New Guideline on the ePrivacy Directive Open for Public Consultation by the EDPB

On November 14, 2023, the European Data Protection Board (EDPB) adopted Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive, in which it addresses the applicability of Article 5(3) of the ePrivacy Directive (ePD) to different technical solutions for tracking.

According to the executive summary, with “the emergence of new tracking methods to both replace existing tracking tools (for example, cookies, due to discontinued support for third-party cookies),” and the creation of “new business models, [...] a critical data protection concern” has arisen because “while the applicability of Article 5(3) of the ePrivacy Directive is well established and implemented for some tracking technologies such as cookies, there is a need to remove ambiguities related to the application of the said provision to emerging tracking tools.”

To help clarify things, the Guidelines look at four key elements identified in the applicability of the ePD, namely “information, terminal equipment of a subscriber or user, gaining access and stored information and storage” which it then defines and analyzes. Next, the Guidelines offer some use cases where the analysis of the four key elements is applied to common techniques such as URL and pixel tracking, Local processing, Tracking based on IP only, Intermittent and mediated Internet of Things (IoT) reporting, or Unique Identifier. 

Below we look at the way the 4 key elements are analyzed, along with a use case where the analysis applies. According to the Guidelines, Article 5(3) ePD applies if the following 4 criteria apply:

• CRITERION A: the operations carried out relate to ‘information’. It should be noted that the term used is not ’personal data’, but ‘information’.
• CRITERION B: the operations carried out involve a ‘terminal equipment’ of a subscriber or user.
• CRITERION C: the operations carried out are made in the context of the ‘provision of publicly available electronic communications services in public communications networks’.
• CRITERION D: the operations carried out indeed constitute a ‘gaining of access’ or ‘storage’. Those two notions can be studied independently, as reminded in WP29 Opinion 9/2014: ‘Use of the words “stored or accessed” indicates that the storage and access do not need to occur within the same communication and do not need to be performed by the same party.

Information:

• The goal of Article 5(3) ePD is to protect the private sphere of the users, as stated in its Recital 24: ‘Terminal equipment of users of electronic communications networks and any information stored on such equipment are part of the private sphere of the users requiring protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms’. Consequently, it is also protected by Article 7 of the EU Charter of Fundamental Rights.
• As confirmed by the Court of Justice of the EU: ‘That protection applies to any information stored in such terminal equipment, regardless of whether or not it is personal data, and is intended, in particular, as is clear from that recital, to protect users from the risk that hidden identifiers and other similar devices enter those users’ terminal equipment without their knowledge’
• The notion of information includes both non-personal data and personal data, regardless of how this data was stored and by whom, i.e. whether by an external entity (also including other entities than the one having access), by the user, by a manufacturer, or any other scenario.

Terminal Equipment of a Subscriber or User

• ‘terminal equipment’ is defined as: ‘equipment directly or indirectly connected to the interface of a public telecommunications network to send, process or receive information; in either case (direct or indirect), the connection may be made by wire, optical fibre or electromagnetically; a connection is indirect if equipment is placed between the terminal equipment and the interface of the network.’
• A terminal equipment may consist of any number of individual pieces of hardware, which together form the terminal equipment. This may or may not take the form of a physically enclosed device hosting all the display, processing, storage and peripheral hardware (for example, smartphones, laptops, connected cars or connected TVs, smart glasses).
• The ePD acknowledges that the protection of the confidentiality of the information stored on a user’s terminal equipment and integrity of the user’s terminal equipment is not limited to the protection of the private sphere of natural persons but also concerns the right to respect for their correspondence or the legitimate interests of legal persons. As such, a terminal equipment that allows for this correspondence and the legitimate interests of the legal persons to be carried out is protected under Article 5(3) ePD.
• The protection is guaranteed by the ePD to the terminal equipment associated with the user or subscriber involved in the communication, and it is not dependent on whether the electronic communication was initiated by the user or even on whether the user is aware of the said communication.

