EDPB: ePrivacy and GDPR work together to protect people’s data
The General Data Protection Regulation (GDPR) is very closely linked to other EU legislation protecting the privacy of electronic communications (“e-Privacy”). A recent opinion issued by the European Data Protection Board (EDPB) states authoritatively that the GDPR and e-Privacy rules work together to provide comprehensive data protection.
This opinion refers formally to the 2002 Directive on Privacy and Electronic Communications, but it is issued without prejudice to the e-Privacy Regulation currently making its way through the European legislative process.
Progress on the e-Privacy Regulation has been rocky. It covers some of the most hotly contested areas in modern privacy and the digital economy, including online advertising, marketing and cookies, confidentiality of online communications in relation to traditional telecommunications and the privacy of smartphones and other devices, including apps. As such, it has been subjected to an unprecedented level of lobbying by businesses concerned about consumers being given more power to control their data. This pressure has at times threatened to derail the entire process.
One of the points of contention is the relationship between e-Privacy and the GDPR. Some business lobbies have argued that there is no need to have two pieces of legislation as this creates conflicting privacy safeguards. This contention has been contested by the European Data Protection Supervisor (EDPS) in a lengthy piece advocating strongly for a reform of the current e-Privacy legislation. It has also been analytically critiqued in the EDPB’s Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data protection authorities.
The EDPB Opinion was issued in response to a request from the Belgian Data Protection Authority (DPA) to clarify the interplay between e-Privacy and the GDPR. The main question asked by Belgium was whether national DPAs must or should take into account provisions of the e-Privacy Directive in their analysis and rulings. The EDPB was also asked to examine whether the “cooperation and consistency” mechanisms between DPAs can be engaged where processing can be governed by provisions of both the e-Privacy Directive and the GDPR.
The Opinion made it clear that both pieces of legislation are necessary. In some situations, only the GDPR will apply. In other situations, both the GDPR and e-Privacy laws can apply. Sometimes, e-Privacy goes further than the GDPR; for example, by protecting the legitimate interests of legal persons in addition to the fundamental rights of natural persons. A number of provisions in the e-Privacy Directive also “particularise and complement” the GDPR. In line with the standard rule that specific law trumps general law, where e-Privacy makes GDPR rules more specific, e-Privacy should prevail. For example, where e-Privacy stipulates that consent is required for a specific data processing activity, this will override the full range of possible lawful grounds for processing provided by Article 6 of the GDPR. This would be the case in most electronic communications and online marketing.
There are points where e-Privacy and the GDPR contain parallel obligations, for example to notify the relevant authorities of personal data breaches. The EDPB Opinion confirms that having regard to both pieces of legislation should not impose additional obligations or unnecessary administrative burdens. So, for example, breach notification need only be done once.
In terms of consistency and cooperation mechanisms, the EDPB confirmed that national DPA powers derive from the GDPR; they do not have automatic competency to enforce e-Privacy. DPAs need to be given specific powers or assigned tasks in order to scrutinise data processing operations governed by e-Privacy law. States may also, or alternatively, appoint another authority or body as an e-Privacy enforcement authority. This has a range of possible implications, particularly in terms of fine levels.
In issuing this Opinion, the EDPB seems to be losing patience with European legislators who are stalling in taking the e-Privacy Regulation forward. The day after publishing the Opinion, the EDPB issued a further statement calling for stronger efforts to be made towards the adoption of an e-Privacy Regulation and urging legislators to start trilogue negotiations as soon as possible. It stated that the Regulation “must complement the GDPR by providing additional strong guarantees for all types of electronic communications.” Apparently concerned about the potential for watering down the provisions by the Council of the European Union, the EDPB also insisted that “the e-Privacy Regulation must under no circumstances lower the level of protection offered by the current e-Privacy Directive.”
By Javier Ruiz, Policy Director, Open Rights Group