Paul Voigt, Axel von dem Bussche: the EU ePrivacy Regulation – Preliminary Guidance and Commentary

Article 4 ePrivacy Regulation - Definitions

Article 4 ePrivacy Regulation

Article 4 ePrivacy Regulation – Definitions

1. For the purposes of this Regulation, following definitions shall apply:

(a) the definitions in Regulation (EU) 2016/679;

(b) the definitions of ‘electronic communications network’, ‘electronic communications service’, ‘interpersonal communications service’, ‘number-based interpersonal communications service’, ‘number-independent interpersonal communications service’, ‘end-user’ and ‘call’ in paragraphs (1), (4), (5), (6), (7), (14) and (31) respectively of Article 2 of Directive (EU) 2018/1972;

(c) the definition of ‘terminal equipment’ in Article 1(1) of Commission Directive 2008/63/EC;

(d) the definition of ‘information society service’ in point (b) of Article 1 (1) of Directive (EU) 2015/1535.

 2. For the purposes of this Regulation, the definition of ‘interpersonal communications service’ referred to in point (b) of paragraph 1 shall include services which enable interpersonal and interactive communication merely as a minor ancillary feature that is intrinsically linked to another service.

 2a. For the purposes of this Regulation, the definition of ‘processing’ referred to in Article 4 (2) of Regulation 2016/679 shall not be limited to processing of personal data.

 3. In addition, for the purposes of this Regulation the following definitions shall apply:

(a) ‘electronic communications data’ means electronic communications content and electronic communications metadata;

(b) ‘electronic communications content’ means the content exchanged by means of electronic communications services, such as text, voice, videos, images, and sound;

(c) ‘electronic communications metadata’ means data processed by means of electronic communications services for the purposes of transmitting, distributing or exchanging electronic communications content; including data used to trace and identify the source and destination of a communication, data on the location of the device generated in the context of providing electronic communications services, and the date, time, duration and the type of communication;

(d) ‘publicly available directory’ means a directory of end-users of number-based interpersonal communications services, whether in printed or electronic form, which is published or made available to the public or to a section of the public, including by means of a directory enquiry service and the main function of which is to enable identification of such end-users;

(e) ‘electronic message’ means any message containing information such as text, voice, video, sound or image sent over an electronic communications network which can be stored in the network or in related computing facilities, or in the terminal equipment of its recipient, including e-mail, SMS, MMS and functionally equivalent applications and techniques;

(f) ‘direct marketing communications’ means any form of advertising, whether written or oral, sent via a publicly available electronic communications service directly to one or more specific end-users, including the placing of voice-to-voice calls, the use of automated calling and communication systems with or without human interaction, electronic message etc.;

(g) ‘direct marketing voice-to-voice calls’ means live calls, which do not entail the use of automated calling systems and communication systems;

(h) ‘automated calling and communication systems’ means systems capable of automatically initiating calls to one or more recipients in accordance with instructions set for that system, and transmitting sounds which are not live speech, including calls made using automated calling and communication systems which connect the called person to an individual;

(i) ‘direct marketing calls’ means direct marketing voice-to-voice calls and calls made via automated calling and communication systems for the purpose of direct marketing.

(j) ‘location data’ means data processed by means of an electronic communications network or service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service;

(11) The services used for communications purposes, and the technical means of their delivery, have evolved considerably. End-users increasingly replace traditional voice telephony, text messages (SMS) and electronic mail conveyance services in favour of functionally equivalent online services such as Voice over IP, messaging services and web-based e-mail services. In order to ensure an effective and equal protection of end-users when using functionally equivalent services, this Regulation uses the definition of electronic communications services set forth in the Directive (EU) 2018/1972. That definition encompasses not only internet access services and services consisting wholly or partly in the conveyance of signals but also interpersonal communications services, which may or may not be number-based, such as for example, Voice over IP, messaging services and web-based e-mail services. The protection of confidentiality of communications is crucial also as regards interpersonal communications services that are ancillary to another service; therefore, such type of services also having a communication functionality should be covered by this Regulation.

(11aa) In all the circumstances where electronic communication is taking place between a finite, that is to say not potentially unlimited, number of end-users which is determined by the sender of the communications, e.g. any messaging application allowing two or more people to connect and communicate, such services constitute interpersonal communications services. Conversely, a communications channel does not constitute an interpersonal communications service when it does not enable direct interpersonal and interactive exchange of information via electronic communications networks between a finite number of persons, whereby the persons initiating or participating in the communication determine its recipient(s). This is for example the case when the entity providing the communications channel is at the same time a communicating party, such as a company that operates a communications channel for customer care that allows customers solely to communicate with the company in question. Also, where access to an electronic communications is available for anyone, e.g. communications in an electronic communications channel in online games which is open to all persons playing the game, such channel does not constitute an interpersonal communications feature. This reflects the end-users’ expectations regarding the confidentiality of a service.

 (13) The development of fast and efficient wireless technologies has fostered the increasing availability for the public of internet access via wireless networks accessible by anyone in public and semi-private spaces such as ‘hotspots’ situated at different places within a city, department stores, shopping malls and hospitals. To the extent that those communications networks are provided to an undefined group of end-users, regardless if these networks are secured with passwords or not, the confidentiality of the communications transmitted through such networks should be protected. The fact that wireless electronic communications services may be ancillary to other services should not stand in the way of ensuring the protection of confidentiality of communications data and application of this Regulation. Therefore, this Regulation should apply to electronic communications data using publicly available electronic communications services and public electronic communications networks. In contrast, this Regulation should not apply to closed groups of end-users such as home (fixed or wireless) networks or corporate networks or networks to which the access is limited to a pre-defined group of end-users, e.g. to family members or members of a corporation. Similarly, this Regulation does not apply to data processed by services or networks used for purely internal communications purposes between public institutions, courts, court administrations, financial, social and employment administrations. As soon as electronic communications data is transferred from such a closed group network to a public electronic communications network, this Regulation applies to such data, including when it is M2M/IoT and personal/home assistant data. The provisions of this Regulation regarding the protection of end-users’ terminal equipment information also apply in the case of terminal equipment connected to a closed group network such as a home (fixed or wireless) network which in turn is connected to a public electronic communications network.

 (14) Electronic communications data should be defined in a sufficiently broad and technology neutral way so as to encompass any information concerning the content transmitted or exchanged (electronic communications content) and the information concerning an end-user of electronic communications services processed for the purposes of transmitting, distributing or enabling the exchange of electronic communications content; including data to trace and identify the source and destination of a communication, geographical location and the date, time, duration and the type of communication. Whether such signals and the related data are conveyed by wire, radio, optical or electromagnetic means, including satellite networks, cable networks, fixed (circuit- and packet-switched, including internet) and mobile terrestrial networks, electricity cable systems, the data related to such signals should be considered as electronic communications metadata and therefore be subject to the provisions of this Regulation. Electronic communications metadata may include information that is part of the subscription to the service when such information is processed for the purposes of transmitting, distributing or exchanging electronic communications content.

 (15) Electronic communications data should be treated as confidential. This means that any interference of electronic communications data, whether directly by human intervention or through the intermediation of automated processing by machines, without the consent of the communicating parties should be prohibited. Interception of electronic communications data may occur, for example, when someone other than the communicating parties, listens to calls, reads, scans or stores the content of electronic communications, or the associated metadata for purposes other than the exchange of communications. Interception also occurs when third parties monitor websites visited, timing of the visits, interaction with others, etc., without the consent of the end-user concerned. As technology evolves, the technical ways to engage in interception have also increased. Such ways may range from the installation of equipment that gathers data from terminal equipment over targeted areas, such as the so-called IMSI (International Mobile Subscriber Identity) catchers, to programs and techniques that, for example, surreptitiously monitor browsing habits for the purpose of creating end-user profiles. Other examples of interception include capturing payload data or content data from unencrypted wireless networks and routers, including browsing habits without the end-users’ consent.

 (16a) The protection of the content of electronic communications pertains to the essence of the fundamental right to respect for private and family life, home and communications protected under Article 7 of the Charter. Any interference with the content of electronic communications should be allowed only under very clear defined conditions, for specific purposes and be subject to adequate safeguards against abuse. This Regulation provides for the possibility of providers of electronic communications services to process electronic communications content in transit, with the informed consent of all the end-users concerned. For example, providers may offer services that entail the scanning of emails to remove certain pre-defined material. Given the sensitivity of the content of communications, this Regulation sets forth a presumption that the processing of such content data will result in high risks to the rights and freedoms of natural persons. When processing such type of content, the provider of the electronic communications service should consult the supervisory authority if necessary pursuant to Article 36 (1) of Regulation (EU) 2016/679. Such consultation should be in accordance with Article 36 (2) and (3) of Regulation (EU) 2016/679. The presumption does not encompass the processing of content to provide a service requested by the end-user where the end-user has consented to such processing and it is carried out for the purposes and duration strictly necessary and proportionate for such service.

 (17) The processing of electronic communications metadata can be useful for businesses, consumers and society as a whole. Vis-à-vis Directive 2002/58/EC, this Regulation broadens the possibilities for providers of electronic communications services to process electronic communications metadata. However, end-users attach great importance to the confidentiality of their communications, including their online activities, and they also want to control the use of electronic communications metadata for purposes other than conveying the communication. Therefore, providers of electronic communications networks and services should be permitted to process electronic communications metadata after having obtained the end-users’ consent. In addition, those providers should be permitted to process an end-user’s electronic communications metadata where it is necessary for the provision of an electronic communications service based on a contract with that end-user and for billing related to that contract. Examples of commercial usages of electronic communications metadata by providers of electronic communications services may include the provision of heat maps; a graphical representation of data using colours to indicate the presence of individuals. To display the traffic movements in certain directions during a certain period of time, an identifier is necessary to link the positions of individuals at certain time intervals. This identifier would be missing if anonymous data were to be used and such movement could not be displayed. Such usage of electronic communications metadata could, for example, benefit public authorities and public transport operators to define where to develop new infrastructure, based on the usage of and pressure on the existing structure. Where a type of processing of electronic communications metadata, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, a data protection impact assessment and, as the case may be, a consultation of the supervisory authority should take place prior to the processing, in accordance with Articles 35 and 36 of Regulation (EU) 2016/679.

 (30) Publicly available directories means any directory or service containing information on end-users of number-based interpersonal communication services such as name, phone numbers (including mobile phone numbers), email address, home address and includes inquiry services, the main function of which is to enable to identify such end-users. End-users that are natural persons should be asked for consent before their personal data are included in a directory, unless Member States provide that such end-users have the right to object to inclusion of their personal data. The legitimate interest of legal persons requires that end-users that are legal persons have the right to object to the data related to them being included in a directory. End-users who are natural persons acting in a professional capacity should be treated as legal persons for the purpose of the provisions on publicly available directories.

 (32) In this Regulation, direct marketing communications refers to any form of advertising sent by a natural or legal person directly to one or more specific end-users using publicly available electronic communications services.

