GDPR and ePrivacy Regulation update: PIA obligations, First EP hearing held and WP 29 calls for restriction on online marketing

shutterstock_112074470(1)PIA obligations under GDPR

In April the Article 29 Working Party, an advisory group to the EU Commission gathering the 28 EU Data Protection Authorities (DPAs) issued an Opinion on when and how the Data Privacy Impact Assessment foreseen in the General Data Protection Regulation should be implemented and what should be understood as processing that could result in high risks. The Opinion published by the Article 29 Working Party gives a comprehensive, and yet non-exhaustive perspective on when and how the DPIA should be applied by the controllers and processors. These situations are mainly those where the processing could result in high risks for the natural persons, especially concerning their rights and freedoms.

While the Article 29 Working Party Opinion does explain that the DPIA needs a case by case analysis, it also gives as examples types of processing that are very common in marketing. This could lead to confusion and further restrictions in eCommerce.

On 11 April the EU Parliament held its first hearing on the ePrivacy Regulation.

The event was split into three sections, the first focusing on electronic marketing, while the second on the issues specific to the telecoms or
media sectors, and the last focusing on security in telecommunications. The debate was clearly dominated by the supporters of stricter rules, to the detriment of those supporting the status quo around the rules for electronic marketing.
Many of those speaking stressed their opposition towards any flexibility foreseen by the EU Commission in the text and mainly suggesting that explicit consent is the only way forward to also match the provisions foreseen in the General Data Protection Regulation. Only the industry representatives called for the status quo to be maintained arguing technical or other difficulties linked to the business model (media and direct marketing). The debate was greatly influenced by the recently published Article 29 Working Party on ePrivacy, the group gathering all EU Data Protection Authorities, advising the EU Commission on data protection issues.

The most debated aspect was that of free choice in consent. Most of the speakers argued that consumers are not going to be free in their consent if presented only with choices and not with the option to completely refuse being tracked and being offered electronic marketing. If their suggestions are adopted, consumers would have to be offered access to websites without any tracking, decreasing accuracy and increasing costs in electronic marketing.

DPAs call for restrictions on Marketing online

The Article 29 Working Party, an advisory group to the EU Commission gathering the 28 EU Data Protection Authorities (DPAs), issued recently an Opinion on the EU Commission ePrivacy Regulation, proposed in January.
The DPAs are relatively critical towards the EU Commission suggesting the ePrivacy Regulation, in the current form, would actually diminish the rights of data subjects, especially when compared to the rights granted under the General Data Protection Regulation which will apply as of 25 May 2018.

The DPAs support the EU Commission in some of the choices made in this Regulation (general consent approach, or that metadata can reveal very sensitive information). However, there are four main areas of concern raised by the DPAs, which should mobilize industry to prevent the adoption of an overly burdensome ePrivacy framework.

First, the DPAs do not support the EU Commission’s approach to how the rules could apply differently to different companies in the value chain for the same type of data. The DPAs are referring to the analysis and content of metadata, and mainly stressing that such processing cannot take place without the consent of both senders and receivers of data, while the EU Commission seems to take a more flexible approach.

Second, the DPAs do not agree that providing consumers with choices regarding third party advertising can be seen as free and valid consent. Third, the DPAs request an explicit prohibition of tracking walls, claiming that the
“take it or leave it” approach, asking consumers to agree to be tracked or being banned from accessing the services is not acceptable and, most importantly, not in line with the General Data Protection Regulation.

Finally, DPAs criticize the EU Commission’s approach towards the tracking of user terminals, calling as well for a clear consent mechanism to be implemented. The Opinion will be extremely influential in the upcoming debates around the ePrivacy Regulation and including in the development of the Opinions of the other actors involved, such as the European Data Protection Supervisor. The latter has already signaled it support for the Opinion and confirmed it would issue its own Opinion following the Easter break.

Questions on GDPR or ePrivacy?

Contact us at or 0032 486 901 931