“They will cover many scenarios”, said an EDPB member informally a couple of days ago, talking about what would become the EDPB’s new Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive (subject to a public consultation – more on that later).
After having gone through them in detail, I cannot help but feel that this was an understatement of the enormity of the impact that these guidelines would have.
Before publishing an analysis of the “content” part of the guidelines themselves (which redefine the “cookie” rule (Art. 5(3) of the ePrivacy Directive) to also cover pixels, URLs, IP addresses and more), I feel it is important to examine the issue of competence of the EDPB from a legal perspective: on what basis did it adopt these guidelines? Does it even have the authority to do so?
[In a subsequent article (next week) [EDIT: link to Part II], I will provide a critical look at the content of the guidelines as such and areas where I feel that there needs to be an in-depth discussion.]
[EDIT: On 16 October 2024, the EDPB published its final, “post-consultation” version. Most of the issues affecting the initial version continue to affect the final version. See comparison here.]
EDPB & ePrivacy
The EDPB is the successor of the Article 29 Working Party (instituted by the Data Protection Directive, Directive 95/46/EC), to which Article 15(3) of the ePrivacy Directive referred:
“The Working Party on the Protection of Individuals with regard to the Processing of Personal Data instituted by Article 29 of Directive 95/46/EC shall also carry out the tasks laid down in Article 30 of that Directive with regard to matters covered by this Directive, namely the protection of fundamental rights and freedoms and of legitimate interests in the electronic communications sector.”
That Article 30 of the Data Protection Directive listed the tasks of the Article 29 Working Party, which included in general (i) addressing opinions to the Commission (30(1) & (2)) and (ii) making “recommendations on all matters relating to the protection of persons with regard to the processing of personal data in the [EU]” (30(3)).
No “guidelines”, note.
When the GDPR became applicable, all references to the DPD had to be interpreted as references to the GDPR, and all references to the Article 29 Working Party had to be interpreted as references to the EDPB (Art. 94(2) GDPR).
In 2019, the EDPB published an Opinion on the interplay between the ePrivacy Directive and the GDPR (Opinion 05/2019), which was not an opinion for the attention of the Commission but an opinion requested by the Belgian Data Protection Authority in accordance with Article 64(2) GDPR (“Any supervisory authority, the Chair of the Board or the Commission may request that any matter of general application or producing effects in more than one Member State be examined by the Board with a view to obtaining an opinion […]”). In this Opinion, the EDPB quoted its own interpretation of the new scope of Article 15(3) ePD:
“The [European Data Protection Board] shall also carry out the tasks laid down in [Article 70 of Regulation (EU) 2016/679] with regard to matters covered by this Directive, namely the protection of fundamental rights and freedoms and of legitimate interests in the electronic communications sector.”
Now, Article 70 GDPR is far broader in terms of types of powers than Article 30 DPD ever was. Guidelines, binding decisions, etc.: the EDPB has more tools in its arsenal than the Article 29 Working Party had.
“That is surely what the legislator intended”, you might think.
However, there is at least one issue with that: the EDPB’s own members are not always the ones with jurisdiction over ePrivacy enforcement (whether in relation to cookie rules or in relation to other parts of the ePD, such as pure telecom provisions). Opinions and recommendations are one thing, but guidelines (which inherently seem to be at least slightly more binding upon authorities themselves) and binding decisions? Why should, for instance, an authority entrusted with data protection enforcement be permitted to dictate the position that another authority should take with respect to points that fall within its sole remit?
Because the EDPB itself does not tackle this issue in the new guidelines, three options emerge rapidly:
- EDPB guidelines in relation to ePrivacy should only be seriously taken into account in countries and matters in which the ePrivacy regulator is a member of the EDPB. [I suspect that the EDPB might not be too happy with this option.]
- The EDPB can adopt guidelines that tell regulators – even regulators who are not part of the EDPB – how they should be interpreting and applying the ePrivacy rules and that tell organisations how they should be complying with those rules. [This would, I assume, be the EDPB’s preferred approach, but it then raises serious questions regarding the legality of the EDPB’s authority.]
- In relation to the ePD, the EDPB’s powers are (i) the full range of Art. 70 GDPR solely in relation to the processing of personal data and (ii) for all other aspects, limited to powers that are equivalent to what the Article 29 Working Party had. [In my view, probably the “least bad” solution for everyone.]