Gaining access:

• The ePD is a privacy preserving legal instrument aiming to protect the confidentiality of communications and the integrity of devices. In Recital 24 ePD, it is clarified that, in the case of natural persons, the user’s terminal equipment is part of their private sphere and that accessing information stored on it without their knowledge may seriously intrude upon their privacy.
• Storage and access do not need to be cumulatively present for Article 5(3) ePD to apply. The notion of ’gaining access’ is independent from the notion of ‘storing information’. Moreover, the two operations do not need to be carried out by the same entity.
• Whenever the accessing entity wishes to gain access to information stored in the terminal equipment and actively takes steps towards that end, Article 5(3) ePD would apply. Usually this entails the accessing entity to proactively send specific instructions to the terminal equipment in order to receive back the targeted information. For example, this is the case for cookies, where the accessing entity instructs the terminal equipment to proactively send information on each subsequent HTTP (Hypertext Transfer Protocol) call.
• In some cases, the entity instructing the terminal to send back the targeted data and the entity receiving information might not be the same. This may result from the provision and/or use of a common mechanism between the two entities. For example, one entity may have used protocols that imply the proactive sending of information by the terminal equipment which may be processed by the receiving entity. In these circumstances, Article 5(3) ePD may still apply.

‘Stored Information’ and ‘Storage’

• Storage of information in the sense of Article 5(3) ePD refers to placing information on a physical electronic storage medium that is part of a user or subscriber’s terminal equipment
• Typically, information is not stored in the terminal equipment of a user or subscriber through direct access by another party, but rather by instructing software on the terminal equipment to generate specific information. Storage taking place through such instructions is considered to be initiated directly by the other party. This includes making use of established protocols such as browser cookie storage as well as customized software, regardless of who created or installed the protocols or software on the terminal equipment.
• The ePD does not place any upper or lower limit on the length of time that information must persist on a storage medium to be counted as stored, nor is there an upper or lower limit on the amount of information to be stored.
• Similarly, the notion of storage does not depend on the type of medium on which the information is stored. The storage medium may be connected internally, externally (e.g. through a USB connection) or through a network protocol (e.g. a network-attached-storage device).
• As long as the networked storage medium constitutes a functional equivalent of a local storage medium, that storage medium will be considered part of the terminal equipment.
• ‘Stored information’ may not just result from information storage in the sense of Article 5(3) ePD as described above; it can also be stored by the user or subscriber, or by a hardware manufacturer, or any other entity; or it can be the result of sensors integrated into the terminal; or it can be produced through processes and programs executed on the terminal equipment, which may or may not produce information that is dependent on or derived from stored information.

Use case - URL and Pixel Tracking

A tracking pixel is a hyperlink to a resource, usually an image file, embedded into a piece of content like a website or an email. This pixel usually fulfills no purpose related to the content itself; its sole purpose is to establish a communication by the client to the host of the pixel, which would otherwise not have occurred. Establishment of a communication transmits various information to the host of the pixel, depending on the specific use case.

In the case of an email, the sender may include a tracking pixel to detect when the receiver reads the email. Tracking pixels on websites may link to an entity aggregating many such requests and thus being able to track users’ behavior. Such tracking pixels may also contain additional identifiers as part of the link. These identifiers may be added by the owner of the website, possibly related to the user’s activity on that website. They may also be dynamically generated through client-side applicative logic. In some cases, links to legitimate images may also be used for the same purpose by adding additional information to the link.

Tracking links are functioning in the same way, but the identifier is appended to the website address. When the URL is visited by the user, the targeted website loads the requested resource but also collects an identifier which is not relevant in terms of resource identification. They are very commonly used by websites to identify the origin of their inbound source of traffic. For example, e-commerce websites can provide tracked links to partners to use on their domain so that the e-commerce website knows which of their partners is responsible for a sale and pay a commission, a practice known as affiliate marketing.

Both tracking links and tracking pixels can be distributed through a wide variety of channels, for example through emails, websites, or even, in the case of tracking links, through any kind of text messaging systems.

Under the condition that said pixel or tracked URL have been distributed over a public communication network, it is clear that it constitutes storage on the communication network user’s terminal equipment, at the very least through the caching mechanism of the client-side software. As such, Article 5(3) ePD is applicable.

The inclusion of such tracking pixels or tracked links in the content sent to the user constitutes an instruction to the terminal equipment to send back the targeted information (the specified identifier). In the case of dynamically constructed tracking pixels, it is the distribution of the applicative logic (usually a JavaScript code) that constitutes the instruction. As a consequence, the collection of the identifiers provided by tracking pixels and tracked URL can be considered a ‘gaining of access’ in the meaning of Article 5(3) ePD, and thus the latter is applicable to that step as well.

The Guidelines are open for public consultation for a period of six weeks, between November 16, 2023 and December 28, 2023.