The provisions on direct marketing communications do should not apply to other form of marketing or advertising that is not sent directly to any specific end-user for reception by that end-user at addresses, number or other contact details, e.g. the display of advertising on a visited website or within an information society service requested by that end-user. In addition to direct communications advertising for the offering of products and services for commercial purposes, Member States may decide that direct marketing communications may include direct marketing communications sent by political parties that contact natural persons via publicly available electronic communications services in order to promote their parties. The same applies to messages sent by other non-profit organisations to support the purposes of the organisation.

  (33) Safeguards should be provided to protect end-users against direct marketing communications, which intrude into the privacy of end-users. The degree of privacy intrusion and nuisance is considered relatively similar independently of the wide range of technologies and channels used to conduct these electronic communications, whether using automated calling and communication systems, instant messaging applications, emails, SMS, MMS, Bluetooth, etc. It is therefore justified to require that consent of the end-users who are natural persons is obtained before direct marketing communications are sent to them in order to effectively protect them against the intrusion into their private life. Legal certainty and the need to ensure that the rules protecting against direct marketing communications remain future-proof justify the need to define in principle a single set of rules that do not vary according to the technology used to convey these direct marketing communications, while at the same time guaranteeing an equivalent level of protection for all citizens throughout the Union. However, it is reasonable to allow the use of contact details for electronic message within the context of an existing customer relationship for the offering of similar products or services. Such possibility should only apply to the same company that has obtained the contact details for electronic message in accordance with Regulation (EU) 2016/679.

 (33a) Voice-to-voice direct marketing calls that do not involve the use of automated calling and communication systems are more costly for the sender and impose no financial costs on end-users. Member States should therefore be able to establish and or maintain national systems which allow all or certain types of voice-to-voice calls to end-users who are natural persons and who have not objected, including in the context of an existing customer relationship.

The first paragraphs of Art. 4 are characterised by the fact that they do not introduce their own definitions of legal terms, but rather refer to existing definitions from other legal instruments, i.e. the GDPR, the EECC and Directive 2008/63/EC. On the one hand, this frequent use of references leads to a uniform understanding of terms across all laws. On the other hand, it makes the ePrivacy Regulation difficult to grasp and harbours a risk of imperfect definitions.

.

The close relationship between the ePrivacy Regulation and the GDPR has already been illustrated above (Art. 1 No. I.2.). According to Art. 1 Sec. 3 ePrivacy Regulation, it is a regulatory objective of the ePrivacy Regulation to complement and expand on the existing regulations of the GDPR and thus to create a coherent regulatory landscape. Since the scope of application of the ePrivacy Regulation and the GDPR overlap, it is essential that a uniform understanding of obligations exists within both laws. The ePrivacy Regulation does justice to this by setting out a general reference to the definitions of the GDPR in Art. 4 Sec. 1 lit. a).

The reference in Art. 4 Sec. 1 lit. a) ePrivacy Regulation is a general clause. It is not limited to particular terms or specified in more detail but instead intends to adapt all definitions introduced in the context of the GDPR, unless the ePrivacy Regulation explicitly provides otherwise. However, this reference concerns mainly Art. 4 GDPR, which provides definitions for the most relevant terms used within the GDPR. For many of the definitions in Art. 4, the GDPR also provides Recitals that may serve to determine terms of the ePrivacy Regulation.

a)  Modified definition of ‘processing’, Art. 4 Sec. 2a

Although closely related to each other, the objectives of the GDPR and the ePrivacy Regulation are not identical. Therefore, some of the referenced provisions of the GDPR can only be applied mutatis mutandis within the ePrivacy Regulation in order to fully comply with the regulatory purpose of the latter.[1] For this reason, some criticism was raised during the legislative process regarding the ePrivacy Regulation’s extensive use of references to the GDPR.[2]

The most apparent contradiction resulted from the reference to the definition of the term ‘processing’ in Art. 4 No. 2 GDPR. Processing in Art. 4 No. 2 GDPR is defined as ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’.

Thus, in accordance with the scope of application and protective purpose of the GDPR, its definition of processing is limited to personal data only. A literal application of the definition, thus, would lead to the conclusion that non-personal data cannot be the subject of ‘processing’ in the sense of the ePrivacy Regulation. However, the ePrivacy Regulation generally does not distinguish between personal and non-personal data, as long as it is communications-related.[3] This contradiction, which still existed in the Commission’s Proposal of 2017, was remedied in the text of the ePrivacy Regulation that was eventually adopted by the Council. Art. 4 Sec. 2a of the ePrivacy Regulation now explicitly clarifies that the definition of processing from Art. 4 No. 2 GDPR is to be adopted with the modification that non-personal data can also be the subject of processing in the context of the ePrivacy Regulation.

b)  Definition of ‘consent’ within the ePrivacy Regulation

Consent is a core legal basis under the ePrivacy Regulation as well as under the GDPR,[4] and the starting point for many cases of application of both legal instruments.[5] However, the ePrivacy Regulation does not introduce its own autonomous definition for consent. Instead, the definition of Art. 4 No. 11 GDPR applies.

According to the referenced Art. 4 No. 11 GDPR ’consent’ means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of data relating to him or her’.

However, this definition must be modified in the context of its application to the ePrivacy Regulation. It applies only mutatis mutandis, as do all provisions of the GDPR relating to consent that are applied in the context of the ePrivacy Regulation.[6]

The necessity to modify the definition of consent results from the fact that consent under the GDPR is specifically tailored to natural persons, so-called data subjects.[7] In the context of the ePrivacy Regulation, however, the definition of consent must also fit legal persons due to its broadened scope of protection according to Art. 1 Sec. 1a ePrivacy Regulation. Therefore, within the framework of the ePrivacy Regulation, the reference to ‘data subject’ in Art. 4 No. 11 GDPR must be replaced by the term ‘end-user’, which also covers legal persons.[8] With regard to the requirements for valid consent, such as transparency and voluntariness, an adjustment must also take place to the extent that these are to be realised by the legal person.[9]

c)  Supervisory authority

The ePrivacy Regulation provides for enforcement of its rules primarily by supervisory authorities in Chapter IV, particularly Art. 18. The ePrivacy Regulation does not provide an autonomous definition of the term ‘supervisory authority’. However, the reference to the GDPR in Art. 4 Sec. 1 lit. a) ePrivacy Regulation applies and, additionally, Art. 18 Sec. 0 (sic!) ePrivacy Regulation requires that supervisory authorities that monitor the ePrivacy Regulation shall meet the same requirements as supervisory authorities under the GDPR. Art. 18 Sec. 1 ePrivacy Regulation even provides for the opportunity to instruct the same supervisory authorities that are responsible for the monitoring of the GDPR with the monitoring of the application of Art. 12 – Art. 16 GDPR (Art. 18 para. Xx).

The GDPR defines supervisory authorities in Art. 4 No. 21 as ‘an independent public authority which is established by a Member State pursuant to Art. 51’ GDPR. According to the referenced Art. 51 GDPR, ‘each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union’.

It follows from these definitions, that each Member State shall have its own national supervisory authority. It is also possible to have multiple supervisory authorities in a single Member State according to Art. 18 Sec. 1b ePrivacy Regulation. This is the case, for example, with the supervisory authorities of the GDPR in Germany.[10]

In the context of the GDPR, it can be observed that the matters affected by the regulation often have a cross-border character, so that several supervisory authorities could be concerned.[11] This is also likely to be the case in situations that fall within the scope of the ePrivacy Regulation. The regulation was created precisely for the purpose of regulating and enabling the transnational flow of electronic communications data (Art. 1 No. I.1.b). In cases where several supervisory authorities are concerned, the competent supervisory authority must be determined. In absence of explicit provisions within the ePrivacy Regulation, this determination will be made on the basis of the provisions of the GDPR referenced (see Art. 18).

According to Art. 18 Sec. 1ab ePrivacy Regulation, supervisory authorities are granted investigative and corrective powers, including the power to impose fines (Art. 23) in cases of non-compliance with the ePrivacy Regulation. This corresponds to the powers of the supervisory authorities under the GDPR, which are specified in more detail in Art. 58 (for the powers of supervisory authorities under the ePrivacy Regulation see Art. 18).

d)  Representative

According to Art. 4 No. 17 GDPR, the term ‘representative’ shall mean ‘a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Art. 27 [GDPR], represents the controller or processor with regard to their respective obligations under this Regulation’. The role of a representative is also included in the ePrivacy Regulation in Art. 3 Sec. 2 (Art. 3 No. II.).

Providers of electronic communications services (Art. 3 No. II.2.) or electronic communications networks (Art. 3 No. II.2.), who provide their services to end-users located in the EU but who are not established in the EU, are subject to the obligation to appoint such a representative established in the EU. This representative essentially acts as a contact point for supervisory authorities and end-users (Art. 3 No. II.). This obligation is also subject to a fine as per Art. 23 Sec. 2 lit. e) ePrivacy Regulation.

The definition of a representative in Art. 4 Sec. 17 GDPR as referenced in Art. 4 Sec. 1 lit. a) ePrivacy Regulation thus applies on the premise that the representative is to be appointed in accordance with the provisions of Art. 3 Sec. 2 – Sec. 5 ePrivacy Regulation and does not represent the controller or processor, but the actors who provide services as per Art. 3 Sec. 1 ePrivacy Regulation.

e)  Data protection impact assessment

The ePrivacy Regulation requires a ‘data protection impact assessment’ in certain cases. According to Art. 6a Sec. 2 ePrivacy Regulation, an impact assessment is always required prior to the processing of electronic communications content on the basis of Art. 6a Sec. 1 lit. b). In some circumstances it might also be necessary to conduct such an assessment prior to the processing of electronic communications metadata, if this is likely to result in high risks to the rights and freedoms of natural persons (Recital 17). However, the notion of data protection impact assessment is neither defined nor further specified in the ePrivacy Regulation.

The concept of data protection impact assessments was first introduced by the GDPR. If a type of data processing, particularly the use of new technologies, is likely to result in a high risk to the rights and freedoms of individuals, taking into account the nature, scope, context and purpose of the processing, the controller[12] shall assess the impact of the planned processing activities on the protection of personal data according to Art. 35 Sec. 1 GDPR.[13] The same applies if an  ongoing processing operation is modified in such a way that it risks potential changes (e.g. change of purposes, change of the processed data itself).[14]

A data protection impact assessment consists of an estimation of the impacts of the intended future processing activities with the aim of identifying high risks to the rights and interests of the data subjects and compliance with legal requirements.[15] The minimum requirements that need to be included in a data protection impact assessment are set out inArt. 35 Sec. 7 GDPR. The requirements are a systematic description of the planned processing operations and purposes; an assessment of the necessity and proportionality of the planned processing in relation to the purposes, and an assessment of the risks to the rights and freedoms of the concerned parties and the intended measures to address the risks.[16] There are no further criteria for the scope of a data protection impact assessment, leaving the legal requirements for the concrete procedure very vague.[17]

Processing of electronic communications content is considered a particularly risk-prone activity under the Privacy Regulation.[18] In this context, Recital 16a of the ePrivacy Regulation establishes a rebuttable presumption that the processing of such content data will result in  high risks to the rights and freedoms of natural persons. When processing electronic communications content, the service provider should consult, if necessary, the supervisory authority pursuant to Art. 36 Sec. 1 ePrivacy Regulation. The presumption does not apply if the processing is carried out in the context of a service requested by the end-user and the end-user has consented. Further, this presumption does not apply to the processing of electronic communications content based on Art. 6a Sec. 1 lit. a) ePrivacy Regulation. Such processing is also not subject to the requirement to carry out a data protection impact assessment. This flows from Art. 6a Sec. 2 ePrivacy Regulation, which only refers to the permission of Art. 6a Sec. 1 lit. b). However, it will arguably be regularly necessary to perform such data protection impact assessment in the context of Art. 6a Sec. 1 lit. a)  in order to meet the requirements set out by the permission with regard to the protection of the rights and interest of the concerned end-users (Art. 6a para. 20 et seqq.).

