On 7 October 2024 the EDPB adopted new guidelines regarding the technical scope of article 5(3) of the ePrivacy directive. Article 5(3) applies to “the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user”. In Sweden the ePrivacy directive has been implemented into Swedish law trough chapter 9 section 28 in the Electronic Communications Act (2022:482). According to the guidelines, the applicability of article 5(3) “is well established”, but “that there is a need to address ambiguities related to the application of the said provision to emerging tracking tools.” New tracking methods are replacing existing tracking tools and creating new business models, resulting in a need for further guidance.
The guidelines identify three key elements for the applicability of article 5(3).
- The operations carried out relate to ‘information’ (note that information is not synonymous with personal data).
- The operations carried out involve a ‘terminal equipment’ of a subscriber or user, which imply the need to assess the notion of a ‘public communications network’.
- The operations carried out indeed constitute ‘storage’ or a ‘gaining of access’.
The guidelines also include a non-exhaustive list of common techniques:
- URL and pixel tracking.
- Local processing.
- Tracking based on IP only.
- Intermittent and mediated Internet of Things reporting
- Unique identifier
