EDPB opinion on the respective scope of application of the ePrivacy Directive and the GDPR

On March 12, 2019, the European Data Protection Board (EDPB) published an opinion defining the GDPR’s scope of application and providing an interpretation on data protection authorities’ competences, tasks and powers.

The Belgian Data Protection Authority (DPA) requested the EDPB to examine and issue an opinion on the interplay between the ePrivacy Directive (2002/58/EC) and the Regulation 2016/679/EU (GDPR).

Purposes. The opinion clarifies that the GDPR’s objective is to protect personal data and ensure their free movement within the EU. The ePrivacy Directive has the objective to harmonise the national provisions required to ensure the right to privacy with respect to the processing of personal data in the electronic communication sector and to ensure their free movement. The ePrivacy Directive seeks to “particularise and complement” the provisions of the GDPR, with respect to the processing of personal data in the electronic communication sector.

Both pieces of legislation may be triggered. The EDPB clarifies the instances in which the processing triggers the material scope of both pieces of legislation.

The opinion explains that, in principle, the material scope of the GDPR covers any form of processing of personal data, regardless of the technology used. The material scope of the ePrivacy Directive, by contrast, applies when:

  • there is an electronic communications service (ECS);
  • this service is offered over an electronic communications network;
  • the service and network are publicly available;
  • the service and network are offered in the EU.

Articles 5(3) and 13 of the ePrivacy Directive apply to providers of electronic communication services as well as website operators (e.g. for cookies) or other businesses (e.g. for direct marketing). The use of cookies is an example of processing activities which trigger the material scope of both the ePrivacy Directive and the GDPR. Another example concerns the customer data processed by electronic communications service providers.

According to the EDPB, an overlap in material scope does not necessarily mean that there is a conflict between the rules. Moreover, the application of the ePrivacy Directive does not curtail the application of other provisions of the GDPR, such as the rights of the data subject. Nor does it negate the requirement that processing of personal data must be lawful and fair (article 5.1.a, GDPR).

The opinion provides a set of general rules for handling borderline situations.

  • lex specialis derogat legi generali. A number of provisions of the ePrivacy Directive “particularise” the provisions of the GDPR. Special provisions of the ePrivacy Directive shall (as lex specialis) prevail over the more general provisions of the GDPR. One example of where the ePrivacy Directive “particularises” the provisions of the GDPR concerns the processing of so-called “traffic data”. Article 6, ePrivacy Directive, limits the conditions in which traffic data, including personal data, may be processed. Article 6, GDPR, also sets forth several lawful grounds for the processing of personal data. However, the lawful grounds provided by the GDPR cannot be applied by the provider of an electronic communications service to the processing of traffic data, because article 6, ePrivacy Directive, explicitly provides for it;
  • avoid doubled obligations. Article 95, GDPR, guards against the imposition of unnecessary administrative burdens by prohibiting a subject from being bound by obligations with the same objective. For example, the controllers’ obligations in case of data breach are very similar under both legislative acts and therefore – following article 95, GDPR – the electronic communications service providers who have notified a personal data breach in compliance with the applicable national ePrivacy legislation are not required to separately notify DPAs of the same breach pursuant to article 33, GDPR.

DPAs’ powers. The second part of the opinion discusses the supervisory powers assigned to DPAs when the processing of personal data triggers the material scope of both the GDPR and the ePrivacy Directive.

Generally speaking, DPAs are competent to enforce the GDPR. The mere fact that a subset of the processing falls within the scope of the ePrivacy Directive does not limit the competence of data protection authorities under the GDPR.

 

The topic of the recently issued opinion is timely, especially in light of the current negotiations on the ePrivacy Regulation, which will address many important elements, including DPAs’ competences. The Board reiterated the importance of adopting an ePrivacy Regulation. More on the ePrivacy Regulation is available at

https://www.technethics.com…

 

Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data protection authorities is available at https://edpb.europa.eu…

 

For more information on how EU privacy may impact your business, contact Francesca Giannoni-Crystal. Thanks to Federica Romanelli.