EDPB ePrivacy Guidelines: Comments Highlighting Risks to Businesses with Digital Activities

Keller and Heckman has submitted comments to the European Data Protection Board (EDPB) in the context of a public consultation on their draft guidelines 2/2023 on the Technical Scope of Art. 5(3) of ePrivacy Directive, on behalf of various organisations that wished to contribute in a meaningful manner without drawing attention to their identity.

What guidelines?

Based on the EDPB’s proposed guidelines, Article 5(3) of the ePrivacy Directive (ePD), commonly called the “cookie rule,” would be extended to cover not only cookies and similar active storage of, and active access to, information on a user’s device (e.g., phone, computer, home router), but also nearly any interaction with a computer or network (such as the automatic transmission of information to a web server when accessing a webpage, or the ephemeral storage that a computer generates for any website or application being loaded, purely in order to be able to run it).

Keller and Heckman Partner Peter Craddock (heading our EU Data & Technology law practice) has published several leading articles on the topic (see, for instance, the summary on “Why every company with digital activities should comment on the EDPB’s new ePrivacy guidelines,” and more in-depth articles published on LinkedIn), and several organisations have shared their concerns that the EDPB’s proposed guidelines could lead to turbocharged consent banners and could neuter various validation techniques that are notably critical for fighting fraud and ensuring compliance.

Requests brought forward in the submissions filed

The relevant organisations’ requests can be summarised as follows:

• Re-evaluating the EDPB’s authority to adopt those (proposed) guidelines and (i) restricting them to only the material and territorial scope of the General Data Protection Regulation (GDPR) or (ii) transforming them into mere recommendations, ideally with also the support of all competent regulators;
   
• Restricting the scope of the notions of “access” and “storage” under Art. 5(3) of the ePrivacy Directive to active storage specifically directed by the entity to whom the obligations under that provision apply, and active access to terminal equipment on the initiative of such entity;
   
• Providing guidance on how the consent exemptions would apply, based on the EDPB’s (thus adapted) understanding of the notions of “access” and “storage,” and in particular on the scope of the “service” consent exemption to provide greater legal certainty, notably as regards to (i) “access” or “storage” that is statutorily authorised or required for the activities of the relevant service provider and (ii) activities that underlie a service, from its conception all the way to actual provision of the service to a given user, as well as the reuse of lessons from a given user’s interaction in order to improve the service for a subsequent user
   
• In relation to consent, confirming that (i) organisations are permitted to bundle a broad range of technologies covered by Art. 5(3) ePD together into one or more simple terms in any consent request form, without this affecting the validity of any consent given, and that (ii) any such bundling of technologies further to an expansion of the scope of Art. 5(3) ePD (compared to the most recent guidance of authorities) does not negate any consent given beforehand

You can view the submissions in question here. The EDPB should also soon make them available through their public consultation page here.