Processing of electronic communications metadata can also constitute a high risk activity that requires a data protection impact assessment. This is not derived from the provisions of the ePrivacy Regulation, but can be found in Recital 17. Recital 17 sets out the same indicators for the requirement of a data protection impact assessment as the GDPR. These are the use of new technologies, nature, scope, context and purposes of processing. Based on the criteria established by the GDPR, strong indicators for a particularly risk-prone activity will be the processing of a large amount of metadata or the effect on a large number of end-users.[19]

[1] Such a corresponding application is expressly provided for in Art. 4a Sec. 1 ePrivacy Regulation concerning the provisions of the GDPR on consent.

[2] Cf. European Parliament, LIBE report A8-0324/2017, 20 October 2017, amendments 52 et seq.; see also Schmitz, ZRP 2017, 172, 173.

[3] In this context, see the comments on ‘electronic communications data’, Art. 4 para. 96 et seqq.

[4] Art. 6 Sec. 1 lit. a) GDPR, see Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) – A Practical Guide (2017), p. 93 et seqq.

[5] Cf. Art. 6a Sec. 1 lit. b); Art. 6b Sec. 1 lit. c), Art. 8 Sec. 1 lit. b) ePrivacy Regulation.

[6] Recital 3; the restriction that definitions are to be applied mutatis mutandis only applied to the definition of consent in the ePR Commission Proposal 2017, but is now extended to all relevant provisions. This is also stipulated in Art. 4a Sec. 1 ePrivacy regulation, see commentary regarding Art. 4a No. I.

[7] Cf. Art. 4a Sec. 1 ePrivacy Regulation.

[8] See details regarding the definition of ‘end-user’ at Art. 4 No. I.2.e).

[9] On the specific requirements for a valid declaration of consent in general and its transferability to declarations of consent of legal persons, see Art. 4a.

[10] In Germany, the multiplicity of supervisory authorities is due to the federal system, see Voigt/von dem Bussche, The EU General Data Protection Regulation, p. 189 (2017).

[11] Voigt/von dem Bussche, The EU General Data Protection Regulation, p. 189 (2017).

[12] The processor shall assist the controller in ensuring compliance with this obligation according to recital 95 GDPR.

[13] Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR), p. 47 (2017).

[14] Art. 35 Sec. 11 GDPR; Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR), p. 47 (2017).

[15] Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 47.

[16] Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 47.

[17] Von dem Bussche in: Plath, BDSG/DSGVO, Art. 35 (2016), para. 17; Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 49.

[18] Recital 16a.

[19] Cf. Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR), p. 48 (2017).

Unlike the reference to the GDPR in Art. 4 Sec. 1 lit. a) ePrivacy Regulation, the definitions adopted from the EECC are explicitly specified in Art. 4 Sec. 1 lit. b) ePrivacy Regulation. Consequently, the terms contained in the EECC relevant to the application of the ePrivacy Regulation are easier to identify.

a)  Electronic communications network, Art. 2 no. 1 EECC

The term ‘electronic communications network’ refers to ‘transmission systems, whether or not based on a permanent infrastructure or centralised administration capacity, and, where applicable, switching or routing equipment and other resources including network elements which are not active, which permit the conveyance of signals by wire, radio, optical or other electromagnetic means, including satellite networks, fixed (circuit- and packet-switched, including internet) and mobile networks, electricity cable systems, to the extent that they are used for the purpose of transmitting signals, networks used for radio and television broadcasting, and cable television networks, irrespective of the type of information conveyed’.

This definition is to be understood in a broad manner and corresponds to the principle of technology neutrality.[20] Recital 12 EECC clarifies that the regulations of the EECC cover the use of radio frequency of all types of electronic communications networks, in particular emerging technologies and autonomous systems of wirelessly interconnected radio devices, which can function independently of a central network operator. Furthermore, Recital 13 draws attention to the fact that requirements for communication networks are constantly growing who in turn are continuously evolving. The technology neutral design of the Regulation aims to encompass such developments and cover ‘function creeps’ as well.[21]

b)  Electronic communications service, Art. 2 no. 4 EECC

According to Art. 2 no. 4 EECC, the term ‘electronic communications service’ refers to services provided via electronic communications networks, usually for remuneration. This includes in particular:

– Internet access services (Art. 2 no. 4 lit. (a) EECC);

– Interpersonal communications services (Art. 2 no. 4 lit. (b) EECC); and

– Services consisting wholly or mainly of the conveyance of signals such as transmission services used for the provision of machine-to-machine services or for broadcasting (Art. 2 no. 4 lit. (c) EECC).

Other examples for electronic communications services are phone services (analogue voice telephones and voice-over-IP), text message services, email services (text messages and webmail) and fax services. Regarding end-users’ rights and freedoms, it makes no difference whether providers convey signals by themselves or merely enable the communication.[22] Therefore, the definition of electronic communications services does not follow a technological, but a functional approach as follows from Recital 15 EECC.[23]

According to Recital 16 EECC, the requirement of provision for remuneration does not necessarily require payment in money. Rather, the definition also includes electronic communications services provided in exchange for other goods and services which are perceived by the market participants as a monetary value or economic benefit. These are, in particular, user data (personal data within the meaning of the GDPR as well as other information) that is provided directly, indirectly, actively or passively, in exchange for access to a communication service.[24] All cases in which the service provider monetises user data are included.

In addition, it is also considered a remuneration if the end-user is exposed to advertisement in return for access to a service for the broadcasting of which the service provider is then paid by a third party. This relatively broad understanding of ‘remuneration’ in Union law is in accordance with the jurisprudence of the CJEU on the concept of remuneration in the context of the freedom of services in Art. 57 TFEU.[25]

aa)  Internet access services

The terminternet access services’ is not defined in the EECC, but in Art. 2 No. 2 Regulation (EU) 2015/2120 to which Art. 2 no. 4 lit. (a) of the EECC refers. According to this chain of legal references, the term ‘internet access services’ refers to publicly available electronic communications services, which provide access to the internet and thereby connect to virtually all end points of the internet, irrespective of the network technology and terminal equipment used. This includes a multitude of services and connection types, such as services providing internet access over DSL, fibre, cable modem, satellite connection or Wi-Fi hotspots.

bb)  Interpersonal communications service

Art. 4 Sec. 1 lit. b) ePrivacy Regulation contains an autonomous reference to Art. 2 no. 5 EECC regarding the definition of the term ‘interpersonal communications service’, although this definition is already provided by the reference to electronic communications services, as a sub-category of the latter. For more details on the definition of interpersonal communications services in the meaning of Art. 2 no. 5 EECC see Art. 4 No. I.2.b).

cc)  Services consisting wholly or mainly in the conveyance of signals

The third type of services that, according to the referenced provision of Art. 2 no. 4 EECC, qualify as electronic communications services are services consisting wholly or mainly in the conveyance of signals. Examples are transmission services used for the provision of machine-to-machine services or for broadcasting.

Generally, a conveyance of signals takes place when the content of the conveyance, broken down into data packets, is fed into an electronic communications network where it is conveyed to the receiving party.[26] As mentioned above, services that predominantly consist of this type of technical process qualify as electronic communications service pursuant to Art. 4 Sec. 1 lit. b ePrivacy Regulation, Art. 2 No. 4 and Recital 15 of the EECC.

Whether or not a provider’s service consists in the conveyance of signals is determined on the basis of the degree of responsibility that the provider bears for the conveyance of the signal.[27] This is decided on a  case-by-case basis. The CJEU found such responsibility in a case where a remunerated online calling service was  performed on the basis of the online service provider’s own legally binding contracts with providers of the relevant Public Switched Telephone Network (‘PSTN’) and internet providers, that exercised the conveyance of the signal.[28] The exercise of the conveyance of the signal by third parties was of no relevance to the court. The remuneration by the end-users and the own contractual obligations significantly implied its responsibility towards the users.

In contrast, the court denied responsibility in the case of a web-based e-mail service provider where there was no additional indicator for such responsibility of the provider, apart from the general communication element of its service. The court concluded that it was mainly the responsibility of the internet access providers and the operators of the various networks among the open internet to convey the signals necessary for the functioning of any web-based e-mail service.[29] According to the court, the responsibility of the supplier of web-based e-mail services required an additional element in connection to the responsibility vis-à-vis the users that held an e-mail account with the supplier. The mere participation in a conveyance service that was mainly performed by other parties did not suffice.

However, with the entering into force of the EECC, the responsibility for the conveyance of signals should no longer be a matter of concern. According to Recital 15 EECC, the end-user’s perspective is decisive. From the perspective of an end-user, it is irrelevant whether a provider conveys signals themselves or whether the communication is delivered via an intermediary internet access service. Therefore, only functional rather than technical considerations are decisive. The definition of electronic communications services introduced by the EECC influences the ePrivacy Directive and the corresponding Member States’ implementing laws (Art. 2 No. II.1.f). The ePrivacy Regulation stays in line with this trend when referencing the EECC.

The scrapping of the technical conveyance of signals as a decisive criterion for electronic communications services is the reason why OTT services are included in the new definition of the EECC (Art. 2 No. II.1.f), Art. 1 No. II.1.). OTT services usually do not convey signals themselves but rely on the conveyance of signals by others and are delivered over the network infrastructure of others.[30] This circumstance had previously led to a lack of clarity about their status as electronic communications services, which resulted in a lack of clarity in law.

The CJEU judgment above, which rejected the responsibility of web-based e-mail service providers for the conveyance of signals, also concluded that ‘pure’ OTT services with no other special characteristics do not constitute electronic communications services falling under any of the applicable European legal frameworks.[31] This finding revealed a major regulatory gap in the context of privacy protection, since end-users increasingly replace traditional telecommunications services, such as voice telephony, text messages (SMS) and electronic mail conveyance services with OTT services.[32] Therefore, it has been one major aim of the ePrivacy Regulation to finally include those services in the European electronic communications regulatory framework and thereby keep pace with recent technical developments and practical demands.[33]

With regard to the privacy interests of end-users, it makes no difference whether providers convey signals themselves or whether the communication is delivered via an internet access service.[34] Therefore, OTT must be considered a functionally equivalent service and necessarily falls within the scope of the ePrivacy Regulation. This is because the Regulation aims to ensure an equal level of data protection, regardless of the way the signals are conveyed.[35] It is impossible to achieve the regulatory objective to create high standards of protection of privacy and confidentiality of communications without regulatory recognition of OTT services.

