The European Data Protection Board published an opinion on the interplay between the EU Directive on Privacy and Electronic Communications and the General Data Protection Regulation to generally clarify whether the processing of personal data triggers the material scope of both the GDPR and the ePrivacy Directive.
In order to answer these questions, the opinion dated 12 March 2019 addresses the material scope of the ePrivacy Directive and the GDPR, the interplay between the two, the competence, tasks and powers of EU Data Protection Authorities (DPA), and the applicability of the GDPR cooperation and consistency mechanisms to processing operations where the material scopes of both the GDPR and the ePrivacy Directive are triggered.
This article shortly examines the main highlights of the opinion.
Interplay between the ePrivacy Directive and the GDPR
There are many examples of processing activities which trigger the material scope of both the ePrivacy Directive and the GDPR. A clear example is the use of cookies which provide collection of personal data through a provider of electronic communication services. Although an overlap in material scope exists between the ePrivacy Directive and the GDPR, this does not necessarily lead to a conflict between the rules. This is clearly understood from article 1(2) of the ePrivacy Directive which expressly provides that "the provisions of this Directive particularise and complement Directive 95/46/EC (…)". This means in situations where the ePrivacy Directive “particularises” (i.e. renders more specific) the rules of the GDPR, the special provisions of the ePrivacy Directive shall take precedence over the more general provisions of the GDPR. However, any processing of personal data which is not specifically governed by the ePrivacy Directive remains subject to the provisions of the GDPR. For example, the GDPR provisions regarding the exercise of data subjects’ rights with respect to their personal data will apply, as there are no specific ePrivacy provisions on these rights.
Further, by supplementing the GDPR, the ePrivacy Directive protects not only the fundamental rights of natural persons and their right to privacy, but also the legitimate interests of legal persons.
Competence, Tasks and Powers of Data Protection Authorities
The GDPR provides for enforcement of its provisions by assignig independent data protection authorities whereas the ePrivacy Directive provides that Member States should ensure that each of the tasks of the ePrivacy Directive is assigned to national regulatory authorities. Therefore, Member states have chosen different entities to allocate the task of enforcing national ePrivacy rules.
When the processing of personal data falls within the material scope of both the GDPR and the ePrivacy Directive, EU DPAs are competent to scrutinize data processing operations that are governed by national rules implementing the ePrivacy Directive in case national law confers competence for the enforcement of the ePrivacy Directive on the data protection authority. National law should also determine the tasks and powers of the data protection authority in relation to the enforcement of the ePrivacy Directive.
However, the competence of data protection authorities under the GDPR in any event remains unchanged as regards processing operations which are not subject to special rules contained in the ePrivacy Directive but which are only subject to the GDPR. The mere fact that a subset of the processing also falls within the scope of the ePrivacy directive does not limit the competence of EU DPAs under the GDPR.
Applicability of the GDPR’s cooperation and consistency mechanisms
Following the GDPR, the cooperation and consistency mechanisms available to data protection authorities under the GDPR concern the monitoring of the application of GDPR provisions only. The GDPR mechanisms do not apply to the enforcement of the provisions contained in the ePrivacy Directive as such. Any cross-border cooperation between authorities competent for the enforcement of the ePrivacy Directive, including data protection authorities, national regulatory authorities and other authorities, may take place to the extent that relevant national regulatory authorities adopt measures to allow such cooperation. It should be noted that the cooperation and consistency mechanism remains fully applicable to the extent that the processing is subject to the general provisions of the GDPR (and not to a special rule contained in the ePrivacy Directive).
Conclusion
The ePrivacy Directive is meant to particularise and complement the GDRP by setting special rules related to the processing of personal data and the protection of privacy in the electronic communications sector. Where specific provisions exist which govern a particular processing operation, the specific provisions take precedence over the general rules of the GDPR which are applied in all other cases (i.e. where no specific provisions govern a particular processing operation or set of operations).
The authorities that are appointed as competent by Member States is exclusively responsible for enforcing the national provisions transposing the ePrivacy Directive that are applicable to that specific processing operation, including in cases where the processing of personal data triggers the material scope of both the GDPR and the ePrivacy Directive. Nevertheless, data protection authorities remain fully competent as regards any processing operations performed upon personal data which are not subject to one or more specifics rules contained in the ePrivacy Directive. Full opinion can be found in the below link:
https://edpb.europa.eu/sites/edpb/files/files/file1/201905_edpb_opinion_eprivacydir_gdpr_interplay_en_0.pdf
For more information please visit our Data Protection & Cyber law team or email Ms. Eleni Neoptolemou at This email address is being protected from spambots. You need JavaScript enabled to view it..
Back to News
