EDPB issues opinion on interplay between ePrivacy Directive and GDPR
What happens when the two pieces of legislation overlap
03 April 2019
On 12 March 2019 the European Data Protection Board (EDPB) issued an opinion regarding the interplay between the Regulation (EU) no. 2016/679 on the protection of natural persons regarding the processing of personal data and on the free movement of such data (GDPR) and the Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (ePrivacy Directive) addressing what happens when the two pieces of legislation overlap and what are the powers and competences of the data protection authorities in such a scenario.
On 3 December 2018, the Belgian data protection authority asked the EDPB to issue an opinion (Opinion 5/2019) regarding the interplay between the GDPR and the ePrivacy Directive and the competences of the data protection authorities in applying the ePrivacy Directive. Broadly speaking, the scope of the GDPR covers any form of processing of personal data in the EU, regardless of the technology used, whereas the ePrivacy Directive applies to electronic communication services, that are offered over an electronic communication network, for which the services and the networks are publicly available and the service, together with the network, are offered in the EU.
The aim of the ePrivacy Directive is to ensure the protection of fundamental rights and freedoms of the public when they make use of electronic communication networks.
Thus, the ePrivacy Directive acts like a specific subset of rules that fall under the general rules set out by the GDPR in what concerns processing of personal data Nonetheless, further harmonization between the provisions of the GDPR and the ePrivacy Directive is expected once the new ePrivacy Regulation is implemented.
CONTENTS OF THE OPINION 5/2019
Interplay between the ePrivacy Directive and the GDPR
Even though it has been recognized that there are certain domains which are subject to the provisions of both regulations, such as matters related to cookies or customer relationship between electronic communication service providers and a natural person, this does not necessarily lead to conflict between the two sets of rules.
In its case law, the Court of Justice of the European Union also confirms that it is possible for processing of personal data to fall within the material scope of both the ePrivacy Directive and the GDPR.
According to the ePrivacy Directive, the ePrivacy Directive is meant to particularise and complement the GDPR.
The ePrivacy Directive contains specific provisions which particularise and take precedence over the general provisions of the GDPR. However, any processing of personal data which is not specifically regulated under the ePrivacy Directive (for which the ePrivacy Directive does not contain specific rules), remains subject to the provisions of the GDPR. Examples of the particular application of the ePrivacy Directive can be given with regard to traffic data or information stored in the end-user's device constituting personal data.
As stated in the Opinion, the ePrivacy Directive also contains complementary provisions to the GDPR. For example, the ePrivacy Directive protects subscribers and users of a publicly available electronic communication service. Such users can be natural or legal persons, which means that, by supplementing the GDPR, the ePrivacy Directive protects not only the rights of natural persons, but also the legitimate interests of legal persons.
The GDPR itself recognizes the complementary role of the ePrivacy Directive by including article 95 which states that the GDPR should not impose additional obligations on natural or legal persons in relation to processing […] in relation to matters for which they are subject to specific obligations with the same objective set out in the ePrivacy Directive.
Such additional obligations could become applicable, for example, in case of the personal data breach notification obligation prescribed by both legislative acts. The result of applying article 95 of the GDPR is that once a breach notification is issued under the ePrivacy Directive, there is no need for a separate data breach notification under the GDPR.
Competence, tasks and powers of data protection authorities
The Opinion clarifies that the data protection authorities benefit of powers and competences to act in the implementation and enforcement of the ePrivacy Directive only to the extent that the national legislation expressly conferred upon them such powers and responsibilities.
In Romania, the data protection authority was expressly conferred powers to enforce Law no. 506/2004 implementing the ePrivacy Directive.
The Opinion further states that in this case, when the GDPR and the ePrivacy Directive are enforced by the same authority, the local law needs to determine the tasks and powers of the data protection authority in relation to the enforcement of the ePrivacy Directive. The data protection authority cannot automatically rely on the tasks and powers foreseen in the GDPR to take action to enforce national ePrivacy rules, because the GDPR's tasks and powers are tied to the enforcement of the GDPR. However, the competence of data protection authorities under the GDPR remains in any event unabridged as regards processing operations which are not subject to special rules contained in the ePrivacy Directive. The mere fact that a subset of the processing falls within the scope of the ePrivacy Directive, does not limit the competence of data protection authorities under the GDPR.
An infringement of the GDPR might also constitute an infringement of national ePrivacy rules. The data protection authority may take this factual finding as to an infringement of ePrivacy rules into consideration when applying the GDPR (e.g. when assessing compliance with the lawfulness or fairness principle under article 5(1) a) GDPR).
Key Take-Away Issues
- The ePrivacy Directive is meant to particularise and complement the GDRP by setting special rules related to the processing of personal data and the protection of privacy in the electronic communications sector.
- The special rules under the ePrivacy Directive take precedence over the general provisions of the GDPR.
- Processing of personal data may thus trigger, as material scope, the application of both the GDPR and the ePrivacy Directive.
- In such cases, the data protection authorities benefit of powers and competences to act in the implementation and enforcement of the ePrivacy Directive only to the extent that the national legislation expressly conferred upon them such powers and responsibilities.
- The mere fact that a subset of the processing falls within the scope of the ePrivacy Directive, does not limit the competence of data protection authorities under the GDPR.