Examples for OTT services that are also interpersonal communications services are instant messengers like WhatsApp, Telegram, Signal and iMessage, Voice-over-IP services like Skype, Viber, FaceTime and e-mail services such as Gmail, Outlook.com, Yahoo, web.de and GMX.

Although signals may be conveyed between machines as well, they do not constitute interpersonal communication.[36] Since the ePrivacy Regulation aims to ensure the protection of the rights to privacy and confidentiality of communications, those special conveyances must also be covered by the protection, Recital 12 ePrivacy Regulation. As a result of the development of the markets and of the communications services as well as the technical means of providing the communications data, the conveyance of signals only depends on the conveyance via electronic communications services.

Example (1): Company T builds and deploys smart meters. These devices measure the electricity consumption in a residential unit and transmit the data collected to a central server for billing purposes. While no human is involved in the communication, it is an electronic communications service as signals are conveyed. Another example is the communication process between self-driving cars to warn about vicinity to objects or other risks.

dd)  Exception: services including content control

Services that provide content or exercise editorial control over content do not constitute electronic communications services within the EECC, according to Art. 2 No. 4. This exception refers to various web services such as news sites or online shops where content is determined unilaterally by the web service provider. Therefore, such services do not fall within the scope of the ePrivacy Regulation, an exception that is also made by  reference in Art. 4 Sec. 1 lit. b) ePrivacy Regulation. According to Recital 7 EECC, audiovisual policy and content is regulated separately, by means of autonomous legislation. This is because it involves regulatory objectives and purposes, such as freedom of expression, media pluralism, the protection of minors, that are different to the objectives of protection of privacy and confidentiality that are pursued with regards to communications.[37]

The exception for content and editorial control is not without difficulties, especially with regard to the only recently included OTT services. OTT services frequently use algorithmic means and filters to supervise and control content, so-called ‘editorial control’.[38] However, the use of such algorithmic means may well pose privacy risks that cannot necessarily be addressed adequately within the framework of the regulation of audiovisual media services alone, but rather constitute a matter of concern for the ePrivacy Regulation.[39] Thus, it seems questionable to which extent the exception of editorial control in privacy-related cases will be applied. Unfortunately, the ePrivacy Regulation does not provide any more detailed provisions on this.

c)  Interpersonal communications services, Art. 4 Sec. 1 lit. b)

The term ‘interpersonal communications services’ is defined in Art. 2 no. 5 EECC. The term refers to a sub-category of the notion ‘electronic communications service’ referred to above, but is listed separately in Art. 4 Sec. 1 lit. b) ePrivacy Regulation within the references to the EECC. According to the definition in Art. 2 no. 5 EECC, it includes all services that enable a direct interpersonal and interactive exchange of information between a finite number of persons,[40] whereby the initiating or participating persons are the recipients. Recital 17 EECC lists examples for this type of services,such as traditional voice calls between two individuals or all types of emails, messaging services, or group chats.

Communications involving legal persons can also constitute interpersonal communications services within the definition. This is when natural persons act on behalf of those legal persons or are involved at least at one side of the communication.[41] This is in accordance with the regulatory purpose of the ePrivacy Regulation, which requires that legal persons not be excluded rationae personae from the scope of the definition of interpersonal communications services, Art. 1 Sec. 1a.

Furthermore, Art. 2 no. 5 EECC explicitly refers once again to the necessity of remuneration for the relevant service. However, this is only of a declaratory nature. Interpersonal communications services as a sub-category of electronic communications services already have to be provided for remuneration according to the definition pursuant to Art. 2 no. 4 EECC.[42]

aa)  Communication ‘merely as a minor ancillary feature’ to another service

The referenced definition in Art. 2 no. 5 EECC excludes services that enable interpersonal or interactive communication as a merely minor ancillary feature which is intrinsically linked to another main service. Whether a communication feature is ‘purely ancillary’ or ‘insignificant’ in terms of this definition is interpreted rather narrowly and determined from the perspective of end-users.[43]

However, although the ePrivacy Regulation references this definition of the EECC, the reference does not cover the exception mentioned above. According to Art. 4 Sec. 2 ePrivacy Regulation, such interpersonal communication services are included in the protection of the confidentiality of communications even if ‘merely a minor ancillary feature’.[44] Thus, contrary to the referenced EECC definition, interpersonal communications services that only fulfil a subordinate function within another service are explicitly within the scope of the ePrivacy Regulation. In other words, in the context of Art. 4 Sec. 1 lit. b), Sec. 2 ePrivacy Regulation, communication capabilities are not the decisive aspect of a product for its categorisation as interpersonal communications service. Instead, communication capabilities as a side feature is sufficient under the ePrivacy Regulation.[45]

Examples for such ancillary interpersonal communications services are chat functionalities in computer games, support chats in online shops or the personal messaging tools in services like Facebook, Instagram, Twitter, Snapchat, TikTok or web forums.

Thus, social networks providing personal message or chat functionalities as part of their services will qualify as interpersonal communications services regardless of their technical design and capabilities. The question that remains is how to deal with social networks that do not offer traditional messaging functions, but provide possibilities for the users to share information and content only.[46] This assessment might vary depending on the specific set-up of each network. Thereby, the end users’ expectations of confidentiality should be decisive, i.e. whether the user can define the group of recipients or whether the user even knows, with whom the exchange takes place.[47] For example, messages exchanged over timelines of social networks that are visible only for a finite number of contacts may well fall under the scope of interpersonal communications services.[48]

On the other hand, the Council of the European Union proposed an amendment to the Recitals in the sense that customer care chats and in-game communications open to all players of a game should not be considered interpersonal communications services, because of the end-user’s usually diminished expectations in the  confidentiality of such services.[49]

bb)  Interactivity

A service is ‘interactive’ when it allows the recipient of the information to respond.[50] The service must allow for communications between a certain number of individuals determined by the sender.[51] If those requirements are not met, the ePrivacy Regulation does not apply due to lack of an interpersonal communications service.[52]

Examples of interpersonal communications services are: Voice calls between two individuals; all types of emails; messaging services and group chats. [53]

In contrast, examples that are generally not considered interpersonal communications services are: services enabling linear broadcasting, video on demand, websites, social networks, blogs, or exchange of information between machines. A web forum is not an interpersonal communications service per se as it does not facilitate communication between a defined and finite group of recipients, but to the general public. The same applies to websites that feature a comments section. [54]

d)  Number-based and number-independent interpersonal communications services, Art. 4 Sec. 1 lit. b)

Art. 4 Sec. 1 lit. b) ePrivacy Regulation refers to ‘number-based interpersonal communications services’ and ‘number-independent interpersonal communications services’ as terms to be determined on the basis of the definitions referenced in the EECC. As has been pointed out above, the general term of interpersonal communications services constitutes a sub-category of electronic communications services and is defined in Art. 2 no. 5 EECC.[55] This category of interpersonal communications services is further specified by means of the additional factors ‘number-based’ or ‘number-independent’ as set out in Art. 2 no. 6 and Art. 2 no. 7 EECC.

According to the referenced definition in Art. 2 no. 6 EECC, a service is considered number-based, if it ‘connects with publicly assigned numbering resources, namely, a number or numbers in national or international numbering plans, or which enables communication with a number or numbers in national or international numbering plans’. Recital 18 EECC further restricts this definition to the effect that the assignment of any arbitrary number as an identifier is insufficient. Instead, the end-user numbers must be assigned to the relevant services in order to ensure end-to-end connectivity or enable end-users to reach persons to whom such numbers have been assigned. Providers of such services are subject to additional obligations, as these services participate in and benefit from publicly assured interoperable ecosystems and, thus, are a subject of public interest.[56] Such additional obligations for providers of these special services are inter alia set out in Arts. 12, 13 and Art. 14 ePrivacy Regulation.

A service is defined as number-independent, when it ‘does not connect with publicly assigned numbering resources, namely, a number or numbers in national or international numbering plans, or which does not enable communication with a number or numbers in national or international numbering plans’, according to the referenced definition set out in Art. 2 no. 7 EECC. As number-independent interpersonal communications services do not participate in the publicly assured interoperable ecosystem, providers of such services are not subject to specific regulatory obligations, unless public interest requires otherwise.[57]

e)  End-User, Art. 4 Sec. 1 lit. b)

Art. 4 Sec. 1 lit. b) ePrivacy Regulation refers to the definition of the term ‘end-user’ in Art. 2 no. 14 EECC. The term end-user is a frequently recurring notion within the ePrivacy Regulation and is highly relevant to its application, as the end-user is the central subject of protection in the Regulation.

According to Art. 2 no. 14 EECC, ‘end-user’ shall mean ‘a user not providing public electronic communications networks or publicly available electronic communications services’. A ‘user’, in turn, is an ‘individual or legal person using or requesting a publicly available electronic communications service’ (Art. 2 no. 13 EECC Directive). Thus, in accordance with the subject matter of the ePrivacy Regulation as defined in its Art. 1 Sec. 1a, legal person in the sense of non-human entities, such as corporations, can be considered end-users.[58]

aa)  Distinction between end-users and providers

The primary focus of the definition in Art. 2 no. 14 EECC are regulatory questions regarding the provision of telecommunications networks and services. In that context, a subject is either an ‘end-user’ or ‘a provider’ and therefore the difference between both terms is relatively clear. However, in ePrivacy-scenarios, the identification of end-users may be more difficult.

In the context of the ePrivacy Regulation, there might be entities that provide public communications networks or publicly available electronic communications services and thus cannot be considered end-users in that regard. They may, however, engage in different parallel activities, either for internal purposes or in other fields of business, which might classify them as end-users.

Example: X is a freelance software developer and provides a messaging app for smart devices that relies on a server infrastructure provided by himself. X is, thus, not an end-user regarding actions in connection with his business of providing a messaging app. However, he uses his messaging app as a user as well. In that regard, he is not acting as a provider of communications services.

Therefore, the distinction between an end-user and a non-end-user requires a focus on the respective activities. Despite not qualifying as an end-user when providing public communication networks or publicly available electronic communication services, it is still possible to qualify as an end-user, should one use or request the usage of publicly available electronic communications. In this case, protection under Art. 5 ePrivacy Regulation and its further provisions is granted after all.

bb)  End-Users in machine-to-machine communications

The wording of the referenced definition of end-users in Art. 2 no. 14, no. 13 EECC does not allow for an interpretation that includes machines, which results in machine-to-machine communications falling outside the scope of protection of the ePrivacy Regulation.[59] However, according to Recital 12 ePrivacy Regulation, transmission of machine-to-machine communication is included if it is carried out via publicly available electronic communications networks or services.[60] In order to fall within the ePrivacy Regulation, said communication must be attributed to an individual or a legal person, who is then considered the respective end-user. According to Recital 12, providers of machine-to-machine communications typically operate at the application level, above electronic communications services. Providers of such services and their costumers are therefore considered end-users, and not providers, of these services and benefit from the protection of confidentiality of their communications data.[61]

Examples: T is a teenager who uses a messenger service via his/her mobile phone’s cellular connection. P is a professional carpenter who uses a PC for office work that is connected to the internet via cable modem. Corporation L has deployed several servers in a datacentre that provides computational capacity for L’s internal needs only; the servers are connected to the internet via the data centre’s routers and several fibre optic connections. When communicating with other parties, T, P and L are end-users.

