Allan Sorensen is Head of Digital at Danske Medier and Chair of IAB Europe’s Policy Committee.
The views expressed by the Article 29 Working Party in its opinion on the proposed ePrivacy Regulation adopted 4 April 2017 are in blatant disregard of the very privacy and data protection laws it is tasked to enforce.
For example, the WP29 welcomes the “broad prohibitions and narrow exceptions” of the proposed ePrivacy Regulation and goes on to opine that “the introduction of open-ended exceptions along the lines of Article 6 GDPR, and in particular Art. 6(f) GDPR (legitimate interest ground), should be avoided.” The principle called into question by the WP29 in its opinion has formed part of EU data protection law since its inception, and the Court of Justice of the EU has been one of its most ardent defenders. Moreover, the legitimate interest ground has been reaffirmed by the EU legislator when it adopted the General Data Protection Regulation in 2016.
Further, the WP29’s opinion on the ePrivacy Regulation states that “take-it-or-leave-it” approaches are “rarely legitimate” when discussing the practice of website operators making access to their service conditional on the acceptance of processing based on cookies or similar devices. However, the existing ePrivacy Directive explicitly states that “[a]ccess to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.” Indeed, virtually all commercial transitions today are based on“take-it-or-leave-it” making it by far the most common way of doing business today.
I call on the co-legislators to bear in mind that documents adopted by the WP29 are only an opinion and do not carry force of law. Indeed, they do not even necessarily constitute valid interpretations of the law. The WP29 is not bound – and does not attempt – to issue opinions only in accordance with the law, nor is it bound to be neutral and objective when issuing opinions on political matters, such as the proposed ePrivacy Regulation.
The data protection authorities making up the WP29 stand to gain power, resources and prestige with any additional data protection regulation. What is best for data protection authorities, is not necessarily in the best interest of the consumer. The protection of the broader best interest of the consumer does not form part of the WP29’s mandate. But it is part of the responsibility of the legislator to look out for what is best for the people who they represent. Members of the European Parliament and member state governments should not forget that most European citizens welcome and even expect the possibility of having free access to a broad variety of news, information and online services in return for agreeing to see relevant advertisements.