It appears that we may be about to experience a new phase in the life of Article 5 (3) of the ePrivacy Directive as amended in 2009, as brief as it may possibly be as a result of the coming Regulation and the revisions that the ePrivacy Directive may be subject to in its wake.
Twitter privacy activist Alexander Hanff has attracted considerable attention (such as here and here) for his position that client-side scripts used by publishers to detect AdBlockers used by their (would-be) readers are in conflict with said Article, posting on Twitter a letter from Günther Oettinger’s team in the EU Commission that, as per him, confirms his position.
Aside from the slightly amusing twist that the Commission, in making reference in the same letter to add-ons or plug-ins expressing a user’s preference regarding, for example, whether or not he or she does or does not accept the storage of information on his/her “terminal equipment”, appears to overlook that adblockers have to be detected first before they can be “respected” as conveying a preference, we shall have a brief look at how things would play out under German law, as it is in place at this time.
First, we should make one thing clear from the beginning: An EU Directive is in all but a few cases not directly applicable as an act of law. And even in the exceptional cases in which a Directive is directly applicable (for the criteria to be met see, e.g., ECJ in Dori v Recreb), this does not mean that individuals may make claims against other individuals on the basis of the Directive, nor does it mean – and it is astounding that this is so often forgotten (to name and shame one: The German Federal Data Protection Authority here (page 85), and repeated in public speeches) – that the Member States can apply it directly to take measures against individuals. All its direct applicability does is allow individuals to rely on the Directive against a Member State. Or, in other words, an EU Directive is never binding for individuals, whether or not a Member State is bound to apply it directly. Do read things up.
Against this background, we need to look at the applicable provisions under German law to determine if and, if yes, in what cases using scripts to detect adblockers violates the law. It is, of course, true that EU law demands that one takes into account EU law when interpreting and applying provisions of the Member State’s law (effet utile); but to do that, the national law first needs to leave room for interpretation. Or in other words: if the provision in German law that we want to apply to the case in hand is comprehensive and clear, we cannot interpret it to the contrary just because an EU directive may seem to require another solution.
This post does not aim at adding further insight to the question of whether section 5 (3) of the directive has been, and has been properly, implemented in Germany or not (but, no, it has not). The provision that we would look at when trying to answer the question is section 15 (3) of the Telemedia Act, a translation of which (flawed as it may be) would read as follows:
“The service provider may for the purposes of advertising, market research or the requirements-oriented design of the telemedia in a needs-based generate usage profiles based on pseudonyms to the extent that the user of the service has not objected to it. The service provider must inform the user of the service on his right to object in accordance with section 13 (1). These usage profiles must not be collated with data on the individual behind the pseudonym.”
Without wanting to do a full exegesis of this provision, it is clear that it does not require an active declaration of consent; in fact, it does not even require any form of expressing consent at all. All this does is give the user the right to say “I don’t want any usage profiles generated from my visits”. Also, the provision, as highlighted by its context in the Telemedia Act, does not deal with “information” but, much more narrowly, only with personal data. And thirdly, it applies to usage profiles and not to (single pieces of) information.
As a consequence, as long as the publisher does not generate usage profiles (which he does not have to do when only trying to detect whether or not the user uses an adblocker for the individual session), and as long as the publisher does not collect and/or process personal data as a result of running the script, it is difficult to see how one could argue that applying such scripts could violate German law. In addition, even if usage profiles are created, one would still have to say that giving the user the right and opportunity to voice his/her objection to the script being deployed would suffice to meet the legal requirements.
If we accept that the letter of the Commission mentioned above is correct in its legal statement, and if we further assume that applying the script to detect adblockers does not solely serve the purpose of carrying out the transmission of the communication, the consequence may well be that the question highlights the fact that Germany has not properly implemented the Directive. But that does not change the fact that, in the opinion of this post, neither individuals nor the Authorities in Germany have a means to stop the use of scripts under section 15 (3) of the Telemedia Act, at least not as a matter of principle and not in all cases.
Whether or not this will change once the coming Regulation has entered into force remains to be seen. As we write, it is not clear what will happen to the Directive, as it is currently under review, inter alia in the context of the Regulation. To confuse the situation further, just read the definition of “personal data” in Article 4 (1) of the final draft of the Regulation together with the corresponding Recital 30 and tell me what that means with respect to cookies, script technologies and so on that only serve such limited purposes as detecting a certain technology, i.e. that do not, in real-life terms, aim at collecting personal data. All we know is that it will be interesting.