Greetings from Brussels!
The European Data Protection Board recently published an opinion on the intersection between the ePrivacy Directive and the GDPR with particular regard to the competencies, tasks and powers of the European data protection authorities. Suffice to say, given the uncertainty around the legislative future of ePrivacy, coupled with its permeating influence, the document is a worthwhile read for those of you — and you are many — involved in electronic communications and EU personal data. Interestingly, the EDPB’s opinion responds to an inquiry from our local Belgian DPA here, concerning how these two rules are to be interpreted. At play, it is also important to consider that until the ePrivacy Regulation sees the light of day, the ePrivacy Directive will continue to be implemented and thus interpreted at the national level.
What does this mean in reality? Well, in a nutshell, the opinion states that when the processing of personal data triggers the material scope of both the GDPR and the ePrivacy Directive, the national DPAs are competent to scrutinize the data processing operations as governed by national ePrivacy rules insofar as the national laws confer the competence upon them. Any such scrutiny must be covered by the supervisory powers afforded the DPA through the applicable national law “transposing” the ePrivacy Directive. Moreover, depending on the overall national regulatory framework and applicable laws, there may be more than one authority involved.
The EDPB opinion goes further to state that an infringement of the GDPR might, in turn, constitute an infringement of national ePrivacy law. Under such a scenario, the EDPB holds that the DPA may take such a finding into consideration when applying the GDPR; for example, when assessing compliance with the lawfulness or fairness principle under Article 5(1)a of the GDPR. Any actual enforcement action must, however, be justified solely on the basis of the GDPR, unless the DPA has additional powers in relation to national ePrivacy rules.
In accordance with the principle lex specialis and where applicable, it remains the case that any specific ePrivacy provisions take precedence over the more general provisions of the GDPR, such as Article 6, which provides for a full range of possible legal bases to process personal data. In other words, the ePrivacy Directive contains “special rules” with respect to the processing of personal data in the electronic communication sector. What is clear here is that organizations working through their GDPR-compliance implementations also need to be careful they don’t trip over the ePrivacy Directive. There are jurisdictional complexities to address, and those that infringe upon both sets of law could face double scrutiny and possibly harsher enforcement.
Overall, the opinion provides helpful guidance on the interplay of overlapping rules. We will have to wait to see when and where the final version of the ePrivacy Regulation lands. It is also worth noting that the EDPB published a statement 13 March encouraging EU member states to finalize their positions on the proposed ePrivacy Regulation so that negotiations with the European Parliament can begin as soon as possible. ePrivacy seems to be in vogue and looks likely to become the new buzzword for 2019 in privacy circles.
If you want to comment on this post, you need to login.