Review ePrivacy Regulation draft and how it would affect Matomo Analytics

[mattab]

Goal of this issue is to review the ePrivacy Regulation draft and see how it affects Matomo tracking, fingerprinting, and any other aspects of our privacy features and how to be compliant with these privacy laws. https://en.wikipedia.org/wiki/EPrivacy_Regulation_(European_Union)

As far as I can see, here is the current latest version of the eprivacy regulation draft: https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1579563538672&uri=CONSIL:ST_13808_2019_INIT

It seems still to be WIP, in November 2019: https://iapp.org/news/a/eu-member-states-reject-eprivacy-regulation-draft/

The Permanent Representatives Committee of the Council of the European Union has rejected the draft ePrivacy Regulation brought forth by the Finnish Presidency of the Council of the EU, according to advocacy organization European Digital Rights. Politico Europe Senior Policy Reporter Laurens Cerulus reports more than a dozen countries objected to the text.

-> What is the status of ePrivacy and if the draft text goes ahead, how would it impact Matomo and Matomo users?

[mattab]

See example justification from etracker translate.google.com/translate?sl=de&tl=en&u=https%3A%2F%2Fwww.etracker.com%2Fblog%2Fetracker-analytics-mit-reinem-session-tracking-einwilligungsfrei%2F

[mattab]

Quick update:

New ePrivacy proposals from Croatian Presidency
In what has been seen as a big win for lobbying by the ad tech industry, on Friday 21 February, the Croatian Presidency of the European Union proposed sweeping changes to Articles 6 and 8 of the draft ePrivacy Regulation.

The new text (Recital 21b) says that service providers "whose website content or services are accessible without direct monetary payment and wholly or mainly financed by advertising," may rely on "legitimate interest" for placing tracking cookies "provided the end-user has been provided with clear, precise and user-friendly information about the purposes of the cookies or similar techniques used and has accepted such use."

Whether "has accepted such use" means consent would be required is unclear. Indeed the whole document is slightly contradictory as according to Article 8(1)g "a provider should not be able to rely upon legitimate interests if the storage or processing of information in the end-user's terminal equipment or the information collected from it were to be used to determine the nature or characteristics on an end-user or to build an individual profile of an end-user."

So far, so unclear.

from GDPR Today newsletter https://noyb.eu

[Daten-David]

I had posted a question in the Matomo forum. @mattab asked me to publish it here as well (sorry for delay).
One remark: This issue here addresses the upcoming ePrivacy REGULATION. My question addresses the old ePrivacy DIRECTIVE.

Let's go:

I work as an external data protection officer. Consulting my clients I struggle with Matomo and cookie consent under art. 5 para. 3 ePrivacy DIRECTIVE (of 2009 aka Cookie Directive, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:02009L0136-20091219). Note: This is not the same as the future ePrivacy REGULATION (which will replace the directive one day).

I understand (and agree) that under GDPR web analytics as provided by Matomo can be used under legitimate interest and no consent is required for such data processing.But legitimate interest in GDPR is not the same as "strictly necessary" in ePrivacy Directive. What does Matomo know about this issue?

I have found a statement by Matomo of 2014 which considers Matomo analytics as strictly necessary - but the statement does not provide any arguments for this finding: https://matomo.org/blog/2014/10/cnil-recommends-piwik-analytics-tool-no-cookie-consent/

I have found talks (in German) touching the issue in the forum but they do not exactly address the core question: https://forum.matomo.org/t/opt-in-implementierung/34402/3

A posting in the forum refers to a statement by eTracker which looks at the issue like I tend to do (https://www.etracker.com/blog/cookie-urteil-des-eugh-auswirkungen-auf-den-einsatz-von-etracker/): No processing consent under GDPR but still cookie consent under ePrivacy Directive.

I would be very grateful if you could provide additional arguments on the issue. I would love to tell my clients consent is NOT required BOTH under GDPR and ePrivacy Directive.

Thanks a lot!

[mattab]

In the draft of eprivacy available here: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CONSIL:ST_6087_2021_INIT
(PDF from Feb 21)

Article 8 states as below:

which reads:

The use of processing and storage capabilities of terminal equipment and the collection
of information from end-users’ terminal equipment, including about its software and
hardware, other than by the end-user concerned shall be prohibited, except on the
following grounds:
[..several exceptions here..]
the end-user has given consent; or
[..several exceptions here..]
it is necessary for the sole purpose of audience measuring, provided that such
measurement is carried out by the provider of the service requested by the end-
user, or by a third party, or by third parties jointly on behalf of or jointly
with provider of the service requested provided that, where applicable, the
conditions laid down in Articles 26 or 28 of Regulation (EU) 2016/679 are
met; or

Below they cover a slightly different case:

I don't actually understand the difference between Article 8) 1. and Article 8) 2.

-> but maybe this would mean that Eprivacy does not restrict web analytics use case and use of 1st party cookies or fingerprint?

To be continued 🚀

[Daten-David]

I don't actually understand the difference between Article 8) 1. and Article 8) 2.

Article 8 para 1 addresses access to data which is on the device.

Article 8 para 2 addresses data which is sent ("emitted") by the device. You could say this refers to signals sent out to detect a WiFi or Bluetooth sender.

Article 8 para 1 lit. d is actually the law that addresses analytics as provided by Matomo. If this draft turns into law this would be extremely helpful to promote Matomo.

Google Analytics user might call for the same exemption. But there might be arguments to which extent Google Analytics serves the "sole purpose of audience measuring".

As soon as an analytics account is connected to additional services like advertising the purpose is bigger than audience measuring.