Understanding Article 5(3) of the ePrivacy Directive and its Implications on Device Tracking and User Consent
The ePrivacy Directive, specifically Article 5(3), restricts the storage of information on, and access to information already stored in, users’ devices without their consent, except under specific conditions. This legislation plays a crucial role in protecting users from unauthorized storage on and access to their devices. As technology continues to evolve, further guidance on how this directive applies to emerging tracking technologies is essential. Understanding the safeguards outlined in Article 5(3) not only enables organizations to align their practices with regulatory requirements, but also empowers users to exercise greater control and autonomy over their personal data privacy. As a result, the EDPB has sought to clarify how Article 5(3) of the ePrivacy Directive applies to device tracking using new technologies in its new Guidelines 2/2023.
Article 5(3) safeguards privacy by limiting unauthorized access to information, terminal equipment, and storage.
Article 5(3) applies if the following criteria are met:
- The Operation Relates to “Information”
Article 5(3) covers “information” broadly, not limited to personal data. The aim is to protect the user’s private sphere by restricting unauthorized access, regardless of whether the data is considered personal.
- Involves Terminal Equipment
A user’s terminal equipment, as outlined in Directive 2008/63/EC, is any device that can connect to a public communications network, either directly or indirectly. Devices meeting these requirements fall under Article 5(3), emphasizing the protection of user privacy.
- Storage or Access of Information
The “storage” and “gaining access” limbs operate independently, so either one alone triggers Article 5(3). This covers scenarios such as one entity storing data on the device and a different entity later accessing it.
Article 5(3) treats “information” as covering both personal and non-personal data, protecting all information stored on terminal equipment.
The term “information” under Article 5(3) is intentionally broad. Both personal and non-personal data fall within its scope, covering even non-identifiable data, such as viruses or hidden identifiers, that could intrude on users’ private spheres. Court rulings have confirmed that Article 5(3) protections apply to any information stored on terminal equipment, regardless of its nature or origin.
Terminal devices on public networks, like smartphones and connected cars, are protected regardless of user knowledge.
The definition of terminal equipment encompasses devices directly or indirectly connected to a public telecommunications network. This includes various connected devices, such as smartphones, computers, and even connected cars. Importantly, protection applies to the device itself, regardless of user awareness of the access or storage taking place.
The ePrivacy Directive covers electronic communication services on public and private networks, ensuring protection for connected devices.
The ePrivacy Directive applies to services provided through public communications networks. The term “network” is read broadly here, encompassing any infrastructure that enables electronic communication, whether public or private. This ensures that devices connected to such networks are protected under the ePrivacy Directive, even if the network is not fully public.
This legislation protects users from unauthorized access to their devices by entities instructing devices to send information or store data.
The ePrivacy Directive seeks to protect users from unauthorized access to their devices. “Gaining access” includes any activity in which an entity instructs a device to send back information, for example by reading cookies or by calling APIs that enable data collection. Similarly, “storage of information” covers any data written to the user’s device on the instruction of an external entity, such as setting cookies or using APIs that persist device data.
Ambiguities in the ePrivacy Directive have led to alternative tracking solutions that circumvent the law, highlighting the need for updated guidance for data access and storage on devices.
Recital 24 of the ePrivacy Directive underscores that users’ terminal equipment, such as computers and smartphones, is part of their private sphere, warranting privacy safeguards. This scope extends beyond traditional “cookies” to “similar technologies,” such as device fingerprinting, which the WP29 Opinion 9/2014 formally recognized as falling under Article 5(3). Despite the intended protections, ambiguities in the scope of Article 5(3) have led to alternative tracking solutions, some designed to bypass the legal requirements of the ePrivacy Directive. These issues have highlighted the need for updated guidance, particularly as technological advances create new ways to access and store data on devices.
That said, the new EDPB Guidelines also create controversies, such as drawing questionable parallels between cookies that have been placed on the device by third parties, and the device’s own IP address. According to Dr Boštjan Makarovič, Aphaia’s managing partner, an IP address is any device’s fundamental identifier on the internet when the device connects with other devices or IP-based services, which had been the case long before the amended ePrivacy Directive was introduced in 2009. “One should therefore not assume that third parties should refrain from using the IP address when communicating with the device, especially since one can choose to keep it hidden from other devices and services using a VPN.”