently, ‘criminal offence’ is indirectly determined on the basis of Member State law and not genuinely in terms of Union law. Regarding further details on the application of the Law Enforcement Directive, see EDPB, Guidelines 01/2021 on the adequacy referential of the Law Enforcement Directive, 2 February 2021.
[73] Art. 2 Sec. 2 lit. d) GDPR.
5. Electronic communications data processed after receipt by the end-user, Art. 2 Sec. 2 lit. e)
The last exception from the material scope of the ePrivacy Regulation stipulated in its Art. 2 Sec. 2 lit. e) refers to processing of electronic communications data after receipt by the designated end-user. This exception for data processing after receipt by the addressed end-user was only introduced in the draft adopted by the Council of the European Union and was not yet contained in the ePR Commission Proposal 2017.[74]
Electronic communications data as defined by Art. 4 Sec. 3 lit. a) – lit. c) ePrivacy Regulation remains electronic communications data even if the relevant electronic communications service for which it has been processed is terminated. However, if the data are received by the end-user of an electronic communications service in such a way that they are under the end-user’s control and disposal, the protection of the ePrivacy Regulation shall not apply to processing by the end-users concerned or by third parties commissioned by them, recital 8aa. Recitals 8aa and 15a imply that in these cases it shall be assumed that the end-user, as intended addressee and, thus, the authorised party, may freely dispose of the data and has a legitimate interest in this free disposability, which is why the ePrivacy Regulation should not restrict these interests.[75]
However, this freedom of disposal and exemption from the general prohibition on processing of electronic communications data only applies to the end-users addressed by the electronic communications service. The providers of these services, on the other hand, must delete the electronic communications data they hold after receipt by the end-user concerned. According to recital 15a, the relevant time of receipt depends on the particularities of the respective electronic communications service, in particular on its technical design. Art. 19 Sec. 2 lit. da) ePrivacy Regulation mandates the EDPB to interpret and determine this point in time.
However, electronic communications data stored as information on end-user terminal equipment enjoys the protection of Art. 8 ePrivacy Regulation against unauthorised access even after receipt by the end-user.[76]
[74] The exceptions of Art. 2 Sec. 2 lit. a) – lit. d), on the other hand, were all already provided for in the draft of the Commission.
[75] However, this does not mean that the power of disposal and the content of the relevant data are not restricted by other laws.
[76] Cf. recital 8aa, stating that only processing of electronic communications data upon receipt on end-user terminal equipment by entrusted third parties shall not be covered by the ePrivacy Regulation.
IV. Relationship to other EU legislation, Art. 2 Sec. 4, Sec. 5
Art. 2 Sec. 4 and Sec. 5 ePrivacy Regulation further specify the material scope of application of the ePrivacy Regulation by delineating it to other legal acts of the EU concerning related subject matters. Most certainly due to a editorial mistake, Sec. 3 is missing in the numbering of the sections of Art. 2 in the text of the ePrivacy Regulation adopted by the Council of the European Union. In the ePR Commission Proposal 2017, a third section is provided for, which concerns data processing by institutions and authorities of the EU.
1. Directive 2000/31/EC regarding information society services, Art. 2 Sec. 4
Art. 2 Sec. 4 ePrivacy Regulation clarifies that the provisions of Directive 2000/31/EC for operations of information society services in the Internal Market,[77] in particular the liability provisions for intermediary services of Art. 12-15 of the Directive, shall not be contradicted in their applicability by the provisions of the ePrivacy Regulation. Both regulatory instruments must therefore be applied in parallel, in such a way that the provisions of both are given full effect and none is undermined. The relationship with Directive 2000/31/EC is regulated similarly within the framework of the GDPR.[78] The referenced Directive 2000/31/EC is intended to contribute to the functioning of the Internal Market in digital economy matters and, thus, serves the purposes of Art. 26 TFEU.[79]
Directive 2000/31/EC affects, in particular, issues of electronic commerce. Thus, the reference in Art. 2 Sec. 4 ePrivacy Regulation is of particular relevance with regard to the requirements of Art. 16 ePrivacy Regulation and the material scope as defined in Art. 2 Sec. 1 lit. d), both of which concern matters of electronic commerce in the context of ePrivacy.
