@mattab opened this Issue on January 21st 2020 Member

Goal of this issue is to review the ePrivacy Regulation draft and see how it affects Matomo tracking, fingerprinting, and any other aspects of our privacy features and how to be compliant with these privacy laws. https://en.wikipedia.org/wiki/EPrivacy_Regulation_(European_Union)

As far as I can see, here is the current latest version of the eprivacy regulation draft: https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1579563538672&uri=CONSIL:ST_13808_2019_INIT

It seems still to be WIP, in November 2019: https://iapp.org/news/a/eu-member-states-reject-eprivacy-regulation-draft/

The Permanent Representatives Committee of the Council of the European Union has rejected the draft ePrivacy Regulation brought forth by the Finnish Presidency of the Council of the EU, according to advocacy organization European Digital Rights. Politico Europe Senior Policy Reporter Laurens Cerulus reports more than a dozen countries objected to the text.

-> What is the status of ePrivacy and if the draft text goes ahead, how would it impact Matomo and Matomo users?

@mattab commented on February 28th 2020 Member

See example justification from etracker translate.google.com/translate?sl=de&tl=en&u=https%3A%2F%2Fwww.etracker.com%2Fblog%2Fetracker-analytics-mit-reinem-session-tracking-einwilligungsfrei%2F

@mattab commented on March 10th 2020 Member

Quick update:

New ePrivacy proposals from Croatian Presidency
In what has been seen as a big win for lobbying by the ad tech industry, on Friday 21 February, the Croatian Presidency of the European Union proposed sweeping changes to Articles 6 and 8 of the draft ePrivacy Regulation.

The new text (Recital 21b) says that service providers "whose website content or services are accessible without direct monetary payment and wholly or mainly financed by advertising," may rely on "legitimate interest" for placing tracking cookies "provided the end-user has been provided with clear, precise and user-friendly information about the purposes of the cookies or similar techniques used and has accepted such use."

Whether "has accepted such use" means consent would be required is unclear. Indeed the whole document is slightly contradictory as according to Article 8(1)g "a provider should not be able to rely upon legitimate interests if the storage or processing of information in the end-user's terminal equipment or the information collected from it were to be used to determine the nature or characteristics on an end-user or to build an individual profile of an end-user."

So far, so unclear.

from GDPR Today newsletter https://noyb.eu

@Daten-David commented on April 22nd 2020

I had posted a question in the Matomo forum. @mattab asked me to publish it here as well (sorry for delay).
One remark: This issue here addresses the upcoming ePrivacy REGULATION. My question addresses the old ePrivacy DIRECTIVE.

Let's go:

I work as an external data protection officer. Consulting my clients I struggle with Matomo and cookie consent under art. 5 para. 3 ePrivacy DIRECTIVE (of 2009 aka Cookie Directive, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:02009L0136-20091219). Note: This is not the same as the future ePrivacy REGULATION (which will replace the directive one day).

I understand (and agree) that under GDPR web analytics as provided by Matomo can be used under legitimate interest and no consent is required for such data processing. But legitimate interest in GDPR is not the same as "strictly necessary" in ePrivacy Directive. What does Matomo know about this issue?

I have found a statement by Matomo of 2014 which considers Matomo analytics as strictly necessary - but the statement does not provide any arguments for this finding: https://matomo.org/blog/2014/10/cnil-recommends-piwik-analytics-tool-no-cookie-consent/

I have found talks (in German) touching the issue in the forum but they do not exactly address the core question: https://forum.matomo.org/t/opt-in-implementierung/34402/3

A posting in the forum refers to a statement by eTracker which looks at the issue like I tend to do (https://www.etracker.com/blog/cookie-urteil-des-eugh-auswirkungen-auf-den-einsatz-von-etracker/): No processing consent under GDPR but still cookie consent under ePrivacy Directive.

I would be very grateful if you could provide additional arguments on the issue. I would love to tell my clients consent is NOT required BOTH under GDPR and ePrivacy Directive.

Thanks a lot!
