On March 15, 2019, the European Data Protection Board published Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR, in particular regarding the competence, tasks, and powers of data protection authorities. While the title is a mouthful, the 25-page document is a worthwhile read for anyone involved in electronic communications with EU personal data. And given the ubiquity of “electronic communications” the audience pool here is pretty large.
The passage of the GDPR in 2016 absorbed the focus of so many organizations and people that one would not be blamed for thinking that it was the only European data protection law warranting attention. Complex as the GDPR is, it remains one of several laws affecting data protection.
The EU Parliament’s adoption of the General Data Protection Regulation in 2016 replaced entirely the 1995 EU Data Protection Directive. But the 1995 Directive itself was simply one important part of the EU data protection fabric of rules. The 2002 Directive on privacy and electronic communications (with its 2009 amendments) are collectively known as the ePrivacy Directive. Under the 1995 Directive, member states had to pass implementing legislation concerning the lawful processing of personal data generally, which involved notice, consent, the need for lawful processing, and the legal bases for international data transfers.
The concept of the ePrivacy Directive has been to provide a series of supplemental rules more narrowly tailored for public electronic communication services such as the internet and mobile and landline telephony and via their accompanying networks. Beyond telephone calls themselves, these rules apply to the publicly accessible web along with the communications passing across the web, whether via email, text, or an alternative format.
A central focus of application of the ePrivacy Directive has been managing user consent when presenting consumers with company web pages or marketing messages. This is required in many situations, including:
- before unsolicited communications (spam) can be sent to them. This also applies to short message services (SMSs) and other electronic messaging systems;
- before information (cookies) is stored on their computers or devices or before access to that information is obtained – the user must be given clear and full information, among other things, on the purpose of the storage or access;
- before telephone numbers, e-mail addresses or postal addresses can appear in public directories.
Interplay of the GDPR and the ePrivacy Directive
The EDPB’s Opinion responds to an inquiry from the Belgian data protection authority concerning how these two rules are to be interpreted. It is also important to consider that until the long gestating ePrivacy Regulation emerges, the ePrivacy Directive will continue to be implemented and thus interpreted by each EU member state.
Key takeaways for those considered controllers and processors under the GDPR include the following:
- EU case law has previously established that different rules (such as the GDPR and the ePrivacy Directive) can apply to the same data and circumstances. Thus, the GDPR does not overrule or shunt aside any relevant provisions of the ePrivacy Directive.
- Practical examples are online identifiers such as cookies and IP addresses and electronic communications between an organization and its customer or prospective customer.
- While the GDPR may offer the “legitimate business interests” basis for a company to process customer data in preparation for marketing messages, the ePrivacy Directive as implemented by each member state governs the delivery conditions of that message.
- The dual jurisdiction challenge appears not only in the context of identifying and effecting compliance, but also on the enforcement side. If an organization has violated a member state’s implementation of the ePrivacy Directive, it is just as likely that a GDPR violation lurks too.
- On the (more) positive aspect, to the extent that the GDPR directly addresses a topic within another law, such as breach notification within the ePrivacy Directive, the GDPR rules. What is more often the case is that the ‘narrower’ law will ‘particularise’ or complement the GDPR.
- Finally, the potential fines for GDPR violations are not to be applied to violations of other laws, such as the ePrivacy Directive, which may offer some solace to those whose online advertising, cookie and IP tracking, and customer marketing messages could still benefit from improvement.
The EDPB’s Opinion provides helpful guidance on the interplay of overlapping rules, whether the topic is consumer marketing, employee privacy rights, or anything else. However, at least for the ePrivacy Directive, its demise has been in the works for a while now. When the final version of the ePrivacy Regulation lands, the resulting mandates could adopt a relatively strict approach on, e.g., consents as well as the potentially harsh fines of the GDPR. Stay tuned.