New Draft Guidelines on Tracking Techniques under ePrivacy Directive

On November 15, the European Data Protection Board (EDPB) adopted Guidelines on the technical scope of Article 5(3) of the ePrivacy Directive. The Guidelines are designed to clarify the technical operations, particularly new and emerging tracking techniques, that fall under the purview of the Directive. The aim is to provide greater legal certainty to data controllers and individuals alike.

The European Privacy Directive (ePD) Article 5(3) is a crucial piece of legislation that governs the storage of information or the gaining of access to information already stored in a user's terminal equipment. This article aims to clarify the scope of Article 5(3) ePD and its applicability to various technologies and scenarios.

What Does Article 5(3) ePD Cover?

Article 5(3) ePD applies to operations related to 'information', not just 'personal data', involving a 'terminal equipment' of a subscriber or user. The operations must occur in the context of the 'provision of publicly available electronic communications services in public communications networks'. The operations must also constitute a 'gaining of access' or 'storage'.

The term 'information' includes both non-personal and personal data, regardless of how this data was stored and by whom. The 'terminal equipment' refers to any equipment directly or indirectly connected to the interface of a public telecommunications network to send, process or receive information.

When Does Article 5(3) ePD Apply?

Article 5(3) ePD applies when an entity wishes to gain access to information stored in the terminal equipment and actively takes steps towards that end. This includes situations where the entity instructs the terminal equipment to send back targeted information, such as with cookies or JavaScript code.

Storage of information refers to placing information on a physical electronic storage medium that is part of a user or subscriber’s terminal equipment. This includes a wide range of storage mediums, from hard disc drives and solid state drives to random-access memory and central processing unit cache.

Use Cases of Article 5(3) ePD

Several broad categories of identifiers and information can be subject to the applicability of Article 5(3) ePD. These include:

URL and Pixel Tracking: Tracking pixels and links are often used to track user behavior. The inclusion of such tracking pixels or tracked links in the content sent to the user constitutes an instruction to the terminal equipment to send back the targeted information, thus falling under the scope of Article 5(3) ePD.

Local Processing: Technologies that rely on local processing instructed by software distributed on users’ terminal can fall under Article 5(3) ePD when the information produced by the local processing is made available to selected actors through client-side API.

Tracking Based on IP Only: In cases where the IP address originates from the terminal equipment of a subscriber or user, gaining access to IP addresses would trigger the application of Article 5(3) ePD.

Intermittent and Mediated IoT Reporting: IoT devices that produce information continuously over time and make it available to a remote server can fall under the scope of Article 5(3) ePD, depending on how the information is collected and relayed.

Unique Identifier: The use of unique or persistent identifiers, usually derived from persistent personal data, falls under the scope of Article 5(3) ePD when the entity collecting is instructing the browser to send that information.

In conclusion, the scope of Article 5(3) ePD is broad and covers a wide range of technologies and scenarios. It is crucial for entities to understand its applicability to ensure compliance with the legislation.