The European Data Protection Board (EDPB) has adopted an Opinion on the interplay of the e-Privacy Directive 2002/58 with the GDPR. The Opinion was adopted in response to a request made by the Belgian Data Protection Authority (DPA) to clarify: (i) the material scope of the e-Privacy Directive and the GDPR; (ii) the interplay of each set of rules and the extent to which processing can be governed by both; (iii) the competence, tasks and powers of EU DPAs; and (iv) the applicability of the cooperation and consistency mechanism by DPAs in relation to processing that triggers both sets of rules. The EDPB’s Opinion is without prejudice to the outcome of the current negotiations concerning the proposed e-Privacy Regulation. We have set out below some of the highlights of the Opinion.
(i) Material Scope
Whilst the GDPR lays down common rules on data processing, so as to ensure consistent protection of personal data across the EU, the e-Privacy Directive aims to “particularise and complement” the provisions of the GDPR, with respect to the processing of personal data in the electronic communication sector.
The Opinion notes that there are many examples of processing activities which can trigger the provisions of both the e-Privacy Directive and the GDPR, such as the use of cookies. This is evident from the CJEU decision in Wirtschaftsakademie (C-210/16), and the Advocate General’s opinion in the Fashion ID case (C-40/17). The CJEU’s decision in Planet49 (C-673/17) (decided after this Opinion was adopted by the EDPB) also demonstrates how both sets of rules may be applicable in a case involving cookies. Another example of an activity triggering the material scope of both sets of rules is the processing of traffic data and location data generated by electronic services, as they also involve personal data processing, insofar as they relate to individuals.
The Opinion highlights that Article 95 and recital 173 of the GDPR clarify the relationship between the e-Privacy Directive and the GDPR. Those provisions state that the GDPR shall not impose additional obligations on natural or legal persons in relation to the processing of personal data, where they are already “subject to specific obligations with the same objective” under the e-Privacy Directive. For example, electronic communications service providers who have notified a personal data breach in accordance with national rules implementing the e-Privacy Directive are not required to separately notify DPAs of the same breach under Article 33 of the GDPR.
Recital 10 to the e-Privacy Directive similarly provides that: “in the electronic communications sector [the GDPR] applies in particular to all matters concerning protection of fundamental rights and freedoms, which are not specifically covered by the provisions of this Directive, including the obligations on the controller and the rights of individuals”.
(ii) Interplay of the e-Privacy Directive and the GDPR
The Opinion notes that the e-Privacy Directive takes precedence over the more general provisions of the GDPR, in situations where the e-Privacy Directive contains specific rules for processing personal data. For example, the full range of possible legal bases for processing personal data under Article 6 of the GDPR cannot be applied by a provider of an electronic communications service to the processing of traffic data, because Article 6 of the e-Privacy Directive explicitly limits the conditions in which traffic data, including personal data, may be processed. However, Article 6 of the e-Privacy Directive does not curtail the other provisions of the GDPR, such as the rights of data subjects, and the requirement to process data in a lawful, fair and transparent manner.
In addition, Article 5(3) of the e-Privacy Directive, which requires prior consent for the use of cookies, takes precedence over Article 6 of the GDPR, thus preventing a controller from relying on an alternative legal basis for processing cookie data.
(iii) Competence, Tasks and Powers of EU DPAs
Not all EU DPAs are designated in national law as responsible for enforcing compliance with the e-Privacy Regulations. Accordingly, the Opinion states that DPAs cannot enforce the national implementing provisions of the e-Privacy Directive, when exercising their competences under the GDPR, unless national law gives them competence to do so. For example, the e-Privacy Regulations 2011, which implement the e-Privacy Directive in Ireland, provide the Irish Data Protection Commission with specific functions and enforcement powers which enable it to enforce the unsolicited direct marketing and cookie rules etc., with ComReg holding other regulatory functions and responsibilities.
As mentioned above, the processing of personal data may involve operations subject to the material scope of the e-Privacy Directive and the GDPR. For example, Article 5(3) of the e-Privacy Directive contains a specific rule for cookies, but it does not contain a specific rule for any prior or subsequent processing activities (e.g. the analysis of data regarding web browsing activity for purposes of online behavioural advertising or security purposes). As a result, the DPAs are competent under the GDPR to assess the lawfulness of all other processing operations following the deployment of cookies. The mere fact that a subset of the processing falls within the scope of the e-Privacy Directive does not limit the competence of DPAs under the GDPR.
An infringement of the GDPR might also constitute an infringement of national e-Privacy rules. The DPA may take an infringement of e-Privacy rules into consideration when applying the GDPR; however, any enforcement decision must be justified on the basis of the GDPR. If national law designates the DPA as the competent authority under the e-Privacy Directive, this DPA has the competence to directly enforce national e-Privacy rules in addition to the GDPR (otherwise it does not).
The Opinion notes that where several authorities are competent for enforcement of the e-Privacy Directive and the GDPR, they should cooperate to avoid an organisation being sanctioned twice in case of an infringement of the GDPR and the e-Privacy Directive concerning the same processing activity.
(iv) Applicability of the cooperation and consistency mechanisms
The Opinion highlights that the cooperation and consistency mechanisms available to DPAs under the GDPR concern the monitoring of the application of the GDPR, and do not apply to the enforcement of the national implementation of the e-Privacy Directive. However, the cooperation and consistency mechanisms remain fully applicable insofar as the processing is subject to the general provisions of the GDPR (and not to a specific rule contained in the e-Privacy Directive).