Following a request from Belgium’s Data Protection Authority, the European Data Protection Board (EDPB) has issued a formal opinion on the interplay between the upcoming ePrivacy Directive (The Directive) and the General Data Protection Regulation (EU) 2016/679 (GDPR). The opinion itself sits at a fairly hefty 25 pages but is well worth the read if you take a personal interest in how data protection is taking shape throughout Europe. This article serves to provide a brief summary of the opinion and how it will affect organisations moving forward into the era of the ePrivacy directive.
What Belgium’s Data Protection Authority Requested
Belgium’s Data Protection Authority sought clarification on:
1.Regarding the competence, tasks and powers of the data protection authorities, whether
a. Data protection authorities are able or not able to exercise their competence, tasks and powers in relation to processing that triggers, at least in relation to certain processing operations, the material scope of both the GDPR and the ePrivacy Directive; and if so whether
b. Data protection authorities may or should take into account provision of the ePrivacy Directive and/or its national implementations when exercising their competencies, tasks and powers under the GDPR (e.g., when assessing the lawfulness of processing) and if so, to what extent.
2. Whether the cooperation and consistency mechanisms can or should be applied in relation to processing that triggers, at least in relation to certain processing operations, the material scope of both the GDPR and the ePrivacy Directive; and
3. The extent to which processing can be governed by the provisions of both the ePrivacy Directive and the GDPR and whether or not this affects the answers to questions… (a)i) and a)ii).
The EDPB addresses the above questions in their opinion as follows:
There will be instances where both the material scope of the GDPR and the ePrivacy Directive both apply to the processing operation
The example given by the EDPB refers to the use of cookies being an instance where both the GDPR and the ePrivacy directive apply. In 2008, the previous iteration of the EDPB, Working Party 29 (WP29) stated in its opinion on online behavioural advertising:
“If as a result of placing and retrieving information through the cookie or similar device, the information collected can be considered personal data then, in addition to Article 5(3), Directive 95/46/EC will also apply.”
This has further been reinforced by case law of the Court of Justice of the European Union (CJEU), in particular Wirtschaftsakademie (CJEU, C-210/16, 5 June 2018, C‑210/16, ECLI:EU:C:2018:388. See in particular paragraphs 33-34)
Despite this analysis from WP29 and the CJEU occurring under previous, and now outgoing law, the EDPB is satisfied that these established precedents will continue upon implementation of the Directive.
Where a processing operation falls within both the material scope of the GDPR and the Directive, Data Protection Authorities will only be able to scrutinise data processing operations under the Directive if they have been conferred the power to do so by national law.
Interplay between the ePrivacy Directive and the GDPR
The EDPB has indicated that the legal principle lex specialis derogate legi generali applies in instances where there is a direct overlap between the GDPR and the Directive. In essence this means that because the Directive has been legislated for specific circumstances, rather than a more general approach, as the GDPR adopts, these specific rules will override if the circumstance arises.
One example of this is the principle in the application of both Article 6 GDPR and Article 6 of the Directive (which concerns the processing of “traffic data”). Typically, a processing operation will be conducted under an Article 6 GDPR lawful basis, however, if this processing is to involve the processing of traffic data, the limitations imposed by Article 6 of the Directive will supersede the GDPR, due to the specific nature of the directive. In all other cases where the Directive does not cover a particular aspect of processing personal data, the GDPR applies as normal (e.g. all processing must do so with a lawful basis).
Competence of Tasks and the Power of Data Protection Authorities and Enforcement of the ePrivacy Directive
Whilst the GDPR is enforced by the competent Supervisory Authority in each Member State, the Directive provides for member states to designate their own competent enforcement body if they wish to do so. Member States also have discretion as to the level of fines imposed for non-compliance with the Directive.
It is anticipated that many member states will go ahead and assign enforcement of the Directive to the bodies already tasked with the GDPR, however, the EDPB makes it clear that there must be a strict divide between when enforcement action is taken under the GDPR and when it is under the Directive. To put it in plain terms, A Supervisory Authority empowered to enforce the Directive cannot just exercise its powers conferred upon it by its GDPR mandate when dealing with enforcement action the Directive.
On the Applicability of Cooperation and Consistency Mechanisms
Cooperation and consistency mechanisms adopted under the GDPR do not extend to national implementations of the Directive. Such cooperation may take place to the extent of nationally adopted legislation, but there is no strict requirement.
Personal data processed under the GDPR is still subject to cooperation and consistency, for example, one part of the processing operations may fall under the GDPR, whilst another part is strictly under the Directive.
Concluding thoughts
Due to the novelty of the Directive, some of these answers the EDPB have provided may be the cause of some initial confusion to some organisations. It is anticipated as the Directive matures, certain norms will develop within the sphere of data protection. Regardless, those who grasp the concepts introduced in the Directive quickly are set to benefit the most.
For more information please refer to our service pages or contact our Data Governance team.
