In late 2014 the European Union’s (“EU”) independent data protection advisory body, the Article 29 Working Party (“A29WP”), issued an opinion on the legal issues raised by device fingerprinting. Device fingerprinting refers to a process whereby various technical data about a device, which by themselves are not unique and do not make a device user identifiable, are combined to create a ‘device fingerprint’ that can be used to track internet behaviour.
The A29WP’s opinion (the “Opinion”), which is summarised below, is that device fingerprinting already threatens the data protection and privacy rights of EU citizens. In particular, fingerprinting is already being used as an alternative to cookies by organisations wishing to track the activity of internet users and, in the A29WP’s view, is subject to the same regulation under the e-Privacy Directive (Directive 2002/58/EC).
The Opinion reports that device fingerprinting has been explored as a way to avoid the regulatory obligations which must be complied with when using cookies. However, the e-Privacy Directive does not only apply to cookies and, as the A29WP makes clear in the Opinion, also governs ‘similar technologies’, meaning that device fingerprinting is subject to the same regulation as cookies.
According to the A29WP, the use of the words ‘stored or accessed’ makes it clear that either storage or access alone is sufficient to trigger the provision, and there is no need for simultaneous storage and access. This is important because a device may be fingerprinted by accessing read-only information without storing any data on the device itself. As a result, such access will still fall within the scope of the e-Privacy Directive and will require the user’s consent.
The e-Privacy Directive does contain exemptions pursuant to which data may be stored or accessed (and therefore fingerprinted) without consent. These allow for storage or access:
- for “the sole purpose of carrying out the transmission of a communication over an electronic communications network”; or
- where “strictly necessary in order to provide an information society service explicitly requested by the subscriber or user”.
The Opinion also provides several case studies to demonstrate how and in what situations device fingerprinting may occur. These include first party website analytics and tracking for online behavioural advertising, both of which would likely breach the relevant provisions of the e-Privacy Directive if the user’s prior consent is not obtained. There are also examples of situations where an exception may apply, for example network provision or user-interface customisation.
The Opinion focuses on e-privacy law and not regulation under the Data Protection Directive (95/46/EC); however, the A29WP does point out that data protection law is likely to apply. EU data protection law protects data which relates to identified or identifiable individuals. Whilst the data utilised to fingerprint devices may not in isolation, or perhaps even when combined, identify an individual web user, it nonetheless allows devices to be distinguished from one another and a particular device’s internet activity to be tracked.
In the A29WP’s view, once a device has been ‘fingerprinted’ the tracking of its internet activity gives rise to a substantial risk that the individual user will become identifiable and, consequently, that EU data protection law will apply.
The e-Privacy Directive is a controversial piece of legislation which many businesses regard as overly onerous and impractical, and for this reason the A29WP’s Opinion will be unwelcome news to those seeking to exploit device fingerprinting as a way to circumvent the consent requirement. However, as is made clear in both the Opinion and the e-Privacy Directive itself, the wording and scope of the Directive are broad and not limited to any particular technology. Furthermore, the approach of data protection authorities of interpreting such provisions in favour of the rights of the data subject should not come as a surprise.
Organisations which fingerprint devices under the exceptions contained within the e-Privacy Directive must ensure that they observe a strict and narrow interpretation of those exceptions, as that is likely to be the approach taken by a data protection authority when enforcing the relevant provisions of national law implementing the e-Privacy Directive. Furthermore, it should be remembered that data protection law may apply to the data used to fingerprint a device and will therefore need to be complied with whenever such data is processed.