Interplay between the GDPR and ePrivacy Directive: practical summary.
Since the adoption of the GDPR (or even earlier), the interrelation between the GDPR and the EU’s ePrivacy Directive has been a debatable topic. To help privacy practitioners, in early 2019 the EDPB issued Opinion 5/2019 “On the interplay between the ePrivacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data protection authorities”. In this article, DPOrganizer summarises the approaches taken by the EDPB and provides some practical examples.
Clash of material scopes
While the applicability of the GDPR bears no relation to the communications aspect (it covers any form of processing, unless one of the specific exemptions under Article 2 of the GDPR applies), the scope of the ePrivacy Directive is considerably narrower. As the EDPB explains, “the ePrivacy Directive applies when each of the following conditions are met:
– there is an electronic communications service (ECS);
– this service is offered over an electronic communications network;
– the service and network are publicly available;
– the service and network are offered in the EU.
Activities which do not meet all of the above criteria are generally out of scope of the ePrivacy Directive”.
For example, this means that electronic communications conducted through some private networks (e.g., corporate networks) will not be subject to the ePrivacy Directive. With that said, such communications may still fall within the scope of the GDPR.
For the purposes of this article, however, the more interesting cases are processing operations that fall within the scope of both the GDPR and the ePrivacy Directive. The Working Party 29 (the EDPB’s predecessor) has already considered the issue of placing and retrieving information through a cookie or similar technology. In its Opinion 2/2010 “On online behavioural advertising”, the WP29 clarified that, if personal data are in scope, the EU Data Protection Directive (now replaced by the GDPR) will apply in addition to the ePrivacy Directive.
In a nutshell, it might well be the case that both the GDPR and ePrivacy Directive apply to the particular data processing operation.
Examples of such cases are manifold:
– processing of cookies, IP addresses and online identifiers (as defined by the GDPR Recital 30);
– processing of personal data for the purposes of direct marketing communications conducted through public networks;
– inclusion of subscribers in directories, processing involving itemised billing, calling line identification;
– processing of traffic data and location data generated by electronic communication services.
So how should the cases mentioned above be approached?
‘Lex specialis derogat legi generali’
This means that, when both the GDPR and the ePrivacy Directive apply to the same processing operation and introduce contradictory rules, the special provisions of the ePrivacy Directive will prevail over the general rules of the GDPR.
In other words, in situations where the ePrivacy Directive and the GDPR are both applicable, the ePrivacy Directive requirements need to be first complied with in order to fulfil the principle of lawfulness under the GDPR. If the ePrivacy Directive requirements are not complied with, the processing of the personal data under the GDPR will be unlawful.
The most classic example here is probably direct marketing.
Under the GDPR Recital 47, “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest” (i.e., the processing might be carried out on the basis of ‘legitimate interest’), while Article 13 of the ePrivacy Directive, as a general rule, requires consent to be obtained from data subjects in cases of direct marketing.
This means that, when direct marketing communications are delivered through public communication networks and meet the other ePrivacy Directive applicability criteria, the special provisions of the directive will apply, and the data controller will have to obtain the data subject’s consent for direct marketing. In other cases – e.g., where the ePrivacy Directive provides for exemptions from the general requirement to obtain consent, or where direct marketing messages are delivered by paper-based mail – the general rules of the GDPR will apply.
The same holds true for so-called “traffic data”. Article 6 of the ePrivacy Directive outlines specific circumstances to be taken into account when identifying retention periods and requires consent to be obtained when “traffic data” is processed for the purpose of marketing electronic communications services or for the provision of value added services. In all other respects, the general rules of the GDPR continue to apply.
The EDPB calls this phenomenon (where the special rules do not apply, the general rules continue to apply) “co-existence”. As Recital 173 of the GDPR suggests, the GDPR “should apply to all matters concerning the protection of fundamental rights and freedoms vis-à-vis the processing of personal data which are not subject to specific obligations with the same objective set out in [ePrivacy Directive], including the obligations on the controller and the rights of natural persons”.
In essence, several ePrivacy Directive provisions complement GDPR provisions. As Recital 12 of the directive suggests, “Subscribers to a publicly available electronic communications service may be natural or legal persons. By supplementing Directive 95/46/EC [predecessor of the GDPR], [ePrivacy Directive] is aimed at protecting the fundamental rights of natural persons and particularly their right to privacy, as well as the legitimate interests of legal persons. [ePrivacy Directive] does not entail an obligation for Member States to extend the application of Directive 95/46/EC to the protection of the legitimate interests of legal persons, which is ensured within the framework of the applicable Community and national legislation”.
The GDPR Article 95 specifically outlines that it “should not impose additional obligations on natural or legal persons in relation to processing in connection with the provision of publicly available electronic communications services in public communication networks in the Union in relation to matters for which they are subject to specific obligations with the same objective set out in [ePrivacy Directive]”.
The EDPB, in turn, clarifies this provision with the following example:
An example that illustrates the application of this article relates to the personal data breach notification obligation, which is imposed by both the ePrivacy Directive and the GDPR. They both provide for an obligation to ensure security, as well as an obligation to notify personal data breaches to the competent national authority and the data protection authority, respectively. These obligations are applicable in parallel under the two different pieces of legislation, according to their respective scopes of application. Clearly, an obligation to notify under both acts, once in compliance with the GDPR and once in compliance with national ePrivacy legislation would constitute an added burden without immediate apparent benefits for data protection. Following article 95 of the GDPR, the electronic communications service providers who have notified a personal data breach in compliance with applicable national ePrivacy legislation are not required to separately notify data protection authorities of the same breach pursuant to article 33 of the GDPR.
Does the GDPR call for more consistency? The ePrivacy Regulation’s scope.
Seemingly, the above rules provide for extensive explanations on how to deal with potential clashes between the GDPR and the ePrivacy Directive. However, Recital 173 of the GDPR still recognizes insufficient clarity and calls for even more consistency: “In order to clarify the relationship between [the GDPR] and [ePrivacy Directive], that Directive should be amended accordingly. Once [the GDPR] is adopted, [ePrivacy Directive] should be reviewed in particular in order to ensure consistency with [the GDPR]”.
The ePrivacy Directive has not been reviewed since then, but it is currently expected to be replaced by the ePrivacy Regulation (Regulation on Privacy and Electronic Communications).
Point 1.1 of the Explanatory Memorandum of the Proposal for a Regulation on Privacy and Electronic Communications outlines that “this proposal reviews the ePrivacy Directive, foreseeing in the Digital Single Market Strategy objectives and ensuring consistency with the GDPR”.
Further to this, point 1.2 sets forth that “this proposal is lex specialis to the GDPR and will particularise and complement it as regards electronic communications data that qualify as personal data. All matters concerning the processing of personal data not specifically addressed by the proposal are covered by the GDPR. The alignment with the GDPR resulted in the repeal of some provisions, such as the security obligations of Article 4 of the ePrivacy Directive”.
Thus, it would be fair to say that the interplay between the GDPR and the ePrivacy Regulation follows the same approach as that between the GDPR and the ePrivacy Directive: to complement, to particularise, and to co-exist.