The European Data Protection Board (EDPB) published an opinion (Opinion) on the interplay between the ePrivacy Directive (Directive 2002/58/EC) and the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). The Opinion responds to questions submitted by the Belgian data protection authority, specifically:
- whether data protection authorities (DPAs) are competent to regulate processing that triggers both GDPR and the ePrivacy Directive;
- whether DPAs should take the ePrivacy Directive (and/or its national implementing legislation) into account when exercising their powers under GDPR;
- whether the cooperation and consistency mechanisms should apply to processing that triggers both GDPR and the ePrivacy Directive; and
- the extent to which processing can be governed by provisions of both the ePrivacy Directive and GDPR.
The EDPB also provided more general guidance on the interplay between the ePrivacy Directive and GDPR. This blog sets out key takeaways of the Opinion.
Division between the ePrivacy Directive and GDPR
GDPR Article 95 provides that, where the ePrivacy Directive provides for a specific obligation with the same objective as GDPR, GDPR shall not impose an additional obligation. For example, both GDPR and the ePrivacy Directive oblige companies to notify the relevant supervisory authority following a data breach. Separate notifications are unnecessary and would “constitute an added burden without immediate apparent benefits for data protection”. In this scenario, only one data breach notification needs to be made.
GDPR generality versus the ePrivacy Directive speciality
The ePrivacy Directive may “particularise” GDPR’s more generalised provisions. Where the ePrivacy Directive makes a provision in GDPR more specific, the specific provision in the ePrivacy Directive takes precedence over the more general GDPR provision. However, any processing of personal data remains subject to GDPR if not specifically referred to by the ePrivacy Directive. One example of this is the application of Article 6 of the ePrivacy Directive, concerning traffic data, which limits the number of lawful grounds for processing of such data. The GDPR also provides for the lawful processing of personal data, offering more grounds for processing. In this instance the more restrictive provision of the ePrivacy Directive applies. This means that companies will not benefit from the GDPR’s more liberal processing regime. They must instead comply with the ePrivacy Directive.
The ePrivacy Directive particularises and complements GDPR’s enforcement provisions. DPAs can enforce on GDPR matters, but their enforcement powers under the ePrivacy Directive depend on the local laws implementing the ePrivacy Directive. Not all DPAs are empowered to enforce the ePrivacy Directive in their countries. The Opinion offers clarification on this point. It states that DPAs may only take an infringement under the ePrivacy Directive into account if they are empowered to do so by local law. This is important as a breach may trigger both GDPR and the ePrivacy Directive. Maximum fines under each regime differ widely. GDPR fines can range as high as 4% of a company’s annual global turnover. In contrast, the maximum fine under the ePrivacy Directive depends on local implementing law. In the United Kingdom, the maximum fine under the ePrivacy Directive is £500,000.
Many companies engage in online behavioural advertising and use tracking cookies. They should be aware of the separate regimes under the ePrivacy Directive and GDPR that govern these practices. The Opinion is a timely reminder of the twin regulatory regimes. We also await further news on the finalisation of the long-running ePrivacy Regulation, which is due to replace the ePrivacy Directive. The ePrivacy Regulation will likely increase potential sanctions for companies that break the law. The ePrivacy Regulation is unlikely to come into force before 2021. The current draft includes wording that delays the application of the Regulation by 24 months after being adopted. Significant areas of the draft Regulation are still under review by the European Council. This review will then be followed by trilogue discussions between the European Council, Parliament and Commission. However, the upcoming elections in May 2019 will likely further delay this process. We will continue to keep you updated on developments in this area.