Corporation M is a provider of telecommunication networks and owns several fibre-optic backbones. Individual X is a freelance software developer and provides a messaging app for smart devices that relies on a server infrastructure provided by herself. M and X are not end-users in the described capacity.

f)  Definition of ‘call’, Art. 4 Sec. 1 lit. b)

The last definition of the EECC referenced by Art. 4 Sec. 1 lit. b) ePrivacy Regulation is the definition of the term ‘call’, which is set out in Art. 2 no. 31 EECC. According to Art. 2 no. 31 EECC, ‘call’ means ‘a connection established by means of a publicly available interpersonal communications service allowing two-way voice communication’. Some of the obligations specified in the ePrivacy Regulation specifically refer to providers enabling calls as part of their service, which are usually also providers of number-based interpersonal communications services. These obligations are found in Arts. 12, 13 and Art. 14 ePrivacy Regulation, and refer to the conditions and requirements regarding calling line identification, as well as to handling of nuisance calls.[62]

[20] Cf. recital 13 et. seq. EECC.

[21] Cf. recital 13, 14 EECC.

[22] Recital 15 EECC.

[23] Cf. below at Art. 4 No. I.2.cc) regarding the relevance of conveyance of signals within the functional approach to electronic communications services.

[24] Recital 16 EECC.

[25] Judgment of the CJEU of 26 April 1988, C-352/85, at para. 16; Judgement of the CJEU from 11 September 2014, C-291/13, at para. 27 et seq.; Judgement of the CJEU from 15 September 2016, C-484/14, at para. 41 et seq.; Cf. recital 16 EECC.

[26] CJEU, judgement from 13 June 2019 – C-193/18, para. 34.

[27] CJEU, judgement from 30 April 2014 – C-475/12, para. 43; CJEU, judgement from 5 June 2019 – C-142/18, para. 29.

[28] CJEU, judgement from 5 June 2019 – C-142/18, para. 33.

[29] CJEU, judgement from 13 June 2019 – C-193/18, para. 32 et seq., particularly at 36.

[30] BEREC, Report on OTT services, BoR (16) 35, p. 14.

[31] Cf. CJEU, judgement from 13 June 2019 – C-193/18, para. 38.

[32] Directorate-General for Internal Policies, An Assessment of the Commission’s Proposal on Privacy and Electronic Communications, May 2017, p. 36.

[33] ePR Commission, Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), 2017/003, Explanatory Memorandum, p. 1.

[34] Cf. recital 15 EECC.

[35] Cf. EDPB, statement from 25 May 2018 on the revision of the ePrivacy Regulation and its impact on the protection of individuals with regard to the privacy and confidentiality of their communications, at p. 2.

[36] Cf. recital 17 sent. 5 EECC.

[37] This regulatory matter is covered by the Directive (EU) 2018/1808 of the European Parliament and of the Council of 14 November 2018 amending Directive 2010/13/EU on the coordination of certain provisions laid down by law, regulation or administrative action in Member States concerning the provision of audiovisual media services (Audiovisual Media Services Directive) in view of changing market realities and is partly subject to the Proposal for a Regulation of the European Parliament and of the Council on a Single Market For Digital Services (Digital Services Act) and amending Directive 2000/31/EC from 15 December 2020, Doc. No. 2020/0361 (COD).

[38] Directorate-General for Internal Policies, An Assessment of the Commission’s Proposal on Privacy and Electronic Communications, May 2017, p. 38 et seq.

[39] Ibid.

[40] A finite number shall mean a not potentially unlimited number of natural persons, which is determined by the sender of the communication, according to recital 17 EECC.

[41] Recital 17 EECC.

[42] See Art. 4 No. I.2.b) above regarding the remuneration for electronic communications services.

[43] Recital 17 EECC.

[44] See also recital 11a ePrivacy Regulation.

[45] Woger, PinG 2018, 80, 82.

[46] The social network Instagram, for example, did not contain a messaging function when it was initially launched in 2010. Users could only share content, which could then be commented on by other users – generally publicly visible. Only in December 2013 the feature ‘instagram direct’ was introduced, allowing direct and private messaging between users. Additionally, this feature was only available at the mobile app until 2020, when it was introduced in the web app as well. See ‘Introducing Instagram Direct Message’, 12 December 2013, https://about.instagram.com/blog/announcements/introducing-instagram-direct-message (last access: 25 March 2021); Ashley Carmen, ‘Instagram starts bringing DMs to the web, 14 January 2020, https://www.theverge.com/2020/1/14/21063269/instagram-web-dm-test-launch-browser-access-messages-facebook (last access: 25 March 2021).

[47] Cf. Council of the European Union, ST 11001/19, p. 10.

[48] Directorate-General for Internal Policies, An Assessment of the Commission’s Proposal on Privacy and Electronic Communications, p. 39 et seq.

[49 Council of the European Union, ST 11001/19, p. 10.

[50] Recital 17 EECC.

[51] Recital 17 EECC.

[52] Recital 17 EECC Directive.

[53] Cf. recital 17 EECC Directive.

[54] Cf. recital 17 EECC Directive.

[55] See para. 46 et seqq.

[56] Cf. recital 18 EECC.

[57] Recital 18 EECC.

[58] Cf. Art. 1 No. I.1.a).

[59] Directorate-General for Internal Policies, An Assessment of the Commission’s Proposal on Privacy and Electronic Communications, May 2017, p. 42.

[60] Regarding the requirement of public availability, see Art. 4 No. III.1.a), Art. 2 No. III.4.; Similarly to the regime of the ePrivacy Directive see EDPB, statement from 25 May 2018 on the revision of the ePrivacy Regulation and its impact on the protection of individuals with regard to the privacy and confidentiality of their communications, p. 2.

[61 Recital 12.

[62] See commentaries regarding Art. 12, Art. 13 and Art. 14 respectively.

According to Art. 4 Sec. 1 lit. c) ePrivacy Regulation, the term ‘terminal equipment’ shall be defined as in Art. 1 Sec. 1 Directive 2008/63/EC. The latter defines terminal equipment as ‘equipment directly or indirectly connected to the interface of a public telecommunications network to send, process or receive information; in either case (direct or indirect), the connection may be made by wire, optical fibre or electromagnetically; a connection is indirect if equipment is placed between the terminal and the interface of the network’ (Art. 1 Sec. 1 lit. a) Directive 2008/63/EC); or ‘satellite earth station equipment’ (Art. 1 Sec. 1 lit. b) Directive 2008/63/EC).[63]

The definition of terminal equipment is of major relevance with regard to Art. 8 ePrivacy Regulation. The latter intends to secure the integrity of terminal equipment by means of a prohibition of interference.[64] The main case of application for this provision is likely to be the application of cookies, which repeatedly has been the subject of legal disputes in the ePrivacy context in recent years.[65]

It follows from the referenced definition of terminal equipment in Art. 1 Sec. 1 lit. a) Directive 2008/63/EC that, generally, any device that is directly or indirectly connected to the interface of a public telecommunications network to send, process or receive information can be considered terminal equipment in terms of the ePrivacy Regulation. This encompasses, for instance, routers, modems, desktop and portable computers, tablets, smartphones or other smart devices like smart TVs or smart speakers. The two relevant factors for such devices to qualify as terminal equipment are (i) the existence of a public telecommunications network and (ii) a connection therewith.

a)  Public telecommunications network

The term ‘public telecommunications network’ is not defined in EU law, neither in Directive 2008/63/EC nor the ePrivacy Regulation. Consequently, the meaning must be determined autonomously.

Albeit not referring to public telecommunications networks, the ePrivacy Regulation references the definitions of the resembling terms ‘electronic communications network’ and ‘public electronic communications network’ set out in Art. 2 no. 1, no. 8 EECC. According to these definitions, an ‘electronic communications network’ is a transmission system which permits the conveyance of signals by wire, radio, optical or other electromagnetical means, irrespective of the type of information conveyed.[66] The definition includes all networks regardless of whether they are permanent or provisional, centralized or decentralized and encompasses all necessary equipment of such networks, including active as well as non-active components, switching or routing equipment and other resources. Such an electronic communications network is ‘public’ when used wholly or mainly for the provision of publicly available electronic communications services (for the requirement of public availability within the ePrivacy Regulation see Art. 2 No. III.4.[67]

However, the referenced definition of terminal equipment in Art. 1 Sec. 1 Directive 2008/63/EC uses the formulation public telecommunications network and, thus, differs from the notions of the EECC referring to electronic communications. Both terms also differ in content. According to the understanding of the European legislator, which is reflected in the Framework Directive, telecommunications services are a special type of signal transmission and a subcategory of the generic term electronic communications services, which includes telecommunications as well as other means of transmission, for example, broadcasting, which is to be distinguished from telecommunications.[68] Thus, electronic communications services constitutes the more general and broadly understood generic term and is consequently the more appropriate choice of terminology in the context of the technology-neutral ePrivacy Regulation. The same arguably applies to the relationship between public electronic communications network and public telecommunications network. Consequently, the terminology based on telecommunications is generally interpreted more restrictively than electronic communications services and networks as defined in the EECC and adapted by the ePrivacy Regulation.

However, to refer unconditionally to such rather restrictively formulated definition in Art. 1 Sec. 1 Directive 2008/63/EC does not fit into the overall concept of the ePrivacy Regulation, which is intended to establish technology-neutrality and adaptation of the law to the present state of the art. Generally, the term ‘telecommunication’ is no longer used within the ePrivacy Regulation. It was most likely not the intention of the legislator to introduce such a meaning for the definition of ‘terminal equipment’ in the ePrivacy Regulation, that is restricted to equipment connected to telecommunications networks, while consistently referring to electronic communications networks and services as the relevant case of application of the regulation.[69] Furthermore, Recital 13 states that terminal equipment connected to a closed (non-public) network also falls under the scope of the ePrivacy Regulation if this network, in turn, is connected to a public electronic communications network. Thus, in connection with public availability and in contrast to of Art. 1 Sec. 1 Directive 2008/63/EC, it is not a decisive factor whether terminal equipment is connected to a telecommunications network. Rather, in the context of the ePrivacy Regulation, terminal equipment must be connected to a public electronic communications network, contrary to the referenced definition in Directive 2008/63/EC which refers to public telecommunications networks. Therefore, it may be referred to the definition of ‘public electronic communications network’ as defined in the EECC and illustrated above (para. 74), in order to determine whether an end-user’s device is connected to a network that meets the requirements of the ePrivacy Regulation and thus qualifies as terminal equipment. In consequence, the reference in Art. 4 Sec. 1 lit. c) ePrivacy Regulation to the definition of terminal equipment in Directive 2008/63/EC applies only mutatis mutandis.

