The European Data Protection Board (the “EDPB”) has published its opinion on the interplay between the GDPR and Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (the “ePrivacy Directive”).
However, the opinion also deals with the following two key issues:
- Precedence: The opinion confirms that, in situations where detailed provisions of the ePrivacy Directive apply to processing also caught by the general provisions of the GDPR, the detailed ePrivacy provisions will take precedence. At a practical level, this means that, in relation to electronic marketing for example, the specific provisions of Article 13 of the ePrivacy Directive (requiring explicit opt-in consent to receive such communications unless an exception such as the so-called ‘soft opt-in’ can be relied upon) will take precedence over the more general provisions of Article 6 of the GDPR, which set out a number of lawful bases for processing, including where it is in the ‘legitimate interests’ of the controller. This is an important clarification but not a “get out of jail free” card for GDPR compliance, as the EDPB confirms in its opinion that the mere fact that a subset of the processing falls within the scope of the ePrivacy Directive does not limit the competence of data protection authorities under the GDPR. In other words, organisations will still need to comply with aspects of the GDPR that are not covered by the detailed ePrivacy Directive provisions.
- Enforcement: The opinion confirms that an infringement of the GDPR might also constitute an infringement of ePrivacy rules. The data protection authority may take this factual finding as to an infringement of ePrivacy rules into consideration when applying the GDPR (e.g. when assessing compliance with the lawfulness or fairness principle under Article 5(1)(a) GDPR). However, any enforcement decision must be justified on the basis of the GDPR. If national law designates the data protection authority as the competent authority under the ePrivacy Directive, this data protection authority has the competence to directly enforce national ePrivacy rules in addition to the GDPR (otherwise it does not). This is important because not all Member States have designated their national privacy regulator as the competent authority to enforce the ePrivacy Directive.
Whilst the opinion contains some important clarifications, it also contains an interesting caveat at the end, where it states that “the Board acknowledges that the interpretation above is without prejudice to the outcome of the current negotiations of the ePrivacy Regulation. The proposed Regulation addresses many important elements, including as regards the competences of data protection authorities, but also as regards a range of other very important issues. The Board reiterates its position that the adoption of an ePrivacy Regulation is important.” As such, whilst the opinion is useful, organisations are reminded that the whole ePrivacy regime is currently being renegotiated at a European level and the new ePrivacy Regulation could further change the position outlined in the opinion.