In its response dated 3 July 2019 (Response; file no. 19/11351, available in German here) to an inquiry by members of the German parliament (Inquiry), the German government took stand on the current draft Regulation on Privacy and Electronic Communications (ePrivacy Regulation), and particularly on “tracking”. The German government summarises its assessment of the ePrivacy Regulation:
“Germany has declared its view at a session of the Council of the EU on 7 June 2019 in Luxembourg. The ePrivacy Regulation must guarantee a high level of protection that goes beyond the protection that the GDPR provides. The current draft does not achieve this objective. Germany cannot support the current draft.”
German government’s assessment of the ePrivacy Regulation
The Inquiry sought, among other things, the German government’s responses on (i) whether “tracking” should be regulated more extensively at an EU level and (ii) what specific amendments have to be made to the ePrivacy Regulation.
First, in its Response the German government defines the tracking of users on the internet and in the digital environment as “comprehensive collecting and storing information on users’ behaviour and activities when using connected devices or services” (Tracking). The behaviour and activities that are tracked may include interactions with websites, browsing histories and communications via web-based email and messenger services. In connection with the use of mobile devices, additional information such as location, date and time of visiting a site may be processed.
Second, the German government reiterates that the lawful access to information collected and stored in users’ devices (e.g. via cookies) is regulated by Directive 2002/58/EC, amended by Directive 2009/136/EC (ePrivacy Directive) and its to-be successor, the ePrivacy Regulation, which will be considered lex specialis to the GDPR. The subsequent processing of personal data might, however, be subject to the GDPR.
Third, the German government summarises its concerns with the current draft of the ePrivacy Regulation:
- Article 6 of the ePrivacy Regulation (Permitted processing of e-communications data): The German government argues against extending permission to process e-communications metadata for other purposes than the original purposes without the end-users’ consent, and in favour of limiting the processing of e-communications metadata that constitutes geolocation data.
- Article 8 of the ePrivacy Regulation (Protection of end-users’ terminal equipment information): The German government argues in favour of not extending permission to access the end-users’ terminal equipment information for tracking purposes (e.g. setting cookies) without the end-users’ consent and suggests keeping the exceptions narrow, rather than extending them.
- Former Article 10 of the ePrivacy Regulation (Information and options for privacy settings to be provided): The German government suggests re-inserting the former Article 10 of the ePrivacy Regulation. Article 10 provided that certain software providers (particularly browser providers) were obliged to offer end-users the option to prevent third parties from storing information on the end-users’ terminal equipment and from processing information already stored on the equipment. Upon installation, the end-users needed to be informed about their privacy settings options and were required to choose a setting and – if necessary – to consent to a setting to finalise the installation.
Next discussion of ePrivacy Regulation on 9 September 2019
The German government made its remarks before the latest draft of the ePrivacy Regulation by the Finnish presidency of the Council of the EU dated 26 July 2019 (available here). The latest draft of the ePrivacy Regulation, however, does not implement the German government’s remarks and mainly focusses on Article 6 of the ePrivacy Regulation. The Finnish government proposes to split Article 6 into four articles in order to differentiate between regulations on
- Processing of e-communications data
- Processing of e-communications content
- Processing of e-communications metadata
- Further processing of e-communications metadata
The Council of the EU will discuss the latest draft of the ePrivacy Regulation on 9 September 2019. This session will focus on Articles 5, 6, 7 and – if time permits – also on Articles 8 and 10. We expect that the German government’s remarks will likely be made part of these discussions.
Comment
It remains to be seen whether the rather restrictive approach of the German government will in the end be implemented in the ePrivacy Regulation.
According to the statement made by the German delegation at the session of the Council of the EU on 7 June 2019 in Luxembourg, the German government is currently working on a comprehensive statement on the ePrivacy Regulation, which will be published as soon as possible.
The definition of Tracking provided in the Response differs from the definitions used by German data protection authorities, whose definition requires an additional tracing of website visitors. It would thus be desirable to have a harmonised definition for Tracking in the comprehensive statement.