Further examples for apublic telecommunications networks’ are classic telephone networks consisting of copper cable and the respective active infrastructure; networks operated by Internet access providers over copper cable or fibreglass; satellite networks; cellular networks, e.g. 4G/LTE, or Wi-Fi networks, whether public or available for-pay, e.g. in a hotel.

b)  Connection

There must be a connection between the public telecommunications network and the end-user’s device in order for the latter to qualify as terminal equipment. It is of no importance for the applicability of the ePrivacy Regulation, whether the connection of the device to the telecommunications network is made on a physical level or not, since the referenced definition in Art. 1 Sec. 1 Directive 2008/63/EC encompasses all practical relevant connection types.

aa)  Indirect network connections

Devices connected indirectly to a public telecommunications network are equally considered ‘terminal equipment’ according to Art. 1 Sec. 1 Directive 2008/63/EC. Following this provision, ‘a connection is indirect if equipment is placed between the terminal and the interface of the network’.

Example: A mobile phone using its cellular connection to communicate with a cell tower is directly connected to a public telecommunications network; the same applies to a landline phone that is directly plugged into the socket provided by the network operator. A tablet computer that uses its Wi-Fi adaptor to connect to a mobile phone which is connected to the Internet by cellular connection (‘tethering’) is indirectly connected as mentioned above.

In the context of Directive 2008/63/EC, the term ‘indirectly’ has been interpreted in a way that includes only passive intermediary equipment between the end-user’s device and the network.[70] Such strict interpretation, however, cannot be upheld within the ePrivacy Regulation, as it would exclude a wide number of cases of application in which devices are connected to a network via other active devices, i.e. devices with own amplifying effect, control function or energy intake.[71] In the context of the referenced Directive 2008/63/EC, an exclusion of active devices may be appropriate, as it concerns matters of competition law and pursues different legislative purposes. In the context of the ePrivacy Regulation, however, such application would be detrimental to its regulatory purposes to ensure high standards of protection of privacy and the confidentiality of communications for a broad spectrum of technologies and cases of application. This illustrates the problems that come with the  approach of the ePrivacy Regulation to ‘copy-and-paste’ existing definitions from other European legal instruments without adapting them to the ePrivacy context.

Therefore, in the context of the ePrivacy Regulation, the term ‘indirectly’ has to be interpreted in a wider sense, allowing to include active intermediary equipment. It would counteract the ePrivacy Regulation’s approach, which seeks to provide effective and comprehensive protection of information on end-user’s devices, to exclude these cases from the scope of Art. 8 ePrivacy Regulation.

bb)  Connection to wireless adapters

Interpreted in a narrow sense, a device that is only equipped with a wireless adaptor (e.g. Wi-Fi or Bluetooth), but not connected to a network cannot be considered as terminal equipment, since a device merely in the process to connect is not yet connected. However, the relevant provisions regarding the protection of terminal equipment in Art. 8 ePrivacy Regulation include limitations of third-party interception of data that is emitted by terminal equipment when trying to connect to other devices or networks in Art. 8 Sec. 2.[72] If devices ‘not yet connected’ were not considered ‘terminal equipment’, there would be no reasonable field of application left for the aforementioned Art. 8 Sec. 2 ePrivacy Regulation (cf. Art. 8). Therefore, in the context of the ePrivacy Regulation, for a wireless device to be regarded as ‘connected to the interface of a public telecommunications network’ and therefore qualify as ‘terminal equipment’, it is sufficient if the respective device is only in the process of connection to a network.

Example: A Wi-Fi-enabled device does not have to be connected to a Wireless LAN to be in the material scope of the ePrivacy Regulation. It is sufficient when its wireless adaptor is enabled.

cc)  Outbound connections at private networks

Since the definition of terminal equipment in Art. 1 Sec. 1 Directive 2008/63/EC only refers to devices connected to public networks, the ePrivacy Regulation does generally not apply to devices which are connected to private networks, i.e. networks with a closed group of users. Such private networks are, for example, corporate networks where access is limited to members of the corporation.[73] However, many private networks nowadays also contain some kind of gateway to other public networks, especially the internet. For example, many company networks have a gateway that allows their employees access to the internet. The same applies to all Wi-Fi networks in private homes.

In cases of a device also being able to make connections to public electronic communications networks while connected to a private network, this device is exposed to the same kind of privacy threats as it would be if it were connected directly to such a network. Therefore, while the ePrivacy Regulation does not apply to the internal functioning of private networks, its regulatory purpose requires it to apply to outbound connections. Recital 13 correspondingly provides for such an interpretation of the term terminal equipment, thus deviating from the originally referenced definition in Art. 1 Sec. 1 Directive 2008/63/EC and setting out that ‘the provisions of this Regulation regarding the protection of end-users’ terminal equipment information also apply in the case of terminal equipment connected to a closed group network such as a home (fixed or wireless) network which in turn is connected to a public electronic communications network’.[74]

Example: Company A operates a computer network in its office. It also employs a security software that periodically accesses all computers in the network as well as the ongoing network traffic for security issues. None of these activities are subject to the ePrivacy Regulation, because they take place inside a private network only. However, the network also provides a gateway to the Internet. When one of the computers creates a connection to an external web server and that web server tries to access information on said computer, the ePrivacy Regulation applies.

[63] ‘Satellite earth station equipment’ is defined in Art. 1 Sec. 2 of Directive 91/163/EEC as ‘equipment which is capable of being used either for transmission only, or for transmission and reception (transmitreceive), or for reception only (receive-only), of radio-communication signals by means of satellites or other space-based systems, but excluding purpose-built satellite earth station equipment intended for use as part of the public telecommunications network of a Member State’. In the context of the ePrivacy Regulation, in particular the more detailed specification of the notion of terminal equipment, the term ‘satellite earth station equipment’ does not occur and does not play any further role for the application of the regulation. Consequently, it will also be neglected within the framework of this commentary.

[64] See the commentary on Art. 8.

[65] See Art. 8.

[66] See Art. 2 no. 1 of the EECC.

[67] Art. 2 no. 8 EECC.

[68] See Art. 2 lit. c) Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive); see also the definition at https://eur-lex.europa.eu/summary/glossary/electronic_communications_services.html (last access:  7 April 2021).

[69] Cf. recital 12, 13; the ePrivacy Regulation does not contain any explicit reference to public telecommunications networks.

[70] Lünenbürger/Stamm, in: Scheurle/Mayen, Telekommunikationsgesetz, § 3 TKG (2018), para. 71 with reference to Bundesrat parliamentary paper 365/15, p. 7 and thereby to the Note of the European Commission’s ‘Telecommunication Conformity Assessment and Market Surveillance Committee’ on ‘Application of the R&TTE Directive to indirectly connected equipment and to equipment with LAN Ports’ of 01 February 2012, Ref. Ares(2015)1711191 – 22/04/2015.

[71] Lünenbürger/Stamm, in: Scheurle/Mayen, Telekommunikationsgesetz, § 3 TKG (2018), para. 71.

[72] See Art. 8.

[73] Recital 13.

[74] The ePR Commission Proposal 2017 did not yet contain such a clarification with regard to private networks.

As the final definition referenced from another act of European law, Art. 4 Sec. 1 lit. d) ePrivacy Regulation refers to ‘information society services’ as defined in Art. 1 Sec. 1 lit. b) Directive (EU) 2015/1535.[75] These are any services ‘normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.’

a) Legal definitions of Art. 1 Sec. 1 lit. b) and Annex I Directive (EU) 2015/1535

Additionally, some of the elements of this definition are specified in Art. 1 Sec. 1 lit. b) Directive (EU) 2015/1535:

i. ‘at a distance’, describes that the parties are not simultaneously present while the service is provided;

ii.‘by electronic means’, means that the service is sent initially and received at its destination by means of electronic equipment for the processing (including digital compression) and storage of data, and entirely transmitted, conveyed and received by wire, by radio, by optical means or by other electromagnetic means;

iii. ‘at the individual request of a recipient of services’ means that the service is provided through the transmission of data on individual request.

Examples for such information society services are online search engines, social networks or online sales platforms. For the purpose of determining whether a service constitutes an information society service within the meaning of this definition, Annex I to Directive (EU) 2015/1535 may be referred to in addition. It provides an indicative list of services that are not included in the definition of information society services  and therefore provides the basis for a negative delimitation.[76]

According to Annex I Directive (EU) 2015/1535, a service is not provided at distance in the case of consultation of an electronic catalogue in a shop with the customer on site, or a plane ticket reservation made by means of network computers but in the physical presence of the customer at the travel agency. Furthermore, a service is not provided by electronic means if it contains material content even though it is provided via electronic devices, or if distribution of the service takes place offline, or if the service is not provided via electronic processing/inventory systems.[77] In the ePrivacy context, the latter exception is particularly relevant. Based on Annex I No. 2, it mainly covers voice telephony services. However, arguably, only classic telephony and fax services that operate via Public Switched Telephone Networks (‘PSTN’; particularly the landline network and mobile phone network) are covered by this exception. Voice telephony services provided via the internet, meanwhile, fulfil the criterion of electronic processing and are thus likely to constitute information society services.

Generally, there is a large potential of overlap between the definitions of ‘information society services’ and the definition of ‘electronic communications services’. Recital 10 EECC sets out that electronic communications services as defined by the EECC may constitute information society services in terms of Art. 1 Sec. 1 lit. b) Directive EU 2015/1535 as well. Both laws are generally applicable in parallel. There is thus a partially overlapping regulation by the Union legislator.[78]

b) Service provided for remuneration

Neither Art. 1 Sec. 1 lit. b) of the Directive (EU) 2015/1535 nor its Annexes contain a more detailed explanation or definition of the requirement of remuneration included in the definition of information society services. However, Union law in general applies a broad understanding of the term ‘remuneration’, which does not require a monetary payment; the provision of the service in an otherwise commercial context is sufficient.[79] This broad understanding of the term applies in the context of the definition of electronic communication services[80] and is transferable to information society services, as has been confirmed by the CJEU.[81]

[75] In principle, the reference is superfluous at this point, as the general reference to all definitions of the GDPR in Art. 4 Sec. 1 lit. a) ePrivacy Regulation already indirectly refers to the definition of Art. 1 Sec. 1 lit. b) Directive (EU) 2015/1535 referenced via Art. 4 No. 25 GDPR (Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services).

[76] Art. 1 Sec. 1 lit. b) Directive (EU) 2015/1535.

[77] Directive (EU) 2015/1535, Annex I Indicative list of services not covered by the second subparagraph of point (b) of Article 1(1), at no. 2.

[78] Cf. Buchner/Kühling, DS-GVO, Art. 4 para. 5a (2020).

[79] See Art. 4 No. I.2.b) above.

[80] Recital 16 EECC.

[81] Judgement of the CJEU from 15 September 2016, C-484/14, at para. 41 et seq.

The ePrivacy Regulation adopts many definitions of other European laws through various references contained in Art. 4 Sec. 1. This leads to a uniform terminology across laws and, thus, contributes to the uniformity of the legal order. Naturally, however, inconsistencies and contradictions arise in individual cases when definitions from legal instruments are used which pursue different protective purposes or regulatory objectives than the ePrivacy Regulation. It may therefore be necessary to amend definitions in a way that allows the best possible contribution to the regulatory purpose of the ePrivacy Regulation.

