- National implementations of the ePrivacy Directive vs. the European General Data Protection Regulation (GDPR)
- What does the ePrivacy Directive address?
- Where does the General Data Protection Regulation (GDPR) come into play?
- Why is data transfer to third countries important?
- Sharing data with non-EU countries in a GDPR-compliant way
- How can a solution look in detail?
Google confirmed the upcoming end of third-party cookies in March 2021. Apple and Mozilla have already been limiting the tracking of user behaviour within their Safari and Firefox browsers respectively for some time. Decision-makers in EU authorities are determined to continue strengthening ePrivacy, while national data protection supervisory authorities are increasingly dedicated to enforcing the supporting legal frameworks.
Within two years, the world of online marketers and data analysts alike has been turned upside down. The General Data Protection Regulation and the national telecommunication laws implementing the ePrivacy Directive have reshuffled the cards and thereby created major uncertainty in the industry.
Which practices are legal?
Can I make reliable decisions based on data that is attained only from compliant sources? Which data can I rely on in the first place?
Conventional solutions do not yet promise legally compliant data collection approaches that focus not only on GDPR but also on individual national implementations of the ePrivacy Directive.
So, do I have to learn to live with significant losses of critical data? Or is there still a way to collect reliable and relevant data?
In order to be able to answer this question more precisely, we will provide you with the most important insights below, which we have taken into account during the development of our tracking solution in close cooperation with lawyers.
These insights should act as a sort of guide for you to be prepared better than your competitors in the case of an audit by data protection supervisory authorities.
National implementations of the ePrivacy Directive vs. the European General Data Protection Regulation (GDPR)
Put very simply, all national implementations of the ePrivacy Directive have one thing in common. They determine the influence companies are allowed to take on users’ personal devices.
In comparison, the GDPR, which applies to all of Europe and the EEA, determines how companies and other organisations – for this purpose “data controllers” – must handle the personal data of natural persons – in this sense “data subjects” – that they collect, store and redistribute. All data tracking tools must follow both laws.
What does the ePrivacy Directive address?
The ePrivacy Directive regulates the influence that companies are allowed to take on users’ personal devices. This can be best described with the following question: Am I placing something (e.g. cookies) on the personal device of the data subject or am I reading information (e.g. device information) from her personal device?
Here are two example questions to make this more tangible: Has the user been on my site before? Does a user use my offer via mobile device or via desktop?
[Therefore, the essential condition for tracking is NOT regulated by the GDPR but rather by the ePrivacy Directive!]
The ePrivacy Directive requires that cookies may only be set without consent if they are technically necessary.
Consequently, data analysis, marketing, personalisation and other related use cases are not justified. Companies are therefore only allowed to place and store, for example, a cookie on the visitor’s computer, tablet or smartphone with the user’s consent.
As a result, if you want to use data for purposes other than technical necessity, the user’s consent becomes mandatory.
[The actual use of personal data is NOT included in the ePrivacy Directive!]
Where does the General Data Protection Regulation (GDPR) come into play?
If you have received the required consent to place a technology (e.g. a cookie) on the user’s device, the GDPR regulates the specific use of personal data. You need to determine the intended data application for each tool in your marketing stack.
How you can handle this:
1. Check whether data actually has personally identifiable information
   – Consider objective and subjective personally identifiable information
2. Check why you are allowed to use this data with personally identifiable information
   – Obtain consent from the user
   – Fulfilment of contract would otherwise be impossible
   – Legitimate interest of your company
Ad 1: Do my collected data points have personally identifiable information?
First of all, be clear about which data actually reflect personally identifiable information. It is important to differentiate between two types of personal data described within the GDPR. Essentially, it is about who is able to establish personally identifiable information.
As a consequence, data such as IP addresses or car license plates are inevitably classified as “data with an objective personally identifiable information”.
Ad 2: Why might I use collected data?
1. Getting Consent – Is there a Positive Consent?
To use users’ personal data (objective and subjective) for analytics, marketing and other purposes, their consent is required in accordance with the GDPR. If you obtain this consent – usually by using a Consent Management Platform (CMP) – you can also prove that consent has been properly obtained.
ATTENTION: A detail that is often disregarded is that you are NOT allowed to send this data to companies from third countries (such as the U.S.) without further user consent – even though the consent has been voluntarily granted by the user. This is no longer possible because the U.S.-EU Privacy Shield has been cancelled. Transferring personal data to European companies is still no problem for you, of course.
2. Fulfilment of contract impossible – Other justification than “consent”.
One of the two simpler legal bases for collecting and using personal data is the fulfilment of a contract (e.g. online purchase). Data for contract performance is really a “no-brainer” in this context.
However, remember that the purpose of data collection must be communicated to the user and connected to the data you collect. Moreover, at any point in time, you may only process this data if it is used for exactly the same purpose.
For example, if you collected personal data to perform a contract with the purpose of processing for “shipping” the goods, you cannot use this data for analysis to determine what regions/cities your orders were most frequently delivered to.
3. Legitimate interest – Other justification than “consent”.
On the one hand, legitimate interest is quite a simple justification for data collection; on the other hand, it is unfortunately rather difficult to define.
Your legitimate interest comes into play when your company’s interest in processing personal data exceeds the user’s interest in privacy. But seriously – what can that be, other than, for example, anonymising your user’s data before you simply send it out into the world?
Why is data transfer to third countries important?
In practice, it is usually the case that many of your tools are offered by companies where a majority of ownership belongs to a non-EU entity. For example, U.S. companies are obliged to make their data accessible to the U.S. government under the U.S. CLOUD Act – an absolute no-go for all European data protectors.
Unfortunately, these tools thereby completely lack the required legal justification according to the GDPR. At least since the Schrems rulings of the CJEU (Schrems II), popular and helpful tools such as Google Analytics, Facebook and Omniture (Adobe Analytics) are no longer compliant with the GDPR when integrated in the conventional way, because personal data is sent directly to the U.S.
If you have received a consent for Google Analytics according to the ePrivacy Directive, you still can NOT send personal data to Google. The following example may clarify this:
- The IP address of your user is considered personal data.
- Your site sends that IP address to Google to have it anonymised using “anonymizeIP=true”.
- And there you are, trapped!
It is simply not possible to leave the anonymisation of your data to a company in a third country. In that case, European law is no longer the only law that applies to the data that is anonymised. In the above case, the U.S. company Google would already be in possession of this information.
Sharing data with non-EU countries in a GDPR-compliant way
So how can you escape this dilemma and still keep using all your usual, really good tools? It’s rather simple.
- As a European company, store your collected data on your servers (as first party).
- Make sure you don’t use a cloud operated by a non-EU company.
- Pay attention to the GDPR regulations
- Anonymise personal data yourself
- Only send your data to tools from third country providers after you have anonymised these data.
All your tools have an API that you can access after your server-side anonymisation. You only have to decide per API which data you want/need to anonymise before sending.
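The per-API decision described above, sketched as an added example (not JENTIS code or code from the original page): a first-party server keeps the full event and builds a reduced copy for each third-country tool. The tool names, field names and the choice of zeroing everything beyond /24 (IPv4) or /48 (IPv6) as the anonymisation step are assumptions made for this illustration.

```python
import ipaddress

# Assumption: how many leading bits of an address are kept; the rest is zeroed.
KEEP_BITS = {4: 24, 6: 48}

# Hypothetical per-API allow-lists (tool and field names are constructed).
# Any field not listed never leaves the first-party server.
API_POLICY = {
    "analytics_us": {"event", "page", "ts", "ip"},  # receives a truncated IP
    "ads_us": {"event", "page", "ts"},              # receives no IP at all
}

def truncate_ip(value):
    """Zero the host part of an IPv4/IPv6 address; None if it cannot be parsed."""
    try:
        addr = ipaddress.ip_address(value.strip())
    except (ValueError, AttributeError):
        return None
    # An IPv4 address wrapped as ::ffff:a.b.c.d must be cut like IPv4,
    # otherwise the /48 rule would leave the whole IPv4 address intact.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    net = ipaddress.ip_network(f"{addr}/{KEEP_BITS[addr.version]}", strict=False)
    return str(net.network_address)

def prepare_for_api(event, api):
    """Return the copy of `event` that may be sent server-side to `api`."""
    allowed = API_POLICY[api]  # unknown destination: KeyError, nothing is sent
    out = {k: v for k, v in event.items() if k in allowed}
    if "ip" in out:
        short = truncate_ip(out["ip"])
        if short is None:
            del out["ip"]      # fail closed: never forward an unparsed value
        else:
            out["ip"] = short
    return out

# Constructed sample event as the first-party server might hold it.
SAMPLE_EVENT = {
    "event": "purchase", "page": "/checkout", "ts": 1700000000,
    "ip": "203.0.113.77", "user_id": "u-1842", "email": "jane@example.org",
}
```

The original event is never modified, so the first-party store keeps its full record while each outbound copy carries only what its allow-list names.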
With these procedures in place you are already prepared for any requests from either self-appointed “data protectionists” or an unexpected, mandatory investigation by your supervisory authority – now you can relax and concentrate on your core business again.
TIP: To be on the safe side, your IT department should keep an eye on possible changes to the APIs in order to make data available within your tools without interruption and with the quality you require.
How can a solution look in detail?
To illustrate a complete solution, you can see how JENTIS solves this challenge below.
- Consent for processing data from personal devices according to ePrivacy regulations is collected
- Personal data (such as IP address) is anonymised by an EU company
- We use the cloud servers based in the EU
- Anonymised data is sent “server side” to all other tools, without their ability to access personal devices.
If you want to save time, money and energy, this solution is available as a Plug&Play tool. In that way, you fulfil all requirements of the GDPR and the ePrivacy Directive provisions for your website and solve related issues easily and permanently.
With the twin-server technology, absolutely reliable server-side tracking is possible for the first time, which guarantees client-side tracking based on consent. Data quantity, data quality, data sovereignty, data security, data distribution – all available from one source.
Backed up by JENTIS, all tools in your marketing stack that are dependent on data become not only compliant but also future-ready in one fell swoop. If you don’t want to solve these challenges alone, we are happy to share more about JENTIS with you.