Privacy & Cybersecurity Law Blog

On October 16, 2024, the European Data Protection Board (the “EDPB”) announced it had adopted Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive (the “Guidelines”), following a public consultation. Read our previous blog on the Guidelines. 

In these Guidelines, the EDPB addresses the applicability of Article 5(3) of the ePrivacy Directive to different technical solutions, particularly tracking technologies beyond cookies. According to the EDPB, the Guidelines expand upon Opinion 9/2014 of the Article 29 Working Party on the application of the ePrivacy Directive and aim to provide a clear understanding of the technical operations covered by Article 5(3) of the ePrivacy Directive.

The Guidelines analyze the following three key criteria for the applicability of Article 5(3) of the ePrivacy Directive:

• Criterion A: operations carried out that relate to “information.” Notably, the Guidelines clarify that this concept is not limited to personal data.
• Criterion B: operations carried out that involve the “terminal equipment” of a subscriber or user (B.1), which implicates the need to further assess the notion of a “public communications network” (B.2). The Guidelines clarify that “terminal equipment” may include any device with a network interface that makes it eligible for connection (e.g., connected cars or TVs) regardless of whether it is currently connected or not.
• Criterion C: operations carried out that constitute “gaining access” to (C.1) or “storage” of (C.2) information.

The Guidelines contain details on certain use cases related to URL and pixel tracking, local processing, tracking based on IP only, intermittent and mediated Internet of Things reporting, and unique identifiers. Overall, the Guidelines expand the applicability of the ePrivacy Directive to address the current nature of the information ecosystem and the increasing use of non-cookie tracking technology.