5 internet tracking techniques invading your privacy, according to the EU
Data protection regulates more than just cookies
TL;DR
This newsletter is about the EDPB's guidelines on the technical scope of the ePrivacy Directive. It looks at what ePrivacy is about, what the guidelines clarify about its scope, and the kinds of tracking activity it regulates.
Here are the key takeaways:
The ePrivacy Directive is an EU law regulating the processing of personal data in the electronic communications sector.
One of the Directive's aims is to ensure the confidentiality of users' communications on electronic communication services.
Accordingly, under Article 5(3) of the Directive, service providers cannot store or gain access to information on a user's device unless they have the user's consent, or the information is needed to convey communications or to provide a service requested by the user.
In November 2023, the European Data Protection Board published guidelines on the technical scope of this obligation.
These guidelines provide the Board's interpretation of Article 5(3) and its application to various forms of technical operations for tracking, including:
Tracking URLs and pixels
Local processing
IP-based tracking
Intermittent and mediated IoT reporting
Unique identifiers
The Board considers all of these tracking techniques to be within the scope of Article 5(3); service providers therefore cannot use them unless:
The user has given their consent to the use of the technique
The technique is needed to convey the user's communications
The technique is needed to provide a service requested by the user
What is ePrivacy?
The ePrivacy Directive (ePD) is an EU law regulating the processing of personal data in the electronic communications sector.
Such rules were first introduced by the EU in the late 90s in response to the privacy concerns raised by the telecommunication services proliferating at that time. Since then, these rules have been updated several times to keep pace with technological developments, including the rise of internet-based services.
Accordingly, the ePD applies to telecommunications companies, internet service providers and providers of interpersonal communications services. It therefore covers the instant messaging and web-based email services commonly used today.
One of the ePD's aims is to ensure the confidentiality of communications on these services (Article 5). This obligation has three parts:
Service providers cannot intercept or surveil the communications of their users without user consent or legal authorisation under national law (Article 5(1)).
Service providers can store communications for lawful business practices, such as providing evidence of a commercial transaction (Article 5(2)).
Service providers cannot store or gain access to information on a user's device unless they have the user's consent, or the information is needed to convey the user's communications or to provide a service requested by the user (Article 5(3)).
What do the EDPB guidelines say?
In November 2023, the European Data Protection Board (EDPB) published guidelines on the technical scope of Article 5(3).
These guidelines therefore address the third part of the confidentiality obligation under Article 5. They clarify which technical operations on electronic communication services constitute storing, or gaining access to, information on a user's device.
The guidelines complement the extensive legal coverage that already exists for web cookies.[1] They therefore address the lack of official guidance on similar technologies that may also be subject to the ePD's confidentiality obligations.[2]
There are two key sections in the EDPB's guidance. The first provides a comprehensive interpretation of Article 5(3), and the second applies this interpretation to different technical operations for internet tracking.
Interpretation of Article 5(3)
The first key section looks at the meaning of Article 5(3), the full text of which reads as follows:
Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with [the GDPR], inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.
The EDPB guidelines focus on the first part of this provision. In particular, they seek to clarify what is covered by the phrase 'to store information or gain access to information stored in the terminal equipment of a subscriber or user.'
This part of Article 5(3) is broken down into the following chunks:
'Information' means "both non-personal and personal data, regardless of how this data was stored and by whom."[3]
'Terminal equipment' means devices that form the endpoints of a communication, such as smartphones, laptops, connected cars or TVs and even smart glasses.[4]
'Provision of publicly available electronic communications services in public communications networks' means "any network system that allows transmission of electronic signals between its nodes, regardless of the equipment and protocols used."[5]
'Gaining of access' covers an entity that wishes to gain access to information on a user's terminal equipment and actively takes steps to this end. This includes, for example, sending instructions to the user's device that cause it to send back the targeted information.[6]
'Storage' means "placing information on a physical electronic storage medium that is part of a user or subscriber's terminal equipment." This includes using software on the user's device to generate specific information that is then stored on that device.[7]
Application of Article 5(3)
The second key section of the EDPB's guidance applies its interpretation of Article 5(3).
The table below summarises how the EDPB applies its interpretation of Article 5(3) to the technical operations used in various electronic communications services. It includes a description of each operation and how it falls within the scope of the ePD.
According to the EDPB, service providers cannot use any of the above tracking techniques unless either:
The user has given their consent to the use of the technique
The technique is needed to convey the user's communications
The technique is needed to provide a service requested by the user
[1] See for instance Case C-40/17, Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV (29 July 2019) and Case C-673/17, Bundesverband der Verbraucherzentralen and Verbraucherverbände — Verbraucherzentrale Bundesverband eV v Planet49 GmbH (1 October 2019).
[2] EDPB, Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive (14 November 2023), para. 1.
[3] EDPB, Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive (14 November 2023), para. 12.
[4] EDPB, Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive (14 November 2023), paras. 15 and 16.
[5] EDPB, Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive (14 November 2023), para. 22.
[6] EDPB, Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive (14 November 2023), para. 31.
[7] EDPB, Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive (14 November 2023), paras. 34 and 35.