EDPB’s new publications on the ePrivacy Directive, processors and legitimate interests
The question
What are the key takeaways for organisations processing personal data set out in the recent Guidelines and Opinions adopted by the European Data Protection Board (EDPB)?
The key takeaway
One of the EDPB’s priorities is to ensure that regulatory frameworks keep pace with the latest technological developments. While certain exceptions apply, both the Guidelines and the Opinion reinforce that when processing or controlling personal data, businesses (a) must comply with applicable data protection laws including the EU General Data Protection Legislation (EU GDPR), and (b) have a responsibility to ensure that data protection standards are maintained even when personal data is transferred to third parties.
The background
The EDPB is an independent organisation that aims to ensure that EU data protection laws are applied consistently across relevant jurisdictions. It publishes guidance, adopts recommendations and encourages closer co-operation between the national data protection authorities that enforce the EU GDPR. While its recommendations and guidance are no longer directly applicable in the UK, they are often relevant to organisations following UK data protection laws because of the similarities between the two pieces of legislation.
The EDPB has recently issued several guidelines and opinions that are relevant to organisations that process personal data subject to the EU GDPR. These include guidelines on the scope of the EU’s ePrivacy Directive (the ePD) and on the application of the legitimate interests lawful basis for processing personal data, and an opinion on the use of processors and sub-processors by a data controller.
The development
The key takeaways from each EDPB publication are as follows:
Guidelines on the Technical Scope of Article 5(3) of the ePrivacy Directive:
- Following consultations, the EDPB adopted the final version of the guidelines on the technical scope of the ePD on 7 October 2024. While there have been no significant amendments to the draft dated 14 November 2023, these guidelines remain crucial for explaining the applicability of the ePD to emerging tracking tools. See our Snapshots Winter 2023 article for our previous discussion on this topic.
- These guidelines emphasise that new tracking tools such as pixel tracking and IP-based tracking are not exempt from the regulations. The emergence of these tools in the market has caught the attention of regulators, and more targeted rules are likely to follow.
Opinion 22/2024 on certain obligations following from the reliance on processor(s) and sub-processor(s)
- In this opinion, adopted on 7 October 2024, the EDPB provides advice on the extent of checks a controller must implement to verify whether processors and sub-processors provide “sufficient guarantees” to ensure the implementation of appropriate technical and organisational measures under Article 28 EU GDPR. In particular, controllers should be able to identify processors and sub-processors and have this information readily available at all times.
Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR
- Legitimate interest is one of the six lawful bases under which data controllers can process personal data in compliance with the EU GDPR. These guidelines outline the requirements a controller must meet before relying on this lawful basis. The draft guidelines were adopted on 8 October 2024 and were subject to public consultation until 20 November 2024.
- When relying on legitimate interests as the lawful basis for direct marketing, controllers must meet three conditions: (i) a legitimate interest must be pursued; (ii) data processing must be necessary for that interest; and (iii) a balancing test must confirm that the interest does not override individuals’ rights.
- The EDPB clarifies in the draft guidance that extensive data processing, such as tracking individuals across multiple platforms, is less likely to pass the balancing test. Less intrusive activities, like sending commercial communications to existing customers who have purchased similar products, are easier to justify as a valid legitimate interest for processing personal data.
Why is this important?
In the UK, the Privacy and Electronic Communications Regulations (PECR) implement the ePD, with Article 5(3) of the ePD being reflected in Section 6 of the PECR. PECR complements the general data protection regime in the UK under the Data Protection Act 2018 and the EU GDPR as it forms part of retained EU law in the UK (the UK GDPR). Whilst the new guidelines on the ePD are not directly applicable to PECR (since the UK has left the EU), they may offer further guidance on newly emerging tracking tools.
The guidelines on legitimate interests and on the reliance on processors also show the direction of legislative travel for these areas and provide useful guardrails for organisations that are subject to the UK GDPR as well as the EU GDPR.
Any practical tips?
New tracking tools that can optimise consumer data may offer businesses attractive opportunities. However, when adopting these technologies, businesses should consider the EDPB's guidance, as regulators are likely to expect them to have taken it into account when implementing such tools.
Similarly, when outsourcing data processing to third parties, businesses must be cautious and bear the EDPB's recommendations in mind. It is critical to ensure that the third-party processor provides the same level of protection for that data as the controller does. Practically, organisations should aim to achieve this by performing due diligence on processors and ensuring that the contracts with processors include all the appropriate protections.
Winter 2024