EDPB & Guidelines on Art. 5(3) ePD
With the above in mind, how should we look at these new Art. 5(3) ePD guidelines?
As I will explain (and – spoiler alert – criticise) in a subsequent article, these new guidelines include many considerations that lead to a de facto broadening of the commonly understood scope of Art. 5(3) ePD in a manner that has significant consequences, in particular in the light of recent data protection case law.
Yet the EDPB made it clear in its aforementioned Opinion 05/2019 that a data protection authority cannot claim authority over enforcement of the ePD without a clear legal basis:
“In case national law confers competence for the enforcement of the ePrivacy Directive on the data protection authority, the law should also determine the tasks and powers of the data protection authority in relation to the enforcement of the ePrivacy Directive. The data protection authority cannot automatically rely on the tasks and powers foreseen in the GDPR to take action to enforce national ePrivacy rules, as these GDPR tasks and powers are tied to the enforcement of the GDPR. National law may assign tasks and powers inspired by the GDPR, but may also grant other tasks and powers to the data protection authority for enforcement of national ePrivacy rules in accordance with article 15a of the ePrivacy Directive” (Opinion 05/2019, para. 66)
Put differently, a data protection authority that has not been explicitly given powers in relation to Art. 5(3) ePD cannot enforce it, unless and to the sole extent that the information being processed is personal data.
Thinking about the options listed above, this would mean the following:
- Under option 1 (i.e. if we consider that EDPB guidelines on the ePD should only be taken seriously in relation to countries and matters in relation to which the regulator is a member of the EDPB), these guidelines would then be applied differently depending on the jurisdiction:
  (a) if the data protection authority is empowered with enforcement of Art. 5(3) ePD locally, the guidelines are relevant;
  (b) if the data protection authority is not entrusted with that authority, the guidelines are only relevant insofar as they relate to the processing of personal data.
  What makes this second point particularly awkward is that these guidelines barely speak of “personal data”, pretty much only to say that Art. 5(3) ePD applies to all “information” – personal data and non-personal data.
- Under option 2 (i.e. if the guidelines are pretty much binding for every regulator entrusted with enforcement of Art. 5(3) ePD), there are obvious issues of representation, as the regulator not part of the EDPB is being told what to do and how to interpret a particular provision, without having been part of the discussion.
- Under option 3, the use of “guidelines” in this context would be seen as a mistake, and they should then purely be viewed as an opinion for the Commission or as simple recommendations, nothing more. Indeed, as mentioned above, these guidelines in practice do not really talk about the rules applicable to “personal data” but explicitly aim to cover all kinds of information. If it then had wished to adopt actual “guidelines”, the EDPB should have limited the scope of its considerations to situations where the information in question is “personal data”.
Either way, in its current form and taking into account the procedure that led to its adoption, this set of guidelines raises serious questions as to its own legality and nature.
Can the public consultation help?
These guidelines are subject to a public consultation, running until 28 December 2023. [EDIT: deadline pushed back to 18 January 2024]
Past consultations have shown that the EDPB usually sticks to its position. One notable exception was its adoption of a slightly more pragmatic approach in (only some parts of) its recommendations on “supplementary measures” for data transfers, but more often the changes appear to lead to a slight hardening of the EDPB’s position (see e.g. the recent administrative fines guidelines, which were barely modified and in fact were modified to propose even higher fines).
It therefore appears unlikely that the EDPB will suddenly restrict the scope of these guidelines to only cover situations relating to personal data – but nothing should prevent it from transforming them into recommendations to better mirror the Article 29 Working Party powers while taking into account the limits of the EDPB’s own membership.
From that perspective, it may remain useful to raise this question in any comments you make on the guidelines.
Would you like to send comments to the EDPB, but are you concerned about the fact that your name as responder will be made public? Get in touch – we have helped clients submit responses confidentially, by serving as the intermediary and signatory.
And stay tuned for next week’s in-depth analysis of the “content” part of the guidelines. [EDIT: link to Part II]
[As with my previous article on “pay or data”, this article is intended to spark discussion. I would obviously be delighted to read other suggestions of solutions to this issue, and hope that the EDPB itself will at one point clarify its take on this.]

