On 12 March 2019, the European Data Protection Board ("EDPB") adopted an opinion clarifying the interplay between Directive 2002/58/EC (the "ePrivacy Directive") and the General Data Protection Regulation (the "GDPR") (the "Opinion"). At the request of the Belgian Data Protection Authority, the EDPB provides guidance on whether (and to what extent):
- the competences, tasks and powers of data protection authorities under the GDPR are limited when the processing of personal data falls under the scope of both the GDPR and the ePrivacy Directive;
- data protection authorities should take into consideration the provisions of the ePrivacy Directive when exercising their competences, tasks and powers under the GDPR, while tackling possible infringements of national rules implementing the ePrivacy Directive;
- the cooperation and consistency mechanisms under the GDPR apply to processing that falls under the scope of both the GDPR and the ePrivacy Directive.
Interaction between GDPR and ePrivacy Directive
The objective of the GDPR is to protect fundamental rights and freedoms of natural persons with regard to the processing of personal data and the free movement of personal data within the EU. By contrast, the ePrivacy Directive seeks to safeguard the right to privacy and confidentiality in the electronic communications sector, as well as the free movement of personal data and of electronic communications equipment and services in the EU. The EDPB thus notes that there are many types of processing activities that may fall within the scope of both legal instruments. In its opinion, the EDPB focuses on four sorts of interplay.
First, some provisions of the ePrivacy Directive "particularise" rules of the GDPR in regard to processing of personal data in the electronic communications sector. In these situations, the EDPB states that the ePrivacy Directive ("lex specialis") will prevail over the general provisions of the GDPR ("lex generalis").
Second, it is possible that provisions of the ePrivacy Directive complement the GDPR, e.g., by extending the scope of the protected rights and legitimate interests.
Third, the opinion notes that Article 95 of the GDPR seeks to prevent unnecessary administrative burdens being imposed on natural and legal persons in relation to processing of personal data, when these persons are subject to (similar) specific obligations set out in the ePrivacy Directive.
Fourth, any processing of personal data which falls outside the scope of the ePrivacy Directive will be governed by the GDPR.
Competences, Tasks and Powers of Data Protection Authorities
By definition, data protection authorities are charged with the enforcement of the GDPR. Their competence in this respect will not be limited if a particular subset of data processing operations also falls within the scope of the ePrivacy Directive.
However, the EDPB notes that the domestic rules transposing the ePrivacy Directive may only be enforced by the authority that is appointed as competent by the EU Member States. While it is possible that this is the national data protection authority, it may also be another body (e.g., a national telecommunications authority). Consequently, if the processing of personal data falls under the scope of both the GDPR and the ePrivacy Directive, the designated authority will be competent for the enforcement of the specific rules envisaged by the ePrivacy Directive.
With respect to any processing operations that are not subject to these rules, responsibility is entrusted to the data protection authorities. At the same time, if the data protection authority finds that a particular action constitutes an infringement of both the GDPR and the ePrivacy Directive, it may take this circumstance into account when applying the GDPR so that enforcement of both instruments remains consistent. Nonetheless, any decision must be justified on the basis of the GDPR, insofar as the data protection authority is entrusted with supervisory powers solely in relation to that instrument.
As regards the potential application of the cooperation and consistency mechanisms under the GDPR towards types of processing that fall under the scope of both the GDPR and the ePrivacy Directive, the EDPB notes that they do not apply to the enforcement of the national rules implementing the ePrivacy Directive. Since these mechanisms are related to the GDPR, they are only relevant to the extent that the processing of data is subject to the general provisions of the GDPR and not to the special rules of the ePrivacy Directive.
The above clarifications are essential in the light of the need to ensure consistent interpretation among EU data protection authorities of the boundaries of their competences, tasks and powers. In accordance with the requirements of the GDPR (Articles 61 and 62), they should also adhere to a coherent practice of mutual assistance and joint operations.
Finally, the EDPB notes that the Opinion is without prejudice to the outcome of the current negotiations on the future ePrivacy Regulation among the European institutions. If and when adopted, the new ePrivacy Regulation will replace the ePrivacy Directive and its national implementing laws.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.