[77] Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market.
[78] Art. 2 Sec. 4 GDPR.
[79] Cf. recital 21 GDPR.
2. Applicability of the Radio Equipment Directive, Art. 2 Sec. 5
Art. 2 Sec. 5 of the ePrivacy Regulation stipulates that the provisions of the so-called Radio Equipment Directive[80] shall not be affected by the rules of the ePrivacy Regulation. Other than with the provision of Art. 2 Sec. 4 ePrivacy Regulation, there is no equivalent to this stipulation in the GDPR. However, recital 10 and the Explanatory Memorandum to the ePrivacy Regulation explicitly address the Radio Equipment Directive. In particular, it is stipulated that the Commission’s competence to adopt further legal acts on the basis of the Directive shall not be affected.
According to recital 10, radio equipment and related software placed on the Internal Market must comply with the provisions of the Radio Equipment Directive. The term ‘radio equipment’ is defined as electrical or electronic product, which intentionally emits and/or receives radio waves for the purpose of radio communication and/or radiodetermination, or an electrical or electronic product which must be completed with an accessory, such as antenna, so as to intentionally emit and/or receive radio waves for the purpose of radio communication and/or radiodetermination in Art. 2 Sec. 1 no. 1 of the Radio Equipment Directive. However, it does not follow from the exception in Art. 2 Sec. 5 ePrivacy Regulation that the provisions of the ePrivacy Regulation do not apply to radio equipment. Rather, similar to Art. 2 Sec. 4 ePrivacy Regulation, both regulatory instruments are to be applied in parallel in such a way that both are fully effective and individual provisions of the Radio Equipment Directive are not undermined by the application of the ePrivacy Regulation. Thus, in cases involving radio equipment in terms of the aforementioned definition, both the ePrivacy Regulation as well as the Member State provisions implementing the Radio Equipment Directive must be identified and assessed.
[80] Directive 2014/53/EU of the European Parliament and of the Council of 16 April 2014 on the harmonisation of the laws of the Member States relating to the making available on the market of radio equipment and repealing Directive 1999/5/EC.
3. Processing by the union institutions, bodies, offices and agencies
Art. 2 Sec. 3 of the ePR Commission Proposal 2017, which is missing in the ePrivacy Regulation in the form of the version adopted by the Council of the EU on 10 February 2021, stipulated that there is a more specific regulatory instrument for data processing in the ePrivacy context by EU institutions, bodies, offices and agencies, according to which its lawfulness has to be determined. The relevant legal instrument is Regulation (EU) 2018/1725,[81] which has meanwhile replaced the referenced Regulation 45/2001. This declaratory finding is still relevant even without an explicit reference in the ePrivacy Regulation.
However, to a certain extent, Art. 2 Sec. 3 ePR Commission Proposal 2017 does not only refer to the material scope, but also limits the personal scope of the proposal, as processing operations of such EU actors arguably had been explicitly exempt from its application. The provision mainly referred to the characteristics of the data processing entities, which had to be public authorities of the EU, and not to the circumstances of processing. A similar restriction of scope is also found in Art. 2 Sec. 3 GDPR and its corresponding recital 17.[82]
Since an explicit reference to EU institutions is now missing in the ePrivacy Regulation, it appears that the restriction is not supposed to apply any longer. Ultimately, however, data processing by Union institutions, bodies, offices and agencies remains being regulated (solely) by Regulation (EU) 2018/1725 and will likely not be covered by the scope of the ePrivacy Regulation. Regardless of explicit conflict clauses in the respective laws themselves, this should result from the general rule of lex specialis derogat legi generali, at least for those cases in which parallel application results in an actual a conflict of laws.[83]
[81] Regulation EU 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.
[82] Although Art. 2 Sec. 3 GDPR still explicitly refers to the predecessor Regulation 45/2001, it explicitly clarifies that an updated regulation on this particular subject matter shall be issued within the ambit of Art. 98 GDPR, which will be covered by the reference of Art. 2 Sec. 3 GDPR.
[83] According to the legal principle of lex specialis derogat legi generali, a more specific law supersedes a rather general law, where both laws are theoretically applicable and provide for conflicting application; see in this context also Art. 1 I.2.a).