On November 14, 2023, the EDPB published Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive.
As usual, the guidelines are subject to public consultation for a period ending December 28, 2023.
Probably, this action was necessary as a result of difficulties in the trialogue negotiation process regarding the proposed text of the ePrivacy Regulation that was to replace and repeal the current Directives 2002/58/EC and 2009/136/EC. At the same time, as stated in the introduction to the aforementioned guidelines, “due to new technological advances, additional guidance is needed with respect to currently observed tracking techniques.” The purpose of the guidelines, therefore, is to clarify the scope of the aforementioned requirement that, as a general rule, accessing content or storing new content in the user’s terminal is subject to the user’s prior consent.
Applicable legislation
The protection of private life, or so-called privacy, in electronic communications is governed by specific EU regulations.
Directives 2002/58/EC and 2009/136/EC
The matter was originally addressed by Directive 2002/58/EC, subsequently amended by Directive 2009/136/EC; among other things, with specific reference to the aforementioned requirement of paragraph 3 of Article 5 of Directive 2002/58. In this regard, in fact, the second directive made a substantial change to the original text, modifying the user’s previous right of refusal with respect to online trackers and replacing it with prior express consent: as a result, “the user’s consent can no longer be presumed and must result from the user’s active conduct” (CJEU, Case C-673/17, Planet 49, p. 56).
The aforementioned directives, as will be discussed more fully below, represent a special law with respect to the general data protection law, first governed by Directive 95/46/EC and later by the GDPR. On the relationshipbetween the two disciplines, Directive 2002/58/EC itself specifies that its provisions “clarify and supplement Directive 95/46/EC” (thus, the GDPR) and Recital (10) adds that “[i]n the electronic communications sector, Directive 95/46/EC shall apply, in particular with regard to all aspects concerning the protection of fundamental rights and freedoms not specifically covered by the provisions of this Directive.”
Italian Privacy Code
The principles of the aforementioned directives were implemented in the Italian legal system with the Privacy Code and, most recently, with Legislative Decree No. 69/2012. Specifically, the requirement of paragraph 3, Article 5 of Directive 2002/58 has been transposed into Article 122(1) of the Privacy Code.
As a result, the subject of confidentiality of the contents of electronic communications is governed by two complementary bodies of law and in a kind to kind relationship:
- The GDPR when the information involved qualifies as personal data and is not specifically regulated by Articles 121 et seq. of the Privacy Code
- By Articles 121 et seq. of the Privacy Code in the other cases.