This is precisely the purpose of Art. 4 Sec. 2 and Sec. 2a of the ePrivacy Regulation. Art. 4 Sec. 2 ePrivacy Regulation amends the definition of ‘interpersonal communications service’ from the EECC in such a way that it benefits the protection of privacy and confidentiality of communications in terms of the ePrivacy Regulation more effectively (see above at Art. 4 No. I.2.b)bb). Art. 4 Sec. 2a ePrivacy Regulation, meanwhile, modifies the data protection law definition of the term ‘processing’ from the GDPR to the extent that, in accordance with the ePrivacy Regulation, the protective purpose can also be extended to legal persons (see above at Art. 4 No. I.1.a).

 

Only Art. 4 Sec. 3 ePrivacy Regulation introduces autonomous definitions of the ePrivacy Regulation. Those are not adopted from other existing legal instruments.

Art. 4 Sec. 3 lit. a) ePrivacy Regulation introduces a definition for the term ‘electronic communications data’. According to this definition, electronic communications data is an umbrella term for two further sub-categories of data, namely ‘electronic communications content’ and ‘electronic communications metadata’; both are defined in Art. 4 Sec. 2 lit. b) and lit. c) ePrivacy Regulation. Principally, both terms are mutually exclusive and every element of an electronic communications transmission can be assigned to either one of them.

The general prohibition of processing set out in Art. 5 ePrivacy Regulation refers to electronic communications data, thus  covering electronic communications content and electronic communications metadata at the same time.[82] However, the distinction between these three terms is essential for the application of the ePrivacy Regulation, as the material provisions of the ePrivacy Regulation also differentiate between the individual categories of data. Depending on which category of data is affected, the participating providers are subject to different obligations set out in Art. 6a-6c of the ePrivacy Regulation in order to lawfully process said data.[83] For instance, providers may be allowed to process electronic communications metadata for further compatible purposes under Art. 6c ePrivacy Regulation, while there is no corresponding provision for compatible processing of electronic communications content.[84] Also in the context of the storage and erasure of electronic communications data, different regulations apply within Art. 7 ePrivacy Regulation, depending on whether it concerns the sub-category of metadata or content.

a)  Electronic communications content, Art. 4 Sec. 3 lit. b)

Exchange of information is the object and purpose of any communication process. The concept of electronic communications content is broad and refers to the content of the information exchanged, which is the core of a communication process.[85] According to Art. 4 Sec. 3 lit. b) ePrivacy Regulation, the term ‘electronic communications content’ refers to ‘the content exchanged by means of electronic communications services, such as text, voice, videos, images and sound’. Thus, it does not matter in what format the content was exchanged between the parties to the communication, the decisive factor is that the data in question was subject of processing within an electronic communications service before it was exchanged. The use of an electronic communications service is therefore mandatory for the qualification of data as electronic communications content.

Electronic communications content is considered a particularly sensitive category of electronic communications data, as the protection of the content exchanged between the parties to a communication process pertains to the essence of the fundamental right to respect for private and family life, home and communications protected under Art. 7 CFR.[86] This categorisation implies that electronic communications content is primarily relevant in connection with the communication exchange of natural persons. But the protection of electronic communications content also plays a prominent role in connection with legal persons. It follows from Recital 3 that legal persons are included in the scope of protection of the ePrivacy Regulation precisely because the information disclosed and exchanged by them in communication processes is considered equally sensitive, economically valuable and worthy of protection, especially with regard to trade secrets.[87] Although such information may eventually result from metadata, it can primarily be assigned to the category of electronic communications content.

According to Recital 16a, within the framework of the ePrivacy Regulation, there should therefore be a presumption that any processing of this category of data constitutes a high risk activity with regard to the rights and freedoms of the parties concerned.[88] Accordingly, the requirements for processing electronic communications content are strict, especially in comparison to the processing of electronic communications metadata. For instance, unlike metadata in Art. 6c, the ePrivacy Regulation does not provide for the possibility of further processing for compatible purposes for electronic communications content without end-user consent.

Another example for the restrictive handling of electronic communications content is the opening clause in Art. 7 Sec. 4 ePrivacy Regulation, which allows Member States to create legal bases for the retention of electronic communications metadata beyond the general deletion period.[89] Such a possibility does not exist in the context of electronic communications content in Art. 7 ePrivacy Regulation, not even for exceptional circumstances.

b)  Electronic communications metadata, Art. 4 Sec. 3 lit. c)

In contrast to electronic communications content, the term electronic communications metadata is defined as ‘data processed by means of electronic communications services for the purposes of transmitting, distributing or exchanging electronic communications content; including data used to trace and identify the source and destination of a communication, data on the location of the device generated in the context of providing electronic communications services, and the date, time, duration and the type of communication’ in Art. 4 Sec. 3 lit. c) ePrivacy Regulation. In this context, Recital 14 complements the definition, explaining that regardless whether signals are conveyed by wire, radio, optical or electromagnetic means, including satellite networks, cable networks, fixed (circuit- and packet-switched, including internet) and mobile terrestrial networks, electricity cable systems, the data related to such signals should be considered electronic communications metadata. Thus, electronic communications metadata refers to the process of content transmission itself and captures all framework information accompanying the relevant communication process.

It is undisputed that location data (for a definition of this term see Art. 4 No. III.8.) generated for the purposes of granting and maintaining access and connection to a certain electronic communications service is considered metadata in terms of Art. 4 Sec. 3 lit. c) ePrivacy Regulation. However, location data might also be generated outside the provision of electronic communications services, e.g. taken from a GPS receiver of a device. Within the ePR Commission Proposal 2017, such location data was not considered metadata in terms of the ePrivacy Regulation and therefore excluded from its scope of application.[90] This gave rise to a debate in the following legislative process with respect to the question whether all location data should be treated and protected equally, regardless of its source.[91] Ultimately, the Council of the European Union decided to introduce a broader understanding of metadata that encompasses all metadata under the same legal framework, thus, including location data generated outside the context of the provision of electronic communications services.[92] According to Recital 17 of the ePrivacy Regulation in its current version, end-users have a legitimate and strong privacy interest in the control and confidentiality of all geographical location data that could be considered electronic communications metadata. The scope of protection of the ePrivacy Regulation therefore extends to all such data, not excluding location data from particular sources per se.

[82] Art. 5 No. III.

[83] See Arts. 6, 6a, 6b and 6c respectively.

[84] Art. 6c.

[85] Herbrich, jurisPR-ITR 18/2017 Anm. 2, B.I.

[86] Recital 16a.

[87] According to recital 15aaa, trade secrets are additionally protected under Directive (EU) 2016/943.

[88] Although recital 16a refers exclusively to natural persons in this context, this presumption can probably be applied accordingly to legal persons in light of Art. 1 Sec. 1a ePrivacy Regulation and its recital 3.

[89] Art. 7.

[90] ePR Commission Proposal 2017, at para. 17.

[91] Council of the European Union, ST 12293/19, p. 3.

[92] See Council of the European Union, Presidency, Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) from 5 January 2021, Doc. No. 5008/21, p. 4 at para. 22, p. 26 at para. 17.

The term ‘publicly available directory’ is defined as a ‘directory of end-users of number-based interpersonal communications services, whether in printed or electronic form, which is published or made available to the public or to a section of the public, including by means of a directory enquiry service and the main function of which is to enable identification of such end-users’. This term is therefore only relevant in the context of provisions concerning a certain sub-category of electronic communications services: the number-based interpersonal communications services as referred to in Art. 4 Sec. 1 lit. b) ePrivacy Regulation (see para. 57 et seqq.). Art. 15 of the ePrivacy Regulation contains the main material provision regarding the requirements for publicly available directories, the core of which is the necessity of end-user consent,[93] while Recital 30 provides supplementary explanations to the definition of such directories.

According to the definition provided in Art. 4 Sec. 3 lit. d), it is irrelevant for the application of the ePrivacy Regulation whether the directory is made publicly available in printed or electronic form. In addition, it follows from Recital 31 that the directory does not need to include a search function, a simple list is sufficient.[94] Furthermore, the definition in Art. 4 Sec. 3 lit. d) ePrivacy Regulation and its associated Recital 30 do not impose any restriction on specific categories of data or information that must be collected within the publicly available directory. It follows from the provision that the decisive factor in order to qualify as a relevant publicly available directory is that affected persons or entities are listed in the directory due to their status as end-users of number-based interpersonal communications services and that the main function of the directory is to allow the identification of its listed end-users.[95]

With regard to the public availability of the directory, the same understanding is applied as in the context of Art. 2 Sec. 2 ePrivacy Regulation.[96] The corresponding Recital 13 specifies public availability as the making available to an undefined group of end-users, in distinction to closed groups of potential users such as in the case of company-internal networks (or so-called Intranets), where the use is strictly limited to the employees or members of the respective company. The provision gives examples of excluded directories that are only available to closed groups, such as internal address books.

Examples for publicly available directories include printed phone books, online phone directories, but also a directory of users of messaging services, as long it is accessible to the general public or a section thereof (e.g. all registered users of a particular messaging service, but which is basically open for registration to everyone or everyone of a certain age group). Information which may be included in such a directory is, for instance, name, phone numbers, email and home addresses.[97]

[93] See Art. 15.

[94] However, as far as a search function is provided within the publicly available directory in question, additional restrictions for its operation apply according to recital 31.

[95] Recital 30.

[96] For details see Art. 2 No. III.3.

[97] Recital 30.

‘Electronic message’ shall mean ‘any message containing information such as text, voice, video, sound or image sent over an electronic communications network which can be stored in the network or in related computing facilities, or in the terminal equipment of its recipient, including e-mail, SMS, MMS and functionally equivalent applications and techniques’.

The term electronic message in this version of the ePrivacy Regulation adopted by the Council of the European Union was introduced as a substitute for the term ‘electronic mail’ which was used in the ePR Commission Proposal 2017.[98] In addition, an exemplary list of various means of communications and messaging types that are to be covered by the term electronic message was added to the definition in Art. 4 Sec. 3 lit. e). This list includes emails, but also other messaging types such as SMS and all functionally equivalent means. The modification of the definition by the Council of the European Union thus appears to have been made so not to limit the term to emails by default, but to design it as technology-neutral as possible. This is in line with the overall approach of the ePrivacy Regulation.

Within the ePrivacy Regulation, the notion of electronic messages is of particular relevance with regard to spam electronic messages and direct marketing communications (for the latter see Art. 4 No. III.4. below).[99] In line with the definition in Art. 4 Sec. 3 lit. e) of the version of the ePR Commission Proposal 2017, which merely referred to electronic mails, its Art. 16 Sec. 2 also used the latter terminology only. It suggested that Art. 16 Sec. 2 ought to apply to direct marketing communications transmitted via email only and that other marketing messages that reach end-users via SMS, for example, fall outside its scope.[100] However, such a restriction of the regulatory matter with regard to direct marketing communications would be outdated, unjustified and ultimately incompatible with the regulatory purpose of the ePrivacy Regulation. The change of terminology from ‘electronic mail’ to ‘electronic message’ in Art. 4 Sec. 3 lit. e) ePrivacy Regulation was necessary. It prevents misinterpretations of the regulation in Art. 16 ePrivacy Regulation and reduces the risk of legal loopholes, and encompasses alternative communication channels which are already frequently used for marketing purposes by businesses.

