EDPB: Guidelines clarifying the tracking technologies covered by the ePrivacy Directive, Ver. 2.0 (2024.10.16)
Hello, this is Mitsuhiko Maruyama.
This is the updated version of Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive, which the EDPB published on 2023.11.14...
● European Data Protection Board; EDPB
・2024.10.16 Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive
・[PDF] Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive - Version 2.0
Executive summary | エグゼクティブサマリー |
In these Guidelines, the EDPB addresses the applicability of Article 5(3) of the ePrivacy Directive to different technical solutions. These Guidelines expand upon the Opinion 9/2014 of the Article 29 Working Party on the application of ePrivacy Directive to device fingerprinting and aim to provide a clear understanding of the technical operations covered by Article 5(3) of the ePrivacy Directive. | 本ガイドラインにおいて、EDPBは、eプライバシー指令第5条(3)項の異なる技術的ソリューションへの適用可能性について取り上げている。本ガイドラインは、eプライバシー指令のデバイス・フィンガープリンティングへの適用に関する第29条作業部会の意見9/2014をさらに発展させ、eプライバシー指令第5条(3)項の対象となる技術的オペレーションについて明確な理解を提供することを目的としている。 |
The emergence of new tracking methods to both replace existing tracking tools (for example, cookies, due to discontinued support for third-party cookies by some browser vendors) and create new business models has become a critical data protection concern. While the applicability of Article 5(3) of the ePrivacy Directive is well established and implemented for some tracking technologies such as cookies, there is a need to address ambiguities related to the application of the said provision to emerging tracking tools. | 新しいトラッキング手法の出現は、既存のトラッキングツール(例えば、一部のブラウザベンダーによるサードパーティクッキーのサポート中止により、クッキー)を置き換えるだけでなく、新たなビジネスモデルを生み出すものでもあり、データ保護の観点から重大な懸念事項となっている。eプライバシー指令第5条(3)項の適用可能性は、クッキーなどの一部のトラッキング技術については十分に確立され、実施されているが、新たなトラッキングツールへの同規定の適用に関する曖昧さに対処する必要がある。 |
The Guidelines identify three key elements for the applicability of Article 5(3) of the ePrivacy Directive (section 2.1), namely ‘information’, ‘terminal equipment of a subscriber or user’ and ‘gaining access’ and ‘storage of information and stored information’. The Guidelines further provide a detailed analysis of each element (section 2.2-2.6). | 本ガイドラインでは、eプライバシー指令第5条(3)の適用可能性に関する3つの主要要素を識別している(セクション2.1)。すなわち、「情報」、「加入者またはユーザーの端末機器」、および「アクセス取得と情報の保存および保存された情報」である。本ガイドラインではさらに、各要素の詳細な分析を提供している(セクション2.2~2.6)。 |
In section 3, that analysis is applied to a non-exhaustive list of use cases representing common techniques, namely: | 第3項では、その分析を一般的な技術を代表する非網羅的なユースケースのリストに適用している。すなわち、 |
- URL and pixel tracking | - URLおよびピクセルトラッキング |
- Local processing | - ローカル処理 |
- Tracking based on IP only | - IPのみに基づくトラッキング |
- Intermittent and mediated Internet of Things (IoT) reporting | - 断続的および仲介されたモノのインターネット(IoT)の報告 |
- Unique Identifier | - 固有識別子 |
Table of contents | 目次 |
1 Introduction | 1 序文 |
2 Analysis | 2 分析 |
2.1 Key elements for the applicability of Article 5(3) ePD | 2.1 第5条(3)ePDの適用可能性に関する主な要素 |
2.2 Notion of ‘information’ - Criterion A | 2.2 「情報」の概念 - 基準 A |
2.3 Notion of ‘terminal equipment of a subscriber or user’ – Criterion B.1 | 2.3 「加入者またはユーザーの端末設備」の概念 - 基準 B.1 |
2.4 Notion of ‘public communications network’ – Criterion B.2 | 2.4 「公衆通信ネットワーク」の概念 - 基準 B.2 |
2.5 Notion of ‘gaining access’ – Criterion C.1 | 2.5 「アクセス」の概念 - 基準 C.1 |
2.6 Notions of ‘storage of information’ and ‘stored information’ – Criterion C.2 | 2.6 「情報の保存」および「保存された情報」の概念 - 基準 C.2 |
3 Use cases | 3 ユースケース |
3.1 URL and pixel tracking | 3.1 URLおよびピクセルトラッキング |
3.2 Local processing | 3.2 ローカル処理 |
3.3 Tracking based on IP only | 3.3 IPのみに基づくトラッキング |
3.4 Intermittent and mediated IoT reporting | 3.4 断続的および仲介されたIoTレポート |
3.5 Unique Identifier | 3.5 固有識別子 |
The European Data Protection Board | 欧州データ保護委員会 |
Having regard to Article 70 (1)(e) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, (hereinafter, ‘GDPR’), | 個⼈データの処理に関する⾃然⼈の保護及び当該データの⾃由な移動に関する 2016 年 4 ⽉ 27 ⽇付欧州議会及び理事会規則(EU)2016/679、並びに指令 95/46/ECの廃⽌(以下「GDPR」という、)の第 70 条(1)(e)を考慮し、 |
Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018[1], | 欧州経済領域(EEA)協定、特に2018年7月6日付のEEA合同委員会決定第154/2018号により改正された附属書XIおよび議定書37に留意し、 |
Having regard to Article 15(3) of the Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, as amended by Directive 2009/136/EC (hereinafter, ‘ePrivacy Directive’ or ‘ePD’), | 電子通信分野におけるパーソナルデータの処理およびプライバシーの保護に関する2002年7月12日付欧州議会および理事会の指令2002/58/EC(以下「eプライバシー指令」または「ePD」)の第15条(3)項を考慮し、 |
Having regard to Article 12 and Article 22 of its Rules of Procedure, | その規則第12条および第22条を考慮し、 |
HAS ADOPTED THE FOLLOWING GUIDELINES: | 以下のガイドラインを採択した。 |
------ | ------ |
1 INTRODUCTION | 1 序文 |
1. According to Article 5(3) ePD, ‘the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user’ is only allowed on the basis of consent or necessity for specific purposes set out in that Article. As reminded in Recital 24 of the ePD[2], the goal of that provision is to protect the users’ terminal equipment, as they are part of the private sphere of the users. It results from the wording of the Article, that Article 5(3) ePD does not exclusively apply to cookies, but also to ‘similar technologies’. However, there is currently no comprehensive list of the technical operations covered by Article 5(3) ePD. | 1. ePD第5条(3)項によると、「加入者または利用者の端末機器における情報の保存、またはすでに保存されている情報へのアクセス」は、同条に定める特定の目的のための同意または必要性に基づいてのみ許可される。ePDの注釈24[2]で指摘されているように、この規定の目的は、ユーザーの端末機器を防御することであり、それはユーザーの私的領域の一部である。この条項の文言から、第5条(3)項のePDはクッキーのみに適用されるのではなく、「類似技術」にも適用される。しかし、現時点では、第5条(3)項のePDが対象とする技術的作業の包括的なリストは存在しない。 |
2. Article 29 Working Party (hereinafter, ‘WP29’) Opinion 9/2014 on the application of ePrivacy Directive to device fingerprinting (hereinafter, ‘WP29 Opinion 9/2014’) has already clarified that fingerprinting falls within the technical scope of Article 5(3) ePD[3], but due to the new advances in technologies further guidance is needed with respect to the tracking techniques currently observed. The technical landscape has been evolving during the last decade, with the increasing use of identifiers embedded in operating systems, as well as the creation of new tools allowing the storage of information in terminal equipment. | 2. デバイス・フィンガープリンティングへのeプライバシー指令の適用に関する第29条作業部会(以下、「WP29」)意見書9/2014(以下、「WP29意見書9/2014」)は、フィンガープリンティングが第5条(3)ePDの技術的範囲に該当することをすでに明確にしているが[3]、技術の新たな進歩により、現在確認されているトラッキング技術に関してさらなるガイダンスが必要となっている。技術的状況は、この10年間で進化しており、オペレーティングシステムに組み込まれた識別子の使用が増えているほか、端末機器に情報を保存できる新しいツールも開発されている。 |
3. The ambiguities regarding the scope of application of Article 5(3) ePD have created incentives to implement alternative solutions for tracking internet users and lead to a tendency to circumvent the legal obligations provided by Article 5(3) ePD. All such situations raise concerns and require a supplementary analysis in order to complement the previous guidance from the EDPB. | 3. 第5条(3)ePDの適用範囲に関する曖昧さにより、インターネットユーザーを追跡するための代替ソリューションを導入するインセンティブが生じ、第5条(3)ePDで規定された法的義務を回避する傾向につながっている。このような状況はすべて懸念材料であり、EDPBによるこれまでのガイダンスを補完するために追加的な分析が必要である。 |
4. The aim of these Guidelines is to conduct a technical analysis on the scope of application of Article 5(3) ePD, namely to clarify what is technically covered by the phrase ‘to store information or to gain access to information stored in the terminal equipment of a subscriber or user’. These Guidelines do not address the circumstances under which a processing operation may fall within the exemptions from the consent requirement provided for by the ePD[4], as these circumstances should be analysed on a case-by-case basis accounting for the relevant member state transposition(s), and guidance issued by national Competent Authorities. | 4. 本ガイドラインの目的は、第5条(3)項ePDの適用範囲について技術的な分析を行うこと、すなわち、「加入者または利用者の端末機器に保存された情報にアクセスすること、または当該情報にアクセスできるようにすること」という表現が技術的に何をカバーするのかを明確にすることである。本ガイドラインでは、ePDで規定された同意要件の免除に該当する可能性がある処理操作の状況については取り扱わない。これらの状況は、関連する加盟国の国内法化や各国の管轄当局が発行するガイダンスを考慮した上で、個別に分析すべきである。 |
5. A non-exhaustive list of specific use-cases will be analysed in the final part of these Guidelines. | 5. 特定の使用事例の網羅的ではないリストは、本ガイドラインの最終部分で分析される。 |
2 ANALYSIS | 2 分析 |
2.1 Key elements for the applicability of Article 5(3) ePD | 2.1 第5条(3)項ePDの適用可能性に関する主な要素 |
6. Article 5(3) ePD applies if: | 6. 第5条(3)ePDは以下の場合に適用される: |
a. CRITERION A: the operations carried out relate to ‘information’. It should be noted that the term used is not ’personal data’, but ‘information’. | a. 判断基準 A:実施される業務は「情報」に関連する。ここで使用される用語は「個人データ」ではなく「情報」であることに留意すべきである。 |
b. CRITERION B: the operations carried out involve a ‘terminal equipment’ of a subscriber or user (B.1), which imply the need to assess the notion of a ‘public communications network’ (B.2). | b. 判断基準 B:実施される業務には、加入者またはユーザーの「端末設備」(B.1)が関与し、これは「公衆通信ネットワーク」(B.2)の概念をアセスメントする必要性を意味する。 |
c. CRITERION C: the operations carried out indeed constitute ‘storage’ (C.1) or a ‘gaining of access’ (C.2). Those two notions can be studied independently, as reminded in WP29 Opinion 9/2014: ‘Use of the words “stored or accessed” indicates that the storage and access do not need to occur within the same communication and do not need to be performed by the same party’[5]. | c. 判断基準 C:実施される業務は、実際には「保存」(C.1)または「アクセス」(C.2)を構成する。WP29 意見書 9/2014 において言及されているように、この2つの概念は個別に検討することができる。「保存またはアクセス」という表現は、保存とアクセスが同一のコミュニケーション内で発生する必要はなく、同一の当事者によって実行される必要もないことを示している[5]。 |
For the sake of readability, the entity gaining access to information stored in the user’s terminal equipment will be hereafter referred to as an ‘accessing entity’. | 以下では、読みやすさを考慮して、ユーザーの端末機器に保存された情報にアクセスする事業体を「アクセス事業体」と呼ぶ。 |
2.2 Notion of ‘information’ - Criterion A | 2.2 「情報」の概念 - 判断基準 A |
7. As expressed in CRITERION A, this section details what is covered by the notion of ‘information’. The choice of the term ‘information’, encompassing a broader category than the mere notion of personal data, is related to the scope of the ePrivacy Directive. | 7. 判断基準 Aで述べたように、このセクションでは「情報」という概念が何を対象とするかを詳細に説明する。「情報」という用語の選択は、単なる個人データの概念よりも幅広いカテゴリーを包含するものであり、eプライバシー指令の適用範囲に関連している。 |
8. The goal of Article 5(3) ePD is to protect the private sphere of the users, as stated in its Recital 24: ‘Terminal equipment of users of electronic communications networks and any information stored on such equipment are part of the private sphere of the users requiring protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms’. It is also protected by Article 7 of the EU Charter of Fundamental Rights. | 8. ePD第5条(3)項の目的は、その序文24項に述べられているように、「電子通信ネットワークのユーザーの端末機器およびその機器に保存されているあらゆる情報は、欧州人権および基本的自由の保護のための条約に基づき保護を必要とするユーザーの私的領域の一部である」というユーザーの私的領域を防御することである。また、EU基本権憲章第7条によっても保護されている。 |
9. In fact, scenarios that do intrude into this private sphere even without involving any personal data are explicitly covered by the wording of Article 5(3) and Recital 24 ePD, for example the storage of viruses on the user’s terminal equipment. This shows that the definition of the term ‘information’ should not be limited to the property of being related to an identified or identifiable natural person. | 9. 実際、個人データが関与していなくても、この私的領域に侵入するシナリオは、例えばユーザーの端末機器にウイルスが保存されている場合など、第5条(3)項およびePDの第24項の文言によって明確にカバーされている。これは、「情報」という用語の定義が、特定された、または特定可能な自然人に関連する財産に限定されるべきではないことを示している。 |
10. This has been confirmed by the Court of Justice of the EU: ‘That protection applies to any information stored in such terminal equipment, regardless of whether or not it is personal data, and is intended, in particular, as is clear from that recital, to protect users from the risk that hidden identifiers and other similar devices enter those users’ terminal equipment without their knowledge’[6]. | 10. このことは、EU司法裁判所によっても確認されている。「その保護は、個人データであるか否かに関わらず、そのような端末機器に保存されているあらゆる情報に適用される。特に、その前文から明らかなように、隠された識別子やその他の類似の装置がユーザーの端末機器にユーザーの知らないうちに侵入するリスクからユーザーを防御することを目的としている」[6]。 |
11. The questions on whether the origin of this information and the reasons why it is stored in the terminal equipment should be considered when assessing the applicability of Article 5(3) ePD have been previously clarified. For example, in the WP29 Opinion 9/2014: ‘It is not correct to interpret this as meaning that the third-party does not require consent to access this information simply because he did not store it. The consent requirement also applies when a read-only value is accessed (e.g. requesting the MAC address of a network interface via the OS API)’ [7]. | 11. この情報の発信元や、それが端末機器に保存されている理由が、ePD第5条(3)項の適用可能性をアセスメントする際に考慮されるべきかどうかという問題については、以前に明確にされている。例えば、WP29意見書9/2014では、 「この情報を保存していないという理由だけで、サードパーティがこの情報へのアクセスに同意を必要としないと解釈するのは正しくない。読み取り専用値にアクセスする場合(例えば、OS API 経由でネットワークインターフェースの MAC アドレスを要求する場合)にも、同意要件が適用される」[7]。 |
12. In conclusion, the notion of information includes both non-personal data and personal data, regardless of how this data was stored and by whom, i.e. whether by an external entity (also including other entities than the one having access), by the user, by a manufacturer, or any other scenario. | 12. 結論として、情報の概念には、このデータが誰によってどのように保存されたかに関わらず、すなわち、外部事業体(アクセス権を有する事業体以外の事業体も含む)、利用者、製造事業者、またはその他のシナリオによるものかに関わらず、非個人データおよび個人データの両方が含まれる。 |
2.3 Notion of ‘terminal equipment of a subscriber or user’ – Criterion B.1 | 2.3 「加入者または利用者の端末設備」の概念 - 判断基準 B.1 |
13. This section builds on the definition used in Directive 2008/63/EC and as referenced in Article 2 Directive (EU) 2018/1972, where ‘terminal equipment’ is defined as: ‘equipment directly or indirectly connected to the interface of a public telecommunications network to send, process or receive information; in either case (direct or indirect), the connection may be made by wire, optical fibre or electromagnetically; a connection is indirect if equipment is placed between the terminal equipment and the interface of the network’[8]. | 13. このセクションでは、指令 2008/63/EC で使用され、指令 (EU) 2018/1972 第 2 条で参照されている定義を基にしており、ここで「端末機器」は次のように定義されている。「情報を送信、処理、または受信するために、公衆電気通信ネットワークのインターフェースに直接または間接的に接続される機器。いずれの場合も(直接または間接)、接続は有線、光ファイバー、または電磁気的に行うことができる。機器が端末機器とネットワークのインターフェースの間に配置されている場合、接続は間接的である[8]。 |
14. Recital 24 ePD provides a clear understanding of the role of the terminal equipment for the protection offered by Article 5(3) ePD. The ePD protects users’ privacy not only in relation to the confidentiality of their information but also by safeguarding the integrity of the user’s terminal equipment. This understanding will guide the interpretation of the notion of the terminal equipment throughout these Guidelines. | 14. 序文24 ePDは、第5条(3)項ePDが提供する保護における端末機器の役割について明確な理解を提供している。ePDは、利用者の情報の機密性に関連するだけでなく、利用者の端末機器の完全性を保護することによっても、利用者のプライバシーを防御する。この理解は、本ガイドライン全体を通じて端末機器の概念の解釈の指針となる。 |
15. Article 3 ePD states that for the ePD to apply the processing of personal data has to be carried out in connection with the provision of publicly available electronic communications services in public communications networks. This entails that a device should be usable in connection with such service and that, in order to be qualified as a terminal equipment, it should be connected or connectable[9] to the interface of a public communications network. The EDPB notes that the amendments made in 2009[10] in the text of Article 5(3) ePD extended the protection of terminal equipment by deleting the reference to the ‘use of electronic communications network’ as a means to store information or to gain access to information stored in the terminal equipment. Therefore, as long as a device has a network interface that makes it eligible for connection (even if such connection is not in place), Article 5(3) ePD applies to every entity that would store and gain access to information already stored in the terminal equipment whatever the means of access to the terminal equipment is, and whether connected or disconnected from a network. | 15. 第3条 ePDでは、ePDを適用するには、公衆通信網における公衆利用可能な電子通信サービスの提供に関連してパーソナルデータの処理を行わなければならないと規定している。 これは、端末がそのようなサービスに関連して使用可能であるべきであり、端末機器として適格であるためには、公衆通信網のインターフェースに接続されているか、接続可能であるべきであることを意味する[9]。欧州議会・理事会は、2009年に第5条(3)ePDの条文に[10]加えられた改正により、端末機器に情報を保存したり、端末機器に保存された情報にアクセスしたりする手段としての「電子通信ネットワークの利用」に関する言及が削除され、端末機器の防御が拡大されたことを指摘している。したがって、接続の対象となるネットワーク・インターフェースを有する機器(たとえ接続されていない場合でも)については、第5条(3) ePDが適用され、端末機器にすでに保存されている情報へのアクセスや保存を行うすべての事業体に対して、端末機器へのアクセス手段や、ネットワークへの接続・切断の有無に関わらず、適用される。 |
16. Equipment that are part of the public electronic communications network itself would not be considered terminal equipment under Article 5(3) ePD[11]. | 16. 公衆電子通信網の一部である機器は、第5条3項ePDの端末機器とはみなされない[11]。 |
17. A terminal equipment may be comprised of any number of individual pieces of hardware, which together form the terminal equipment. This may or may not take the form of a physically enclosed device hosting all the display, processing, storage and peripheral hardware (for example, smartphones, laptops, network-attached storage device, connected cars or connected TVs, smart glasses). | 17. 端末機器は、一体となって端末機器を構成する個々のハードウェアの任意の数で構成することができる。これは、すべての表示、処理、保存、周辺ハードウェアをホストする物理的に囲まれたデバイスの形態を取る場合も取らない場合もある(例えば、スマートフォン、ラップトップ、ネットワーク接続ストレージデバイス、コネクテッドカーまたはコネクテッドTV、スマートグラス)。 |
18. The ePD acknowledges that the protection of the confidentiality of the information stored on a user’s terminal equipment and integrity of the user’s terminal equipment is not limited to the protection of the private sphere of natural persons but also concerns the right to respect for their correspondence or the legitimate interests of legal persons[12]. As such, a terminal equipment that allows for this correspondence and the legitimate interests of the legal persons to be carried out is protected under Article 5(3) ePD. | 18. ePDは、ユーザーの端末機器に保存された情報の機密性およびユーザーの端末機器の完全性の防御が、自然人の私的領域の防御に限定されるものではなく、通信の秘密または法人[12]の正当な利益の尊重の権利にも関わるものであることを認めている。したがって、この通信および法人の正当な利益を可能にする端末機器は、ePD第5条3項により防御される。 |
19. The user or subscriber may own or rent or otherwise be provided with the terminal equipment. Multiple users or subscribers may share the same terminal equipment. | 19. ユーザーまたは加入者は、端末機器を所有、レンタル、またはその他の方法でプロバイダから提供を受けることができる。複数のユーザーまたは加入者が同一の端末機器を共有することも可能である。 |
20. This protection is guaranteed by the ePD to the terminal equipment associated to the user or subscriber, and it is not dependent on whether the user set up the means of access (for example if they initiated the electronic communication) or even on whether the user is aware of the said means of access. | 20. この防御は、ePDにより、ユーザーまたは契約者に結び付けられた端末設備に対して保証されるものであり、ユーザーがアクセス手段を設定したかどうか(例えば、電子通信を開始したかどうか)、あるいはユーザーが当該アクセス手段を認識しているかどうかにかかわらず適用される。 |
2.4 Notion of ‘public communications network’ – Criterion B.2 | 2.4 「公衆通信網」の概念 - 判断基準B.2 |
21. As the situation regulated by the ePD is the one related to ‘the provision of publicly available electronic communications services in public communications networks in the Community’[13], and the definition of a terminal equipment specifically mentions the notion of a ‘public communications network’, it is crucial to clarify this notion to identify the context in which Article 5(3) ePD applies. | 21. ePDが規定する状況は、「欧州共同体における公衆通信網における公衆利用可能な電子通信サービスの提供」に関するものである[13]。また、端末機器の定義には「公衆通信網」という概念が明確に示されているため、第5条(3)項のePDが適用される状況を識別するには、この概念を明確にすることが不可欠である。 |
22. The notion of electronic communications network is not defined within the ePD itself. That concept was referred to originally in Directive 2002/21/EC (the Framework Directive) on a common regulatory framework for electronic communications networks and services[14], subsequently replaced by Article 2(1) of Directive 2018/1972 (the European Electronic Communications Code). It now reads: | 22. 電子通信ネットワークの概念は、ePD自体では定義されていない。この概念は、当初は電子通信ネットワークおよびサービスに関する共通規制枠組みに関する指令2002/21/EC(枠組み指令)で言及されていたが[14]、その後、指令2018/1972(欧州電子通信コード)の第2条(1)に置き換えられた。現在の条文は以下の通りである。 |
“electronic communications network” means transmission systems, whether or not based on a permanent infrastructure or centralised administration capacity, and, where applicable, switching or routing equipment and other resources, including network elements which are not active, which permit the conveyance of signals by wire, radio, optical or other electromagnetic means, including satellite networks, fixed (circuit- and packet-switched, including internet) and mobile networks, electricity cable systems, to the extent that they are used for the purpose of transmitting signals, networks used for radio and television broadcasting, and cable television networks, irrespective of the type of information conveyed.[15] | 「電子通信ネットワーク」とは、恒久的なインフラまたは集中管理機能に基づくかどうかに関わらず、伝送システムを意味し、該当する場合は、交換またはルーティング機器、および、衛星ネットワーク、固定(回線交換およびパケット交換、インターネットを含む)および移動体通信ネットワーク、電力ケーブルシステムなど、有線、無線、光、またはその他の電磁的手段による信号伝送を可能にする、非アクティブなネットワーク要素を含むその他のリソースを意味する 信号伝送の目的で使用される範囲において、有線ネットワーク、固定(回線交換およびパケット交換、インターネットを含む)および移動ネットワーク、電力ケーブルシステム、ラジオおよびテレビ放送に使用されるネットワーク、ケーブルテレビネットワーク(伝達される情報の種類に関係なく)が含まれる。[15] |
23. This definition is neutral with respect to the transmission technologies. An electronic communications network, according to this definition, is any network system that allows transmission of electronic signals between its nodes, regardless of the equipment and protocols used. | 23. この定義は、伝送技術に関しては中立である。この定義によれば、電子通信網とは、使用される機器やプロトコルに関わらず、ノード間の電子信号の伝送を可能にするあらゆるネットワークシステムである。 |
24. The notion of electronic communications network under Directive 2018/1972 does not depend on the public or private nature of the infrastructure, nor on the way the network is deployed or managed (‘whether or not based on a permanent infrastructure or centralised administration capacity’[16]). As a result, the definition of electronic communications network, under Article 2 of Directive 2018/1972, is broad enough to cover any type of infrastructure. It includes networks managed or not by an operator, networks co-managed by a group of operators, or even ad-hoc networks in which a terminal equipment may dynamically join or leave a mesh of other terminal equipment using short range transmission protocols. | 24. 指令 2018/1972 の電子通信網の概念は、インフラの公衆性または私設性、あるいはネットワークの展開または管理方法(「恒久的なインフラまたは集中管理能力に基づくかどうか」[16])に依存しない。その結果、指令2018/1972第2条に基づく電子通信ネットワークの定義は、あらゆる種類のインフラをカバーするのに十分なほど広範である。この定義には、事業者によって管理されているか否かに関わらず、事業者グループによって共同管理されているネットワーク、あるいは、近距離伝送プロトコルを使用して他の端末機器のネットワークに動的に参加または離脱する端末機器が存在する臨時のネットワークも含まれる。 |
25. This definition of network does not give any limitation with regards to the number of terminal equipment present in the network at any time. Some networking schemes rely on nodes relaying information in an ad-hoc manner to nodes presently connected[17] and can at some point in time have as little as two peers communicating. Such cases would be within the general scope of the ePD directive, as long as the network protocol allows for further inclusion of peers. | 25. このネットワークの定義は、ネットワークに存在する端末装置の数について、いかなる制限も設けていない。一部のネットワーク構成では、現在接続されているノードに情報をアドホックに中継するノードに依存しており[17]、ある時点では、わずか2つのピアがコミュニケーションを行う場合もある。このようなケースは、ネットワークプロトコルがピアの追加を許可している限り、ePD指令の一般的な範囲内である。 |
26. The public availability of the communication network is necessary for the device to be considered a terminal equipment and in consequence for the applicability of Article 5(3) ePD. It should be noted that the fact that the network is made available to a limited subset of the public (for example, subscribers, whether paying or not, subject to eligibility conditions) does not make such a network private[18]. | 26. コミュニケーションネットワークが一般に利用可能であることは、端末機器と見なされるために必要であり、結果としてePD第5条(3)の適用可能性にも必要である。ネットワークが一般の一部のサブセット(例えば、支払い有無に関わらず、適格条件を満たす加入者)にのみ利用可能であるという事実が、そのネットワークをプライベートなものにするわけではないことに留意すべきである[18]。 |
2.5 Notion of ‘gaining access’ – Criterion C.1 | 2.5 「アクセス」の概念 - 判断基準 C.1 |
27. To correctly frame the notion of ‘gaining access’, it is important to consider the scope of the ePD, stated in its Article 1: ‘to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy, with respect to the processing of personal data in the electronic communication sector and to ensure the free movement of such data and of electronic communication equipment and services in the Community’. | 27. 「アクセス」の概念を正しく理解するには、ePDの適用範囲を考慮することが重要である。ePDは、その第1条で次のように規定している。「電子通信分野におけるパーソナルデータの処理に関して、基本的な権利および自由、特にプライバシーの権利を同等のレベルで保護し、欧州共同体におけるデータおよび電子通信機器・サービスの自由な移動を確保する」。 |
28. In a nutshell, the ePD is a privacy preserving legal instrument aiming to protect the confidentiality of communications and the integrity of devices. In Recital 24 ePD, it is clarified that, in the case of natural persons, the user’s terminal equipment is part of their private sphere and that accessing information stored on it without their knowledge may seriously intrude upon their privacy. | 28. 簡単に言えば、ePDは、コミュニケーションの機密性とデバイスの完全性を保護することを目的としたプライバシー保護の法的手段である。ePDの序文24では、自然人(自然人とは、個人を意味する)の場合、ユーザーの端末機器は個人の領域の一部であり、ユーザーの認識なしにその機器に保存された情報にアクセスすることは、プライバシーを著しく侵害する可能性があることが明確にされている。 |
29. Legal persons are also safeguarded by the ePD[19]. In consequence, the notion of ‘gaining access’ under Article 5(3) ePD, has to be interpreted in a way that safeguards those rights against violation by third parties. | 29. 法人もePDによって保護されている[19]。したがって、ePD第5条(3)項の「アクセス」の概念は、サードパーティによる侵害からこれらの権利を保護する形で解釈されなければならない。 |
30. Storing information or gaining access can be independent operations, and performed by independent entities. Storing of information and access to information already stored do not need to be both present for Article 5(3) ePD to apply. | 30. 情報の保存またはアクセスは、それぞれ独立した操作であり、独立した事業体によって実行される可能性がある。情報の保存と、すでに保存されている情報へのアクセスは、第5条(3)ePDの適用にあたり、両方が存在する必要はない。 |
31. As noted in the WP29 Opinion 9/2014: ‘Use of the words “stored or accessed” indicates that the storage and access do not need to occur within the same communication and do not need to be performed by the same party. Information that is stored by one party (including information stored by the user or device manufacturer) which is later accessed by another party is therefore within the scope of Art. 5(3)’[20]. Consequently, there are no restrictions placed on the origin of information on the terminal equipment for the notion of access to apply. | 31. 2014年9月WP29意見書9に記載されているように、「保存またはアクセス」という文言は、保存とアクセスが同じコミュニケーション内で発生する必要はなく、同じ当事者によって実行される必要もないことを示している。ある当事者(ユーザーまたは機器製造事業者によって保存された情報を含む)によって保存され、その後別の当事者によってアクセスされる情報は、したがって第5条(3)項の適用範囲内にある[20]。したがって、アクセスという概念を適用するにあたり、端末機器上の情報の発信元に制限は課されない。 |
32. Whenever an entity takes steps towards gaining access to information stored in the terminal equipment, Article 5(3) ePD would apply. Usually this entails the accessing entity to proactively send specific instructions to the terminal equipment in order to receive back the targeted information. For example, this is the case for cookies, where the accessing entity instructs the terminal equipment to proactively send information on each subsequent Hypertext Transfer Protocol (‘HTTP’) call. | 32. 事業体が端末機器に保存された情報へのアクセスを試みる場合、第5条(3)項ePDが適用される。通常、アクセスを行う事業体は、対象となる情報を受け取るために、端末機器に特定の指示を積極的に送信する必要がある。例えば、クッキーの場合、アクセスを行う事業体が端末機器に、その後の各ハイパーテキスト転送プロトコル(「HTTP」)呼び出しに関する情報を積極的に送信するよう指示する。 |
33. That is equally the case when the accessing entity distributes software on the terminal equipment of the user that is stored and will then proactively call an Application Programming Interface (‘API’) endpoint over the network. Additional examples would include JavaScript code, where the accessing entity instructs the browser of the user to send asynchronous requests with the targeted information. Such access clearly falls within the scope of Article 5(3) ePD, as the accessing entity explicitly instructs the terminal equipment to send the information. | 33. アクセス事業体が、ユーザーの端末機器にソフトウェアを配布し、それを保存して、その後、ネットワーク上でアプリケーション・プログラミング・インターフェース(「API」)のエンドポイントを能動的に呼び出す場合も同様である。その他の例としては、アクセス事業体がユーザーのブラウザに指示して、対象情報を含む非同期リクエストを送信するJavaScriptコードがある。このようなアクセスは、アクセスを行う事業体が端末機器に明示的に指示して情報を送信させるものであるため、ePD第5条(3)項の適用範囲に明確に該当する。 |
34. In some cases, the entity instructing the terminal equipment to send back the targeted data and the entity receiving information might not be the same. This may result from the provision and/or use of a common mechanism between the two entities. Instructing the device to send already stored information (for example, through the use of a protocol, or an SDK[21] that imply the proactive sending of information by the terminal equipment) makes an intrusion into the terminal equipment possible, therefore such an access triggers the applicability of Article 5(3) ePD. As noted in WP29 Opinion 09/2014, this can be the case when a website instructs the terminal equipment to send information to third-party advertising services through the inclusion of a tracking pixel[22]. This use-case is further developed in section 3.1. | 34. 場合によっては、対象データを送り返すよう端末機器に指示する事業体と情報を受信する事業体が同一ではない場合がある。これは、両事業体が共通の仕組みを提供および/または使用していることが原因である可能性がある。端末機器にすでに保存されている情報を送信するよう端末機器に指示すること(例えば、プロトコルや、端末機器による積極的な情報送信を暗示するSDK[21]の使用による)は、端末機器への侵入を可能にするため、このようなアクセスは第5条(3)項ePDの適用性を引き起こす。WP29意見書09/2014で指摘されているように、ウェブサイトがトラッキングピクセルを組み込むことで端末機器にサードパーティの広告サービスに情報を送信するよう指示する場合、これが該当する可能性がある[22]。このユースケースについては、セクション3.1でさらに詳しく説明する。 |
2.6 Notions of ‘storage of information’ and ‘stored information’ – Criterion C.2 | 2.6 情報の保存および保存された情報に関する概念 - 判断基準 C.2 |
35. Storage of information in the sense of Article 5(3) ePD refers to placing information on a physical electronic storage medium that is part of a user or subscriber’s terminal equipment[23]. | 35. 第 5 条(3)の意味における情報の保存とは、ユーザーまたは契約者の端末機器の一部である物理的な電子保存媒体に情報を置くことを指す[23]。 |
36. Typically, information is not stored in the terminal equipment of a user or subscriber through direct access to the memory of the device by another party, but rather by instructing software on the terminal equipment to generate specific information. Storage taking place through such instructions is considered to be initiated directly by the other party. This includes making use of established protocols such as browser cookie storage as well as customized software, regardless of who created or installed the protocols or software on the terminal equipment. | 36. 一般的に、他の当事者がユーザーまたは加入者の端末機器のメモリに直接アクセスして情報を保存するのではなく、端末機器上のソフトウェアに特定の情報を生成するよう指示することで情報が保存される。このような指示によって行われる保存は、他の当事者によって直接開始されたものと見なされる。これには、ブラウザのクッキー保存などの確立されたプロトコルやカスタマイズされたソフトウェアの利用が含まれるが、端末機器にプロトコルやソフトウェアを作成またはインストールした者が誰であるかは問わない。 |
37. The ePD does not place any upper or lower limit on the length of time that information must persist on a storage medium to be counted as stored, nor is there an upper or lower limit on the amount of information to be stored. | 37. ePDは、保存されたとみなされるために情報が記憶媒体上に保持されなければならない時間について、上限または下限を定めていない。また、保存されるべき情報量についても上限または下限を定めていない。 |
38. Similarly, the notion of storage does not depend on the type of medium on which the information is stored. Typical examples would include hard disc drives (‘HDD’), solid state drives (‘SSD’), electrically-erasable programmable read-only memory (‘EEPROM’) and random-access memory (‘RAM’), but less typical scenarios involving a medium such as magnetic tape or central processing unit (‘CPU’) cache are not excluded from the scope of application. The storage medium may be connected internally (e.g. through a SATA connection), externally (e.g. through a USB connection) | 38. 同様に、保存という概念は、情報が保存される媒体の種類に依存しない。 典型的な例としては、ハードディスクドライブ(「HDD」)、ソリッドステートドライブ(「SSD」)、電気的消去・プログラム可能読取り専用メモリ(「EEPROM」)、およびランダムアクセスメモリ(「RAM」)が含まれるが、磁気テープや中央処理装置(「CPU」)キャッシュなどの媒体を含む、あまり一般的ではないシナリオも適用範囲から除外されるものではない。記憶媒体は、内部(例えばSATA接続)または外部(例えばUSB接続)で接続することができる。 |
39. ‘Stored information’ refers to information already existing on the terminal equipment, regardless of the source or nature of this information. This includes any result from information storage in the sense of Article 5(3) ePD as described above (either by the same party that would later gain access or by another third party). It furthermore includes results of information storage processes beyond the scope of Article 5(3) ePD, such as: storage on the terminal equipment by the user or subscriber themselves, or by a hardware manufacturer (such as the MAC addresses of network interface controllers), sensors integrated into the terminal equipment or processes and programs executed on the terminal equipment, which may or may not produce information that is dependent on or derived from stored information. | 39. 「保存された情報」とは、情報の出所や性質に関わらず、すでに端末機器上に存在する情報を指す。これには、前述の第5条(3)項ePDの規定に基づく情報保存の結果(後にアクセスする当事者自身によるものか、または別のサードパーティによるものかに関わらず)が含まれる。さらに、第5条(3)項ePDの範囲を超える情報保存処理の結果も含まれる。例えば、ユーザーまたは契約者自身による端末機器への保存、またはハードウェア製造事業者による保存(ネットワーク・インターフェース・コントローラのMACアドレスなど)、端末機器に組み込まれたセンサー、または端末機器上で実行されるプロセスやプログラムなどである。これらは、保存された情報に依存する、または保存された情報から派生する情報を生成する場合もあれば、生成しない場合もある。 |
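The cookie mechanics described in paragraphs 32, 34 and 36, as an added illustration that is not part of the Guidelines or of the original post: a small audit helper that labels recorded HTTP exchanges as storage, gaining access, or access where the instructing and receiving entities differ. The `Exchange` record, the function names and the sample traffic are constructed for this example; the same-site check is a last-two-labels simplification, and the output does not assess consent or exemptions.

```python
"""Added illustration: label HTTP exchanges with the Article 5(3) ePD
operations they evidence. Not an EDPB methodology."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

STORAGE = "storage of information"    # para. 36: browser cookie storage
ACCESS = "gaining access"             # para. 32: cookie sent on later HTTP calls
MEDIATED = "instructing entity differs from receiving entity"  # para. 34


@dataclass
class Exchange:
    """One request/response pair seen while a page was open (constructed model)."""
    page_url: str                      # page the user was visiting
    request_url: str                   # resource the browser was told to fetch
    request_headers: dict = field(default_factory=dict)
    response_headers: dict = field(default_factory=dict)


def site_of(url):
    """Approximate the 'site' as the last two host labels (assumption:
    a real audit would use the Public Suffix List)."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def header(headers, name):
    """Case-insensitive header lookup; returns a list of values."""
    for key, value in headers.items():
        if key.lower() == name:
            return value if isinstance(value, list) else [value]
    return []


def classify(ex):
    """Return (operation, receiving site, detail) tuples for one exchange."""
    findings = []
    receiver = site_of(ex.request_url)
    # Set-Cookie instructs the browser to place information on the device.
    for value in header(ex.response_headers, "set-cookie"):
        name = value.split(";", 1)[0].split("=", 1)[0].strip()
        findings.append((STORAGE, receiver, name))
    # A Cookie request header is stored information sent back to the server.
    for value in header(ex.request_headers, "cookie"):
        names = [p.split("=", 1)[0].strip() for p in value.split(";") if p.strip()]
        findings.append((ACCESS, receiver, ",".join(names)))
        page_site = site_of(ex.page_url)
        if receiver != page_site:
            # The page caused the request, another entity receives the data.
            findings.append((MEDIATED, receiver, f"instructed by page on {page_site}"))
    return findings


def summarize(exchanges):
    """Map each receiving site to the sorted set of operations observed."""
    result = {}
    for ex in exchanges:
        for operation, receiver, _ in classify(ex):
            result.setdefault(receiver, set()).add(operation)
    return {site: sorted(ops) for site, ops in result.items()}


# Constructed sample traffic (not captured from any real site).
PAGE = "https://www.shop.example/"
SAMPLE = [
    Exchange(PAGE, "https://www.shop.example/",
             response_headers={"Set-Cookie": "sid=abc123; Path=/; Secure"}),
    Exchange(PAGE, "https://www.shop.example/cart",
             request_headers={"Cookie": "sid=abc123"}),
    Exchange(PAGE, "https://px.ads.example/p.gif",        # tracking pixel
             request_headers={"cookie": "tp=xyz789"}),
    Exchange(PAGE, "https://cdn.static.example/app.js"),   # no cookies at all
]

if __name__ == "__main__":
    for ex in SAMPLE:
        print(ex.request_url, classify(ex))
    print(summarize(SAMPLE))
```
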
3 USE CASES | 3 利用例 |
40. As pointed out in the introduction of these guidelines[24], they do not analyse the application of the exemptions to the obligation to collect consent provided by Article 5(3) ePD. The EDPB reminds that for all of the cases where there is a storage of information or a gaining of access to information already stored, it would have to be assessed if a consent is needed or whether an exemption under Article 5(3) ePD could apply. The reader should therefore consider the exemptions in their use case, in conjunction with this technical analysis. | 40. これらのガイドラインの序文で指摘されているように[24]、第5条(3)項ePDで規定されている同意取得義務に対する適用除外の適用については分析されていない。EDPBは、情報の保存またはすでに保存されている情報へのアクセスがあるすべてのケースについて、同意が必要かどうか、または第5条(3)項ePDに基づく適用除外が適用できるかどうかをアセスメントする必要があることを改めて指摘する。したがって、読者は、この技術分析と併せて、自らのユースケースにおける適用除外を考慮すべきである。 |
41. Without prejudice of the specific context in which those technical categories can be used which are necessary to qualify whether Article 5(3) ePD is applicable, it is possible to identify, in a non-exhaustive manner, broad categories of identifiers and information that are widely used and can be subject to the applicability of Article 5(3) ePD. | 41. 第5条(3)項ePDの適用可能性を判断するために必要な技術カテゴリーが使用される特定の状況を損なうことなく、広く使用され、第5条(3)項ePDの適用可能性の対象となり得る識別子および情報の幅広いカテゴリーを網羅的ではない方法で識別することが可能である。 |
42. Network communication usually relies on a layered model that necessitates the use of identifiers to allow for a proper establishment and carrying out of the communication. The communication of those identifiers to remote actors is instructed through software following agreed upon communication protocols. As outlined above, the fact that the receiving entity might not be the entity instructing the sending of information does not preclude the application of Article 5(3) ePD. This might concern routing identifiers such as the MAC or IP address of the terminal equipment, but also session identifiers (SSRC, Websocket identifier), or authentication tokens. | 42. ネットワーク通信は通常、適切なコミュニケーションの確立と遂行を可能にするために識別子の使用を必要とする階層モデルに依存している。 遠隔のアクターへのこれらの識別子の通信は、合意された通信プロトコルに従ってソフトウェアを通じて指示される。上述の通り、情報の送信を指示する事業体と受信事業体が異なる場合でも、ePD第5条(3)項の適用を妨げるものではない。これは、端末装置のMACアドレスやIPアドレスなどのルーティング識別子、セッション識別子(SSRC、WebSocket識別子)、または認証トークンに関するものである可能性がある。 |
43. In the same manner, the application protocol can include several mechanisms to provide context data (such as HTTP header including ‘accept’ field or user agent), caching mechanism (such as ETag[25]) or other functionalities (cookies being one of them, or HSTS[26]). Once again, relying on those mechanisms to collect information (for example in the context of fingerprinting[27] or the tracking of resource identifiers) can lead to the application of Article 5(3) ePD. | 43. 同様に、アプリケーションプロトコルは、コンテキストデータ(「accept」フィールドやユーザーエージェントを含むHTTPヘッダーなど)を提供する複数のメカニズム、キャッシュメカニズム(ETag[25]など)、またはその他の機能(クッキーやHSTS[26]など)を含めることができる。繰り返しになるが、これらのメカニズムに依存して情報を収集する(例えばフィンガープリンティング[27]やリソース識別子の追跡など)と、ePD第5条(3)項の適用につながる可能性がある。 |
44. On the other hand, there are some contexts in which local applications installed in the terminal equipment use some information strictly inside the terminal, as it might be the case for smartphone system APIs (access to camera, microphone, GPS sensor, accelerator chip, radio chip, local file access, contact list, identifiers access, etc.). This might also be the case for web browsers that process information stored or generated inside the device (such as cookies, local storage, WebSQL, or even information provided by the users themselves). The use of such information by an application would not constitute a ‘gaining of access to information already stored’ in the meaning of Article 5(3) ePD as long as the information does not leave the device, but when this information or any derivation of this information is accessed, Article 5(3) ePD would apply. | 44. 一方、端末機器にインストールされたローカルアプリケーションが、スマートフォンのシステムAPI(カメラ、マイク、GPSセンサー、加速度チップ、無線チップ、ローカルファイルアクセス、連絡先リスト、識別子へのアクセスなど)の場合のように、端末内部の情報を厳密に使用する状況もある。また、デバイス内に保存された情報やデバイス内で生成された情報(クッキー、ローカルストレージ、WebSQL、あるいはユーザー自身が提供した情報など)を処理するウェブブラウザにも当てはまる可能性がある。アプリケーションによるこのような情報の利用は、その情報が端末から送信されない限り、ePD第5条(3)項の「すでに保存されている情報へのアクセス」には該当しないが、この情報またはこの情報の派生物にアクセスされた場合は、ePD第5条(3)項が適用される。 |
45. Finally, in some cases malicious software elements are distributed by actors, for example crypto mining software or more generally malware, exploiting the processing abilities of the terminal equipment for the benefit of the distributing actor. The distribution of said malicious software in user’s terminal equipment would constitute a ‘storage’ in the meaning of Article 5(3) ePD. In addition, should the software establish a network connection to send information at a later stage, it would constitute a ‘gaining of access’ in the meaning of Article 5(3) ePD. | 45. 最後に、場合によっては、悪意のあるソフトウェア要素が、例えば暗号マイニングソフトウェアやより一般的なマルウェアなど、端末機器の処理能力を悪用して、配布者の利益のために配布されることがある。ユーザーの端末機器における当該悪意のあるソフトウェアの配布は、ePD第5条(3)項の「保存」に該当する。さらに、当該ソフトウェアが後日情報を送信するためにネットワーク接続を確立する場合には、ePD第5条(3)項にいう「アクセス権の取得」に該当する。 |
46. For a subset of these categories that present a specific interest, either because of their widespread usage or because a specific study is warranted with regards to the circumstances of their use, a specific analysis is provided below. | 46. これらのカテゴリーのうち、その広範な使用状況から、またはその使用状況に関して特定の調査が必要であることから、特に興味深いと思われるカテゴリーについては、以下に具体的な分析を行う。 |
3.1 URL and pixel tracking | 3.1 URLおよびピクセルトラッキング |
47. A tracking pixel is a hyperlink to a resource, usually an image file, embedded into a piece of content like a website or an email. This pixel usually fulfils no purpose related to the requested content itself; its sole purpose is to automatically establish a communication by the client to the host of the pixel, which would otherwise not have occurred. This is however not systematic and tracking pixels can also be created by adding additional information to hyperlink loading images that are relevant to the content displayed to the user. Establishment of the communication transmits various information to the host of the pixel, depending on the specific use case. | 47. トラッキングピクセルとは、通常は画像ファイルであるリソースへのハイパーリンクを、ウェブサイトや電子メールなどのコンテンツの一部に埋め込むことである。このピクセルは通常、要求されたコンテンツ自体に関連する目的を果たすことはなく、唯一の目的は、クライアントからピクセルのホストへの自動的なコミュニケーションを確立することであり、そうしなければコミュニケーションは発生しない。ただし、これは必ずしもシステム化されているわけではなく、ユーザーに表示されるコンテンツに関連するハイパーリンク読み込み画像に追加情報を加えることによってトラッキングピクセルを作成することも可能である。コミュニケーションが確立されると、特定の使用事例に応じて、さまざまな情報がピクセルのホストに送信される。 |
48. In the case of an email, the sender may include a tracking pixel to detect when the receiver reads the email. Tracking pixels on websites may link to an entity collecting many such requests and thus being able to track users’ behaviour. Such tracking pixels may also contain additional identifiers, metadata or content as part of the link. These data points may be added by the owner of the website, possibly related to the user’s activity on that website so that analytical usage reports can be generated. They may also be dynamically generated through client-side applicative logic supplied by the entity. | 48. 電子メールの場合、送信者は受信者が電子メールを読んだことを検知するためのトラッキングピクセルを含めることができる。ウェブサイト上のトラッキングピクセルは、多くのそのようなリクエストを収集し、それによってユーザーの行動を追跡できる事業体とリンクしている可能性がある。そのようなトラッキングピクセルは、リンクの一部として、追加の識別子、メタデータ、またはコンテンツを含む可能性もある。これらのデータポイントは、分析利用レポートを生成できるように、ウェブサイトの所有者が追加したものであり、そのウェブサイト上でのユーザーの活動に関連している可能性がある。また、それらは事業体が提供するクライアント側の応用ロジックを通じて動的に生成される可能性もある。 |
49. Tracking links can function in the same way, but the identifier is appended to the website address. When the Uniform Resource Locator (‘URL’) is visited by the user, the targeted website loads the requested resource but also collects an identifier which is not relevant in terms of resource identification. They are very commonly used by eCommerce websites to identify the origin of their inbound source of traffic. For example, such websites can provide tracked links to partners to use on their domain so that the e-commerce website knows which of their partners is responsible for a sale and pay a commission, a practice known as affiliate marketing. | 49. トラッキングリンクも同様に機能するが、識別子はウェブサイトアドレスに追加される。ユーザーが統一資源位置指定子(Uniform Resource Locator、以下「URL」)を訪問すると、対象のウェブサイトは要求されたリソースを読み込むが、リソース識別の観点では関連性のない識別子も収集する。これらは、Eコマースウェブサイトが流入元のトラフィックの発生源を識別するために非常に一般的に使用されている。例えば、そのようなウェブサイトは、パートナーのドメインで使用するための追跡リンクを提供することができ、それによって、eコマースウェブサイトは、どのパートナーが販売に貢献したかを把握し、コミッションを支払うことができる。これは、アフィリエイトマーケティングとして知られている。 |
50. Both tracking links and tracking pixels can be distributed through a wide variety of channels, for example through emails, websites, or even, in the case of tracking links, through any kind of text messaging systems. That distribution to the user’s terminal equipment does constitute storage, at the very least through the caching mechanism of the client-side software. As such, Article 5(3) ePD is applicable, even if this storage is not permanent. | 50. トラッキングリンクおよびトラッキングピクセルは、電子メール、ウェブサイト、さらにはトラッキングリンクの場合にはあらゆる種類のテキストメッセージシステムを通じてなど、多種多様なチャンネルを通じて配信することができる。ユーザーの端末機器への配信は、少なくともクライアントサイドソフトウェアのキャッシュメカニズムを通じて、保存に該当する。そのため、この保存が恒久的でない場合でも、ePD第5条(3)項が適用される。 |
51. The addition of tracking information to URLs or images (pixels) sent to the user constitutes an instruction to the terminal equipment to send back the targeted information (the specified identifier). In the case of dynamically constructed tracking pixels, it is the distribution of the applicative logic (usually a JavaScript code) that constitutes the instruction. As a consequence, it can be considered that the collection of identifiers provided through such tracking mechanisms constitutes a ‘gaining of access’ in the meaning of Article 5(3) ePD, thus it applies to that step as well. | 51. ユーザーに送信されるURLまたは画像(ピクセル)に追跡情報を追加することは、対象情報(特定の識別子)を送り返すよう端末機器に指示することに相当する。動的に構築された追跡ピクセルの場合、指示に相当するのは応用論理(通常はJavaScriptコード)の配布である。したがって、このようなトラッキングメカニズムを通じて提供される識別子の収集は、ePD第5条(3)項の「アクセス権の取得」に該当すると考えられ、したがって、このステップにも適用される。 |
3.2 Local processing | 3.2 ローカル処理 |
52. Some technologies rely on local processing instructed by software distributed on users’ terminal equipment, where the information produced by the local processing is then made available to selected actors through client-side API. This may for example be the case for an API provided by the web browser, where locally generated results may be accessed remotely. | 52. いくつかの技術は、ユーザーの端末機器に配布されたソフトウェアが指示するローカル処理に依存しており、ローカル処理によって生成された情報は、クライアントサイドAPIを通じて、選択された関係者に提供される。これは、例えば、ローカルで生成された結果がリモートでアクセスされる可能性があるウェブブラウザが提供するAPIの場合に該当する可能性がある。 |
53. If at any point and for example in the client-side code, the processed information is made available to a third-party, for example sent back over the network to a server, such an operation (instructed by the entity producing the client-side code distributed on the user terminal equipment) would constitute a ‘gaining of access to information already stored’. The fact that this information is being produced locally does not preclude the application of Article 5(3) ePD. | 53. いかなる時点においても、例えばクライアント側コードにおいて、処理された情報がサードパーティに利用可能となった場合、例えばネットワークを通じてサーバーに送り返された場合、そのような操作(ユーザー端末機器に配布されたクライアント側コードを生成する事業体によって指示された)は、「すでに保存されている情報へのアクセス」に該当する。この情報がローカルで生成されているという事実は、ePD第5条(3)項の適用を妨げるものではない。 |
3.3 Tracking based on IP only | 3.3 IPのみに基づく追跡 |
54. Some providers are developing solutions that only rely on the collection of one component, namely the IP address, in order to track the navigation[28] of the user, in some case across multiple domains. In that context Article 5(3) ePD could apply even though the instruction to make the IP available has been made by a different entity than the receiving one. | 54. プロバイダの中には、ユーザーのナビゲーション(場合によっては複数のドメインにわたる)を追跡するために、IPアドレスという1つのコンポーネントの収集のみに依存するソリューションを開発しているところもある[28]。その場合、IPアドレスを入手するよう指示した事業体が、情報を受け取る事業体とは異なる場合でも、ePD第5条(3)項が適用される可能性がある。 |
55. However, gaining access to IP addresses would only trigger the application of Article 5(3) ePD in cases where this information originates from the terminal equipment of a subscriber or user. While it is not systematically the case (for example when CGNAT[29] is activated), the static outbound IPv4 originating from a user’s router would fall within that case, as well as IPv6 addresses since they are partly defined by the host. Unless the entity can ensure that the IP address does not originate from the terminal equipment of a user or subscriber, it has to take all the steps pursuant to the Article 5(3) ePD. | 55. しかし、IPアドレスへのアクセスは、この情報が加入者またはユーザーの端末装置から発信された場合のみ、第5条(3)項ePDの適用を誘発する。これは必ずしも常に起こるわけではないが(CGNAT[29]が有効になっている場合など)、ユーザーのルーターから発信される静的アウトバウンドIPv4アドレスは、そのケースに該当する。また、IPv6アドレスはホストによって部分的に定義されるため、このケースに該当する。事業体が、IPアドレスがユーザーまたは加入者の端末設備から発信されていないことを確実にできない限り、ePD第5条(3)に従ってすべての措置を講じなければならない。 |
56. While the present guidelines do not analyse the application of the exemptions to the obligation to collect consent provided by Article 5(3) ePD, it is important to once again recall that the applicability of this article does not systematically mean that consent needs to be collected. The EDPB thus reminds that in each case it would have to be assessed if a consent is needed or whether an exemption under Article 5(3) ePD could apply[30]. | 56. 本ガイドラインでは、ePD第5条(3)項で規定された同意の収集義務に対する適用除外の適用について分析していないが、この条項の適用可能性が必ずしも同意の収集を意味するわけではないことを改めて想起することが重要である。したがって、EDPBは、各事例において、同意が必要かどうか、またはePD第5条(3)項に基づく適用除外が適用できるかどうかをアセスメントする必要があることを改めて指摘する[30]。 |
3.4 Intermittent and mediated IoT reporting | 3.4 断続的かつ仲介されたIoTの報告 |
57. IoT (Internet of Things) devices produce information continuously over time, for example through sensors embedded in the device, which may or may not be locally pre-processed. In many cases, information is made available to a remote server, but the modalities of that collection can vary. | 57. IoT(モノのインターネット)デバイスは、例えばデバイスに組み込まれたセンサーを通じて、長期間にわたって継続的に情報を生成する。この場合、ローカルで事前処理が行われる場合も行われない場合もある。多くの場合、情報はリモートサーバーに提供されるが、その収集方法は様々である。 |
58. Some IoT devices have a direct connection to a public communication network with a cellular SIM card. Others may have an indirect connection to a public communication network, for example through the use of WIFI or the relay of information to another device through a point-to-point connection (for example, through Bluetooth). The other device can for example be a smartphone or a dedicated gateway which may or may not pre-process the information before sending it to the server. | 58. いくつかのIoTデバイスは、セルラーSIMカードを使用して、直接的に公衆通信ネットワークに接続する。他のIoTデバイスは、例えばWIFIを使用したり、他のデバイスに情報をポイント・ツー・ポイント接続(例えばBluetooth経由)で中継したりするなど、間接的に公衆通信ネットワークに接続する。他のデバイスは、例えばスマートフォンや専用ゲートウェイであり、サーバーに情報を送信する前に、情報を事前処理する場合もあれば、事前処理しない場合もある。 |
59. IoT devices might be instructed by the manufacturer to always stream the collected information, yet still locally cache the information first, for example until a connection is available. | 59. IoTデバイスは、製造事業者から収集した情報を常にストリーミングするように指示される場合があるが、接続が利用可能になるまで、例えば、情報を最初にローカルにキャッシュするように指示される場合もある。 |
60. In any case the IoT device, where it is connected (directly or indirectly) to a public communications network, would itself be considered a terminal equipment. The fact that the information is streamed or cached for intermittent reporting does not change the nature of that information. In both situations Article 5(3) ePD would apply as there is, through the instruction of code on the IoT device to send the dynamically stored data to the remote server, a ‘gaining of access’. | 60. いずれの場合も、IoTデバイスが(直接または間接的に)公衆通信ネットワークに接続されている場合、そのIoTデバイス自体が端末設備とみなされる。情報が断続的な報告のためにストリーミングまたはキャッシュされるという事実は、その情報の性質を変えるものではない。いずれの場合も、IoTデバイス上のコードの指示により動的に保存されたデータを遠隔サーバーに送信する「アクセス権の取得」があるため、第5条(3)のePDが適用される。 |
3.5 Unique Identifier | 3.5 固有識別子 |
61. A common tool used by companies is the notion of ‘unique identifiers’ or ‘persistent identifiers’. Such identifiers can be derived from persistent personal data (name and surname, email, phone number, etc.), that is hashed on the user’s device, collected and shared amongst several controllers to uniquely identify a person over different datasets (usage data collected through the use of website or application, customer relation management (CRM) data related to online or offline purchase or subscription, etc.). On websites, the persistent personal data is generally obtained in the context of authentication or the subscription to newsletters. | 61. 企業が使用する一般的なツールは、「固有識別子」または「永続的識別子」という概念である。このような識別子は、永続的な個人データ(氏名、メールアドレス、電話番号など)から派生させることができる。つまり、ユーザーのデバイス上でハッシュ化され、複数の管理者間で収集および共有され、異なるデータセット(ウェブサイトやアプリケーションの使用を通じて収集された利用データ、オンラインまたはオフラインでの購入または購読に関連する顧客関係管理(CRM)データなど)を通じて個人を一意に識別する。ウェブサイト上では、永続的な個人データは一般的に、認証またはニュースレターの購読の文脈で取得される。 |
62. As outlined before, the fact that information is being entered by the user would not preclude the application of Article 5(3) ePD with regards to storage, as this information is stored temporarily on the terminal equipment before being collected. | 62. 前述の通り、情報がユーザーによって入力されているという事実によって、収集される前に一時的に端末機器に保存されるため、保存に関する第5条(3)ePDの適用が妨げられることはない。 |
63. In the context of ‘unique identifier’ collection on websites or mobile applications, the entity collecting is instructing the browser (through the distribution of client-side code) to send that information. As such a ‘gaining of access’ is taking place and Article 5(3) ePD applies. | 63. ウェブサイトまたはモバイルアプリケーションにおける「固有識別子」の収集という文脈において、収集を行う事業体は、ブラウザに(クライアントサイドコードの配布を通じて)その情報を送信するよう指示している。したがって「アクセス権の取得」が行われ、ePD第5条(3)項が適用される。 |
[1] References to ‘Member States’ made throughout this document should be understood as references to ‘EEA Member States’. | [1] 本文書全体を通じて言及される「加盟国」は、「欧州経済領域(EEA)加盟国」を指すものと理解すべきである。 |
[2] ‘Terminal equipment of users of electronic communications networks and any information stored on such equipment are part of the private sphere of the users requiring protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms. So-called spyware, web bugs, hidden identifiers and other similar devices can enter the user's terminal without their knowledge in order to gain access to information, to store hidden information or to trace the activities of the user and may seriously intrude upon the privacy of these users. The use of such devices should be allowed only for legitimate purposes, with the knowledge of the users concerned.’ | [2] 「電気通信ネットワークのユーザーの端末機器および当該機器に保存されたあらゆる情報は、欧州人権条約および基本自由の保護に関する条約に基づき防御を必要とするユーザーの私的領域の一部である。いわゆるスパイウェア、ウェブバグ、隠された識別子、およびその他の類似した装置は、情報を入手したり、隠された情報を保存したり、ユーザーの活動を追跡したりするために、ユーザーの端末にユーザーの認識なしに侵入することがあり、ユーザーのプライバシーに深刻な侵害をもたらす可能性がある。このような装置の使用は、関係するユーザーの認識を得た上で、合法的な目的にのみ許可されるべきである。 |
[3] WP29 Opinion 9/2014, p. 11. | [3] WP29 意見書 9/2014、11ページ。 |
[4] As stated in Article 5(3) ePD: ‘This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.’ | [4] ePD 第5条(3)項に次のように記載されている。「これは、電子通信ネットワークを介したコミュニケーションの伝達を唯一の目的とした技術的な保存またはアクセス、または加入者またはユーザーから明示的に要求された情報社会サービスを提供するプロバイダにとって厳密に必要なアクセスを妨げるものではない。」 |
[5] WP29 Opinion 9/2014, p. 8. | [5] WP29意見書9/2014、8ページ。 |
[6] Judgement of the Court of Justice of 1 October 2019, Planet 49, Case C‑673/17, ECLI:EU:C:2019:801, paragraph 70. | [6] 2019年10月1日付欧州司法裁判所の判決、Planet 49、Case C‑673/17、ECLI:EU:C:2019:801、第70項。 |
[7] WP29 Opinion 9/2014, p. 8. | [7] WP29意見書9/2014、8ページ。 |
[8] Commission Directive 2008/63/EC of 20 June 2008 on competition in the markets in telecommunications terminal equipment (Codified version), Article 1(1). | [8] 電気通信端末機器の市場における競争に関する2008年6月20日付欧州委員会指令2008/63/EC(法典化版)、第1条(1)。 |
[9] That is, having the technical capabilities to be connected to the network even if that connection is not currently in place. | [9] すなわち、現在接続されていない場合でも、ネットワークに接続できる技術的能力を有すること。 |
[10] Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws (Text with EEA relevance), OJ L 337, 18.12.2009, Article 2(5) and Recital 65. | [10] 2009年11月25日付欧州議会および理事会の指令2009/136/EC(電子通信ネットワークおよびサービスに関するユニバーサルサービスおよびユーザーの権利に関する指令2002/22/ECの改正)、電子通信分野におけるパーソナルデータの処理および 電子通信分野における個人データの処理およびプライバシー防御に関する指令 2002/58/EC、および消費者保護法の施行を担当する各国当局間の協力に関する規則(EC)No 2006/2004(EEA 関連条項)、OJ L 337、2009年12月18日、第2条(5)および第65項。 |
[11] To identify the limits of the network in different contexts, refer to the BEREC Guidelines on Common Approaches to the Identification of the Network Termination Point in different Network Topologies (BoR (20) 46) | [11] さまざまな状況におけるネットワークの限界を識別するには、さまざまなネットワークトポロジーにおけるネットワーク終端点の識別に関する共通アプローチに関するBERECガイドライン(BoR (20) 46)を参照のこと。 |
[12] Indeed, as reminded in Art. 2(13) of Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code, the user can be a natural or a legal person. | [12] 実際、欧州議会および2018年12月11日付理事会の欧州電子通信コードを制定する指令(EU)2018/1972の第2条(13)項で言及されているように、ユーザーは自然人または法人である可能性がある。 |
[13] Article 3 ePD. | [13] 第3条ePD。 |
[14] Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive) | [14] 2002年3月7日付欧州議会および理事会の電子通信ネットワークおよびサービスに関する共通規制枠組みに関する指令(枠組み指令)2002/21/EC |
[15] Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code (Recast), Text with EEA relevance, Article 2(1). | [15] 2018年12月11日付欧州議会および理事会指令(EU)2018/1972 欧州電子通信コード(改正)の制定、EEA関連条文、第2条(1)。 |
[16] Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code (Recast), Text with EEA relevance, Article 2(1). | [16] 欧州議会および2018年12月11日付理事会の欧州電子通信コード(改正)を定める指令(EU)2018/1972、EEA関連条項、第2条(1)。 |
[17] For example, in the context of delay-tolerant networking scheme that implement ‘store and forward techniques’ such as the Briar open source project. | [17] 例えば、Briarオープンソースプロジェクトのような「ストア・アンド・フォワード技術」を実装する遅延耐性ネットワーキングスキームの文脈において。 |
[18] For further analysis on the identification of public communication networks, refer to the BEREC Guidelines on the Implementation of the Open Internet Regulation (BoR (20) 112) | [18] 公衆通信ネットワークの識別に関するさらなる分析については、オープンインターネット規則(BoR (20) 112)の実施に関するBERECガイドラインを参照のこと。 |
[19] Recital 26 ePD, see paragraph 17 above. | [19] 26項ePD、上記第17項を参照。 |
[20] WP29 Opinion 9/2014, p. 8. | [20] WP29意見書9/2014、8ページ。 |
[21] An SDK (“software development kit”) is a bundle of software development tools made available to facilitate the creation of application software. | [21] SDK(「ソフトウェア開発キット」)とは、アプリケーションソフトウェアの作成を容易にするために利用可能なソフトウェア開発ツールの集合である。 |
[22] WP29 Opinion 9/2014, p. 9. | [22] WP29意見書9/2014、9ページ。 |
[23] As defined in section 2.3 of these Guidelines. | [23] 本ガイドラインのセクション2.3で定義されている。 |
[24] See paragraph 4 above. | [24] 上記第4項を参照。 |
[25] The HTTP ETag is an identifier that allows to do conditional request based on the validity of the cached client data. | [25] HTTP ETagは、キャッシュされたクライアントデータの妥当性確認に基づく条件付きリクエストを可能にする識別子である。 |
[26] HTTP Strict Transport Security (HSTS) allow servers to specify which resources should always be requested using HTTPS connections. | [26] HTTP Strict Transport Security (HSTS) は、サーバーがどのリソースを常にHTTPS接続でリクエストすべきかを指定することを可能にする。 |
[27] As noted in the introduction, please see Opinion 9/2014 of the Article 29 Working Party on the application of ePrivacy Directive to device fingerprinting | [27] 序文で述べたように、eプライバシー指令のデバイス・フィンガープリンティングへの適用に関する第29条作業部会の2014年9月意見を参照のこと。 |
[28] This is additional to and independent of the use and function of an IP address for the establishment and conveyance or transmission of underlying technical communications, or the fact that it may or may not be personal data (in respect of ePrivacy analysis, it is “information”) | [28] これは、基礎となる技術的コミュニケーションの確立および伝達または送信のためのIPアドレスの使用および機能、またはそれが個人データであるか否か(eプライバシー分析に関しては「情報」)とは別個のものである。 |
[29] Carrier-grade NAT or CGNAT is used by Internet service providers to maximise the use of limited IP address space. It groups a number of subscribers under the same public IP address. | [29] キャリアグレードNATまたはCGNATは、インターネットサービスプロバイダが限られたIPアドレス空間を最大限に活用するために使用する。これは、多数の加入者を同一のパブリックIPアドレスの下にグループ化する。 |
[30] WP29 Opinion 9/2014 provides for some example when consent might not be needed. | [30] 2014年9月WP29意見書9では、同意が不要となる場合の例がいくつか示されている。 |
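The tracking pixels and tracking links described in section 3.1 (paragraphs 47 to 51) can be located in a piece of HTML content with a short audit script. The following is an added example, not part of the Guidelines or of the original post; the parameter names, the size threshold, the token pattern and the sample e-mail are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Assumption: these heuristics are chosen for this example; the Guidelines
# define no parameter names, token formats or size thresholds.
ATTRIBUTION_PARAMS = {"utm_source", "utm_medium", "utm_campaign", "ref", "aff_id", "uid", "cid"}
OPAQUE_TOKEN = re.compile(r"^(?=.*[0-9])(?=.*[A-Za-z])[A-Za-z0-9_-]{12,}$")


def identifier_params(url):
    """Query parameters that carry an identifier instead of locating the resource."""
    hits = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name.lower() in ATTRIBUTION_PARAMS or OPAQUE_TOKEN.match(value):
            hits[name] = value
    return hits


def is_third_party(url, first_party_host):
    host = urlsplit(url).hostname
    if host is None:  # relative URL: same host as the content itself
        return False
    return host != first_party_host and not host.endswith("." + first_party_host)


def is_invisible(attrs):
    """True for 0/1-pixel images and for images hidden with inline CSS."""
    def tiny(value):
        return value.strip().lower().replace("px", "") in {"0", "1"}
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return tiny(attrs.get("width", "")) and tiny(attrs.get("height", ""))


class TrackingAudit(HTMLParser):
    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {name: value or "" for name, value in attrs}
        if tag == "img" and a.get("src"):
            self._image(a)
        elif tag == "a" and a.get("href"):
            self._link(a["href"])

    def _record(self, kind, url, params):
        self.findings.append({"kind": kind, "host": urlsplit(url).hostname, "params": params})

    def _image(self, a):
        url, params = a["src"], identifier_params(a["src"])
        if is_invisible(a):
            # Paragraph 47: an image with no content purpose whose loading only
            # creates a request to its host. A hidden first-party image without
            # identifiers is treated as a layout spacer and ignored.
            if params or is_third_party(url, self.first_party_host):
                self._record("tracking-pixel", url, params)
        elif params:
            # Paragraph 47, last case: a content image whose URL carries extra information.
            self._record("tagged-image", url, params)

    def _link(self, url):
        params = identifier_params(url)
        if params:  # paragraph 49: identifier appended to the website address
            self._record("tracking-link", url, params)


def audit_html(html, first_party_host):
    parser = TrackingAudit(first_party_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: an HTML e-mail from the hypothetical sender shop.example.
SAMPLE_EMAIL = """<html><body>
<p>Hello, your order has shipped.</p>
<img src="https://shop.example/img/logo.png" width="120" height="40">
<img src="https://metrics.example.net/o.gif?uid=7f3a9c21e4b04d55&amp;m=welcome" width="1" height="1" alt="">
<img src="https://shop.example/img/banner.jpg?cid=ab12cd34ef56ab78" width="600" height="200">
<a href="https://shop.example/product/42">View product</a>
<a href="https://shop.example/product/42?aff_id=partner-17&amp;utm_source=newsletter">Partner offer</a>
<img src="https://cdn.example.org/s.png" style="display:none">
</body></html>"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_EMAIL, "shop.example"):
        print(finding)
```

A hidden third-party image is reported even when its URL carries no parameter, because the request alone is the communication that paragraph 47 describes.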
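Paragraph 55 states that IPv6 addresses are partly defined by the host. One concrete case is the modified EUI-64 interface identifier, where the low 64 bits of the address are built from the network interface's MAC address. The following added example (not part of the Guidelines or of the original post) checks logged addresses for that pattern; the sample addresses are constructed from documentation ranges.

```python
import ipaddress
from collections import defaultdict


def eui64_mac(address):
    """MAC address embedded in a modified EUI-64 interface identifier, else None."""
    ip = ipaddress.ip_address(address)
    if ip.version != 6:
        return None
    iid = ip.packed[8:]              # low 64 bits: the interface identifier
    if iid[3:5] != b"\xff\xfe":      # marker inserted between the two MAC halves
        return None                  # (a random identifier matches by chance 1 in 65536)
    # Undo the universal/local bit flip applied to the first MAC byte.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def prefix64(address):
    """The /64 network prefix of an IPv6 address, as text."""
    return str(ipaddress.ip_interface(f"{address}/64").network)


def hardware_derived(addresses):
    """Map each recovered MAC to the sorted /64 prefixes it was logged under."""
    seen = defaultdict(set)
    for address in addresses:
        mac = eui64_mac(address)
        if mac is not None:
            seen[mac].add(prefix64(address))
    return {mac: sorted(prefixes) for mac, prefixes in seen.items()}


def seen_across_networks(addresses):
    """MACs that appear under more than one prefix: the same equipment on several networks."""
    return sorted(mac for mac, prefixes in hardware_derived(addresses).items() if len(prefixes) > 1)


# Constructed sample of logged client addresses (documentation ranges only).
SAMPLE_LOG = [
    "2001:db8:a:1:21a:2bff:fe3c:4d5e",    # EUI-64 identifier, first network
    "2001:db8:b:7:21a:2bff:fe3c:4d5e",    # same interface identifier, second network
    "2001:db8:a:1:5c3f:91d2:7e08:aa41",   # randomised interface identifier
    "2001:db8:c:2:a8bb:ccff:fedd:eeff",   # EUI-64 identifier, seen once
    "198.51.100.23",                      # IPv4: no host-defined part to inspect
]

if __name__ == "__main__":
    print(hardware_derived(SAMPLE_LOG))
    print(seen_across_networks(SAMPLE_LOG))
```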
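● Maruchan's Whimsical Diary of Information Security (まるちゃんの情報セキュリティ気まぐれ日記)
・2023.11.18 EDPB call for comments: Guidelines (draft) to clarify the tracking technologies covered by the Privacy Directive (2023.11.16)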
Executive summary | Executive summary |
In these Guidelines, the EDPB addresses the applicability of Article 5(3) of the ePrivacy Directive to different technical solutions. These Guidelines expand upon the Opinion 9/2014 of the Article 29 Working Party on the application of ePrivacy Directive to device fingerprinting and aim to provide a clear understanding of the technical operations covered by Article 5(3) of the ePrivacy Directive. | In these Guidelines, the EDPB addresses the applicability of Article 5(3) of the ePrivacy Directive to different technical solutions. These Guidelines expand upon the Opinion 9/2014 of the Article 29 Working Party on the application of ePrivacy Directive to device fingerprinting and aim to provide a clear understanding of the technical operations covered by Article 5(3) of the ePrivacy Directive. |
The emergence of new tracking methods to both replace existing tracking tools (for example, cookies, due to discontinued support for third-party cookies) and create new business models has become a critical data protection concern. While the applicability of Article 5(3) of the ePrivacy Directive is well established and implemented for some tracking technologies such as cookies, there is a need to remove ambiguities related to the application of the said provision to emerging tracking tools. | The emergence of new tracking methods to both replace existing tracking tools (for example, cookies, due to discontinued support for third-party cookies by some browser vendors) and create new business models has become a critical data protection concern. While the applicability of Article 5(3) of the ePrivacy Directive is well established and implemented for some tracking technologies such as cookies, there is a need to address ambiguities related to the application of the said provision to emerging tracking tools. |
The Guidelines identify four key elements for the applicability of Article 5(3) of the ePrivacy Directive (section 2.1), namely ‘information’, ‘terminal equipment of a subscriber or user’, ‘gaining access and ‘stored information and storage’. The Guidelines further provide a detailed analysis of each element (section 2.2-2.6). | The Guidelines identify three key elements for the applicability of Article 5(3) of the ePrivacy Directive (section 2.1), namely ‘information’, ‘terminal equipment of a subscriber or user’ and ‘gaining access and ‘storage of information and stored information’. The Guidelines further provide a detailed analysis of each element (section 2.2-2.6). |
In section 3, that analysis is applied to a non-exhaustive list of use cases representing common techniques, namely: | In section 3, that analysis is applied to a non-exhaustive list of use cases representing common techniques, namely: |
- URL and pixel tracking | - URL and pixel tracking |
- Local processing | - Local processing |
- Tracking based on IP only | - Tracking based on IP only |
- Intermittent and mediated Internet of Things (IoT) reporting | - Intermittent and mediated Internet of Things (IoT) reporting |
- Unique Identifier | - Unique Identifier |
TABLE OF CONTENTS | Table of contents |
1 Introduction | 1 Introduction |
2 Analysis | 2 Analysis |
2.1 Key elements for the applicability of Article 5(3) ePD | 2.1 Key elements for the applicability of Article 5(3) ePD |
2.2 Notion of ‘information’ | 2.2 Notion of ‘information’ - Criterion A |
2.3 Notion of ‘Terminal Equipment of a Subscriber or User’ | 2.3 Notion of ‘terminal equipment of a subscriber or user’ – Criterion B.1 |
2.4 Notion of ‘electronic communications network’ | 2.4 Notion of ‘public communications network’ – Criterion B.2 |
2.5 Notion of ‘gaining access’ | 2.5 Notion of ‘gaining access’ – Criterion C.1 |
2.6 Notions of ‘Stored Information’ and ‘Storage’ | 2.6 Notions of ‘storage of information’ and ‘stored information’ – Criterion C.2 |
3 Use cases | 3 Use cases |
3.1 URL and pixel tracking | 3.1 URL and pixel tracking |
3.2 Local processing | 3.2 Local processing |
3.3 Tracking based on IP only | 3.3 Tracking based on IP only |
3.4 Intermittent and mediated IoT reporting | 3.4 Intermittent and mediated IoT reporting |
3.5 Unique Identifier | 3.5 Unique Identifier |
The European Data Protection Board | The European Data Protection Board |
Having regard to Article 70 (1)(e) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, (hereinafter, ‘GDPR’), | Having regard to Article 70 (1)(e) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, (hereinafter, ‘GDPR’), |
Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018 , | Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018[1], |
Having regard to Article 15(3) of the Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, as amended by Directive 2009/136/EC (hereinafter, ‘ePrivacy Directive’ or ‘ePD’), | Having regard to Article 15(3) of the Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, as amended by Directive 2009/136/EC (hereinafter, ‘ePrivacy Directive’ or ‘ePD’), |
Having regard to Article 12 and Article 22 of its Rules of Procedure, | Having regard to Article 12 and Article 22 of its Rules of Procedure, |
Has Adopted The Following Guidelines: | HAS ADOPTED THE FOLLOWING GUIDELINES: |
----- | ------ |
1 INTRODUCTION | 1 INTRODUCTION |
1. According to Article 5(3) ePD, ‘the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user’ is only allowed on the basis of consent or necessity for specific purposes set out in that Article. As reminded in Recital 24 of the ePD, the goal of that provision is to protect the users’ terminal equipment, as they are part of the private sphere of the users. It results from the wording of the Article and has been made clear (for example, in the Article 29 Working Party (hereinafter, ‘WP29’) Opinion 4/2012 on Cookie Consent Exemption ), that Article 5(3) ePD does not exclusively apply to cookies, but also to ‘similar technologies’. However, there is currently no comprehensive list of the technical operations covered by Article 5(3) ePD. | 1. According to Article 5(3) ePD, ‘the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user’ is only allowed on the basis of consent or necessity for specific purposes set out in that Article. As reminded in Recital 24 of the ePD[2], the goal of that provision is to protect the users’ terminal equipment, as they are part of the private sphere of the users. It results from the wording of the Article, that Article 5(3) ePD does not exclusively apply to cookies, but also to ‘similar technologies’. However, there is currently no comprehensive list of the technical operations covered by Article 5(3) ePD. |
2. WP29 Opinion 9/2014 on the application of ePrivacy Directive to device fingerprinting (hereinafter, ‘WP29 Opinion 9/2014’) has already clarified that fingerprinting falls within the technical scope of Article 5(3) ePD, but due to the new advances in technologies further guidance is needed with respect to the tracking techniques currently observed. The technical landscape has been evolving during the last decade, with the increasing use of identifiers embedded in operating systems, as well as the creation of new tools allowing the storage of information in terminals. | 2. Article 29 Working Party (hereinafter, ‘WP29’) Opinion 9/2014 on the application of ePrivacy Directive to device fingerprinting (hereinafter, ‘WP29 Opinion 9/2014’) has already clarified that fingerprinting falls within the technical scope of Article 5(3) ePD[3], but due to the new advances in technologies further guidance is needed with respect to the tracking techniques currently observed. The technical landscape has been evolving during the last decade, with the increasing use of identifiers embedded in operating systems, as well as the creation of new tools allowing the storage of information in terminal equipment. |
3. The ambiguities regarding the scope of application of Article 5(3) ePD have created incentives to implement alternative solutions for tracking internet users and lead to a tendency to circumvent the legal obligations provided by Article 5(3) ePD. All such situations raise concerns and require a supplementary analysis in order to complement the previous guidance from the EDPB. | 3. The ambiguities regarding the scope of application of Article 5(3) ePD have created incentives to implement alternative solutions for tracking internet users and lead to a tendency to circumvent the legal obligations provided by Article 5(3) ePD. All such situations raise concerns and require a supplementary analysis in order to complement the previous guidance from the EDPB. |
4. The aim of these Guidelines is to conduct a technical analysis on the scope of application of Article 5(3) ePD, namely to clarify what is covered by the phrase ‘to store information or to gain access to information stored in the terminal equipment of a subscriber or user’. These Guidelines do not intend to address the circumstances under which a processing operation may fall within the exemptions from the consent requirement provided for by the ePD. | 4. The aim of these Guidelines is to conduct a technical analysis on the scope of application of Article 5(3) ePD, namely to clarify what is technically covered by the phrase ‘to store information or to gain access to information stored in the terminal equipment of a subscriber or user’. These Guidelines do not address the circumstances under which a processing operation may fall within the exemptions from the consent requirement provided for by the ePD[4], as these circumstances should be analysed on a case-by-case basis accounting for the relevant member state transposition(s), and guidance issued by national Competent Authorities. |
5. A non-exhaustive list of specific use-cases will be analysed in the final part of these Guidelines. | 5. A non-exhaustive list of specific use-cases will be analysed in the final part of these Guidelines. |
2 ANALYSIS | 2 ANALYSIS |
2.1 Key elements for the applicability of Article 5(3) ePD | 2.1 Key elements for the applicability of Article 5(3) ePD |
6. Article 5(3) ePD applies if: | 6. Article 5(3) ePD applies if: |
a. CRITERION A: the operations carried out relate to ‘information’. It should be noted that the term used is not ‘personal data’, but ‘information’. | a. CRITERION A: the operations carried out relate to ‘information’. It should be noted that the term used is not ‘personal data’, but ‘information’. |
b. CRITERION B: the operations carried out involve a ‘terminal equipment’ of a subscriber or user. | b. CRITERION B: the operations carried out involve a ‘terminal equipment’ of a subscriber or user (B.1), which imply the need to assess the notion of a ‘public communications network’ (B.2). |
c. CRITERION C: the operations carried out are made in the context of the ‘provision of publicly available electronic communications services in public communications networks’. | |
d. CRITERION D: the operations carried out indeed constitute a ‘gaining of access’ or ‘storage’. Those two notions can be studied independently, as reminded in WP29 Opinion 9/2014: ‘Use of the words “stored or accessed” indicates that the storage and access do not need to occur within the same communication and do not need to be performed by the same party’. | c. CRITERION C: the operations carried out indeed constitute ‘storage’ (C.1) or a ‘gaining of access’ (C.2). Those two notions can be studied independently, as reminded in WP29 Opinion 9/2014: ‘Use of the words “stored or accessed” indicates that the storage and access do not need to occur within the same communication and do not need to be performed by the same party’[5]. |
For the sake of readability, the entity gaining access to information stored in the user’s terminal equipment will be hereafter referred to as an ‘accessing entity’. | For the sake of readability, the entity gaining access to information stored in the user’s terminal equipment will be hereafter referred to as an ‘accessing entity’. |
2.2 Notion of ‘information’ | 2.2 Notion of ‘information’ - Criterion A |
7. As expressed in CRITERION A, this section details what is covered by the notion of ‘information’. The choice of the term, much broader than the notion of personal data, is related to the scope of the ePrivacy Directive. | 7. As expressed in CRITERION A, this section details what is covered by the notion of ‘information’. The choice of the term ‘information’, encompassing a broader category than the mere notion of personal data, is related to the scope of the ePrivacy Directive. |
8. The goal of Article 5(3) ePD is to protect the private sphere of the users, as stated in its Recital 24: ‘Terminal equipment of users of electronic communications networks and any information stored on such equipment are part of the private sphere of the users requiring protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms’. Consequently, it is also protected by Article 7 of the EU Charter of Fundamental Rights. | 8. The goal of Article 5(3) ePD is to protect the private sphere of the users, as stated in its Recital 24: ‘Terminal equipment of users of electronic communications networks and any information stored on such equipment are part of the private sphere of the users requiring protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms’. It is also protected by Article 7 of the EU Charter of Fundamental Rights. |
9. In fact, scenarios that do intrude into this private sphere even without involving any personal data are explicitly covered by the wording of the Article 5(3) ePD and by Recital 24, for example the storage of viruses on the user’s terminal. This shows that the definition of the term ‘information’ should not be limited the property of being related to an identified or identifiable natural person. | 9. In fact, scenarios that do intrude into this private sphere even without involving any personal data are explicitly covered by the wording of Article 5(3) and Recital 24 ePD, for example the storage of viruses on the user’s terminal equipment. This shows that the definition of the term ‘information’ should not be limited to the property of being related to an identified or identifiable natural person. |
10. This has been confirmed by the Court of Justice of the EU: ‘That protection applies to any information stored in such terminal equipment, regardless of whether or not it is personal data, and is intended, in particular, as is clear from that recital, to protect users from the risk that hidden identifiers and other similar devices enter those users’ terminal equipment without their knowledge’. | 10. This has been confirmed by the Court of Justice of the EU: ‘That protection applies to any information stored in such terminal equipment, regardless of whether or not it is personal data, and is intended, in particular, as is clear from that recital, to protect users from the risk that hidden identifiers and other similar devices enter those users’ terminal equipment without their knowledge’[6]. |
11. Whether the origin of this information and the reasons why it is stored in the terminal equipment should be considered when assessing the applicability of Article 5(3) ePD have been previously clarified, for example in the WP29 Opinion 9/2014: ‘It is not correct to interpret this as meaning that the third-party does not require consent to access this information simply because he did not store it. The consent requirement also applies when a read-only value is accessed (e.g. requesting the MAC address of a network interface via the OS API)’. | 11. The questions on whether the origin of this information and the reasons why it is stored in the terminal equipment should be considered when assessing the applicability of Article 5(3) ePD have been previously clarified. For example, in the WP29 Opinion 9/2014: ‘It is not correct to interpret this as meaning that the third-party does not require consent to access this information simply because he did not store it. The consent requirement also applies when a read-only value is accessed (e.g. requesting the MAC address of a network interface via the OS API)’ [7]. |
12. In conclusion, the notion of information includes both non-personal data and personal data, regardless of how this data was stored and by whom, i.e. whether by an external entity (also including other entities than the one having access), by the user, by a manufacturer, or any other scenario. | 12. In conclusion, the notion of information includes both non-personal data and personal data, regardless of how this data was stored and by whom, i.e. whether by an external entity (also including other entities than the one having access), by the user, by a manufacturer, or any other scenario. |
2.3 Notion of ‘Terminal Equipment of a Subscriber or User’ | 2.3 Notion of ‘terminal equipment of a subscriber or user’ – Criterion B.1 |
13. This section builds on the definition used in Directive 2008/63/EC, where ‘terminal equipment’ is defined as: ‘equipment directly or indirectly connected to the interface of a public telecommunications network to send, process or receive information; in either case (direct or indirect), the connection may be made by wire, optical fibre or electromagnetically; a connection is indirect if equipment is placed between the terminal equipment and the interface of the network’. | 13. This section builds on the definition used in Directive 2008/63/EC and as referenced in Article 2 Directive (EU) 2018/1972, where ‘terminal equipment’ is defined as: ‘equipment directly or indirectly connected to the interface of a public telecommunications network to send, process or receive information; in either case (direct or indirect), the connection may be made by wire, optical fibre or electromagnetically; a connection is indirect if equipment is placed between the terminal equipment and the interface of the network’[8]. |
14. Recital 24 ePD provides a clear understanding of the role of the terminal equipment for the protection offered by Article 5(3) ePD. The ePD protects users’ privacy not only in relation to the confidentiality of their information but also by safeguarding the integrity of the user’s terminal equipment. This understanding will guide the interpretation of the notion of the terminal equipment throughout these Guidelines. | 14. Recital 24 ePD provides a clear understanding of the role of the terminal equipment for the protection offered by Article 5(3) ePD. The ePD protects users’ privacy not only in relation to the confidentiality of their information but also by safeguarding the integrity of the user’s terminal equipment. This understanding will guide the interpretation of the notion of the terminal equipment throughout these Guidelines. |
15. Whenever a device is not an endpoint of a communication and only conveys information without performing any modifications to that information, it would not be considered as the terminal equipment in that context. Hence, if a device solely acts as a communication relay, it should not be considered a terminal equipment under Article 5(3) ePD. | 15. Article 3 ePD states that for the ePD to apply the processing of personal data has to be carried out in connection with the provision of publicly available electronic communications services in public communications networks. This entails that a device should be usable in connection with such service and that, in order to be qualified as a terminal equipment, it should be connected or connectable[9] to the interface of a public communications network. The EDPB notes that the amendments made in 2009[10] in the text of Article 5(3) ePD extended the protection of terminal equipment by deleting the reference to the ‘use of electronic communications network’ as a means to store information or to gain access to information stored in the terminal equipment. Therefore, as long as a device has a network interface that makes it eligible for connection (even if such connection is not in place), Article 5(3) ePD applies to every entity that would store and gain access to information already stored in the terminal equipment whatever the means of access to the terminal equipment is, and whether connected or disconnected from a network |
16. Equipment that are part of the public electronic communications network itself would not be considered terminal equipment under Article 5(3) ePD[11]. | |
16. A terminal equipment may be comprised of any number of individual pieces of hardware, which together form the terminal equipment. This may or may not take the form of a physically enclosed device hosting all the display, processing, storage and peripheral hardware (for example, smartphones, laptops, connected cars or connected TVs, smart glasses). | 17. A terminal equipment may be comprised of any number of individual pieces of hardware, which together form the terminal equipment. This may or may not take the form of a physically enclosed device hosting all the display, processing, storage and peripheral hardware (for example, smartphones, laptops, network-attached storage device, connected cars or connected TVs, smart glasses). |
17. The ePD acknowledges that the protection of the confidentiality of the information stored on a user’s terminal equipment and integrity of the user’s terminal equipment is not limited to the protection of the private sphere of natural persons but also concerns the right to respect for their correspondence or the legitimate interests of legal persons. As such, a terminal equipment that allows for this correspondence and the legitimate interests of the legal persons to be carried out is protected under Article 5(3) ePD. | 18. The ePD acknowledges that the protection of the confidentiality of the information stored on a user’s terminal equipment and integrity of the user’s terminal equipment is not limited to the protection of the private sphere of natural persons but also concerns the right to respect for their correspondence or the legitimate interests of legal persons[12]. As such, a terminal equipment that allows for this correspondence and the legitimate interests of the legal persons to be carried out is protected under Article 5(3) ePD. |
18. The user or subscriber may own or rent or otherwise be provided with the terminal equipment. Multiple users or subscribers may share the same terminal equipment in the context of multiple communications (for example, in the case of a connected car) and a single communication may involve more than one terminal equipment. | 19. The user or subscriber may own or rent or otherwise be provided with the terminal equipment. Multiple users or subscribers may share the same terminal equipment. |
19. The protection is guaranteed by the ePD to the terminal equipment associated to the user or subscriber involved in the communication, and it is not dependant on whether the electronic communication was initiated by the user or even on whether the user is aware of the said communication. | 20. This protection is guaranteed by the ePD to the terminal equipment associated to the user or subscriber, and it is not dependant on whether the user set up the means of access (for example if they initiated the electronic communication) or even on whether the user is aware of the said means of access. |
2.4 Notion of ‘electronic communications network’ | 2.4 Notion of ‘public communications network’ – Criterion B.2 |
20. Another element to consider in order to assess the applicability of Article 5(3) ePD is the notion of ‘electronic communications network’. In fact, the situation regulated by the ePD is the one related to ‘the provision of publicly available electronic communications services in public communications networks in the Community’. It is therefore crucial to delimit the electronic communications network context in which Article 5(3) ePD applies. | 21. As the situation regulated by the ePD is the one related to ‘the provision of publicly available electronic communications services in public communications networks in the Community’[13], and the definition of a terminal equipment specifically mentions the notion of a ‘public communications network’, it is crucial to clarify this notion to identify the context in which Article 5(3) ePD applies. |
21. The notion of electronic communications network is not defined within the ePD itself. That concept was referred to originally in Directive 2002/21/EC (the Framework Directive) on a common regulatory framework for electronic communications networks and services, subsequently replaced by Directive 2018/1972 (the European Electronic Communications Code). It now reads: | 22. The notion of electronic communications network is not defined within the ePD itself. That concept was referred to originally in Directive 2002/21/EC (the Framework Directive) on a common regulatory framework for electronic communications networks and services[14], subsequently replaced by Article 2(1) of Directive 2018/1972 (the European Electronic Communications Code). It now reads: |
‘”electronic communications network” means transmission systems, whether or not based on a permanent infrastructure or centralised administration capacity, and, where applicable, switching or routing equipment and other resources, including network elements which are not active, which permit the conveyance of signals by wire, radio, optical or other electromagnetic means, including satellite networks, fixed (circuit- and packet-switched, including internet) and mobile networks, electricity cable systems, to the extent that they are used for the purpose of transmitting signals, networks used for radio and television broadcasting, and cable television networks, irrespective of the type of information conveyed’. | ”electronic communications network” means transmission systems, whether or not based on a permanent infrastructure or centralised administration capacity, and, where applicable, switching or routing equipment and other resources, including network elements which are not active, which permit the conveyance of signals by wire, radio, optical or other electromagnetic means, including satellite networks, fixed (circuit- and packet-switched, including internet) and mobile networks, electricity cable systems, to the extent that they are used for the purpose of transmitting signals, networks used for radio and television broadcasting, and cable television networks, irrespective of the type of information conveyed.[15] |
22. This definition is neutral with respect to the transmission technologies. An electronic communications network, according to this definition, is any network system that allows transmission of electronic signals between its nodes, regardless of the equipment and protocols used. | 23. This definition is neutral with respect to the transmission technologies. An electronic communications network, according to this definition, is any network system that allows transmission of electronic signals between its nodes, regardless of the equipment and protocols used. |
23. The notion of electronic communications network under Directive 2018/1972 does not depend on the public or private nature of the infrastructure, nor on the way the network is deployed or managed (‘whether or not based on a permanent infrastructure or centralised administration capacity’.) As a result, the definition of electronic communications network, under Article 2 of Directive 2018/1972, is broad enough to cover any type of infrastructure. It includes networks managed or not by an operator, networks co-managed by a group of operators, or even ad-hoc networks in which a terminal equipment may dynamically join or leave a mesh of other terminal equipment using short range transmission protocols. | 24. The notion of electronic communications network under Directive 2018/1972 does not depend on the public or private nature of the infrastructure, nor on the way the network is deployed or managed (‘whether or not based on a permanent infrastructure or centralised administration capacity’[16].) As a result, the definition of electronic communications network, under Article 2 of Directive 2018/1972, is broad enough to cover any type of infrastructure. It includes networks managed or not by an operator, networks co-managed by a group of operators, or even ad-hoc networks in which a terminal equipment may dynamically join or leave a mesh of other terminal equipment using short range transmission protocols. |
24. This definition of network does not give any limitation with regards to the number of terminal equipment present in the network at any time. Some networking schemes rely on asynchronous information propagation to present peers in the network and can at some point in time have as little as two peers communicating. Article 5(3) ePD would still apply in such cases, as long as the network protocol allows for further inclusion of peers. | 25. This definition of network does not give any limitation with regards to the number of terminal equipment present in the network at any time. Some networking schemes rely on nodes relaying information in an ad-hoc manner to nodes presently connected[17] and can at some point in time have as little as two peers communicating. Such cases would be within the general scope of the ePD directive, as long as the network protocol allows for further inclusion of peers. |
25. The public availability of the communication service over the communication network is necessary for the applicability of Article 5(3) ePD. It should be noted that the fact that the network is made available to a limited subset of the public (for example, subscribers, whether paying or not, subject to eligibility conditions) does not make such a network private. | 26. The public availability of the communication network is necessary for the device to be considered a terminal equipment and in consequence for the applicability of Article 5(3) ePD. It should be noted that the fact that the network is made available to a limited subset of the public (for example, subscribers, whether paying or not, subject to eligibility conditions) does not make such a network private[18]. |
2.5 Notion of ‘gaining access’ | 2.5 Notion of ‘gaining access’ – Criterion C.1 |
26. To correctly frame the notion of ‘gaining access’, it is important to consider the scope of the ePD, stated in its Article 1: ‘to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy, with respect to the processing of personal data in the electronic communication sector and to ensure the free movement of such data and of electronic communication equipment and services in the Community’. | 27. To correctly frame the notion of ‘gaining access’, it is important to consider the scope of the ePD, stated in its Article 1: ‘to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy, with respect to the processing of personal data in the electronic communication sector and to ensure the free movement of such data and of electronic communication equipment and services in the Community’. |
27. In a nutshell, the ePD is a privacy preserving legal instrument aiming to protect the confidentiality of communications and the integrity of devices. In Recital 24 ePD, it is clarified that, in the case of natural persons, the user’s terminal equipment is part of their private sphere and that accessing information stored on it without their knowledge may seriously intrude upon their privacy. | 28. In a nutshell, the ePD is a privacy preserving legal instrument aiming to protect the confidentiality of communications and the integrity of devices. In Recital 24 ePD, it is clarified that, in the case of natural persons, the user’s terminal equipment is part of their private sphere and that accessing information stored on it without their knowledge may seriously intrude upon their privacy. |
28. Legal persons are also safeguarded by the ePD. In consequence, the notion of ‘gaining access’ under Article 5(3) ePD, has to be interpreted in a way that safeguards those rights against violation by third parties. | 29. Legal persons are also safeguarded by the ePD[19]. In consequence, the notion of ‘gaining access’ under Article 5(3) ePD, has to be interpreted in a way that safeguards those rights against violation by third parties. |
29. Storage and access do not need to be cumulatively present for Article 5(3) ePD to apply. The notion of ’gaining access’ is independent from the notion of ‘storing information’. Moreover, the two operations do not need to be carried out by the same entity. | 30. Storing information or gaining access can be independent operations, and performed by independent entities. Storing of information and access to information already stored do not need to be both present for Article 5(3) ePD to apply. |
30. As noted in the WP29 Opinion 9/2014 on the application of Directive 2002/58/EC to device fingerprinting: ‘Use of the words “stored or accessed” indicates that the storage and access do not need to occur within the same communication and do not need to be performed by the same party. Information that is stored by one party (including information stored by the user or device manufacturer) which is later accessed by another party is therefore within the scope of Art. 5(3)’. Consequently, there are no restrictions placed on the origin of information on the terminal equipment for the notion of access to apply. | 31. As noted in the WP29 Opinion 9/2014: ‘Use of the words “stored or accessed” indicates that the storage and access do not need to occur within the same communication and do not need to be performed by the same party. Information that is stored by one party (including information stored by the user or device manufacturer) which is later accessed by another party is therefore within the scope of Art. 5(3)’[20]. Consequently, there are no restrictions placed on the origin of information on the terminal equipment for the notion of access to apply. |
31. Whenever the accessing entity wishes to gain access to information stored in the terminal equipment and actively takes steps towards that end, Article 5(3) ePD would apply. Usually this entails the accessing entity to proactively send specific instructions to the terminal equipment in order to receive back the targeted information. For example, this is the case for cookies, where the accessing entity instructs the terminal equipment to proactively send information on each subsequent HTTP (Hypertext Transfer Protocol) call. | 32. Whenever an entity takes steps towards gaining access to information stored in the terminal equipment, Article 5(3) ePD would apply. Usually this entails the accessing entity to proactively send specific instructions to the terminal equipment in order to receive back the targeted information. For example, this is the case for cookies, where the accessing entity instructs the terminal equipment to proactively send information on each subsequent Hypertext Transfer Protocol (‘HTTP’) call. |
32. That is equally the case when the accessing entity distributes software on the terminal of the user that will then proactively call an API (application programming interface) endpoint over the network. Additional examples would include JavaScript code, where the accessing entity instructs the browser of the user to send asynchronous requests with the targeted content. Such access clearly falls within the scope of Article 5(3) ePD, as the accessing entity explicitly instructs the terminal equipment to send the information. | 33. That is equally the case when the accessing entity distributes software on the terminal equipment of the user that is stored and will then proactively call an Application Programming Interface (‘API’) endpoint over the network. Additional examples would include JavaScript code, where the accessing entity instructs the browser of the user to send asynchronous requests with the targeted information. Such access clearly falls within the scope of Article 5(3) ePD, as the accessing entity explicitly instructs the terminal equipment to send the information. |
33. In some cases, the entity instructing the terminal to send back the targeted data and the entity receiving information might not be the same. This may result from the provision and/or use of a common mechanism between the two entities. For example, one entity may have used protocols that imply the proactive sending of information by the terminal equipment which may be processed by the receiving entity. In these circumstances, Article 5(3) ePD may still apply. | 34. In some cases, the entity instructing the terminal equipment to send back the targeted data and the entity receiving information might not be the same. This may result from the provision and/or use of a common mechanism between the two entities. Instructing the device to send already stored information (for example, through the use of a protocol, or an SDK[21] that imply the proactive sending of information by the terminal equipment) makes an intrusion into the terminal equipment possible, therefore such an access triggers the applicability of Article 5(3) ePD. As noted in WP29 Opinion 09/2014, this can be the case when a website instructs the terminal equipment to send information to third-party advertising services through the inclusion of a tracking pixel[22]. This use-case is further developed in section 3.1. |
2.6 Notions of ‘Stored Information’ and ‘Storage’ | 2.6 Notions of ‘storage of information’ and ‘stored information’ – Criterion C.2 |
34. Storage of information in the sense of Article 5(3) ePD refers to placing information on a physical electronic storage medium that is part of a user or subscriber’s terminal equipment. | 35. Storage of information in the sense of Article 5(3) ePD refers to placing information on a physical electronic storage medium that is part of a user or subscriber’s terminal equipment[23]. |
35. Typically, information is not stored in the terminal equipment of a user or subscriber through direct access by another party, but rather by instructing software on the terminal equipment to generate specific information. Storage taking place through such instructions is considered to be initiated directly by the other party. This includes making use of established protocols such as browser cookie storage as well as customized software, regardless of who created or installed the protocols or software on the terminal equipment. | 36. Typically, information is not stored in the terminal equipment of a user or subscriber through direct access to the memory of the device by another party, but rather by instructing software on the terminal equipment to generate specific information. Storage taking place through such instructions is considered to be initiated directly by the other party. This includes making use of established protocols such as browser cookie storage as well as customized software, regardless of who created or installed the protocols or software on the terminal equipment. |
36. The ePD does not place any upper or lower limit on the length of time that information must persist on a storage medium to be counted as stored, nor is there an upper or lower limit on the amount of information to be stored. | 37. The ePD does not place any upper or lower limit on the length of time that information must persist on a storage medium to be counted as stored, nor is there an upper or lower limit on the amount of information to be stored. |
37. Similarly, the notion of storage does not depend on the type of medium on which the information is stored. Typical examples would include hard disc drives (HDD), solid state drives (SSD), flash drives and random-access memory (RAM), but less typical scenarios involving a medium such as magnetic tape or central processing unit (CPU) cache are not excluded from the scope of application. The storage medium may be connected internally (e.g. through a SATA connection), externally (e.g. through a USB connection) or through a network protocol (e.g. a network-attached-storage device). | 38. Similarly, the notion of storage does not depend on the type of medium on which the information is stored. Typical examples would include hard disc drives (‘HDD’), solid state drives (‘SSD’), electrically-erasable programmable read-only memory (‘EEPROM’) and random-access memory (‘RAM’), but less typical scenarios involving a medium such as magnetic tape or central processing unit (‘CPU’) cache are not excluded from the scope of application. The storage medium may be connected internally (e.g. through a SATA connection), externally (e.g. through a USB connection) |
38. As long as the networked storage medium constitutes a functional equivalent of a local storage medium (including the fact that its only purpose is for the user of the terminal equipment to store information that will be processed on the terminal equipment itself), that storage medium will be considered part of the terminal equipment. | |
39. Finally, ‘stored information’ may not just result from information storage in the sense of Article 5(3) ePD as described above (either by the same party that would later gain access or by another third party). It may also be stored by the user or subscriber, or by a hardware manufacturer, or any other entity; be the result of sensors integrated into the terminal; or be produced through processes and programs executed on the terminal equipment, which may or may not produce information that is dependent on or derived from stored information. | 39. ‘Stored information’ refers to information already existing on the terminal equipment, regardless of the source or nature of this information. This includes any result from information storage in the sense of Article 5(3) ePD as described above (either by the same party that would later gain access or by another third party). It furthermore includes results of information storage processes beyond the scope of Article 5(3) ePD, such as: storage on the terminal equipment by the user or subscriber themselves, or by a hardware manufacturer (such as the MAC addresses of network interface controllers), sensors integrated into the terminal equipment or processes and programs executed on the terminal equipment, which may or may not produce information that is dependent on or derived from stored information. |
3 USE CASES | 3 USE CASES |
40. As pointed out in the introduction of these guidelines[24], they do not analyse the application of the exemptions to the obligation to collect consent provided by Article 5(3) ePD. The EDPB reminds that for all of the cases where there is a storage of information or a gaining of access to information already stored, it would have to be assessed if a consent is needed or whether an exemption under Article 5(3) ePD could apply. The reader should therefore consider the exemptions in their use case, in conjunction with this technical analysis. | |
40. Without prejudice of the specific context in which those technical categories can be used which are necessary to qualify whether Article 5(3) ePD is applicable, it is possible to identify, in a non-exhaustive manner, broad categories of identifiers and information that are widely used and can be subject to the applicability of Article 5(3) ePD. | 41. Without prejudice of the specific context in which those technical categories can be used which are necessary to qualify whether Article 5(3) ePD is applicable, it is possible to identify, in a non-exhaustive manner, broad categories of identifiers and information that are widely used and can be subject to the applicability of Article 5(3) ePD. |
41. Network communication usually relies on a layered model that necessitates the use of identifiers to allow for a proper establishment and carrying out of the communication. The communication of those identifiers to remote actors is instructed through software following agreed upon communication protocols. As outlined above, the fact that the receiving entity might not be the entity instructing the sending of information does not preclude the application of Article 5(3) ePD. This might concern routing identifiers such as the MAC or IP address of the terminal equipment, but also session identifiers (SSRC, Websocket identifier), or authentication tokens. | 42. Network communication usually relies on a layered model that necessitates the use of identifiers to allow for a proper establishment and carrying out of the communication. The communication of those identifiers to remote actors is instructed through software following agreed upon communication protocols. As outlined above, the fact that the receiving entity might not be the entity instructing the sending of information does not preclude the application of Article 5(3) ePD. This might concern routing identifiers such as the MAC or IP address of the terminal equipment, but also session identifiers (SSRC, Websocket identifier), or authentication tokens. |
42. In the same manner, the application protocol can include several mechanisms to provide context data (such as HTTP header including ‘accept’ field or user agent), caching mechanism (such as ETag or HSTS) or other functionalities (cookies being one of them). Once again, the abuse of those mechanisms (for example in the context of fingerprinting or the tracking of resource identifiers) can lead to the application of Article 5(3) ePD. | 43. In the same manner, the application protocol can include several mechanisms to provide context data (such as HTTP header including ‘accept’ field or user agent), caching mechanism (such as ETag[25]) or other functionalities (cookies being one of them, or HSTS[26]). Once again, relying on those mechanisms to collect information (for example in the context of fingerprinting[27] or the tracking of resource identifiers) can lead to the application of Article 5(3) ePD. |
43. On the other hand, there are some contexts in which local applications installed in the terminal uses some information strictly inside the terminal, as it might be the case for smartphone system APIs (access to camera, microphone, GPS sensor, accelerator chip, radio chip, local file access, contact list, identifiers access, etc.). This might also be the case for web browsers that process information stored or generated information inside the device (such as cookies, local storage, WebSQL, or even information provided by the users themselves). The use of such information by an application would not be subject to Article 5(3) ePD as long as the information does not leave the device, but when this information or any derivation of this information is accessed through the communication network, Article 5(3) ePD may apply. | 44. On the other hand, there are some contexts in which local applications installed in the terminal equipment uses some information strictly inside the terminal, as it might be the case for smartphone system APIs (access to camera, microphone, GPS sensor, accelerator chip, radio chip, local file access, contact list, identifiers access, etc.). This might also be the case for web browsers that process information stored or generated information inside the device (such as cookies, local storage, WebSQL, or even information provided by the users themselves). The use of such information by an application would not constitute a ‘gaining of access to information already stored’ in the meaning of Article 5(3) ePD as long as the information does not leave the device, but when this information or any derivation of this information is accessed, Article 5(3) ePD would apply. |
44. Finally, in some cases malicious software elements are distributed over a network by actors, for example crypto mining software or more generally malware, exploiting the processing abilities of the terminal for the benefit of the distributing actor. While that software may only establish a network connection that would trigger the application of Article 5(3) ePD at a later stage (for example to retrieve a computed result), the sole fact that the software instructing the nefarious processing has been distributed over a network would imply the application of Article 5(3) ePD. | 45. Finally, in some cases malicious software elements are distributed by actors, for example crypto mining software or more generally malware, exploiting the processing abilities of the terminal equipment for the benefit of the distributing actor. The distribution of said malicious software in user’s terminal equipment would constitute a ‘storage’ in the meaning of Article 5(3) ePD. In addition, should the software establish a network connection to send information at a later stage, it would constitute a ‘gaining of access’ in the meaning of Article 5(3) ePD |
45. For a subset of these categories that present a specific interest, either because of their widespread usage or because a specific study is warranted with regards to the circumstances of their use, a specific analysis is provided below. | 46. For a subset of these categories that present a specific interest, either because of their widespread usage or because a specific study is warranted with regards to the circumstances of their use, a specific analysis is provided below. |
3.1 URL and pixel tracking | 3.1 URL and pixel tracking |
46. A tracking pixel is a hyperlink to a resource, usually an image file, embedded into a piece of content like a website or an email. This pixel usually fulfils no purpose related to the content itself; its sole purpose is to establish a communication by the client to the host of the pixel, which would otherwise not have occurred. Establishment of a communication transmits various information to the host of the pixel, depending on the specific use case. | 47. A tracking pixel is a hyperlink to a resource, usually an image file, embedded into a piece of content like a website or an email. This pixel usually fulfils no purpose related to the requested content itself; its sole purpose is to automatically establish a communication by the client to the host of the pixel, which would otherwise not have occurred. This is however not systematic and tracking pixels can also be created by adding additional information to hyperlink loading images that are relevant to the content displayed to the user. Establishment of the communication transmits various information to the host of the pixel, depending on the specific use case. |
47. In the case of an email, the sender may include a tracking pixel to detect when the receiver reads the email. Tracking pixels on websites may link to an entity aggregating many such requests and thus being able to track users’ behaviour. Such tracking pixels may also contain additional identifiers as part of the link. These identifiers may be added by the owner of the website, possibly related to the user’s activity on that website. They may also be dynamically generated through client-side applicative logic. In some cases, links to legitimate images may also be used for the same purpose by adding additional information to the link. | 48. In the case of an email, the sender may include a tracking pixel to detect when the receiver reads the email. Tracking pixels on websites may link to an entity collecting many such requests and thus being able to track users’ behaviour. Such tracking pixels may also contain additional identifiers, metadata or content as part of the link. These data points may be added by the owner of the website, possibly related to the user’s activity on that website so that analytical usage reports can be generated. They may also be dynamically generated through client-side applicative logic supplied by the entity. |
48. Tracking links are functioning in the same way, but the identifier is appended to the website address. When the URL (Uniform Resource Locator) is visited by the user, the targeted website loads the requested resource but also collects an identifier which is not relevant in terms of resource identification. They are very commonly used by websites to identify the origin of their inbound source of traffic. For example, e-commerce websites can provide tracked links to partners to use on their domain so that the e-commerce website knows which of their partners is responsible for a sale and pay a commission, a practice known as affiliate marketing. | 49. Tracking links can function in the same way, but the identifier is appended to the website address. When the Uniform Resource Locator (‘URL’) is visited by the user, the targeted website loads the requested resource but also collects an identifier which is not relevant in terms of resource identification. They are very commonly used by eCommerce websites to identify the origin of their inbound source of traffic. For example, such websites can provide tracked links to partners to use on their domain so that the e-commerce website knows which of their partners is responsible for a sale and pay a commission, a practice known as affiliate marketing. |
49. Both tracking links and tracking pixels can be distributed through a wide variety of channels, for example through emails, websites, or even, in the case of tracking links, through any kind of text messaging systems. | 50. Both tracking links and tracking pixels can be distributed through a wide variety of channels, for example through emails, websites, or even, in the case of tracking links, through any kind of text messaging systems. That distribution to the user’s terminal equipment does constitute storage, at the very least through the caching mechanism of the client-side software. As such, Article 5(3) ePD is applicable, even if this storage is not permanent. |
50. Under the condition that said pixel or tracked URL have been distributed over a public communication network, it is clear that it constitutes storage on the communication network user’s terminal equipment, at the very least through the caching mechanism of the client-side software. As such, Article 5(3) ePD is applicable. | |
51. The inclusion of such tracking pixels or tracked links in the content sent to the user constitutes an instruction to the terminal equipment to send back the targeted information (the specified identifier). In the case of dynamically constructed tracking pixels, it is the distribution of the applicative logic (usually a JavaScript code) that constitutes the instruction. As a consequence, it can be considered that the collection of the identifiers provided by tracking pixels and tracked URL do constitute a ‘gaining of access’ in the meaning of Article 5(3) ePD and thus the latter is applicable to that step as well. | 51. The addition of tracking information to URLs or images (pixels) sent to the user constitutes an instruction to the terminal equipment to send back the targeted information (the specified identifier). In the case of dynamically constructed tracking pixels, it is the distribution of the applicative logic (usually a JavaScript code) that constitutes the instruction. As a consequence, it can be considered that the collection of identifiers provided through such tracking mechanisms constitutes a ‘gaining of access’ in the meaning of Article 5(3) ePD, thus it applies to that step as well. |
3.2 Local processing | 3.2 Local processing |
52. Some technologies rely on local processing instructed by software distributed on users’ terminal, where the information produced by the local processing is then made available to selected actors through client-side API. This may for example be the case for an API provided by the web browser, where locally generated results may be accessed remotely. | 52. Some technologies rely on local processing instructed by software distributed on users’ terminal equipment, where the information produced by the local processing is then made available to selected actors through client-side API. This may for example be the case for an API provided by the web browser, where locally generated results may be accessed remotely. |
53. If at any point and for example in the client-side code, the processed information made available is being sent back over the network, for example to a server, such an operation (instructed by the entity producing the client-side code distributed on the user terminal) would constitute a ‘gaining of access to information already stored’. The fact that this information is being produced locally does not preclude the application of Article 5(3) ePD. | 53. If at any point and for example in the client-side code, the processed information is made available to a third-party, for example sent back over the network to a server, such an operation (instructed by the entity producing the client-side code distributed on the user terminal equipment) would constitute a ‘gaining of access to information already stored’. The fact that this information is being produced locally does not preclude the application of Article 5(3) ePD. |
3.3 Tracking based on IP only | 3.3 Tracking based on IP only |
54. Some providers are developing advertising solutions that only rely on the collection of one component, namely the IP address, in order to track the navigation of the user, in some case across multiple domains. In that context Article 5(3) ePD could apply even though the instruction to make the IP available has been made by a different entity than the receiving one. | 54. Some providers are developing solutions that only rely on the collection of one component, namely the IP address, in order to track the navigation[28] of the user, in some case across multiple domains. In that context Article 5(3) ePD could apply even though the instruction to make the IP available has been made by a different entity than the receiving one. |
55. However, gaining access to IP addresses would only trigger the application of Article 5(3) ePD in cases where this information originates from the terminal equipment of a subscriber or user. While it is not systematically the case (for example when CGNAT is activated), the static outbound IPv4 originating from a user’s router would fall within that case, as well as IPV6 addresses since they are partly defined by the host. Unless the entity can ensure that the IP address does not originate from the terminal equipment of a user or subscriber, it has to take all the steps pursuant to the Article 5(3) ePD. | 55. However, gaining access to IP addresses would only trigger the application of Article 5(3) ePD in cases where this information originates from the terminal equipment of a subscriber or user. While it is not systematically the case (for example when CGNAT[29] is activated), the static outbound IPv4 originating from a user’s router would fall within that case, as well as IPV6 addresses since they are partly defined by the host. Unless the entity can ensure that the IP address does not originate from the terminal equipment of a user or subscriber, it has to take all the steps pursuant to the Article 5(3) ePD. |
56. While the present guidelines do not analyse the application of the exemptions to the obligation to collect consent provided by Article 5(3) ePD, it is important to once again recall that the applicability of this article does not systematically mean that consent needs to be collected. The EDPB thus reminds that in each case it would have to be assessed if a consent is needed or whether an exemption under Article 5(3) ePD could apply[30]. | |
3.4 Intermittent and mediated IoT reporting | 3.4 Intermittent and mediated IoT reporting |
56. IoT (Internet of Things) devices produce information continuously over time, for example through sensors embedded in the device, which may or may not be locally pre-processed. In many cases, information is made available to a remote server, but the modalities for that collection varies. | 57. IoT (Internet of Things) devices produce information continuously over time, for example through sensors embedded in the device, which may or may not be locally pre-processed. In many cases, information is made available to a remote server, but the modalities of that collection can vary. |
57. Some IoT devices have a direct connection to a public communication network, for example through the use of WIFI or a cellular SIM card. IoT devices might be instructed by the manufacturer to always stream the collected information, yet still locally cache the information first, for example until a connection is available. | 58. Some IoT devices have a direct connection to a public communication network with a cellular SIM card. Other may have an indirect connection to a public communication network, for example through the use of WIFI or the relay of information to another device through a point-to-point connection (for example, through Bluetooth). The other device can for example be a smartphone or a dedicated gateway which may or may not pre-process the information before sending it to the server. |
58. Other IoT devices do not have a direct connection to a public communication network and might be instructed to relay the information to another device through a point-to-point connection (for example, through Bluetooth). The other device is generally a smartphone which may or may not preprocess the information before sending it to the server. | 59. IoT devices might be instructed by the manufacturer to always stream the collected information, yet still locally cache the information first, for example until a connection is available. |
59. In the first case the IoT device, where it is connected to a public communications network, would itself be considered a terminal. The fact that the information is streamed or cached for intermittent reporting does not change the nature of that information. In both situations Article 5(3) ePD would apply as it is, through the instruction of the IoT device to send the dynamically stored data to the remote server, there is ‘gaining of access’. | |
60. In the case of IoT devices connected to the network via a relay device (a smartphone, a dedicated hub, etc.) with a purely point to point connection between the IoT device and the relay device, the transmission of data to the relay could fall outside of the Article 5(3) ePD as the communication does not take place on a public communication network. However, the information received by the relay device would be considered stored by a terminal and Article 5(3) ePD would apply as soon as this relay is instructed to send that information to a remote server. | 60. In any case the IoT device, where it is connected (directly or indirectly) to a public communications network, would itself be considered a terminal equipment. The fact that the information is streamed or cached for intermittent reporting does not change the nature of that information. In both situations Article 5(3) ePD would apply as there is, through the instruction of code on the IoT device to send the dynamically stored data to the remote server, a ‘gaining of access’. |
3.5 Unique Identifier | 3.5 Unique Identifier |
61. A common tool used by advertising companies is the notion of ’unique identifiers‘ or ’persistent identifiers‘. Such identifiers are usually derived from persistent personal data (name and surname, email, phone number, etc.), that is hashed on the user’s device, collected and shared amongst several controllers to uniquely identify a person over different datasets (usage data collected through the use of website or application, customer relation management (CRM) data related to online or offline purchase or subscription, etc.). On websites, the persistent personal data is generally obtained in the context of authentication or the subscription to newsletters. | 61. A common tool used by companies is the notion of ’unique identifiers‘ or ’persistent identifiers‘. Such identifiers can be derived from persistent personal data (name and surname, email, phone number, etc.), that is hashed on the user’s device, collected and shared amongst several controllers to uniquely identify a person over different datasets (usage data collected through the use of website or application, customer relation management (CRM) data related to online or offline purchase or subscription, etc.). On websites, the persistent personal data is generally obtained in the context of authentication or the subscription to newsletters. |
62. As outlined before, the fact that the information is being inputted by the user would not preclude the application of Article 5(3) ePD with regards to storage, as this information is stored temporarily on the terminal before being collected. | 62. As outlined before, the fact that information is being entered by the user would not preclude the application of Article 5(3) ePD with regards to storage, as this information is stored temporarily on the terminal equipment before being collected. |
63. In the context of ‘unique identifier’ collection on websites or mobile applications, the entity collecting is instructing the browser (through the distribution of client-side code) to send that information. As such a ’gaining of access’ is taking place and Article 5(3) ePD applies. | 63. In the context of ‘unique identifier’ collection on websites or mobile applications, the entity collecting is instructing the browser (through the distribution of client-side code) to send that information. As such a ’gaining of access’ is taking place and Article 5(3) ePD applies. |
[1] References to ‘Member States’ made throughout this document should be understood as references to ‘EEA Member States’. | [1] References to ‘Member States’ made throughout this document should be understood as references to ‘EEA Member States’. |
[2] ‘Terminal equipment of users of electronic communications networks and any information stored on such equipment are part of the private sphere of the users requiring protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms. So-called spyware, web bugs, hidden identifiers and other similar devices can enter the user's terminal without their knowledge in order to gain access to information, to store hidden information or to trace the activities of the user and may seriously intrude upon the privacy of these users. The use of such devices should be allowed only for legitimate purposes, with the knowledge of the users concerned.’ | |
[2] WP29 Opinion 4/2012 on Cookie Consent Exemption, WP 194, p. 2. | [3] WP29 Opinion 9/2014, p. 11. |
[4] As stated in Article 5(3) ePD: ‘This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.’ | |
[3] WP29 Opinion 9/2014 on the application of Directive 2002/58/EC to device fingerprinting. | [5] WP29 Opinion 9/2014, p. 8. |
[4] Judgement of the Court of Justice of 1 October 2019, Planet 49, Case C‑673/17, ECLI:EU:C:2019:801, paragraph 70. | [6] Judgement of the Court of Justice of 1 October 2019, Planet 49, Case C‑673/17, ECLI:EU:C:2019:801, paragraph 70. |
[7] WP29 Opinion 9/2014, p. 8. | |
[5] Commission Directive 2008/63/EC of 20 June 2008 on competition in the markets in telecommunications terminal equipment (Codified version), Article 1(1). | [8] Commission Directive 2008/63/EC of 20 June 2008 on competition in the markets in telecommunications terminal equipment (Codified version), Article 1(1). |
[9] That is, having the technical capabilities to be connected to the network even if that connection is not currently in place. | |
[10] Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws (Text with EEA relevance), OJ L 337, 18.12.2009, Article 2(5) and Recital 65. | |
[11] To identify the limits of the network in different contexts, refer to the BEREC Guidelines on Common Approaches to the Identification of the Network Termination Point in different Network Topologies (BoR (20) 46) | |
[12] Indeed, as reminded in Art. 2(13) of Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code, the user can be a natural or a legal person. | |
[13] Article 3 ePD. | |
[6] Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive) | [14] Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive) |
[7] Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code (Recast), Text with EEA relevance, Article 2(1). | [15] Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code (Recast), Text with EEA relevance, Article 2(1). |
[8] Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code (Recast), Text with EEA relevance, Article 2(1). | [16] Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code (Recast), Text with EEA relevance, Article 2(1). |
[9] Article 2 ePD defines the user as ‘any natural person using a publicly available electronic communications service, for private or business purposes, without necessarily having subscribed to this service’. In addition, Article 3 ePD states that it should apply in the context of ‘the provision of publicly available electronic communications services in public communications networks’. Finally, the terminal equipment itself as defined in the Directive 2008/63/EC is described as ‘equipment directly or indirectly connected to the interface of a public telecommunications network’. | [17] For example, in the context of delay-tolerant networking scheme that implement ‘store and forward techniques’ such as the Briar open source project. |
[18] For further analysis on the identification of public communication networks, refer to the BEREC Guidelines on the Implementation of the Open Internet Regulation (BoR (20) 112) | |
[10] Recital 26 ePD, see paragraph 17 above. | [19] Recital 26 ePD, see paragraph 17 above. |
[20] WP29 Opinion 9/2014, p. 8. | |
[21] An SDK (“software development kit”) is a bundle of software development tools made available to facilitate the creation of application software. | |
[22] WP29 Opinion 9/2014, p. 9. | |
[11] As defined in section 2.3 of these Guidelines. | [23] As defined in section 2.3 of these Guidelines. |
[24] See paragraph 4 above. | |
[25] The HTTP ETag is an identifier that allows to do conditional request based on the validity of the cached client data. | |
[26] HTTP Strict Transport Security (HSTS) allow servers to specify which resources should always be requested using HTTPS connections. | |
[27] As noted in the introduction, please see Opinion 9/2014 of the Article 29 Working Party on the application of ePrivacy Directive to device fingerprinting | |
[28] This is additional to and independent of the use and function of an IP address for the establishment and conveyance or transmission of underlying technical communications, or the fact that it may or may not be personal data (in respect of ePrivacy analysis, it is “information”) | |
[12] Carrier-grade NAT or CGNAT is used by Internet service providers to maximise the use of limited IP address space. It groups a number of subscribers under the same public IP address. | [29] Carrier-grade NAT or CGNAT is used by Internet service providers to maximise the use of limited IP address space. It groups a number of subscribers under the same public IP address. |
[30] WP29 Opinion 9/2014 provides for some example when consent might not be needed. | |
ーーー | ーーー |
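
Section 3.1 (paragraphs 47 to 51 in Version 2.0) describes tracking pixels and tracked links. The following added example, which is not part of the EDPB Guidelines or of this blog post, audits an HTML email or page for both, including the Version 2.0 case of a content image whose URL carries extra information. The heuristics, the parameter list, the function names and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl
import re

# Assumption: widely used campaign/click attribution parameter names
# (illustrative list, not taken from the Guidelines).
KNOWN_TRACKING_PARAMS = {"utm_source", "utm_medium", "utm_campaign",
                         "utm_term", "utm_content", "gclid", "fbclid"}
OPAQUE_TOKEN = re.compile(r"[A-Za-z0-9_-]{16,}")


def identifier_params(url):
    """Names of query parameters that carry an identifier rather than
    selecting the resource (heuristic: known name, or long opaque token)."""
    names = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        opaque = (OPAQUE_TOKEN.fullmatch(value) and re.search(r"\d", value)
                  and re.search(r"[A-Za-z]", value))
        if name.lower() in KNOWN_TRACKING_PARAMS or opaque:
            names.append(name)
    return names


def is_remote(url):
    """True if loading the URL makes the client contact a host.
    cid: and data: images are embedded, so no communication is established."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https", "") and parts.netloc != ""


def _tiny(value):
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value)
    return bool(m) and int(m.group(1)) <= 1


def is_invisible(attrs):
    """1x1 (or 0x0) dimensions, or hidden through inline style."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return _tiny(attrs.get("width", "")) and _tiny(attrs.get("height", ""))


class TrackingAudit(HTMLParser):
    """Collects findings in document order."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def _add(self, kind, url):
        self.findings.append({"kind": kind,
                              "host": urlsplit(url).hostname,
                              "params": identifier_params(url)})

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        if tag == "img" and is_remote(a.get("src", "")):
            if is_invisible(a):
                # No purpose related to the content: the request itself
                # is the signal, with or without extra identifiers.
                self._add("pixel", a["src"])
            elif identifier_params(a["src"]):
                # Content image with additional information in its URL.
                self._add("tagged-image", a["src"])
        elif tag == "a" and identifier_params(a.get("href", "")):
            self._add("tracked-link", a["href"])


def audit_html(html):
    parser = TrackingAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: an order-confirmation email body.
SAMPLE_EMAIL = """
<html><body>
<p>Hello, your order has shipped.</p>
<img src="cid:logo@mail.example" width="120" height="40">
<img src="https://metrics.example.net/o.gif?rcpt=7d4c1e9a0b3f5a6c8e2d" width="1" height="1" alt="">
<img src="https://cdn.shop.example/banner.png?uid=a1b2c3d4e5f60718293a" width="600" height="200">
<img src="https://cdn.shop.example/footer.png" width="600" height="80">
<a href="https://shop.example/product/42?utm_source=partner-blog&amp;aff=p-1029">View product</a>
<a href="https://shop.example/help">Help</a>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_EMAIL):
        print(finding["kind"], finding["host"], finding["params"])
```

Each finding marks a place where the content instructs the terminal equipment to send information back, so it is a candidate for the Article 5(3) ePD assessment described in paragraph 51; the heuristics will miss identifiers carried in the URL path and can flag legitimate long resource keys.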