Thanks Rigo -
Seems pretty clear to me:
> Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.
If device fingerprinting data forms part of that collection of information, it falls within the definition of personal data…
(my 2c…)
Hope you are well - too long since we had a change to connect!
R
Robin Wilton, Director - Internet Trust
wilton@isoc.org

internetsociety.org | @internetsociety
> On 16 Oct 2024, at 21:54, Rigo Wenning <rigo@w3.org> wrote:
>
> Tara, Nick,
>
> don't know whether you've seen it. The European Data protection board has issued a new/updated recommendation on fingerprinting based on the Art. 5 (3) of the ePrivacy Directive.
>
> The EDPB seems to argue that all information in the terminal equipment falls under Art. 5 (3), not only personal information. And consequently accessing that information is only legal under the preconditions enumerated in Art. 5 (3). Which means any collection of the number of fonts or other fingerprinting information falls under this Article.
>
> It remains to be seen whether the courts will follow that argumentation.
>
> https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-22023-technical-scope-art-53-eprivacy-directive_en
>
> -- Rigo
