The European Data Protection Board recently published an opinion on the interplay between the EU Directive on Privacy and Electronic Communications (“ePrivacy Directive”) and the General Data Protection Regulation (“GDPR”) to generally clarify whether the processing of personal data triggers the material scopes of both the GDPR and the ePrivacy Directive.
In order to answer these questions, the opinion dated 12 March 2019 addresses the material scope of the ePrivacy Directive and the GDPR, the interplay between the two, the competence, tasks and powers of EU Data Protection Authorities (DPA), and the applicability of the GDPR cooperation and consistency mechanisms to processing operations where the material scopes of both the GDPR and the ePrivacy Directive are triggered.
This article shortly examines the main highlights of the opinion.
Interplay between the ePrivacy Directive and the GDPR
However, any processing of personal data which is not specifically governed by the ePrivacy Directive remains subject to the provisions of the GDPR. For example, the GDPR provisions regarding the exercise of data subjects’ rights with respect to their personal data will apply, as there are no specific ePrivacy provisions on these rights.
Further, by supplementing the GDPR, the ePrivacy Directive protects not only the fundamental rights of natural persons and their right to privacy, but also the legitimate interests of legal persons.
Competence, Tasks and Powers of Data Protection Authorities
The GDPR provides for enforcement of its provisions by assigning independent data protection authorities whereas the ePrivacy Directive provides that Member States should ensure that each of the tasks of the ePrivacy Directive is assigned to national regulatory authorities. Therefore, Member states have chosen different entities to allocate the task of enforcing national ePrivacy rules.
When the processing of personal data falls within the material scope of both the GDPR and the ePrivacy Directive, EU DPAs are competent to scrutinize data processing operations that are governed by national rules implementing the ePrivacy Directive in case national law confers competence for the enforcement of the ePrivacy Directive on the data protection authority. National law should also determine the tasks and powers of the data protection authority in relation to the enforcement of the ePrivacy Directive.
However, the competence of data protection authorities under the GDPR in any event remains unchanged as regards processing operations which are not subject to special rules contained in the ePrivacy Directive but which are only subject to the GDPR. The mere fact that a subset of the processing also falls within the scope of the ePrivacy directive does not limit the competence of EU DPAs under the GDPR.
Applicability of the GDPR’s cooperation and consistency mechanisms
Following the GDPR, the cooperation and consistency mechanisms available to data protection authorities under the GDPR concern the monitoring of the application of GDPR provisions only. The GDPR mechanisms do not apply to the enforcement of the provisions contained in the ePrivacy Directive as such. Any cross-border cooperation between authorities competent for the enforcement of the ePrivacy Directive, including data protection authorities, national regulatory authorities and other authorities, may take place to the extent that relevant national regulatory authorities adopt measures to allow such cooperation. It should be noted that the cooperation and consistency mechanism remains fully applicable to the extent that the processing is subject to the general provisions of the GDPR (and not to a special rule contained in the ePrivacy Directive).
The ePrivacy Directive is meant to particularise and complement the GDPR by setting special rules related to the processing of personal data and the protection of privacy in the electronic communications sector. Where specific provisions exist which govern a particular processing operation, the specific provisions take precedence over the general rules of the GDPR which are applied in all other cases (i.e. where no specific provisions govern a particular processing operation or set of operations).
The authorities that are appointed as competent by Member States are exclusively responsible for enforcing the national provisions transposing the ePrivacy Directive that are applicable to that specific processing operation, including in cases where the processing of personal data triggers the material scope of both the GDPR and the ePrivacy Directive. Nevertheless, data protection authorities remain fully competent as regards any processing operations performed upon personal data which are not subject to one or more specifics rules contained in the ePrivacy Directive. The full opinion can be found here: https://edpb.europa.eu/sites/edpb/files/files/file1/201905_edpb_opinion_eprivacydir_gdpr_interplay_en_0.pdf