On November 14, 2023, the European Data Protection Board (EDPB) published its guidelines on the material scope of Art. 5(3) of the ePrivacy Directive (Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive).
Art. 5(3) in its current version, as amended by Directive 2009/136/EC, reads as follows:
3. Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.
It is undisputed that this provision covers more than just cookies (which is why cookie policies usually refer to “similar technologies”), but its precise scope of application is unclear.
The EDPB attempts to shed light on such technologies with the express intention of preventing circumvention, i.e. by way of a deliberately broad interpretation.
Art. 5 para. 3 has four constituent elements:
- “Information” is stored or read out;
- It is about a “terminal device”;
- the transactions are in connection with a telecommunications transmission in a public network (“provision of publicly available electronic communications services in public communications networks”);
- there is a “storage” of or “access” to information.
The EDPB discusses these four elements:
“Information”
- Not only personal data is covered, because the provision is about the confidentiality of information and protection against intrusion, not about informational self-determination, i.e. not about a particular use of data with a personal reference. This is the guiding principle for the EDPB’s interpretation, although it does not attempt to determine the limits of the corresponding protected sphere;
- It is sufficient if information is merely read, and not changed, which is why reading a MAC address, for example, is also covered.
“Terminal device”
- A terminal device is any device that does more than merely transmit information. Whether the terminal device belongs to the user, is rented or is merely used is irrelevant.
- Nor does it matter whether the user wants, or is aware of, the processing of information via the terminal device.
- Examples include smartphones, laptops, connected cars, smart TVs and smart glasses.
Telecommunication transmission
- This requirement is hardly restrictive, although only public networks are covered. A certain restriction of the user group, e.g. to subscribers, does not take a network out of the scope of application.
“Access” to information
- Information of a legal entity is also protected against access.
- Access is also covered if the data is not stored at all or is stored by another body. The origin of the data read out is likewise irrelevant. Art. 5 para. 3 therefore applies whenever information is actively accessed.
- Typical cases are instructions sent from a server to the terminal device that return information, as when cookies are read. Access to information via an API of software on the terminal device, or via JavaScript through which a browser supplies information, is likewise covered, because here too the retrieval of information is actively initiated.
- The same applies if one body initiates the transmission of information to another body.
“Storage” of information
- This means that information is stored on a physical data carrier that functionally belongs to the terminal device, for example in RAM or a cache, or on an external but connected memory. This is usually not done directly but via software on the terminal device that generates the information; it can, however, also be done by the user themselves or by another body, as long as the storage is actively initiated.
- How large the information is and how long it is stored does not matter.
Use cases
The use cases discussed by the EDPB include the following:
- The reading of MAC or IP addresses;
- Fingerprinting based on information such as HTTP header information;
- Pixel tracking or tracking through links, i.e. in both cases the call of a coded URL by the mail client or browser with a corresponding transfer of information to a server. The transmission of the pixel or coded link results in the active reading of information:
Under the condition that said pixel or tracked URL have been distributed over a public communication network, it is clear that it constitutes storage on the communication network user’s terminal equipment, at the very least through the caching mechanism of the client-side software. As such, Article 5(3) ePD is applicable;
- a request for information via an API, provided that information is subsequently transmitted via a network;
- Tracking solely via an IP address, provided that this information is read out from the terminal device (for example by a router), even in the case of a dynamic IP address that is generated on the server side, e.g. via DHCP;
- reading information from a connected IoT device if it transmits information via a public network (e.g. via WiFi or a SIM card), but not if information is transmitted via a non-public connection (point-to-point connection);
- the reading of a unique identifier, e.g. a hash value based on user data or a login.
However, access to information that takes place exclusively within the terminal device itself, such as an application on the phone accessing the camera, or the browser accessing cookies or other locally stored data, is not covered.
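As an added illustration (not part of the article or the EDPB guidelines), the following Python script applies the distinction drawn above to an HTML e-mail. It lists every image and link the message references and separates resources that the mail client resolves locally (cid: attachments and data: URIs, which the article places outside Art. 5(3)) from those whose rendering or clicking triggers a fetch over a public network, and it flags remote resources that carry an opaque per-recipient token, the pattern behind tracking pixels and tracked links. The sample message, host names and tokens are constructed; the length threshold for treating a query value as an identifier is an assumption of this example.

```python
# Added example, not code from the article or the EDPB. Classifies the
# resources an HTML e-mail references by whether loading them causes a
# transmission over a public network (the trigger described in the article
# for tracking pixels and tracked links). Sample input is constructed.
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Query values at least this long are treated as candidate per-recipient
# identifiers. The threshold is an assumption of this example.
TOKEN_MIN_LEN = 16


@dataclass
class Resource:
    tag: str                    # "img" or "a"
    src: str                    # URL the client would fetch or open
    remote: bool                # fetched over the network when rendered/clicked
    hidden: bool                # zero/one-pixel or display:none image
    token_params: list = field(default_factory=list)  # query keys with opaque values

    @property
    def in_scope(self) -> bool:
        # Only a transmission over a public network is caught; cid:/data:
        # resources are resolved inside the mail client itself.
        return self.remote

    @property
    def tracking_candidate(self) -> bool:
        # A remote fetch that also carries an opaque identifier lets the
        # server link the request (and its IP/headers) to one recipient.
        return self.remote and bool(self.token_params)


class _Collector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "img" and a.get("src"):
            self.resources.append(_classify("img", a["src"], a))
        elif tag == "a" and a.get("href"):
            self.resources.append(_classify("a", a["href"], a))


def _is_remote(url: str) -> bool:
    return urlparse(url).scheme.lower() in ("http", "https")


def _is_hidden(a: dict) -> bool:
    sizes = [a.get("width", "").strip(), a.get("height", "").strip()]
    style = a.get("style", "").replace(" ", "").lower()
    tiny = any(sizes) and all(s in ("0", "1", "0px", "1px") for s in sizes if s)
    return tiny or "display:none" in style or "visibility:hidden" in style


def _token_params(url: str) -> list:
    qs = parse_qs(urlparse(url).query, keep_blank_values=True)
    return sorted(k for k, vals in qs.items()
                  if any(len(v) >= TOKEN_MIN_LEN for v in vals))


def _classify(tag: str, url: str, attrs: dict) -> Resource:
    remote = _is_remote(url)
    return Resource(tag=tag, src=url, remote=remote,
                    hidden=(tag == "img" and _is_hidden(attrs)),
                    token_params=_token_params(url) if remote else [])


def classify_resources(html: str) -> list:
    """Return one Resource per <img src> / <a href>, in document order."""
    c = _Collector()
    c.feed(html)
    return c.resources


def tracking_candidates(html: str) -> list:
    """Remote resources that carry an opaque identifier in their query."""
    return [r for r in classify_resources(html) if r.tracking_candidate]


# Constructed sample e-mail: inline (cid:) logo, data: URI icon, visible
# remote banner, hidden remote pixel with a recipient token, tracked link.
SAMPLE_MAIL = """
<html><body>
<img src="cid:logo@example" width="120" height="40">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" width="16" height="16">
<img src="https://images.example/banner.png" width="600" height="200">
<img src="https://t.example/o.gif?r=6f1c2a9b4e7d8c3a5b2f1e0d9c8b7a6e" width="1" height="1" style="display:none">
<a href="https://t.example/c?u=6f1c2a9b4e7d8c3a5b2f1e0d9c8b7a6e&l=3">Read more</a>
</body></html>
"""

if __name__ == "__main__":
    for r in classify_resources(SAMPLE_MAIL):
        flag = "TRACKING?" if r.tracking_candidate else ("remote" if r.remote else "local")
        print(f"{flag:9} {r.tag:3} hidden={str(r.hidden):5} tokens={r.token_params} {r.src}")
```

Run as a script, it prints one line per resource: the two local resources never leave the client, the visible banner is a remote fetch without an identifier, and the pixel and the link are both remote fetches whose query carries a 32-character token. The fetch itself also transmits the client’s IP address and request headers such as User-Agent and Accept-Language, which is the header information the article lists under fingerprinting; a mail client that blocks remote content by default prevents exactly the transmission the EDPB treats as access under Art. 5(3).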
A look at Switzerland
Switzerland has a related provision in Art. 45c TCA (“Processing on third-party devices”):
Processing data on third-party devices by means of telecommunications transmission is only permitted: […]
b. if the users are informed about the processing and its purpose and informed that they may refuse processing.
In principle, this provision requires information about the processing and its purpose, together with a right to object, whenever data is processed “on third-party devices”. However, its scope of application is largely unclear. The wording, for example, refers only to processing on the third-party device. According to the dispatch, however, the reading of information is also meant to be covered (“processing of data within the meaning of Article 45c includes storage, access and any other processing”).
The doctrine then argues that Art. 45c TCA only covers the processing of personal data. However, the dispatch on Art. 45c TCA in itself suggests a broader interpretation, especially since it not only mentions privacy as the purpose of protection (and even here: Art. 13 BV also concerns the processing of non-personal data), but also the protection against access to devices, and expressly intends a reference to Art. 5 para. 3 (but in the original version of the Directive, which had provided for a right of objection, but not a requirement for consent).
However, as soon as personal data is processed, data protection law applies. The following then holds:
- The concept of personal data still corresponds to the Logistep decision. A data item is personal only if it can be assigned to a natural person with reasonable effort. A cookie ID, a MAC address, etc. does not generally constitute personal data for the operator. It would be different if the operator uses this information in a way that enables identification, e.g. in criminal proceedings involving the ISP or in connection with a user login.
- Consent is generally not required. Art. 45c TCA only provides for a right to object and, as is well known, data protection law does not require consent as long as the processing principles are complied with.
- The principles of data protection law require transparency. In addition, there is the obligation to provide information in accordance with Art. 19 FADP.
- Neither Art. 45c TCA nor data protection law require a cookie banner. It is sufficient to provide information in a privacy policy or cookie notice.
- If a cookie banner is used, it does not have to be designed in a certain way as long as it is not misleading. In principle, an “OK” button, an “Agree” button, a “Configure” button or a combination is permitted. Anyone who uses an “Agree” and a “Configure” button, but no “Reject” button, is not behaving in a particularly user-friendly manner, but is not violating Swiss law. Such a design is also unlikely to violate the principle of good faith, insofar as it applies at all (which presupposes the processing of personal data). User-unfriendly behavior is not contrary to good faith; the threshold of interference is not that low, and there is no special relationship with the user of a website that could require a higher standard.
- Anyone who decides to work with consent is allowed to do so. In Switzerland, there is no requirement to technically facilitate the withdrawal of consent (nor the objection pursuant to Art. 45c TCA). Accordingly, there is no obligation to offer an opt-out menu or similar on an ongoing basis. However, anyone working with consent must observe the privacy by default principle. Depending on the design of the setting options, this may result in a requirement to deactivate the cookies subject to consent by default.
- The purpose is the benchmark for assessing proportionality. The controller freely sets the purpose in accordance with the principle of private autonomy within the framework of mandatory law. There is no legal purpose in the private sector outside of mandatory processing, i.e. no “iustum pretium” for data processing. Data protection law only requires that the controller does not leave the scope of the self-imposed purpose. Accordingly, it cannot be said that the operation of a website or app does not objectively require cookies, which is why their use would be disproportionate, because “operation of the website” describes a purpose, the determination of which is the responsibility of the controller and not of the legislator, an authority or a “reasonable man”.