[98] See Council of the European Union, Presidency, Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) from 5 January 2021, Doc. No. 5008/21, p. 64, Art. 4 Sec. 3 lit. e).

[99] Cf. recital 16, recital 33, Art. 16 Sec. 2 ePrivacy Regulation.

[100] For further details regarding the regulatory content of Art. 16 Sec. 2 ePrivacy Regaulation see Art. 16.

The term ‘direct marketing communications’ is defined in Art. 4 Sec. 2 lit. f) ePrivacy Regulation as ‘any form of advertising, whether written or oral, sent via a publicly available electronic communications service directly to one or more specific end-users, including the placing of voice-to-voice calls, the use of automated calling and communication systems with or without human interaction, electronic message’. The terms ‘electronic communications service’, ‘voice-to-voice calls’ and ‘electronic message’ referred to in the definition are all addressed in more detail in other parts of Art. 4 ePrivacy Regulation.[101] For a general definition of public availability, reference can be made to Art. 2 Sec. 2 ePrivacy Regulation.[102] In principle, however, public availability always exists if the offer of an electronic communications service is not merely directed at a closed group of end-users which is limited by default (for example, a corporate network).

The term advertising is not legally defined within the ePrivacy Regulation. However, Art. 2 lit. a) Directive 2006/114/EC provides a definition[103], which offers a basis for interpretation. It encompasses a wide understanding of the term, meaning ‘the making of a representation in any form in connection with a trade, business, craft or profession in order to promote the supply of goods or services, including immovable property, rights and obligations’. Therefore, it might be assumed that advertising in terms of the ePrivacy Regulation does not only include product-related promotions, but also any form of indirect promotion of sales, such as general image marketing or sponsoring.[104]

Examples of advertising are the offering of additional services (even if complimentary) included in an email message acknowledging the receipt of customer inquiries[105], or customer satisfaction surveys via phone or electronic mail[106], as these are at least in parts intended to keep customers and to promote further sales.

The most relevant regulation referring to the definition of direct marketing communications is  Art. 16 ePrivacy Regulation which sets out a prohibition of the use of electronic communications services for the dissemination of such communications (see Art. 16 para. Xx). In contrast to the preceding provision of Art. 13 ePrivacy Directive, which  regulated specific means of communication (e.g. automated calling or fax), Art. 16 ePrivacy Regulation is meant to be technology-neutral.[107] According to the rationale of the ePrivacy Regulation, the privacy burden associated with this type of commercial messaging is the same regardless of the communication channel used.[108] The technology-neutrality of the regulation is achieved by the broad formulation of the definition of direct marketing communications in Art. 4 Sec. 3 lit. d) ePrivacy Regulation. The objective is to achieve a framework regulation for direct marketing communications that is future-proof, applies to all forms of direct marketing communications and does not exclude individual measures solely on the basis of particular technical details.[109]

According to Recital 33 ePrivacy Regulation, means of communication explicitly encompassed by the provision are automated calling and communication systems with or without human interaction, instant messaging applications, emails, text messages, MMS or messages sent via the Bluetooth standard.

The definition contains hardly any restrictions with regard to the technical component of direct marketing communications. It does, however, provide for restrictions with regard to the recipient and sender of such communication. Commercial communications which are not sent to a specific end-user for reception by that end-user at addresses, numbers or other contact details shall not be covered by the definition.[110] The specification of the recipient within the meaning of the regulation is therefore made on the basis of the personal contact details used for communication of direct marketing. This excludes the display of advertising on a  website or as part of an information society service requested by that end-user, cf. Recital 32.[111] The ePR Commission Proposal 2017 referred to the identifiability of the end-users (and not to specific means of communication and receipt) in order to distinguish ePrivacy-relevant direct marketing communications from general advertising measures which are not covered by the scope of the ePrivacy Regulation.[112] This terminology was aligned with the GDPR (Art. 4 No. 1) and generally allowed an interpretation of Art. 16 that also covered the mere broadcasting of advertising if it was based on behavioural tracking or profiling mechanisms (Art. 16.). Such application is now no longer provided for in Art. 16 ePrivacy Regulation.[113]

Regarding the sender of direct marketing communications, Member States may decide that communications sent by political parties and non-profit organizations for the promotion of their purposes can be covered by the rules applying to direct marketing communications, in addition to commercial operations.[114] Conversely, this also means that as long as Member States do not explicitly include these actors, only communications sent by businesses for commercial purposes are relevant.

[101] See Art. 4 No. I.2.b), No. I.2.f), No.III.3. respectively.

[102] See Art. 2 No. III.3.

[103] Directive 2006/114/EC of the European Parliament and of the Council of 12 December 2006 concerning misleading and comparative advertising.

[104] Cf. Fritzsche, in: Fritzsche/Münker/Stollwerck, BeckOK UWG (2019), § 7 UWG para. 45.

[105] German Federal Court of Justice (Bundesgerichtshof), judgement of 15 December 2015 – VI ZR 134/15, para. 19.

[106] German Federal Court of Justice (Bundesgerichtshof), judgement of 10 July 2018 – VI ZR 225/17 recital 17-18.

[107] With regard to the change of the term ‘electronic mail’ in Art. 16 Sec. 2 ePrivacy regulation to ‘electronic message’, see Art. 4 No. III.3.

[108] Recital 33.

[109] Recital 33.

[110] Recital 32.

[111] In the version of the ePrivacy Regulation proposed by the ePR Commission in 2017, this had not been specified in such a clear manner. Rather, advertising broadcast on websites could under certain circumstances also have been considered as direct marketing communication in the sense of the Regulation, see commentary on Art. 16.

[112] ePR Commission Proposal 2017, Art. 4 Sec. 3 lit. f) and recital 32.

[113] See Art. 4 No. III.2.

[114] Recital 33.

Building on the definition of direct marketing communications in Art. 4 Sec. 3 lit. f) ePrivacy Regulation, Art. 4 Sec. 3 lit. g) provides the definition of a special form of these communications, namely ‘direct marketing voice-to-voice calls’. These are defined as ‘live calls, which do not entail the use of automated calling systems and communication systems’.[115] Thus, voice-to-voice calls are based on human interaction, which is not a general requirement of direct marketing communications within Art. 4 Sec. 3 lit. f) ePrivacy Regulation. The opposite of voice-to-voice calls are ‘automated calling and communications systems’ as defined in Art. 4 Sec. 3 lit. h) ePrivacy Regulation, which might also be used as means of direct marketing communication (see Art. 4 No. III.6.).

As voice-to-voice calls necessarily require engagement of a human person for each exercised communication, they are generally a more costly means of direct marketing communications.[116] As a result, it will typically not be possible for senders of such communications to transmit the direct marketing messages at such a mass and frequency comparable to that of automated systems. Furthermore, it can be assumed that the personal nuisance factor of conversations with natural persons is typically lower than it is for automated means of direct marketing communications. Therefore, under certain circumstances, direct marketing voice-to-voice calls are subject to fewer restrictions than other forms of communication.[117] Voice-to-voice calls may thus be considered a legally privileged means of direct marketing communications.

[115] The term ‘call’ is defined in Art. 4 Sec. 1 lit. b) ePrivacy Regulation by means of reference to Art. 2 No. 31 EECC, see above at Art. 4 No. I.3.f).

[116] Recital 33a.

[117] Cf. Recital 33a; Art. 16 Sec. 4 ePrivacy Regulation grants Member States the possibility to establish or maintain laws with regard to direct marketing voice-to-voice calls, which enable senders to issue voice-to-voice calls without necessarily having to obtain explicit consent of the end-users, see commentary on Art. 16.

In contrast to the aforementioned definition of direct marketing voice-to-voice calls, ‘automated calling and communications systems’ in terms of Art. 4 Sec. 3 lit. h) ePrivacy Regulation are defined as ‘systems capable of automatically initiating calls to one or more recipients in accordance with instructions set for that system, and transmitting sounds which are not live speech, including calls made using automated calling and communication systems which connect the called person to an individual’. In these cases, the called end-user does not have a natural person as conversation partner, but is exposed to pre-formulated conversation modules and audio recordings. For senders, this constitutes a cost-efficient communication alternative, which can be used on a much larger scale and is therefore potentially more intrusive with regards to the interests of affected end-users.[118]

[118] Cf. recital 40 ePrivacy Directive.

 

‘Direct Marketing Calls’ are defined as ‘direct marketing voice-to-voice calls and calls made via automated calling and communication systems for the purpose of direct marketing’ in Art. 4 Sec. 3 lit. i) ePrivacy Regulation. The term is thus to be understood as a collective term or umbrella term for both of the special forms of direct marketing communications, voice-to-voice calls (Art. 4 Sec. 3 lit. g), see Art. 4 No. III.5. et seq.) and automated calls and communications systems (Art. 4 Sec. 3 lit. h), see Art. 4 No. III.6.). Within the ePrivacy Regulation, the term ‘direct marketing calls’ is only referred to in Art. 16, for the purpose of joint reference to the two forms of direct marketing communication mentioned above. The term direct marketing calls has no independent meaning beyond that. Therefore, reference is made to the comments on the two sub-categories of direct marketing calls.

The term ‘location data’ is defined as ‘data processed by means of an electronic communications network or service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service’. This definition largely corresponds to the definition of location data in Art. 2 Sec. 2 lit. c) ePrivacy Directive. The only addition made was that location data can also be processed by means of electronic communications services, not just networks. The ePR Commission Proposal 2017 did not envisage an autonomous definition of location data. This was only introduced by the Portuguese Presidency of the Council of the European Union in order to provide legal certainty and consistency of the text.[119]

Location data is usually collected within the framework of electronic communication services or networks via the Global Navigation Satellite System (GNSS) functionalities of the terminal equipment that is used for communication by end-users. Transmission of this category of data can generally be deactivated by end-users via default system settings on the terminal equipment. In this context, however, special obligations apply to the operators of electronic communications networks and the providers of services in connection with emergency calls. Here, it must be possible to collect the location data in spite of conflicting user settings.[120]

In addition to the special provisions for emergency calls, the primary relevance of location data in the context of the ePrivacy Regulation lies in its capacity as a special category of electronic communications metadata.[121] Arguably, end-users will have privacy interests in this category of metadata particularly worthy of protection, as it reveals their place of residence and physical movements. Correspondingly, the ePrivacy Regulation contains special provisions for this category of data. An example is Art. 6b ePrivacy Regulation, which sets out that different requirements apply to the processing of location data compared to other metadata.[122]

[119] See Council oft he European Union, Presidency, Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) from 5 January 2021, Doc. No. 5008/21, p. 6 at para. 31.

[120] Cf. Art. 13 Sec. 3 ePrivacy Regulation, recital 28; for detail see Art. 13.

[121] Regarding the classification of location data as electronic communications metadata see Art. 4 No. III.1.b).

[122] cf. Art. 6b Sec. 1 lit. e) ePrivacy Regulation; see Art. 6b para. 27 et seqq.