Approaching its second anniversary this month, the European General Data Protection Regulation (GDPR) has never been as relevant as in these unprecedented COVID-19 times. While several countries are considering the implementation of contact tracing apps, a consensus has seemed to surface on subjecting their use to a voluntary basis. The notion of “consent” remains therefore the cornerstone (albeit not the only one) of the European data protection framework.
GDPR and ePrivacy: A layered regulation of privacy in Europe
While GDPR has taken the world by storm, it was never meant to be the only tool to regulate data protection in Europe by 25 May 2018. That day was also the initial deadline to revise the framework of privacy in the online communication sector. Currently, this subset of data protection is governed by Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector, dating back to 2002 (ePrivacy Directive). As with general data protection in a pre-GDPR era, the ePrivacy Directive has been implemented and interpreted differently by Member States. Its successor, the ePrivacy Regulation, would harmonize this sector … provided it gets adopted.
Overturning the decades-long consensus shook industry players, who are currently challenging the Supervisory Authorities' positions.
The EDPB therefore revised its previous guidelines on two aspects:
- access to whole or part of an online service should not be denied if the user has not consented to the placement of cookies, as the lack of options would prevent such consent from being freely given; and
Amidst this fragmenting playing field, the revised guidelines from the EDPB bring some welcome clarification while waiting for the ePrivacy Regulation.
All publishers whose websites and/or apps are accessible to a European audience should:
- Have a clear overview of all first- and third-party cookies used on their website;
- Assess which of these cookies are (i) strictly essential for the provision of the service, or (ii) nonessential. All analytics or geolocation cookies should, by nature, be considered nonessential;
- Ensure that no cookie is dropped on the user’s terminal prior to a first layer of information;
  - This first layer of information could be a banner containing key information about (i) the identity of the publisher, (ii) the roles of the cookies, and (iii) the rights of the users;
- When consent is required, include:
  - A graphic interface using neutral graphic designs;
  - Options not limited to (i) consenting or (ii) seeking more information, but also including (iii) refusal to consent and (iv) postponement of the decision;
  - A consent-gathering mechanism for each purpose; and
  - The possibility for users to withdraw their consent, which may require the deployment of a cookie-management interface;
- Ensure that access to the website is not denied merely due to the user’s refusal to consent (either by not addressing the consent request or by refusal); and
- Document both the consent-gathering process and the actual consent-gathering action as part of GDPR’s accountability framework.
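The checklist above translates into a small amount of state that a publisher's consent layer has to enforce: nothing non-essential before the first information layer, one decision per purpose with refusal and postponement treated as "no", withdrawal that is as easy as consent, and a record of every step. The following is an added illustration, not code from the article or from any consent-management product; the purpose names and the cookie catalogue are constructed for the example.

```javascript
// Added example, not from the article: a consent store enforcing the checklist above.
// Purpose names and the cookie catalogue are constructed for illustration.
const PURPOSES = ["analytics", "geolocation"];
class ConsentManager {
  constructor(clock = () => new Date().toISOString()) {
    this.clock = clock;
    this.bannerShown = false; // first layer of information displayed?
    this.decisions = {};      // purpose -> "given" | "refused"; absent = postponed
    this.auditLog = [];       // accountability record of the consent process
  }
  record(event, purpose = null) {
    this.auditLog.push({ ts: this.clock(), event, purpose });
  }
  // The banner (identity, cookie roles, user rights) must precede any consent request.
  showBanner() {
    this.bannerShown = true;
    this.record("banner_shown");
  }
  // One decision per purpose. Closing the banner without deciding is a
  // postponement: nothing is stored and no non-essential cookie is allowed.
  decide(purpose, decision) {
    if (!this.bannerShown) throw new Error("consent requested before first information layer");
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    if (decision !== "given" && decision !== "refused") throw new Error("invalid decision");
    this.decisions[purpose] = decision;
    this.record(`consent_${decision}`, purpose);
  }
  // Withdrawal is as easy as consenting and is logged like any other action.
  withdraw(purpose) {
    if (this.decisions[purpose] !== "given") return false;
    this.decisions[purpose] = "refused";
    this.record("consent_withdrawn", purpose);
    return true;
  }
  // Strictly necessary cookies never need consent; anything else needs an explicit
  // "given" for its purpose. Refused, postponed and unknown purposes all block it.
  mayDrop(cookie) {
    return cookie.essential || this.decisions[cookie.purpose] === "given";
  }
}
// Constructed catalogue mixing first- and third-party cookies.
const COOKIES = [
  { name: "session_id", essential: true, purpose: null, party: "first" },
  { name: "_ga", essential: false, purpose: "analytics", party: "third" },
  { name: "geo_pref", essential: false, purpose: "geolocation", party: "first" },
];
// Names of the cookies that may be set right now, given the recorded decisions.
function allowedCookies(cm) {
  return COOKIES.filter((c) => cm.mayDrop(c)).map((c) => c.name);
}
```

In a real deployment the `decisions` map and `auditLog` would be persisted (the decisions in a first-party preference cookie, the log server-side) so that the documented consent survives the session.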